Query Details

Stop PLC IoT Device

Query

// Stop PLC command sent to an IoT/OT device (S7 protocol)
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName == "An S7 Stop PLC Command was Sent"
| extend SourceDeviceAddress_ = tostring(parse_json(ExtendedProperties).SourceDeviceAddress)
| extend DestinationDeviceAddress_ = tostring(parse_json(ExtendedProperties).DestinationDeviceAddress)

Explanation

This query retrieves SecurityAlert records for an IoT/OT device. It keeps only alerts raised within the last 7 days whose alert name is exactly "An S7 Stop PLC Command was Sent", then parses the alert's ExtendedProperties JSON and extracts the source and destination device addresses into their own columns, so the analyst can see which host issued the stop command and which PLC received it.

Details

Rod Trent

Released: November 8, 2021

Tables

SecurityAlert

Keywords

IoT, Device

Operators

where, ago, ==, extend, tostring, parse_json
