
This article provides a reference of the alerts that are generated by Microsoft Defender for IoT network sensors, including a list of all alert types and descriptions. You might use this reference to map alerts into playbooks, define forwarding rules on an OT network sensor, or other custom activity.

Important

The Alerts page in the Azure portal is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

OT alerts turned off by default

Several alerts are turned off by default, as indicated by asterisks (*) in the tables below. OT sensor Admin users can enable or disable alerts from the Support page on a specific OT network sensor.

If you turn off alerts that are referenced in other places, such as alert forwarding rules , make sure to update those references as needed.

Alert severities

Defender for IoT alerts use the following severity levels:

  • Critical: Indicates a malicious attack that should be handled immediately.

  • Major: Indicates a security threat that's important to address.

  • Minor: Indicates some deviation from the baseline behavior that might contain a security threat.

  • Warning: Indicates some deviation from the baseline behavior with no security threats.

Supported alert types

Each alert type, with the detection engine that produces it:

  • Policy violation alerts: Triggered when the Policy Violation engine detects a deviation from traffic previously learned. For example:
    - A new device is detected.
    - A new configuration is detected on a device.
    - A device not defined as a programming device carries out a programming change.
    - A firmware version changed.

  • Protocol violation alerts: Triggered when the Protocol Violation engine detects packet structures or field values that don't comply with the protocol specification.

  • Operational alerts: Triggered when the Operational engine detects network operational incidents or a device malfunctioning. For example, a network device was stopped through a Stop PLC command, or an interface on a sensor stopped monitoring traffic.

  • Malware alerts: Triggered when the Malware engine detects malicious network activity. For example, the engine detects a known attack such as Conficker.

  • Anomaly alerts: Triggered when the Anomaly engine detects a deviation. For example, a device is performing network scans but isn't defined as a scanning device.

Supported alert categories

Each alert has one of the following categories:

  • Abnormal Communication Behavior
  • Abnormal HTTP Communication Behavior
  • Authentication
  • Backup
  • Bandwidth Anomalies
  • Buffer overflow
  • Command Failures
  • Configuration changes
  • Custom Alerts
  • Discovery
  • Firmware change
  • Illegal commands

Alert reference

Each entry below lists the alert title, its description, severity, category, and the MITRE ATT&CK for ICS tactics and techniques it maps to. Alerts marked with an asterisk (*) are turned off by default. Where an entry shows no category, the page lists none.

  • Beckhoff Software Changed
    Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure.
    Severity: Major; Category: Firmware Change
    Tactics: Inhibit Response Function; Persistence
    Techniques: T0857: System Firmware

  • Database Login Failed
    A failed sign-in attempt was detected from a source device to a destination server. This might be the result of human error, but could also indicate a malicious attempt to compromise the server or data on it.
    Threshold: 2 sign-in failures in 5 minutes
    Severity: Major; Category: Authentication
    Tactics: Lateral Movement; Collection
    Techniques: T0812: Default Credentials; T0811: Data from Information Repositories

  • Emerson ROC Firmware Version Changed
    Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure.
    Severity: Major; Category: Firmware Change
    Tactics: Inhibit Response Function; Persistence
    Techniques: T0857: System Firmware

  • External address within the network communicated with Internet
    A source device defined as part of your network is communicating with Internet addresses. The source isn't authorized to communicate with Internet addresses.
    Severity: Critical; Category: Internet Access
    Tactics: Initial Access
    Techniques: T0883: Internet Accessible Device

  • Field Device Discovered Unexpectedly
    A new source device was detected on the network but hasn't been authorized.
    Severity: Major; Category: Discovery
    Tactics: Discovery
    Techniques: T0842: Network Sniffing

  • Firmware Change Detected
    Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure.
    Severity: Major; Category: Firmware Change
    Tactics: Inhibit Response Function; Persistence
    Techniques: T0857: System Firmware

  • Firmware Version Changed
    Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure.
    Severity: Major; Category: Firmware Change
    Tactics: Inhibit Response Function; Persistence
    Techniques: T0857: System Firmware

  • Foxboro I/A Unauthorized Operation
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control
    Techniques: T0855: Unauthorized Command Message; T0836: Modify Parameter

  • FTP Login Failed
    A failed sign-in attempt was detected from a source device to a destination server. This alert might be the result of human error, but could also indicate a malicious attempt to compromise the server or data on it.
    Severity: Major; Category: Authentication
    Tactics: Lateral Movement; Command And Control
    Techniques: T0812: Default Credentials; T0869: Standard Application Layer Protocol

  • Function Code Raised Unauthorized Exception *
    A source device (secondary) returned an exception to a destination device (primary).
    Severity: Major; Category: Command Failures
    Tactics: Inhibit Response Function
    Techniques: T0835: Manipulate I/O Image

  • GOOSE Message Type Settings
    Message (identified by protocol ID) settings were changed on a source device.
    Severity: Warning; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control
    Techniques: T0836: Modify Parameter

  • Honeywell Firmware Version Changed
    Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure.
    Severity: Major; Category: Firmware Change
    Tactics: Inhibit Response Function; Persistence
    Techniques: T0857: System Firmware

  • Illegal HTTP Communication *
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Abnormal HTTP Communication Behavior
    Tactics: Discovery
    Techniques: T0846: Remote System Discovery

  • Internet Access Detected
    A source device defined as part of your network is communicating with Internet addresses. The source isn't authorized to communicate with Internet addresses.
    Severity: Major; Category: Internet Access
    Tactics: Initial Access
    Techniques: T0883: Internet Accessible Device

  • Mitsubishi Firmware Version Changed
    Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure.
    Severity: Major; Category: Firmware Change
    Tactics: Inhibit Response Function; Persistence
    Techniques: T0857: System Firmware

  • Modbus Address Range Violation
    A primary device requested access to a new secondary memory address.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Discovery
    Techniques: T0842: Network Sniffing

  • Modbus Firmware Version Changed
    Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure.
    Severity: Major; Category: Firmware Change
    Tactics: Inhibit Response Function; Persistence
    Techniques: T0857: System Firmware

  • New Activity Detected - CIP Class
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Discovery
    Techniques: T0888: Remote System Information Discovery

  • New Activity Detected - CIP Class Service
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Inhibit Response Function
    Techniques: T0836: Modify Parameter

  • New Activity Detected - CIP PCCC Command
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Inhibit Response Function
    Techniques: T0836: Modify Parameter

  • New Activity Detected - CIP Symbol
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Inhibit Response Function
    Techniques: T0855: Unauthorized Command Message; T0836: Modify Parameter

  • New Activity Detected - EtherNet/IP I/O Connection
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Discovery; Inhibit Response Function
    Techniques: T0846: Remote System Discovery; T0835: Manipulate I/O Image

  • New Activity Detected - EtherNet/IP Protocol Command
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Inhibit Response Function
    Techniques: T0836: Modify Parameter

  • New Activity Detected - GSM Message Code
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Command And Control
    Techniques: T0869: Standard Application Layer Protocol

  • New Activity Detected - LonTalk Command Codes
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Collection; Impair Process Control
    Techniques: T0861: Point & Tag Identification; T0855: Unauthorized Command Message

  • New Port Discovery
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Warning; Category: Discovery
    Tactics: Lateral Movement
    Techniques: T0867: Lateral Tool Transfer

  • New Activity Detected - LonTalk Network Variable
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control
    Techniques: T0855: Unauthorized Command Message

  • New Activity Detected - Ovation Data Request
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Collection; Discovery
    Techniques: T0801: Monitor Process State; T0888: Remote System Information Discovery

  • New Activity Detected - Read/Write Command (AMS Index Group)
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Configuration Changes
    Tactics: Impair Process Control; Inhibit Response Function
    Techniques: T0855: Unauthorized Command Message; T0836: Modify Parameter

  • New Activity Detected - Read/Write Command (AMS Index Offset)
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Configuration Changes
    Tactics: Impair Process Control; Inhibit Response Function
    Techniques: T0855: Unauthorized Command Message; T0836: Modify Parameter

  • New Activity Detected - Unauthorized DeltaV Message Type
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Execution
    Techniques: T0855: Unauthorized Command Message; T0821: Modify Controller Tasking

  • New Activity Detected - Unauthorized DeltaV ROC Operation
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Execution
    Techniques: T0855: Unauthorized Command Message; T0821: Modify Controller Tasking

  • New Activity Detected - Unauthorized RPC Message Type
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control
    Techniques: T0855: Unauthorized Command Message

  • New Activity Detected - Using AMS Protocol Command
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Inhibit Response Function; Execution
    Techniques: T0855: Unauthorized Command Message; T0836: Modify Parameter; T0821: Modify Controller Tasking

  • New Activity Detected - Using Siemens SICAM Command
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Inhibit Response Function
    Techniques: T0855: Unauthorized Command Message; T0836: Modify Parameter

  • New Activity Detected - Using Suitelink Protocol command
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Inhibit Response Function
    Techniques: T0855: Unauthorized Command Message; T0836: Modify Parameter

  • New Activity Detected - Using Suitelink Protocol sessions
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control
    Techniques: T0836: Modify Parameter

  • New Activity Detected - Using Yokogawa VNetIP Command
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Execution
    Techniques: T0855: Unauthorized Command Message; T0821: Modify Controller Tasking

  • New Asset Detected
    A new source device was detected on the network but hasn't been authorized.
    This alert applies to devices discovered in OT subnets. New devices discovered in IT subnets don't trigger an alert.
    Severity: Major; Category: Discovery
    Tactics: Discovery
    Techniques: T0842: Network Sniffing

  • New LLDP Device Configuration
    A new source device was detected on the network but hasn't been authorized.
    Severity: Major; Category: Configuration Changes
    Tactics: Discovery
    Techniques: T0842: Network Sniffing

  • Omron FINS Unauthorized Command
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control
    Techniques: T0855: Unauthorized Command Message; T0836: Modify Parameter

  • S7 Plus PLC Firmware Changed
    Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure.
    Severity: Major; Category: Firmware Change
    Tactics: Inhibit Response Function; Persistence
    Techniques: T0857: System Firmware

  • Sampled Values Message Type Settings
    Message (identified by protocol ID) settings were changed on a source device.
    Severity: Warning; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control
    Techniques: T0836: Modify Parameter

  • Suspicion of Illegal Integrity Scan *
    A scan was detected on a DNP3 source device (outstation). This scan wasn't authorized as learned traffic on your network.
    Severity: Major
    Tactics: Discovery
    Techniques: T0842: Network Sniffing

  • Toshiba Computer Link Unauthorized Command
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Minor; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Execution
    Techniques: T0855: Unauthorized Command Message; T0821: Modify Controller Tasking

  • Unauthorized ABB Totalflow File Operation
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Execution
    Techniques: T0855: Unauthorized Command Message; T0821: Modify Controller Tasking

  • Unauthorized ABB Totalflow Register Operation
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Execution
    Techniques: T0855: Unauthorized Command Message; T0821: Modify Controller Tasking

  • Unauthorized Access to Siemens S7 Data Block
    A source device attempted to access a resource on another device. An access attempt to this resource between these two devices hasn't been authorized as learned traffic on your network.
    Severity: Warning; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Initial Access
    Techniques: T0855: Unauthorized Command Message; T0811: Data from Information Repositories

  • Unauthorized Access to Siemens S7 Plus Object
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Execution; Inhibit Response Function
    Techniques: T0855: Unauthorized Command Message; T0821: Modify Controller Tasking; T0809: Data Destruction

  • Unauthorized Access to Wonderware Tag
    A source device attempted to access a resource on another device. An access attempt to this resource between these two devices hasn't been authorized as learned traffic on your network.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Collection; Impair Process Control
    Techniques: T0861: Point & Tag Identification; T0855: Unauthorized Command Message

  • Unauthorized BACNet Object Access
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Execution
    Techniques: T0855: Unauthorized Command Message; T0821: Modify Controller Tasking

  • Unauthorized BACNet Route
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Execution
    Techniques: T0855: Unauthorized Command Message; T0821: Modify Controller Tasking

  • Unauthorized Database Login *
    A sign-in attempt between a source client and destination server was detected. Communication between these devices hasn't been authorized as learned traffic on your network.
    Severity: Major; Category: Authentication
    Tactics: Lateral Movement; Persistence; Collection
    Techniques: T0859: Valid Accounts; T0811: Data from Information Repositories

  • Unauthorized Database Operation
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Abnormal Communication Behavior
    Tactics: Impair Process Control; Initial Access
    Techniques: T0855: Unauthorized Command Message; T0811: Data from Information Repositories

  • Unauthorized Emerson ROC Operation
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Execution
    Techniques: T0855: Unauthorized Command Message; T0821: Modify Controller Tasking

  • Unauthorized GE SRTP File Access
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Collection; Lateral Movement; Persistence
    Techniques: T0801: Monitor Process State; T0859: Valid Accounts

  • Unauthorized GE SRTP Protocol Command
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control
    Techniques: T0855: Unauthorized Command Message; T0821: Modify Controller Tasking

  • Unauthorized GE SRTP System Memory Operation
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Discovery; Impair Process Control
    Techniques: T0846: Remote System Discovery; T0855: Unauthorized Command Message

  • Unauthorized HTTP Activity
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Abnormal HTTP Communication Behavior
    Tactics: Initial Access; Command And Control
    Techniques: T0822: External Remote Services; T0869: Standard Application Layer Protocol

  • Unauthorized HTTP SOAP Action *
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Abnormal HTTP Communication Behavior
    Tactics: Command And Control; Execution
    Techniques: T0869: Standard Application Layer Protocol; T0871: Execution through API

  • Unauthorized HTTP User Agent *
    An unauthorized application was detected on a source device. The application hasn't been authorized as a learned application on your network.
    Severity: Major; Category: Abnormal HTTP Communication Behavior
    Tactics: Command And Control
    Techniques: T0869: Standard Application Layer Protocol

  • Unauthorized Internet Connectivity Detected
    A source device defined as part of your network is communicating with Internet addresses. The source isn't authorized to communicate with Internet addresses.
    Severity: Critical; Category: Internet Access
    Tactics: Initial Access
    Techniques: T0883: Internet Accessible Device

  • Unauthorized Mitsubishi MELSEC Command
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Execution
    Techniques: T0855: Unauthorized Command Message; T0821: Modify Controller Tasking

  • Unauthorized MMS Program Access
    A source device attempted to access a resource on another device. An access attempt to this resource between these two devices hasn't been authorized as learned traffic on your network.
    Severity: Major; Category: Programming
    Tactics: Impair Process Control; Execution
    Techniques: T0855: Unauthorized Command Message; T0821: Modify Controller Tasking

  • Unauthorized MMS Service
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Execution
    Techniques: T0855: Unauthorized Command Message; T0821: Modify Controller Tasking

  • Unauthorized Multicast/Broadcast Connection
    A Multicast/Broadcast connection was detected between a source device and other devices. Multicast/Broadcast communication isn't authorized.
    Severity: Critical; Category: Abnormal Communication Behavior
    Tactics: Discovery
    Techniques: T0842: Network Sniffing

  • Unauthorized Name Query
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Abnormal Communication Behavior
    Tactics: Impair Process Control
    Techniques: T0836: Modify Parameter

  • Unauthorized OPC UA Activity
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control
    Techniques: T0836: Modify Parameter

  • Unauthorized OPC UA Request/Response
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control
    Techniques: T0836: Modify Parameter

  • Unauthorized Operation was detected by a User Defined Rule
    Traffic was detected between two devices. This activity is unauthorized, based on a Custom Alert Rule defined by a user.
    Severity: Major; Category: Custom Alerts
    Tactics: Discovery
    Techniques: T0842: Network Sniffing

  • Unauthorized PLC Configuration Read
    The source device isn't defined as a programming device but performed a read/write operation on a destination controller. Programming changes should only be performed by programming devices. A programming application may have been installed on this device.
    Severity: Warning; Category: Configuration Changes
    Tactics: Collection
    Techniques: T0801: Monitor Process State

  • Unauthorized PLC Configuration Write
    The source device sent a command to read/write the program of a destination controller. This activity wasn't previously seen.
    Severity: Major; Category: Configuration Changes
    Tactics: Impair Process Control; Persistence; Impact
    Techniques: T0839: Module Firmware; T0831: Manipulation of Control; T0889: Modify Program

  • Unauthorized PLC Program Upload
    The source device sent a command to read/write the program of a destination controller. This activity wasn't previously seen.
    Severity: Major; Category: Programming
    Tactics: Impair Process Control; Persistence; Collection
    Techniques: T0839: Module Firmware; T0845: Program Upload

  • Unauthorized PLC Programming
    The source device isn't defined as a programming device but performed a read/write operation on a destination controller. Programming changes should only be performed by programming devices. A programming application may have been installed on this device.
    Severity: Critical; Category: Programming
    Tactics: Impair Process Control; Persistence; Lateral Movement
    Techniques: T0839: Module Firmware; T0889: Modify Program; T0843: Program Download

  • Unauthorized Profinet Frame Type
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control
    Techniques: T0836: Modify Parameter

  • Unauthorized SAIA S-Bus Command
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control
    Techniques: T0855: Unauthorized Command Message

  • Unauthorized Siemens S7 Execution of Control Function
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Inhibit Response Function
    Techniques: T0855: Unauthorized Command Message; T0809: Data Destruction

  • Unauthorized Siemens S7 Execution of User Defined Function
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Execution
    Techniques: T0836: Modify Parameter; T0863: User Execution

  • Unauthorized Siemens S7 Plus Block Access
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Inhibit Response Function; Persistence; Execution
    Techniques: T0803: Block Command Message; T0889: Modify Program; T0821: Modify Controller Tasking

  • Unauthorized Siemens S7 Plus Operation
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control; Execution
    Techniques: T0855: Unauthorized Command Message; T0863: User Execution

  • Unauthorized SMB Login
    A sign-in attempt between a source client and destination server was detected. Communication between these devices hasn't been authorized as learned traffic on your network.
    Severity: Major; Category: Authentication
    Tactics: Initial Access; Lateral Movement; Persistence
    Techniques: T0886: Remote Services; T0859: Valid Accounts

  • Unauthorized SNMP Operation
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Abnormal Communication Behavior
    Tactics: Discovery; Command And Control
    Techniques: T0842: Network Sniffing; T0885: Commonly Used Port

  • Unauthorized SSH Access
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Remote Access
    Tactics: Initial Access; Lateral Movement; Command And Control
    Techniques: T0886: Remote Services; T0869: Standard Application Layer Protocol

  • Unauthorized Windows Process
    An unauthorized application was detected on a source device. The application hasn't been authorized as a learned application on your network.
    Severity: Major; Category: Abnormal Communication Behavior
    Tactics: Execution; Privilege Escalation; Command And Control
    Techniques: T0841: Hooking; T0885: Commonly Used Port

  • Unauthorized Windows Service
    An unauthorized application was detected on a source device. The application hasn't been authorized as a learned application on your network.
    Severity: Major; Category: Abnormal Communication Behavior
    Tactics: Initial Access; Lateral Movement
    Techniques: T0866: Exploitation of Remote Services

  • Unauthorized Operation was detected by a User Defined Rule
    New traffic parameters were detected. This parameter combination violates a user defined rule.
    Severity: Major
    Tactics: Discovery
    Techniques: T0842: Network Sniffing

  • Unpermitted Modbus Schneider Electric Extension
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics: Impair Process Control
    Techniques: T0855: Unauthorized Command Message

  • Unpermitted Usage of ASDU Types
    New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized.
    Severity: Major; Category: Unauthorized Communication Behavior
    Tactics:
    - Impair Process Control

    Techniques:
    - T0855: Unauthorized Command Message Unpermitted Usage of DNP3 Function Code New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
    - Impair Process Control

    Techniques:
    - T0836: Modify Parameter Unpermitted Usage of Internal Indication (IIN) * A DNP3 source device (outstation) reported an internal indication (IIN) that hasn't authorized as learned traffic on your network. Major Illegal Commands Tactics:
    - Discovery

    Techniques:
    - T0842: Network Sniffing Unpermitted Usage of Modbus Function Code New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
    - Impair Process Control

    Techniques:
    - T0836: Modify Parameter

    Anomaly engine alerts

    This article contains references to the term slave , a term that Microsoft no longer uses. When the term is removed from the software, we’ll remove it from this article.

    Anomaly engine alerts describe detected anomalies in network activity.

| Title | Description | Severity | Category | MITRE ATT&CK tactics and techniques |
|---|---|---|---|---|
| Abnormal Exception Pattern in Slave * | An excessive number of errors were detected on a source device. This alert may be the result of an operational issue.<br><br>Threshold: 20 exceptions in 1 hour | Minor | Abnormal Communication Behavior | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0806: Brute Force I/O |
| Abnormal HTTP Header Length * | The source device sent an abnormal message. This alert may indicate an attempt to attack the destination device. | Critical | Abnormal HTTP Communication Behavior | Tactics:<br>- Initial Access<br>- Lateral Movement<br>- Command And Control<br><br>Techniques:<br>- T0866: Exploitation of Remote Services<br>- T0869: Standard Application Layer Protocol |
| Abnormal Number of Parameters in HTTP Header * | The source device sent an abnormal message. This alert may indicate an attempt to attack the destination device. | Critical | Abnormal HTTP Communication Behavior | Tactics:<br>- Initial Access<br>- Lateral Movement<br>- Command And Control<br><br>Techniques:<br>- T0866: Exploitation of Remote Services<br>- T0869: Standard Application Layer Protocol |
| Abnormal Periodic Behavior In Communication Channel | A change in the frequency of communication between the source and destination devices was detected. | Minor | Abnormal Communication Behavior | Tactics:<br>- Discovery<br><br>Techniques:<br>- T0842: Network Sniffing |
| Abnormal Termination of Applications * | An excessive number of stop commands were detected on a source device. This alert may be the result of an operational issue or an attempt to manipulate the device.<br><br>Threshold: 20 stop commands in 3 hours | Major | Abnormal Communication Behavior | Tactics:<br>- Persistence<br>- Impact<br><br>Techniques:<br>- T0889: Modify Program<br>- T0831: Manipulation of Control |
| Abnormal Traffic Bandwidth * | Abnormal bandwidth was detected on a channel. Bandwidth appears to be lower/higher than previously detected. For details, work with the Total Bandwidth widget. | Warning | Bandwidth Anomalies | Tactics:<br>- Discovery<br><br>Techniques:<br>- T0842: Network Sniffing |
| Abnormal Traffic Bandwidth Between Devices * | Abnormal bandwidth was detected on a channel. Bandwidth appears to be lower/higher than previously detected. For details, work with the Total Bandwidth widget. | Warning | Bandwidth Anomalies | Tactics:<br>- Discovery<br><br>Techniques:<br>- T0842: Network Sniffing |
| Address Scan Detected | A source device was detected scanning network devices. This device hasn't been authorized as a network scanning device.<br><br>Threshold: 50 connections to the same B class subnet in 2 minutes | Critical | | Tactics:<br>- Discovery<br><br>Techniques:<br>- T0842: Network Sniffing |
| ARP Address Scan Detected * | A source device was detected scanning network devices using Address Resolution Protocol (ARP). This device address hasn't been authorized as a valid ARP scanning address.<br><br>Threshold: 40 scans in 6 minutes | Critical | | Tactics:<br>- Discovery<br>- Collection<br><br>Techniques:<br>- T0842: Network Sniffing<br>- T0830: Man in the Middle |
| ARP Spoofing * | An abnormal quantity of packets was detected in the network. This alert could indicate an attack, for example, an ARP spoofing or ICMP flooding attack.<br><br>Threshold: 60 packets in 1 minute | Warning | Abnormal Communication Behavior | Tactics:<br>- Collection<br><br>Techniques:<br>- T0830: Man in the Middle |
| Excessive Login Attempts | A source device was seen performing excessive sign-in attempts to a destination server. This alert may indicate a brute force attack. The server may be compromised by a malicious actor.<br><br>Threshold: 20 sign-in attempts in 1 minute | Critical | Authentication | Tactics:<br>- Lateral Movement<br>- Impair Process Control<br><br>Techniques:<br>- T0812: Default Credentials<br>- T0806: Brute Force I/O |
| Excessive Number of Sessions | A source device was seen performing excessive sign-in attempts to a destination server. This may indicate a brute force attack. The server may be compromised by a malicious actor.<br><br>Threshold: 50 sessions in 1 minute | Critical | Abnormal Communication Behavior | Tactics:<br>- Lateral Movement<br>- Impair Process Control<br><br>Techniques:<br>- T0812: Default Credentials<br>- T0806: Brute Force I/O |
| Excessive Restart Rate of an Outstation * | An excessive number of restart commands were detected on a source device. These alerts may be the result of an operational issue or an attempt to manipulate the device.<br><br>Threshold: 10 restarts in 1 hour | Major | Restart/Stop Commands | Tactics:<br>- Inhibit Response Function<br>- Impair Process Control<br><br>Techniques:<br>- T0814: Denial of Service<br>- T0806: Brute Force I/O |
| Excessive SMB login attempts | A source device was seen performing excessive sign-in attempts to a destination server. This may indicate a brute force attack. The server may be compromised by a malicious actor.<br><br>Threshold: 10 sign-in attempts in 10 minutes | Critical | Authentication | Tactics:<br>- Persistence<br>- Execution<br>- Lateral Movement<br><br>Techniques:<br>- T0812: Default Credentials<br>- T0853: Scripting<br>- T0859: Valid Accounts |
| ICMP Flooding * | An abnormal quantity of packets was detected in the network. This alert could indicate an attack, for example, an ARP spoofing or ICMP flooding attack.<br><br>Threshold: 60 packets in 1 minute | Warning | Abnormal Communication Behavior | Tactics:<br>- Discovery<br>- Collection<br><br>Techniques:<br>- T0842: Network Sniffing<br>- T0830: Man in the Middle |
| Illegal HTTP Header Content * | The source device initiated an invalid request. | Critical | Abnormal HTTP Communication Behavior | Tactics:<br>- Initial Access<br>- Lateral Movement<br><br>Techniques:<br>- T0866: Exploitation of Remote Services |
| Inactive Communication Channel * | A communication channel between two devices was inactive during a period in which activity is usually observed. This might indicate that the program generating this traffic was changed, or the program might be unavailable. It's recommended to review the configuration of the installed program and verify that it's configured properly.<br><br>Threshold: 1 minute | Warning | Unresponsive | Tactics:<br>- Inhibit Response Function<br><br>Techniques:<br>- T0881: Service Stop |
| Long Duration Address Scan Detected * | A source device was detected scanning network devices. This device hasn't been authorized as a network scanning device.<br><br>Threshold: 50 connections to the same B class subnet in 10 minutes | Critical | | Tactics:<br>- Discovery<br><br>Techniques:<br>- T0842: Network Sniffing |
| Password Guessing Attempt Detected | A source device was seen performing excessive sign-in attempts to a destination server. This may indicate a brute force attack. The server may be compromised by a malicious actor.<br><br>Threshold: 100 attempts in 1 minute | Critical | Authentication | Tactics:<br>- Lateral Movement<br><br>Techniques:<br>- T0812: Default Credentials<br>- T0806: Brute Force I/O |
| PLC Scan Detected | A source device was detected scanning network devices. This device hasn't been authorized as a network scanning device.<br><br>Threshold: 10 scans in 2 minutes | Critical | | Tactics:<br>- Discovery<br><br>Techniques:<br>- T0842: Network Sniffing |
| Port Scan Detected | A source device was detected scanning network devices. This device hasn't been authorized as a network scanning device.<br><br>Threshold: 25 scans in 2 minutes | Critical | | Tactics:<br>- Discovery<br><br>Techniques:<br>- T0842: Network Sniffing |
| Unexpected message length | The source device sent an abnormal message. This alert may indicate an attempt to attack the destination device.<br><br>Threshold: text length - 32768 | Critical | Abnormal Communication Behavior | Tactics:<br>- Initial Access<br>- Lateral Movement<br><br>Techniques:<br>- T0869: Exploitation of Remote Services |
| Unexpected Traffic for Standard Port * | Traffic was detected on a device using a port reserved for another protocol. | Major | Abnormal Communication Behavior | Tactics:<br>- Command And Control<br>- Discovery<br><br>Techniques:<br>- T0869: Standard Application Layer Protocol<br>- T0842: Network Sniffing |

    Protocol violation engine alerts

    Protocol engine alerts describe detected deviations in the packet structure, or field values compared to protocol specifications.

| Title | Description | Severity | Category | MITRE ATT&CK tactics and techniques |
|---|---|---|---|---|
| Excessive Malformed Packets In a Single Session * | An abnormal number of malformed packets was sent from the source device to the destination device. This alert might indicate erroneous communications, or an attempt to manipulate the targeted device.<br><br>Threshold: 2 malformed packets in 10 minutes | Major | Illegal Commands | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0806: Brute Force I/O |
| Firmware Update | A source device sent a command to update firmware on a destination device. Verify that recent programming, configuration and firmware upgrades made to the destination device are valid. | Warning | Firmware Change | Tactics:<br>- Inhibit Response Function<br>- Persistence<br><br>Techniques:<br>- T0857: System Firmware |
| Function Code Not Supported by Outstation | The destination device received an invalid request. | Major | Illegal Commands | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0855: Unauthorized Command Message |
| Illegal BACNet message | The source device initiated an invalid request. | Major | Illegal Commands | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0855: Unauthorized Command Message<br>- T0836: Modify Parameter |
| Illegal Connection Attempt on Port 0 | A source device attempted to connect to a destination device on port number zero (0). For TCP, port 0 is reserved and can't be used. For UDP, the port is optional and a value of 0 means no port. There's usually no service on a system that listens on port 0. This event may indicate an attempt to attack the destination device, or indicate that an application was programmed incorrectly. | Minor | Illegal Commands | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0855: Unauthorized Command Message<br>- T0836: Modify Parameter |
| Illegal DNP3 Operation | The source device initiated an invalid request. | Major | Illegal Commands | Tactics:<br>- Initial Access<br>- Lateral Movement<br><br>Techniques:<br>- T0866: Exploitation of Remote Services |
| Illegal MODBUS Operation (Exception Raised by Master) | The source device initiated an invalid request. | Major | Illegal Commands | Tactics:<br>- Initial Access<br>- Lateral Movement<br><br>Techniques:<br>- T0866: Exploitation of Remote Services |
| Illegal MODBUS Operation (Function Code Zero) * | The source device initiated an invalid request. | Major | Illegal Commands | Tactics:<br>- Initial Access<br>- Lateral Movement<br><br>Techniques:<br>- T0866: Exploitation of Remote Services |
| Illegal Protocol Version * | The source device initiated an invalid request. | Major | Illegal Commands | Tactics:<br>- Initial Access<br>- Lateral Movement<br>- Impair Process Control<br><br>Techniques:<br>- T0820: Remote Services<br>- T0836: Modify Parameter |
| Incorrect Parameter Sent to Outstation | The destination device received an invalid request. | Major | Illegal Commands | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0855: Unauthorized Command Message<br>- T0836: Modify Parameter |
| Initiation of an Obsolete Function Code (Initialize Data) | The source device initiated an invalid request. | Minor | Illegal Commands | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0855: Unauthorized Command Message |
| Initiation of an Obsolete Function Code (Save Config) | The source device initiated an invalid request. | Minor | Illegal Commands | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0855: Unauthorized Command Message |
| Master Requested an Application Layer Confirmation | The source device initiated an invalid request. | Warning | Illegal Commands | Tactics:<br>- Command And Control<br><br>Techniques:<br>- T0869: Standard Application Layer Protocol |
| Modbus Exception | A source device (secondary) returned an exception to a destination device (primary). | Major | Illegal Commands | Tactics:<br>- Inhibit Response Function<br><br>Techniques:<br>- T0814: Denial of Service |
| Slave Device Received Illegal ASDU Type | The destination device received an invalid request. | Major | Illegal Commands | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0836: Modify Parameter |
| Slave Device Received Illegal Command Cause of Transmission | The destination device received an invalid request. | Major | Illegal Commands | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0855: Unauthorized Command Message<br>- T0836: Modify Parameter |
| Slave Device Received Illegal Common Address | The destination device received an invalid request. | Major | Illegal Commands | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0855: Unauthorized Command Message<br>- T0836: Modify Parameter |
| Slave Device Received Illegal Data Address Parameter * | The destination device received an invalid request. | Major | Illegal Commands | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0855: Unauthorized Command Message<br>- T0836: Modify Parameter |
| Slave Device Received Illegal Data Value Parameter * | The destination device received an invalid request. | Major | Illegal Commands | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0855: Unauthorized Command Message<br>- T0836: Modify Parameter |
| Slave Device Received Illegal Function Code * | The destination device received an invalid request. | Major | Illegal Commands | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0855: Unauthorized Command Message<br>- T0836: Modify Parameter |
| Slave Device Received Illegal Information Object Address | The destination device received an invalid request. | Major | Illegal Commands | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0855: Unauthorized Command Message<br>- T0836: Modify Parameter |
| Unknown Object Sent to Outstation | The destination device received an invalid request. | Major | Illegal Commands | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0855: Unauthorized Command Message |
| Usage of a Reserved Function Code | The source device initiated an invalid request. | Major | Illegal Commands | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0836: Modify Parameter |
| Usage of Improper Formatting by Outstation * | The source device initiated an invalid request. | Warning | Illegal Commands | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0855: Unauthorized Command Message |
| Usage of Reserved Status Flags (IIN) | A DNP3 source device (outstation) used the reserved Internal Indicator 2.6. It's recommended to check the device's configuration. | Warning | Illegal Commands | Tactics:<br>- Impair Process Control<br><br>Techniques:<br>- T0836: Modify Parameter |

    Malware engine alerts

    Malware engine alerts describe detected malicious network activity.

| Title | Description | Severity | Category | MITRE ATT&CK tactics and techniques |
|---|---|---|---|---|
| Connection Attempt to Known Malicious IP | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware.<br><br>Triggered by both OT and Enterprise IoT network sensors. | Critical | Suspicion of Malicious Activity | Tactics:<br>- Initial Access<br>- Command And Control<br><br>Techniques:<br>- T0883: Internet Accessible Device<br>- T0884: Connection Proxy |
| Invalid SMB Message (DoublePulsar Backdoor Implant) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | Tactics:<br>- Initial Access<br>- Lateral Movement<br><br>Techniques:<br>- T0866: Exploitation of Remote Services |
| Malicious Domain Name Request | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware.<br><br>Triggered by both OT and Enterprise IoT network sensors. | Critical | Suspicion of Malicious Activity | Tactics:<br>- Initial Access<br>- Command And Control<br><br>Techniques:<br>- T0883: Internet Accessible Device<br>- T0884: Connection Proxy |
| Malware Test File Detected - EICAR AV Success | An EICAR AV test file was detected in traffic between two devices (over any transport - TCP or UDP). The file isn't malware. It's used to confirm that the antivirus software is installed correctly, to demonstrate what happens when a virus is found, and to check internal procedures and reactions when a virus is found. Antivirus software should detect EICAR as if it were a real virus. | Critical | Suspicion of Malicious Activity | Tactics:<br>- Discovery<br><br>Techniques:<br>- T0842: Network Sniffing |
| Suspicion of Conficker Malware | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major | Suspicion of Malware | Tactics:<br>- Initial Access<br>- Impact<br><br>Techniques:<br>- T0826: Loss of Availability<br>- T0828: Loss of Productivity and Revenue<br>- T0847: Replication Through Removable Media |
| Suspicion of Denial Of Service Attack | A source device attempted to initiate an excessive number of new connections to a destination device. This may indicate a Denial Of Service (DOS) attack against the destination device, and might interrupt device functionality, affect performance and service availability, or cause unrecoverable errors.<br><br>Threshold: 3000 attempts in 1 minute | Critical | Suspicion of Malicious Activity | Tactics:<br>- Inhibit Response Function<br><br>Techniques:<br>- T0814: Denial of Service |
| Suspicion of Malicious Activity | Suspicious network activity was detected. This activity may be associated with an attack that triggered known 'Indicators of Compromise' (IOCs). Alert metadata should be reviewed by the security team. | Critical | Suspicion of Malicious Activity | Tactics:<br>- Lateral Movement<br><br>Techniques:<br>- T0867: Lateral Tool Transfer |
| Suspicion of Malicious Activity (BlackEnergy) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | Tactics:<br>- Command And Control<br><br>Techniques:<br>- T0869: Standard Application Layer Protocol |
| Suspicion of Malicious Activity (DarkComet) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | Tactics:<br>- Impact<br><br>Techniques:<br>- T0882: Theft of Operational Information |
| Suspicion of Malicious Activity (Duqu) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | Tactics:<br>- Impact<br><br>Techniques:<br>- T0882: Theft of Operational Information |
| Suspicion of Malicious Activity (Flame) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | Tactics:<br>- Collection<br>- Impact<br><br>Techniques:<br>- T0882: Theft of Operational Information<br>- T0811: Data from Information Repositories |
| Suspicion of Malicious Activity (Havex) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | Tactics:<br>- Collection<br>- Discovery<br>- Inhibit Response Function<br><br>Techniques:<br>- T0861: Point & Tag Identification<br>- T0846: Remote System Discovery<br>- T0814: Denial of Service |
| Suspicion of Malicious Activity (Karagany) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | Tactics:<br>- Impact<br><br>Techniques:<br>- T0882: Theft of Operational Information |
| Suspicion of Malicious Activity (LightsOut) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | Tactics:<br>- Evasion<br><br>Techniques:<br>- T0849: Masquerading |
| Suspicion of Malicious Activity (Name Queries) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware.<br><br>Threshold: 25 name queries in 1 minute | Critical | Suspicion of Malicious Activity | Tactics:<br>- Command And Control<br><br>Techniques:<br>- T0884: Connection Proxy |
| Suspicion of Malicious Activity (Poison Ivy) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | Tactics:<br>- Initial Access<br>- Lateral Movement<br><br>Techniques:<br>- T0866: Exploitation of Remote Services |
| Suspicion of Malicious Activity (Regin) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | Tactics:<br>- Initial Access<br>- Lateral Movement<br>- Impact<br><br>Techniques:<br>- T0866: Exploitation of Remote Services<br>- T0882: Theft of Operational Information |
| Suspicion of Malicious Activity (Stuxnet) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | Tactics:<br>- Initial Access<br>- Lateral Movement<br>- Impact<br><br>Techniques:<br>- T0818: Engineering Workstation Compromise<br>- T0866: Exploitation of Remote Services<br>- T0831: Manipulation of Control |
| Suspicion of Malicious Activity (WannaCry) * | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major | Suspicion of Malware | Tactics:<br>- Initial Access<br>- Lateral Movement<br><br>Techniques:<br>- T0866: Exploitation of Remote Services<br>- T0867: Lateral Tool Transfer |
| Suspicion of NotPetya Malware - Illegal SMB Parameters Detected | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | Tactics:<br>- Initial Access<br>- Lateral Movement<br><br>Techniques:<br>- T0866: Exploitation of Remote Services |
| Suspicion of NotPetya Malware - Illegal SMB Transaction Detected | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malware | Tactics:<br>- Lateral Movement<br><br>Techniques:<br>- T0867: Lateral Tool Transfer |
| Suspicion of Remote Code Execution with PsExec | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malicious Activity | Tactics:<br>- Lateral Movement<br>- Initial Access<br><br>Techniques:<br>- T0866: Exploitation of Remote Services |
| Suspicion of Remote Windows Service Management * | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malicious Activity | Tactics:<br>- Initial Access<br><br>Techniques:<br>- T0822: External Remote Services |
| Suspicious Executable File Detected on Endpoint | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical | Suspicion of Malicious Activity | Tactics:<br>- Evasion<br>- Inhibit Response Function<br><br>Techniques:<br>- T0851: Rootkit |
| Suspicious Traffic Detected * | Suspicious network activity was detected. This activity may be associated with an attack that triggered known 'Indicators of Compromise' (IOCs). Alert metadata should be reviewed by the security team. | Critical | Suspicion of Malicious Activity | Tactics:<br>- Discovery<br><br>Techniques:<br>- T0842: Network Sniffing |
| Backup Activity with Antivirus Signatures | Traffic detected between the source device and the destination backup server triggered this alert. The traffic includes a backup of antivirus software that might contain malware signatures. This is most likely legitimate backup activity. | Warning | Backup | Tactics:<br>- Impact<br><br>Techniques:<br>- T0882: Theft of Operational Information |

    Operational engine alerts

    Operational engine alerts describe detected operational incidents, or malfunctioning entities.

    Title Description Severity Category MITRE ATT&CK
    tactics and techniques An S7 Stop PLC Command was Sent The source device sent a stop command to a destination controller. The controller will stop operating until a start command is sent. Warning Restart/ Stop Commands Tactics:
    - Lateral Movement
    - Defense Evasion
    - Execution
    - Inhibit Response Function

    Techniques:
    - T0843: Program Download
    - T0858: Change Operating Mode
    - T0814: Denial of Service BACNet Operation Failed A server returned an error code. This alert indicates a server error or an invalid request by a client. Major Command Failures Tactics:
    - Impair Process Control

    Techniques:
    - T0855: Unauthorized Command Message Bad MMS Device State An MMS Virtual Manufacturing Device (VMD) sent a status message. The message indicates that the server may not be configured correctly, partially operational, or not operational at all. Major Operational Issues Tactics:
    - Inhibit Response Function

    Techniques:
    - T0814: Denial of Service Change of Device Configuration * A configuration change was detected on a source device. Minor Configuration Changes Tactics:
    - Impair Process Control

    Techniques:
    - T0836: Modify Parameter Continuous Event Buffer Overflow at Outstation * A buffer overflow event was detected on a source device. The event may cause data corruption, program crashes, or execution of malicious code.

    Threshold: 3 occurrences in 10 minutes Major Buffer Overflow Tactics:
    - Inhibit Response Function
    - Impair Process Control
    - Persistence

    Techniques:
    - T0814: Denial of Service
    - T0806: Brute Force I/O
    - T0839: Module Firmware Controller Reset A source device sent a reset command to a destination controller. The controller stopped operating temporarily and started again automatically. Warning Restart/ Stop Commands Tactics:
    - Defense Evasion
    - Execution
    - Inhibit Response Function

    Techniques:
    - T0858: Change Operating Mode
    - T0814: Denial of Service Controller Stop The source device sent a stop command to a destination controller. The controller will stop operating until a start command is sent. Warning Restart/ Stop Commands Tactics:
    - Lateral Movement
    - Defense Evasion
    - Execution
    - Inhibit Response Function

    Techniques:
    - T0843: Program Download
    - T0858: Change Operating Mode
    - T0814: Denial of Service

    Device Failed to Receive a Dynamic IP Address
    Description: The source device is configured to receive a dynamic IP address from a DHCP server but didn't receive an address. This indicates a configuration error on the device or an operational error in the DHCP server. It's recommended to notify the network administrator of the incident.
    Severity: Major
    Category: Command Failures
    Tactics:
    - Discovery
    Techniques:
    - T0842: Network Sniffing

    Device is Suspected to be Disconnected (Unresponsive)
    Description: A source device didn't respond to a command sent to it. It may have been disconnected when the command was sent.
    Threshold: 8 attempts in 5 minutes
    Severity: Major
    Category: Unresponsive
    Tactics:
    - Inhibit Response Function
    Techniques:
    - T0881: Service Stop

    EtherNet/IP CIP Service Request Failed
    Description: A server returned an error code. This indicates a server error or an invalid request by a client.
    Severity: Major
    Category: Command Failures
    Tactics:
    - Impair Process Control
    Techniques:
    - T0855: Unauthorized Command Message

    EtherNet/IP Encapsulation Protocol Command Failed
    Description: A server returned an error code. This indicates a server error or an invalid request by a client.
    Severity: Major
    Category: Command Failures
    Tactics:
    - Collection
    Techniques:
    - T0801: Monitor Process State

    Event Buffer Overflow in Outstation
    Description: A buffer overflow event was detected on a source device. The event may cause data corruption, program crashes, or execution of malicious code.
    Severity: Major
    Category: Buffer Overflow
    Tactics:
    - Inhibit Response Function
    - Impair Process Control
    - Persistence
    Techniques:
    - T0814: Denial of Service
    - T0839: Module Firmware

    Expected Backup Operation Did Not Occur
    Description: Expected backup/file transfer activity didn't occur between two devices. This alert may indicate errors in the backup/file transfer process.
    Threshold: 100 seconds
    Severity: Major
    Category: Backup
    Tactics:
    - Inhibit Response Function
    Techniques:
    - T0809: Data Destruction

    GE SRTP Command Failure
    Description: A server returned an error code. This alert indicates a server error or an invalid request by a client.
    Severity: Major
    Category: Command Failures
    Tactics:
    - Impair Process Control
    Techniques:
    - T0855: Unauthorized Command Message

    GE SRTP Stop PLC Command was Sent
    Description: The source device sent a stop command to a destination controller. The controller will stop operating until a start command is sent.
    Severity: Warning
    Category: Restart/Stop Commands
    Tactics:
    - Lateral Movement
    - Defense Evasion
    - Execution
    - Inhibit Response Function
    Techniques:
    - T0843: Program Download
    - T0858: Change Operating Mode
    - T0814: Denial of Service

    GOOSE Control Block Requires Further Configuration
    Description: A source device sent a GOOSE message indicating that the device needs commissioning. This means that the GOOSE control block requires further configuration and GOOSE messages are partially or completely non-operational.
    Severity: Major
    Category: Configuration Changes
    Tactics:
    - Impair Process Control
    - Inhibit Response Function
    Techniques:
    - T0803: Block Command Message
    - T0821: Modify Controller Tasking

    GOOSE Dataset Configuration was Changed *
    Description: A message (identified by protocol ID) dataset was changed on a source device. This means the device will report a different dataset for this message.
    Severity: Warning
    Category: Configuration Changes
    Tactics:
    - Impair Process Control
    Techniques:
    - T0836: Modify Parameter

    Honeywell Controller Unexpected Status
    Description: A Honeywell controller sent an unexpected diagnostic message indicating a status change.
    Severity: Warning
    Category: Operational Issues
    Tactics:
    - Evasion
    - Execution
    Techniques:
    - T0858: Change Operating Mode

    HTTP Client Error *
    Description: The source device initiated an invalid request.
    Severity: Warning
    Category: Abnormal HTTP Communication Behavior
    Tactics:
    - Command and Control
    Techniques:
    - T0869: Standard Application Layer Protocol

    Illegal IP Address
    Description: The system detected traffic between a source device and an invalid IP address. This may indicate a wrong configuration or an attempt to generate illegal traffic.
    Severity: Minor
    Category: Abnormal Communication Behavior
    Tactics:
    - Discovery
    - Impair Process Control
    Techniques:
    - T0842: Network Sniffing
    - T0836: Modify Parameter

    Master-Slave Authentication Error
    Description: The authentication process between a DNP3 source device (primary) and a destination device (outstation) failed.
    Severity: Minor
    Category: Authentication
    Tactics:
    - Lateral Movement
    - Persistence
    Techniques:
    - T0859: Valid Accounts

    MMS Service Request Failed
    Description: A server returned an error code. This indicates a server error or an invalid request by a client.
    Severity: Major
    Category: Command Failures
    Tactics:
    - Impair Process Control
    Techniques:
    - T0855: Unauthorized Command Message

    No Traffic Detected on Sensor Interface
    Description: A sensor stopped detecting network traffic on a network interface.
    Severity: Critical
    Category: Sensor Traffic
    Tactics:
    - Inhibit Response Function
    Techniques:
    - T0881: Service Stop

    OPC UA Server Raised an Event That Requires User's Attention
    Description: An OPC UA server sent an event notification to a client. This type of event requires user attention.
    Severity: Major
    Category: Operational Issues
    Tactics:
    - Inhibit Response Function
    Techniques:
    - T0838: Modify Alarm Settings

    OPC UA Service Request Failed
    Description: A server returned an error code. This indicates a server error or an invalid request by a client.
    Severity: Major
    Category: Command Failures
    Tactics:
    - Impair Process Control
    Techniques:
    - T0855: Unauthorized Command Message

    Outstation Restarted
    Description: A cold restart was detected on a source device. This means the device was physically turned off and back on again.
    Severity: Warning
    Category: Restart/Stop Commands
    Tactics:
    - Inhibit Response Function
    Techniques:
    - T0816: Device Restart/Shutdown

    Outstation Restarts Frequently
    Description: An excessive number of cold restarts were detected on a source device. This means the device was physically turned off and back on again an excessive number of times.
    Threshold: 2 restarts in 10 minutes
    Severity: Minor
    Category: Restart/Stop Commands
    Tactics:
    - Inhibit Response Function
    Techniques:
    - T0814: Denial of Service
    - T0816: Device Restart/Shutdown

    Outstation's Configuration Changed
    Description: A configuration change was detected on a source device.
    Severity: Major
    Category: Configuration Changes
    Tactics:
    - Inhibit Response Function
    - Persistence
    Techniques:
    - T0857: System Firmware

    Outstation's Corrupted Configuration Detected
    Description: This DNP3 source device (outstation) reported a corrupted configuration.
    Severity: Major
    Category: Configuration Changes
    Tactics:
    - Inhibit Response Function
    Techniques:
    - T0809: Data Destruction

    Profinet DCP Command Failed
    Description: A server returned an error code. This indicates a server error or an invalid request by a client.
    Severity: Major
    Category: Command Failures
    Tactics:
    - Impair Process Control
    Techniques:
    - T0855: Unauthorized Command Message

    Profinet Device Factory Reset
    Description: A source device sent a factory reset command to a Profinet destination device. The reset command clears the Profinet device's configuration and stops its operation.
    Severity: Warning
    Category: Restart/Stop Commands
    Tactics:
    - Defense Evasion
    - Execution
    - Inhibit Response Function
    Techniques:
    - T0858: Change Operating Mode
    - T0814: Denial of Service

    RPC Operation Failed *
    Description: A server returned an error code. This alert indicates a server error or an invalid request by a client.
    Severity: Major
    Category: Command Failures
    Tactics:
    - Impair Process Control
    Techniques:
    - T0855: Unauthorized Command Message

    Sampled Values Message Dataset Configuration was Changed *
    Description: A message (identified by protocol ID) dataset was changed on a source device. This means the device will report a different dataset for this message.
    Severity: Warning
    Category: Configuration Changes
    Tactics:
    - Impair Process Control
    Techniques:
    - T0836: Modify Parameter

    Slave Device Unrecoverable Failure *
    Description: An unrecoverable condition error was detected on a source device. This kind of error usually indicates a hardware failure or a failure to perform a specific command.
    Severity: Major
    Category: Command Failures
    Tactics:
    - Inhibit Response Function
    Techniques:
    - T0814: Denial of Service

    Suspicion of Hardware Problems in Outstation
    Description: An unrecoverable condition error was detected on a source device. This kind of error usually indicates a hardware failure or a failure to perform a specific command.
    Severity: Major
    Category: Operational Issues
    Tactics:
    - Inhibit Response Function
    Techniques:
    - T0814: Denial of Service
    - T0881: Service Stop

    Suspicion of Unresponsive MODBUS Device
    Description: A source device didn't respond to a command sent to it. It may have been disconnected when the command was sent.
    Threshold: Minimum of 1 valid response for a minimum of 3 requests within 5 minutes
    Severity: Minor
    Category: Unresponsive
    Tactics:
    - Inhibit Response Function
    Techniques:
    - T0881: Service Stop

    Traffic Detected on Sensor Interface
    Description: A sensor resumed detecting network traffic on a network interface.
    Severity: Warning
    Category: Sensor Traffic
    Tactics:
    - Discovery
    Techniques:
    - T0842: Network Sniffing

    PLC Operating Mode Changed
    Description: The operating mode on this PLC changed. The new mode may indicate that the PLC is not secure. Leaving the PLC in an unsecure operating mode may allow adversaries to perform malicious activities on it, such as a program download. If the PLC is compromised, devices and processes that interact with it may be impacted. This may affect overall system security and safety.
    Severity: Warning
    Category: Configuration Changes
    Tactics:
    - Execution
    - Evasion
    Techniques:
    - T0858: Change Operating Mode

    Next steps

    For more information, see:

  • View and manage alerts on the Defender for IoT portal (Preview)
  • View alerts on your sensor
  • Accelerate alert workflows
  • Forward alert information
  • Work with alerts on the on-premises management console
  • Alert management API reference for on-premises management consoles
  • Alert management API reference for OT monitoring sensors