Επεξεργασία

Κοινή χρήση μέσω


Microsoft Defender for IoT alert reference

This article provides a reference of the alerts that are generated by Microsoft Defender for IoT network sensors, including a list of all alert types and descriptions. The reference also shows which alerts can be triaged as learnable or not, for more information on the learnable status, see Alert statuses and triaging options. You might use this reference to map alerts into playbooks, define forwarding rules on an Operational Technology (OT) network sensor, or other custom activity.

OT alerts turned off by default

Several alerts are turned off by default, as indicated by asterisks (*) in the tables below. OT sensor Admin users can enable or disable alerts from the Support page on a specific OT network sensor.

If you turn off alerts that are referenced in other places, such as alert forwarding rules, make sure to update those references as needed.

Alert severities

Defender for IoT alerts use the following severity levels:

Azure portal OT sensor Description
High Critical Indicates a malicious attack that should be handled immediately.
Medium Major Indicates a security threat that's important to address.
Low Minor, Warning Indicates some deviation from the baseline behavior that might contain a security threat, or contains no security threats.

Alert severities on this page list the severity as shown in the Azure portal.

Supported alert types

Alert type Description
Policy violation alerts Triggered when the Policy Violation engine detects a deviation from traffic previously learned. For example:
- A new device is detected.
- A new configuration is detected on a device.
- A device not defined as a programming device carries out a programming change.
- A firmware version changed.
Protocol violation alerts Triggered when the Protocol Violation engine detects packet structures or field values that don't comply with the protocol specification.
Operational alerts Triggered when the Operational engine detects network operational incidents or a device malfunctioning. For example, a network device was stopped through a Stop PLC command, or an interface on a sensor stopped monitoring traffic.
Malware alerts Triggered when the Malware engine detects malicious network activity. For example, the engine detects a known attack such as Conficker.
Anomaly alerts Triggered when the Anomaly engine detects a deviation. For example, a device is performing network scans but isn't defined as a scanning device.

Defender for IoT's alert detection policy steers the different alert engines to trigger alerts based on business impact and network context, and reduce low-value IT related alerts. For more information, see Focused alerts in OT/IT environments.

Supported alert categories

Each alert has one of the following categories:

  • Abnormal Communication Behavior
  • Abnormal HTTP Communication Behavior
  • Authentication
  • Backup
  • Bandwidth Anomalies
  • Buffer overflow
  • Command Failures
  • Configuration changes
  • Custom Alerts
  • Discovery
  • Firmware change
  • Illegal commands
  • Internet Access
  • Operation Failures
  • Operational issues
  • Programming
  • Remote access
  • Restart/Stop Commands
  • Scan
  • Sensor traffic
  • Suspicion of malicious activity
  • Suspicion of Malware
  • Unauthorized Communication Behavior
  • Unresponsive

Policy engine alerts

Policy engine alerts describe detected deviations from learned baseline behavior.

Title Description Severity Category MITRE ATT&CK
Tactics and techniques
Learnable
Beckhoff Software Changed Firmware was updated on a source device. This might be authorized activity, for example a planned maintenance procedure. Medium Firmware Change Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
Learnable
Database Login Failed A failed sign-in attempt was detected from a source device to a destination server. This might be the result of human error, but could also indicate a malicious attempt to compromise the server or data on it.

Threshold: 2 sign-in failures in 5 minutes
Medium Authentication Tactics:
- Lateral Movement
- Collection

Techniques:
- T0812: Default Credentials
- T0811: Data from Information Repositories
Not learnable
Emerson ROC Firmware Version Changed Firmware was updated on a source device. This might be authorized activity, for example a planned maintenance procedure. Medium Firmware Change Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
Learnable
External address within the network communicated with Internet A source device defined as part of your network is communicating with Internet addresses. The source isn't authorized to communicate with Internet addresses. High Internet Access Tactics:
- Initial Access

Techniques:
- T0883: Internet Accessible Device
Learnable
Field Device Discovered Unexpectedly A new source device was detected on the network but isn't authorized. Medium Discovery Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Not learnable
Firmware Change Detected Firmware was updated on a source device. This might be authorized activity, for example a planned maintenance procedure. Medium Firmware Change Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
Not learnable
Firmware Version Changed Firmware was updated on a source device. This might be authorized activity, for example a planned maintenance procedure. Medium Firmware Change Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
Learnable
Foxboro I/A Unauthorized Operation New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Learnable
FTP Login Failed A failed sign-in attempt was detected from a source device to a destination server. This alert might be the result of human error, but could also indicate a malicious attempt to compromise the server or data on it. Medium Authentication Tactics:
- Lateral Movement
- Command And Control

Techniques:
- T0812: Default Credentials
- T0869: Standard Application Layer Protocol
Not learnable
Function Code Raised Unauthorized Exception * A source device (secondary) returned an exception to a destination device (primary). Medium Command Failures Tactics:
- Inhibit Response Function

Techniques:
- T0835: Manipulate I/O Image
Learnable
GOOSE Message Type Settings Message (identified by protocol ID) settings were changed on a source device. Low Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Learnable
Honeywell Firmware Version Changed Firmware was updated on a source device. This might be authorized activity, for example a planned maintenance procedure. Medium Firmware Change Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
Learnable
Illegal HTTP Communication * New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Abnormal HTTP Communication Behavior Tactics:
- Discovery

Techniques:
- T0846: Remote System Discovery
Learnable
Internet Access Detected A source device defined as part of your network is communicating with Internet addresses. The source isn't authorized to communicate with Internet addresses. Medium Internet Access Tactics:
- Initial Access

Techniques:
- T0883: Internet Accessible Device
Learnable
Mitsubishi Firmware Version Changed Firmware was updated on a source device. This might be authorized activity, for example a planned maintenance procedure. Medium Firmware Change Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
Learnable
Modbus Address Range Violation A primary device requested access to a new secondary memory address. Medium Unauthorized Communication Behavior Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Learnable
Modbus Firmware Version Changed Firmware was updated on a source device. This might be authorized activity, for example a planned maintenance procedure. Medium Firmware Change Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
Learnable
New Activity Detected - CIP Class New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Discovery

Techniques:
- T0888: Remote System Information Discovery
Learnable
New Activity Detected - CIP Class Service New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Inhibit Response Function

Techniques:
- T0836: Modify Parameter
Learnable
New Activity Detected - CIP PCCC Command New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Inhibit Response Function

Techniques:
- T0836: Modify Parameter
Learnable
New Activity Detected - CIP Symbol New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Inhibit Response Function

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Learnable
New Activity Detected - EtherNet/IP I/O Connection New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Discovery
- Inhibit Response Function

Techniques:
- T0846: Remote System Discovery
- T0835: Manipulate I/O Image
Learnable
New Activity Detected - EtherNet/IP Protocol Command New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Inhibit Response Function

Techniques:
- T0836: Modify Parameter
Learnable
New Activity Detected - GSM Message Code New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- CommandAndControl

Techniques:
- T0869: Standard Application Layer Protocol
Learnable
New Activity Detected - LonTalk Command Codes New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Collection
- Impair Process Control

Techniques:
- T0861 - Point & Tag Identification
- T0855: Unauthorized Command Message
Learnable
New Port Discovery New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Low Discovery Tactics:
- Lateral Movement

Techniques:
- T0867: Lateral Tool Transfer
Learnable
New Activity Detected - LonTalk Network Variable New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Learnable
New Activity Detected - Ovation Data Request New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Collection
- Discovery

Techniques:
- T0801: Monitor Process State
- T0888: Remote System Information Discovery
Learnable
New Activity Detected - Read/Write Command (AMS Index Group) New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Configuration Changes Tactics:
- Impair Process Control
- Inhibit Response Function

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Learnable
New Activity Detected - Read/Write Command (AMS Index Offset) New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Configuration Changes Tactics:
- Impair Process Control
- Inhibit Response Function

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Learnable
New Activity Detected - Unauthorized DeltaV Message Type New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Learnable
New Activity Detected - Unauthorized DeltaV ROC Operation New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Learnable
New Activity Detected - Unauthorized RPC Message Type New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Learnable
New Activity Detected - Using AMS Protocol Command New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Inhibit Response Function
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
- T0821: Modify Controller Tasking
Learnable
New Activity Detected - Using Siemens SICAM Command New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Inhibit Response Function

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Learnable
New Activity Detected - Using Suitelink Protocol command New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Inhibit Response Function

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Learnable
New Activity Detected - Using Suitelink Protocol sessions New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Learnable
New Activity Detected - Using Yokogawa VNetIP Command New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Learnable
New Asset Detected A new source device was detected on the network but isn't authorized.

This alert applies to devices discovered in OT subnets. New devices discovered in IT subnets don't trigger an alert.
Medium Discovery Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Learnable
New LLDP Device Configuration A new source device was detected on the network but isn't authorized. Medium Configuration Changes Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Learnable
Omron FINS Unauthorized Command New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Learnable
S7 Plus PLC Firmware Changed Firmware was updated on a source device. This might be authorized activity, for example a planned maintenance procedure. Medium Firmware Change Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
Learnable
Sampled Values Message Type Settings Message (identified by protocol ID) settings were changed on a source device. Low Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Not learnable
Suspicion of Illegal Integrity Scan * A scan was detected on a DNP3 source device (outstation). This scan wasn't authorized as learned traffic on your network. Medium Scan Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Learnable
Toshiba Computer Link Unauthorized Command New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Low Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Learnable
Unauthorized ABB Totalflow File Operation New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Not learnable
Unauthorized ABB Totalflow Register Operation New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Not learnable
Unauthorized Access to Siemens S7 Data Block A source device attempted to access a resource on another device. An access attempt to this resource between these two devices isn't authorized as learned traffic on your network. Low Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Initial Access

Techniques:
- T0855: Unauthorized Command Message
- T0811: Data from Information Repositories
Learnable
Unauthorized Access to Siemens S7 Plus Object New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution
- Inhibit Response Function

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
- T0809: Data Destruction
Learnable
Unauthorized Access to Wonderware Tag A source device attempted to access a resource on another device. An access attempt to this resource between these two devices isn't authorized as learned traffic on your network. Medium Unauthorized Communication Behavior Tactics:
- Collection
- Impair Process Control

Techniques:
- T0861: Point & Tag Identification
- T0855: Unauthorized Command Message
Learnable
Unauthorized BACNet Object Access New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Learnable
Unauthorized BACNet Route New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Learnable
Unauthorized Database Login * A sign-in attempt between a source client and destination server was detected. Communication between these devices isn't authorized as learned traffic on your network. Medium Authentication Tactics:
- Lateral Movement
- Persistence
- Collection

Techniques:
- T0859: Valid Accounts
- T0811: Data from Information Repositories
Learnable
Unauthorized Database Operation New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Abnormal Communication Behavior Tactics:
- Impair Process Control
- Initial Access

Techniques:
- T0855: Unauthorized Command Message
- T0811: Data from Information Repositories
Learnable
Unauthorized Emerson ROC Operation New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Learnable
Unauthorized GE SRTP File Access New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Collection
- LateralMovement
- Persistence

Techniques:
- T0801: Monitor Process State
- T0859: Valid Accounts
Learnable
Unauthorized GE SRTP Protocol Command New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Learnable
Unauthorized GE SRTP System Memory Operation New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Discovery
- Impair Process Control

Techniques:
- T0846: Remote System Discovery
- T0855: Unauthorized Command Message
Learnable
Unauthorized HTTP Activity New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Abnormal HTTP Communication Behavior Tactics:
- Initial Access
- Command And Control

Techniques:
- T0822: External Remote Services
- T0869: Standard Application Layer Protocol
Learnable
Unauthorized HTTP SOAP Action * New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Abnormal HTTP Communication Behavior Tactics:
- Command And Control
- Execution

Techniques:
- T0869: Standard Application Layer Protocol
- T0871: Execution through API
Learnable
Unauthorized HTTP User Agent * An unauthorized application was detected on a source device. The application isn't authorized as a learned application on your network. Medium Abnormal HTTP Communication Behavior Tactics:
- Command And Control

Techniques:
- T0869: Standard Application Layer Protocol
Learnable
Unauthorized Internet Connectivity Detected A source device defined as part of your network is communicating with Internet addresses. The source isn't authorized to communicate with Internet addresses. High Internet Access Tactics:
- Initial Access

Techniques:
- T0883: Internet Accessible Device
Learnable
Unauthorized Mitsubishi MELSEC Command New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Learnable
Unauthorized MMS Program Access A source device attempted to access a resource on another device. An access attempt to this resource between these two devices isn't authorized as learned traffic on your network. Medium Programming Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Learnable
Unauthorized MMS Service New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Learnable
Unauthorized Multicast/Broadcast Connection A Multicast/Broadcast connection was detected between a source device and other devices. Multicast/Broadcast communication isn't authorized. High Abnormal Communication Behavior Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Learnable
Unauthorized Name Query New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Abnormal Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Not learnable
Unauthorized OPC UA Activity New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Learnable
Unauthorized OPC UA Request/Response New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Learnable
Unauthorized Operation was detected by a User Defined Rule Traffic was detected between two devices. This activity is unauthorized, based on a Custom Alert Rule defined by a user. Medium Custom Alerts Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Not learnable
Unauthorized PLC Configuration Read The source device isn't defined as a programming device but performed a read/write operation on a destination controller. Programming changes should only be performed by programming devices. A programming application might have been installed on this device. Low Configuration Changes Tactics:
- Collection

Techniques:
- T0801: Monitor Process State
Learnable
Unauthorized PLC Configuration Write The source device sent a command to read/write the program of a destination controller. This activity wasn't previously seen. Medium Configuration Changes Tactics:
- Impair Process Control
- Persistence
- Impact

Techniques:
- T0839: Module Firmware
- T0831: Manipulation of Control
- T0889: Modify Program
Learnable
Unauthorized PLC Program Upload The source device sent a command to read/write the program of a destination controller. This activity wasn't previously seen. Medium Programming Tactics:
- Impair Process Control
- Persistence
- Collection

Techniques:
- T0839: Module Firmware
- T0845: Program Upload
Learnable
Unauthorized PLC Programming The source device isn't defined as a programming device but performed a read/write operation on a destination controller. Programming changes should only be performed by programming devices. A programming application might have been installed on this device. High Programming Tactics:
- Impair Process Control
- Persistence
- Lateral Movement

Techniques:
- T0839: Module Firmware
- T0889: Modify Program
- T0843: Program Download
Learnable
Unauthorized Profinet Frame Type New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Learnable
Unauthorized SAIA S-Bus Command New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Learnable
Unauthorized Siemens S7 Execution of Control Function New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Inhibit Response Function

Techniques:
- T0855: Unauthorized Command Message
- T0809: Data Destruction
Learnable
Unauthorized Siemens S7 Execution of User Defined Function New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0836: Modify Parameter
- T0863: User Execution
Learnable
Unauthorized Siemens S7 Plus Block Access New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Inhibit Response Function
- Persistence
- Execution

Techniques:
- T0803 - Block Command Message
- T0889: Modify Program
- T0821: Modify Controller Tasking
Learnable
Unauthorized Siemens S7 Plus Operation New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0863: User Execution
Learnable
Unauthorized SMB Login A sign-in attempt between a source client and destination server was detected. Communication between these devices isn't authorized as learned traffic on your network. Medium Authentication Tactics:
- Initial Access
- Lateral Movement
- Persistence

Techniques:
- T0886: Remote Services
- T0859: Valid Accounts
Learnable
Unauthorized SNMP Operation New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Abnormal Communication Behavior Tactics:
- Discovery
- Command And Control

Techniques:
- T0842: Network Sniffing
- T0885: Commonly Used Port
Learnable
Unauthorized SSH Access New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Remote Access Tactics:
- InitialAccess
- Lateral Movement
- Command And Control

Techniques:
- T0886: Remote Services
- T0869: Standard Application Layer Protocol
Learnable
Unauthorized Windows Process An unauthorized application was detected on a source device. The application isn't authorized as a learned application on your network. Medium Abnormal Communication Behavior Tactics:
- Execution
- Privilege Escalation
- Command And Control

Techniques:
- T0841: Hooking
- T0885: Commonly Used Port
Learnable
Unauthorized Windows Service An unauthorized application was detected on a source device. The application isn't authorized as a learned application on your network. Medium Abnormal Communication Behavior Tactics:
- Initial Access
- Lateral Movement

Techniques:
- T0866: Exploitation of Remote Services
Learnable
Unauthorized Operation was detected by a User Defined Rule New traffic parameters were detected. This parameter combination violates a user defined rule Medium Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Not learnable
Unpermitted Modbus Schneider Electric Extension New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Learnable
Unpermitted Usage of ASDU Types New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Learnable
Unpermitted Usage of DNP3 Function Code New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Learnable
Unpermitted Usage of Internal Indication (IIN) * A DNP3 source device (outstation) reported an internal indication (IIN) that hasn't authorized as learned traffic on your network. Medium Illegal Commands Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Learnable
Unpermitted Usage of Modbus Function Code New traffic parameters were detected. This parameter combination isn't authorized as learned traffic on your network. The following combination is unauthorized. Medium Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Learnable

Anomaly engine alerts

Note

This article contains references to the term slave, a term that Microsoft no longer uses. When the term is removed from the software, we’ll remove it from this article.

Anomaly engine alerts describe detected anomalies in network activity.

Title Description Severity Category MITRE ATT&CK
Tactics and techniques
Learnable
Abnormal Exception Pattern in Slave * An excessive number of errors were detected on a source device. This alert might be the result of an operational issue.

Threshold: 20 exceptions in 1 hour
Low Abnormal Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0806: Brute Force I/O
Not learnable
Abnormal HTTP Header Length * The source device sent an abnormal message. This alert might indicate an attempt to attack the destination device. High Abnormal HTTP Communication Behavior Tactics:
- Initial Access
- Lateral Movement
- Command And Control

Techniques:
- T0866: Exploitation of Remote Services
- T0869: Standard Application Layer Protocol
Learnable
Abnormal Number of Parameters in HTTP Header * The source device sent an abnormal message. This alert might indicate an attempt to attack the destination device. High Abnormal HTTP Communication Behavior Tactics:
- Initial Access
- Lateral Movement
- Command And Control

Techniques:
- T0866: Exploitation of Remote Services
- T0869: Standard Application Layer Protocol
Learnable
Abnormal Periodic Behavior In Communication Channel A change in the frequency of communication between the source and destination devices was detected. Low Abnormal Communication Behavior Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Learnable
Abnormal Termination of Applications * An excessive number of stop commands were detected on a source device. This alert might be the result of an operational issue or an attempt to manipulate the device.

Threshold: 20 stop commands in 3 hours
Medium Abnormal Communication Behavior Tactics:
- Persistence
- Impact

Techniques:
- T0889: Modify Program
- T0831: Manipulation of Control
Learnable
Abnormal Traffic Bandwidth * Abnormal bandwidth was detected on a channel. Bandwidth appears to be lower/higher than previously detected. For details, work with the Total Bandwidth widget. Low Bandwidth Anomalies Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Learnable
Abnormal Traffic Bandwidth Between Devices * Abnormal bandwidth was detected on a channel. Bandwidth appears to be lower/higher than previously detected. For details, work with the Total Bandwidth widget. Low Bandwidth Anomalies Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Not learnable
Address Scan Detected A source device was detected scanning network devices. This device isn't authorized as a network scanning device.

Threshold: 50 connections to the same B class subnet in 2 minutes
High Scan Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Learnable
ARP Address Scan Detected * A source device was detected scanning network devices using Address Resolution Protocol (ARP). This device address isn't authorized as valid ARP scanning address.

Threshold: 40 scans in 6 minutes
High Scan Tactics:
- Discovery
- Collection

Techniques:
- T0842: Network Sniffing
- T0830: Man in the Middle
Learnable
ARP Spoofing * An abnormal quantity of packets was detected in the network. This alert could indicate an attack, for example, an ARP spoofing or ICMP flooding attack.

Threshold: 60 packets in 1 minute
Low Abnormal Communication Behavior Tactics:
- Collection

Techniques:
- T0830: Man in the Middle
Not learnable
Excessive Login Attempts A source device was seen performing excessive sign-in attempts to a destination server. This alert might indicate a brute force attack. The server might be compromised by a malicious actor.

Threshold: 20 sign-in attempts in 1 minute
High Authentication Tactics:
- LateralMovement
- Impair Process Control

Techniques:
- T0812: Default Credentials
- T0806: Brute Force I/O
Not learnable
Excessive Number of Sessions A source device was seen performing excessive sign-in attempts to a destination server. This might indicate a brute force attack. The server might be compromised by a malicious actor.

Threshold: 50 sessions in 1 minute
High Abnormal Communication Behavior Tactics:
- Lateral Movement
- Impair Process Control

Techniques:
- T0812: Default Credentials
- T0806: Brute Force I/O
Not learnable
Excessive Restart Rate of an Outstation * An excessive number of restart commands were detected on a source device. These alerts might be the result of an operational issue or an attempt to manipulate the device.

Threshold: 10 restarts in 1 hour
Medium Restart/ Stop Commands Tactics:
- Inhibit Response Function
- Impair Process Control

Techniques:
- T0814: Denial of Service
- T0806: Brute Force I/O
Not learnable
Excessive SMB login attempts A source device was seen performing excessive sign-in attempts to a destination server. This might indicate a brute force attack. The server might be compromised by a malicious actor.

Threshold: 10 sign-in attempts in 10 minutes
High Authentication Tactics:
- Persistence
- Execution
- LateralMovement

Techniques:
- T0812: Default Credentials
- T0853: Scripting
- T0859: Valid Accounts
Not learnable
ICMP Flooding * An abnormal quantity of packets was detected in the network. This alert could indicate an attack, for example, an ARP spoofing or ICMP flooding attack.

Threshold: 60 packets in 1 minute
Low Abnormal Communication Behavior Tactics:
- Discovery
- Collection

Techniques:
- T0842: Network Sniffing
- T0830: Man in the Middle
Not learnable
Illegal HTTP Header Content * The source device initiated an invalid request. High Abnormal HTTP Communication Behavior Tactics:
- Initial Access
- LateralMovement

Techniques:
- T0866: Exploitation of Remote Services
Not learnable
Inactive Communication Channel * A communication channel between two devices was inactive during a period in which activity is usually observed. This might indicate that the program generating this traffic was changed, or the program might be unavailable. It's recommended to review the configuration of installed program and verify that it's configured properly.

Threshold: 1 minute
Low Unresponsive Tactics:
- Inhibit Response Function

Techniques:
- T0881: Service Stop
Not lernable
Long Duration Address Scan Detected * A source device was detected scanning network devices. This device isn't authorized as a network scanning device.

Threshold: 50 connections to the same B class subnet in 10 minutes
High Scan Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Learnable
Password Guessing Attempt Detected A source device was seen performing excessive sign-in attempts to a destination server. This might indicate a brute force attack. The server might be compromised by a malicious actor.

Threshold: 100 attempts in 1 minute
High Authentication Tactics:
- Lateral Movement

Techniques:
- T0812: Default Credentials
- T0806: Brute Force I/O
Not learnable
PLC Scan Detected A source device was detected scanning network devices. This device isn't authorized as a network scanning device.

Threshold: 10 scans in 2 minutes
High Scan Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Learnable
Port Scan Detected A source device was detected scanning network devices. This device isn't authorized as a network scanning device.

Threshold: 25 scans in 2 minutes
High Scan Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Learnable
Unexpected message length The source device sent an abnormal message. This alert might indicate an attempt to attack the destination device.

Threshold: text length - 32768
High Abnormal Communication Behavior Tactics:
- InitialAccess
- LateralMovement

Techniques:
- T0869: Exploitation of Remote Services
Not learnable
Unexpected Traffic for Standard Port * Traffic was detected on a device using a port reserved for another protocol. Medium Abnormal Communication Behavior Tactics:
- Command And Control
- Discovery

Techniques:
- T0869: Standard Application Layer Protocol
- T0842: Network Sniffing
Not learnable

Protocol violation engine alerts

Protocol engine alerts describe detected deviations in the packet structure, or field values compared to protocol specifications.

Title Description Severity Category MITRE ATT&CK
Tactics and techniques
Learnable
Excessive Malformed Packets In a Single Session * An abnormal number of malformed packets sent from the source device to the destination device. This alert might indicate erroneous communications, or an attempt to manipulate the targeted device.

Threshold: 2 malformed packets in 10 minutes
Medium Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0806: Brute Force I/O
Not learnable
Firmware Update A source device sent a command to update firmware on a destination device. Verify that recent programming, configuration and firmware upgrades made to the destination device are valid. Low Firmware Change Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
Learnable
Function Code Not Supported by Outstation The destination device received an invalid request. Medium Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Not learnable
Illegal BACNet message The source device initiated an invalid request. Medium Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Not learnable
Illegal Connection Attempt on Port 0 A source device attempted to connect to destination device on port number zero (0). For TCP, port 0 is reserved and can’t be used. For UDP, the port is optional and a value of 0 means no port. There's usually no service on a system that listens on port 0. This event might indicate an attempt to attack the destination device, or indicate that an application was programmed incorrectly. Low Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Not learnable
Illegal DNP3 Operation The source device initiated an invalid request. Medium Illegal Commands Tactics:
- Initial Access
- Lateral Movement

Techniques:
- T0866: Exploitation of Remote Services
Not learnable
Illegal MODBUS Operation (Exception Raised by Master) The source device initiated an invalid request. Medium Illegal Commands Tactics:
- Initial Access
- Lateral Movement

Techniques:
- T0866: Exploitation of Remote Services
Not learnable
Illegal MODBUS Operation (Function Code Zero) * The source device initiated an invalid request. Medium Illegal Commands Tactics:
- Initial Access
- Lateral Movement

Techniques:
- T0866: Exploitation of Remote Services
Not learnable
Illegal Protocol Version * The source device initiated an invalid request. Medium Illegal Commands Tactics:
- Initial Access
- LateralMovement
- Impair Process Control

Techniques:
- T0820: Remote Services
- T0836: Modify Parameter
Not learnable
Incorrect Parameter Sent to Outstation The destination device received an invalid request. Medium Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Not learnable
Initiation of an Obsolete Function Code (Initialize Data) The source device initiated an invalid request. Low Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Not learnable
Initiation of an Obsolete Function Code (Save Config) The source device initiated an invalid request. Low Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Not learnable
Master Requested an Application Layer Confirmation The source device initiated an invalid request. Low Illegal Commands Tactics:
- Command And Control

Techniques:
- T0869: Standard Application Layer Protocol
Not learnable
Modbus Exception A source device (secondary) returned an exception to a destination device (primary). Medium Illegal Commands Tactics:
- Inhibit Response Function

Techniques:
- T0814: Denial of Service
Not learnable
Slave Device Received Illegal ASDU Type The destination device received an invalid request. Medium Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Not learnable
Slave Device Received Illegal Command Cause of Transmission The destination device received an invalid request. Medium Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Not learnable
Slave Device Received Illegal Common Address The destination device received an invalid request. Medium Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Not learnable
Slave Device Received Illegal Data Address Parameter * The destination device received an invalid request. Medium Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Not learnable
Slave Device Received Illegal Data Value Parameter * The destination device received an invalid request. Medium Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Not learnable
Slave Device Received Illegal Function Code * The destination device received an invalid request. Medium Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Not learnable
Slave Device Received Illegal Information Object Address The destination device received an invalid request. Medium Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Not learnable
Unknown Object Sent to Outstation The destination device received an invalid request. Medium Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Not learnable
Usage of a Reserved Function Code The source device initiated an invalid request. Medium Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Not learnable
Usage of Improper Formatting by Outstation * The source device initiated an invalid request. Low Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Not learnable
Usage of Reserved Status Flags (IIN) A DNP3 source device (outstation) used the reserved Internal Indicator 2.6. It's recommended to check the device's configuration. Low Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Not learnable

Malware engine alerts

Malware engine alerts describe detected malicious network activity.

Title Description Severity Category MITRE ATT&CK
Tactics and techniques
Learnable
Connection Attempt to Known Malicious IP Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware.

Triggered by both OT and Enterprise IoT network sensors.
High Suspicion of Malicious Activity Tactics:
- Initial Access
- Command And Control

Techniques:
- T0883: Internet Accessible Device
- T0884: Connection Proxy
Not learnable
Invalid SMB Message (DoublePulsar Backdoor Implant) Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. High Suspicion of Malware Tactics:
- Initial Access
- LateralMovement

Techniques:
- T0866: Exploitation of Remote Services
Not learnable
Malicious Domain Name Request Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware.

Triggered by both OT and Enterprise IoT network sensors.
High Suspicion of Malicious Activity Tactics:
- Initial Access
- Command And Control

Techniques:
- T0883: Internet Accessible Device
- T0884: Connection Proxy
Learnable
Malicious URL Path A request was made to a known malicious URL path. Requests made for this URL path may indicate that the source making the request is compromised. High Suspicion of Malicious Activity Tactics:
- Initial Access
- Command And Control

Techniques:
- T0883: Internet Accessible Device
- T0884: Connection Proxy
Not learnable
Malware Test File Detected - EICAR AV Success An EICAR AV test file was detected in traffic between two devices (over any transport - TCP or UDP). The file isn't malware. It's used to confirm that the antivirus software is installed correctly. Demonstrate what happens when a virus is found, and check internal procedures and reactions when a virus is found. Antivirus software should detect EICAR as if it were a real virus. High Suspicion of Malicious Activity Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Not learnable
Suspicion of Conficker Malware Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. Medium Suspicion of Malware Tactics:
- Initial Access
- Impact

Techniques:
- T0826: Loss of Availability
- T0828: Loss of Productivity and Revenue
- T0847: Replication Through Removable Media
Not learnable
Suspicion of Denial Of Service Attack A source device attempted to initiate an excessive number of new connections to a destination device. This might indicate a Denial Of Service (DOS) attack against the destination device, and might interrupt device functionality, affect performance and service availability, or cause unrecoverable errors.

Threshold: 3000 attempts in 1 minute
High Suspicion of Malicious Activity Tactics:
- Inhibit Response Function

Techniques:
- T0814: Denial of Service
Learnable
Suspicion of Malicious Activity Suspicious network activity was detected. This activity might be associated with an attack that triggered known 'Indicators of Compromise' (IOCs). Alert metadata should be reviewed by the security team. High Suspicion of Malicious Activity Tactics:
- Lateral Movement

Techniques:
- T0867: Lateral Tool Transfer
Not learnable
Suspicion of Malicious Activity (BlackEnergy) Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. High Suspicion of Malware Tactics:
- Command And Control

Techniques:
- T0869: Standard Application Layer Protocol
Not learnable
Suspicion of Malicious Activity (DarkComet) Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. High Suspicion of Malware Tactics:
- Impact

Techniques:
- T0882: Theft of Operational Information
Not learnable
Suspicion of Malicious Activity (Duqu) Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. High Suspicion of Malware Tactics:
- Impact

Techniques:
- T0882: Theft of Operational Information
Not learnable
Suspicion of Malicious Activity (Flame) Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. High Suspicion of Malware Tactics:
- Collection
- Impact

Techniques:
- T0882: Theft of Operational Information
- T0811: Data from Information Repositories
Not learnable
Suspicion of Malicious Activity (Havex) Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. High Suspicion of Malware Tactics:
- Collection
- Discovery
- Inhibit Response Function

Techniques:
- T0861: Point & Tag Identification
- T0846: Remote System Discovery
- T0814: Denial of Service
Not learnable
Suspicion of Malicious Activity (Karagany) Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. High Suspicion of Malware Tactics:
- Impact

Techniques:
- T0882: Theft of Operational Information
Not learnable
Suspicion of Malicious Activity (LightsOut) Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. High Suspicion of Malware Tactics:
- Evasion

Techniques:
- T0849: Masquerading
Not learnable
Suspicion of Malicious Activity (Name Queries) Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware.

Threshold: 25 name queries in 1 minute
High Suspicion of Malicious Activity Tactics:
- Command And Control

Techniques:
- T0884: Connection Proxy
Not learnable
Suspicion of Malicious Activity (Poison Ivy) Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. High Suspicion of Malware Tactics:
- Initial Access
- Lateral Movement

Techniques:
- T0866: Exploitation of Remote Services
Not learnable
Suspicion of Malicious Activity (Regin) Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. High Suspicion of Malware Tactics:
- Initial Access
- Lateral Movement
- Impact

Techniques:
- T0866: Exploitation of Remote Services
- T0882: Theft of Operational Information
Not learnable
Suspicion of Malicious Activity (Stuxnet) Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. High Suspicion of Malware Tactics:
- Initial Access
- Lateral Movement
- Impact

Techniques:
- T0818: Engineering Workstation Compromise
- T0866: Exploitation of Remote Services
- T0831: Manipulation of Control
Not learnable
Suspicion of Malicious Activity (WannaCry) * Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. Medium Suspicion of Malware Tactics:
- Initial Access
- Lateral Movement

Techniques:
- T0866: Exploitation of Remote Services
- T0867: Lateral Tool Transfer
Not learnable
Suspicion of NotPetya Malware - Illegal SMB Parameters Detected Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. High Suspicion of Malware Tactics:
- Initial Access
- Lateral Movement

Techniques:
- T0866: Exploitation of Remote Services
Not learnable
Suspicion of NotPetya Malware - Illegal SMB Transaction Detected Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. High Suspicion of Malware Tactics:
- Lateral Movement

Techniques:
- T0867: Lateral Tool Transfer
Not learnable
Suspicion of Remote Code Execution with PsExec Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. High Suspicion of Malicious Activity Tactics:
- Lateral Movement
- Initial Access

Techniques:
- T0866: Exploitation of Remote Services
Not learnable
Suspicion of Remote Windows Service Management * Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. High Suspicion of Malicious Activity Tactics:
- Initial Access

Techniques:
- T0822: NetworkExternal Remote Services
Not learnable
Suspicious Executable File Detected on Endpoint Suspicious network activity was detected. This activity might be associated with an attack exploiting a method used by known malware. High Suspicion of Malicious Activity Tactics:
- Evasion
- Inhibit Response Function

Techniques:
- T0851: Rootkit
Learnable
Suspicious Traffic Detected * Suspicious network activity was detected. This activity might be associated with an attack that triggered known 'Indicators of Compromise' (IOCs). Alert metadata should be reviewed by the security team High Suspicion of Malicious Activity Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Not learnable
Backup Activity with Antivirus Signatures Traffic detected between the source device and the destination backup server triggered this alert. The traffic includes backup of antivirus software that might contain malware signatures. This is most likely legitimate backup activity. Low Backup Tactics:
- Impact

Techniques:
- T0882: Theft of Operational Information
Not learnable

Operational engine alerts

Operational engine alerts describe detected operational incidents, or malfunctioning entities.

Title Description Severity Category MITRE ATT&CK
Tactics and techniques
Learnable
An S7 Stop PLC Command was Sent The source device sent a stop command to a destination controller. The controller stops operating until a start command is sent. Low Restart/ Stop Commands Tactics:
- Lateral Movement
- Defense Evasion
- Execution
- Inhibit Response Function

Techniques:
- T0843: Program Download
- T0858: Change Operating Mode
- T0814: Denial of Service
Not learnable
BACNet Operation Failed A server returned an error code. This alert indicates a server error or an invalid request by a client. Medium Command Failures Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Not learnable
Bad MMS Device State An MMS Virtual Manufacturing Device (VMD) sent a status message. The message indicates that the server might not be configured correctly, partially operational, or not operational at all. Medium Operational Issues Tactics:
- Inhibit Response Function

Techniques:
- T0814: Denial of Service
Not learnable
Change of Device Configuration * A configuration change was detected on a source device. Low Configuration Changes Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Not learnable
Continuous Event Buffer Overflow at Outstation * A buffer overflow event was detected on a source device. The event might cause data corruption, program crashes, or execution of malicious code.

Threshold: 3 occurrences in 10 minutes
Medium Buffer Overflow Tactics:
- Inhibit Response Function
- Impair Process Control
- Persistence

Techniques:
- T0814: Denial of Service
- T0806: Brute Force I/O
- T0839: Module Firmware
Not learnable
Controller Reset A source device sent a reset command to a destination controller. The controller stopped operating temporarily and started again automatically. Low Restart/ Stop Commands Tactics:
- Defense Evasion
- Execution
- Inhibit Response Function

Techniques:
- T0858: Change Operating Mode
- T0814: Denial of Service
Not learnable
Controller Stop The source device sent a stop command to a destination controller. The controller stops operating until a start command is sent. Low Restart/ Stop Commands Tactics:
- Lateral Movement
- Defense Evasion
- Execution
- Inhibit Response Function

Techniques:
- T0843: Program Download
- T0858: Change Operating Mode
- T0814: Denial of Service
Not learnable
Device Failed to Receive a Dynamic IP Address The source device is configured to receive a dynamic IP address from a DHCP server but didn't receive an address. This indicates a configuration error on the device, or an operational error in the DHCP server. It's recommended to notify the network administrator of the incident Medium Command Failures Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Not learnable
Device is Suspected to be Disconnected (Unresponsive) A source device didn't respond to a command sent to it. It might have been disconnected when the command was sent.

Threshold: 8 attempts in 5 minutes
Medium Unresponsive Tactics:
- Inhibit Response Function

Techniques:
- T0881: Service Stop
Not learnable
EtherNet/IP CIP Service Request Failed A server returned an error code. This indicates a server error or an invalid request by a client. Medium Command Failures Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Not learnable
EtherNet/IP Encapsulation Protocol Command Failed A server returned an error code. This indicates a server error or an invalid request by a client. Medium Command Failures Tactics:
- Collection

Techniques:
- T0801: Monitor Process State
Not learnable
Event Buffer Overflow in Outstation A buffer overflow event was detected on a source device. The event might cause data corruption, program crashes, or execution of malicious code. Medium Buffer Overflow Tactics:
- Inhibit Response Function
- Impair Process Control
- Persistence

Techniques:
- T0814: Denial of Service
- T0839: Module Firmware
Not learnable
Expected Backup Operation Did Not Occur Expected backup/file transfer activity didn't occur between two devices. This alert might indicate errors in the backup / file transfer process.

Threshold: 100 seconds
Medium Backup Tactics:
- Inhibit Response Function

Techniques:
- T0809: Data Destruction
Learnable
GE SRTP Command Failure A server returned an error code. This alert indicates a server error or an invalid request by a client. Medium Command Failures Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Not learnable
GE SRTP Stop PLC Command was Sent The source device sent a stop command to a destination controller. The controller stops operating until a start command is sent. Low Restart/ Stop Commands Tactics:
- Lateral Movement
- Defense Evasion
- Execution
- Inhibit Response Function

Techniques:
- T0843: Program Download
- T0858: Change Operating Mode
- T0814: Denial of Service
Not learnable
GOOSE Control Block Requires Further Configuration A source device sent a GOOSE message indicating that the device needs commissioning. This means that the GOOSE control block requires further configuration and GOOSE messages are partially or completely non-operational. Medium Configuration Changes Tactics:
- Impair Process Control
- Inhibit Response Function

Techniques:
- T0803: Block Command Message
- T0821: Modify Controller Tasking
Not learnable
GOOSE Dataset Configuration was Changed * A message (identified by protocol ID) dataset was changed on a source device. This means the device reports a different dataset for this message. Low Configuration Changes Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Not learnable
Honeywell Controller Unexpected Status A Honeywell Controller sent an unexpected diagnostic message indicating a status change. Low Operational Issues Tactics:
- Evasion
- Execution

Techniques:
- T0858: Change Operating Mode
Not learnable
HTTP Client Error * The source device initiated an invalid request. Low Abnormal HTTP Communication Behavior Tactics:
- Command And Control

Techniques:
- T0869: Standard Application Layer Protocol
Not learnable
Illegal IP Address System detected traffic between a source device and an IP address that is an invalid address. This might indicate wrong configuration or an attempt to generate illegal traffic. Low Abnormal Communication Behavior Tactics:
- Discovery
- Impair Process Control

Techniques:
- T0842: Network Sniffing
- T0836: Modify Parameter
Not learnable
Master-Slave Authentication Error The authentication process between a DNP3 source device (primary) and a destination device (outstation) failed. Low Authentication Tactics:
- Lateral Movement
- Persistence

Techniques:
- T0859: Valid Accounts
Not learnable
MMS Service Request Failed A server returned an error code. This indicates a server error or an invalid request by a client. Medium Command Failures Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Not learnable
No Traffic Detected on Sensor Interface A sensor stopped detecting network traffic on a network interface. High Sensor Traffic Tactics:
- Inhibit Response Function

Techniques:
- T0881: Service Stop
Not learnable
OPC UA Server Raised an Event That Requires User's Attention An OPC UA server sent an event notification to a client. This type of event requires user attention Medium Operational Issues Tactics:
- Inhibit Response Function

Techniques:
- T0838: Modify Alarm Settings
Not learnable
OPC UA Service Request Failed A server returned an error code. This indicates a server error or an invalid request by a client. Medium Command Failures Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Not learnable
Outstation Restarted A cold restart was detected on a source device. This means the device was physically turned off and back on again. Low Restart/ Stop Commands Tactics:
- Inhibit Response Function

Techniques:
- T0816: Device Restart/Shutdown
Not learnable
Outstation Restarts Frequently An excessive number of cold restarts were detected on a source device. This means the device was physically turned off and back on again an excessive number of times.

Threshold: 2 restarts in 10 minutes
Low Restart/ Stop Commands Tactics:
- Inhibit Response Function

Techniques:
- T0814: Denial of Service
- T0816: Device Restart/Shutdown
Not learnable
Outstation's Configuration Changed A configuration change was detected on a source device. Medium Configuration Changes Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
Not learnable
Outstation's Corrupted Configuration Detected This DNP3 source device (outstation) reported a corrupted configuration. Medium Configuration Changes Tactics:
- Inhibit Response Function

Techniques:
- T0809: Data Destruction
Not learnable
Profinet DCP Command Failed A server returned an error code. This indicates a server error or an invalid request by a client. Medium Command Failures Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Not learnable
Profinet Device Factory Reset A source device sent a factory reset command to a Profinet destination device. The reset command clears Profinet device configurations and stops its operation. Low Restart/ Stop Commands Tactics:
- Defense Evasion
- Execution
- Inhibit Response Function

Techniques:
- T0858: Change Operating Mode
- T0814: Denial of Service
Not learnable
RPC Operation Failed * A server returned an error code. This alert indicates a server error or an invalid request by a client. Medium Command Failures Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Not learnable
Sampled Values Message Dataset Configuration was Changed * A message (identified by protocol ID) dataset was changed on a source device. This means the device reports a different dataset for this message. Low Configuration Changes Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Not learnable
Slave Device Unrecoverable Failure * An unrecoverable condition error was detected on a source device. This kind of error usually indicates a hardware failure or failure to perform a specific command. Medium Command Failures Tactics:
- Inhibit Response Function

Techniques:
- T0814: Denial of Service
Not learnable
Suspicion of Hardware Problems in Outstation An unrecoverable condition error was detected on a source device. This kind of error usually indicates a hardware failure or failure to perform a specific command. Medium Operational Issues Tactics:
- Inhibit Response Function

Techniques:
- T0814: Denial of Service
- T0881: Service Stop
Not learnable
Suspicion of Unresponsive MODBUS Device A source device didn't respond to a command sent to it. It might have been disconnected when the command was sent.

Threshold: Minimum of 1 valid response for a minimum of 3 requests within 5 minutes
Low Unresponsive Tactics:
- Inhibit Response Function

Techniques:
- T0881: Service Stop
Not learnable
Traffic Detected on Sensor Interface A sensor resumed detecting network traffic on a network interface. Low Sensor Traffic Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Not learnable
PLC Operating Mode Changed The operating mode on this PLC changed. The new mode might indicate that the PLC isn't secure. Leaving the PLC in an unsecure operating mode might allow adversaries to perform malicious activities on it, such as a program download. If the PLC is compromised, devices and processes that interact with it might be impacted. This might affect overall system security and safety. Low Configuration changes Tactics:
- Execution
- Evasion

Techniques:
- T0858: Change Operating Mode
Not learnable

Next steps

For more information, see: