Microsoft Defender for IoT alert types and descriptions

This article provides a reference of the alerts that are generated by Microsoft Defender for IoT network sensors. You can use this reference to map alerts into playbooks, define forwarding rules on an OT network sensor, or support other custom activity.

Important

The Alerts page in the Azure portal is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

OT alerts turned off by default

Several alerts are turned off by default, as indicated by asterisks (*) in the tables below. OT sensor Admin users can enable or disable alerts from the Support page on a specific OT network sensor.

If you turn off alerts that are referenced in other places, such as alert forwarding rules, make sure to update those references as needed.

Alert severities

Defender for IoT alerts use the following severity levels:

  • Critical: Indicates a malicious attack that should be handled immediately.

  • Major: Indicates a security threat that's important to address.

  • Minor: Indicates some deviation from the baseline behavior that might contain a security threat.

  • Warning: Indicates some deviation from the baseline behavior with no security threats.
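
The two sections above describe how alerts carry a severity and how some alerts are off by default, which matters when the reference is used to map alerts into playbooks or forwarding rules. The following Python script is an added example, not part of the Microsoft documentation or product: it models a handful of alerts transcribed from the tables on this page as data, routes them to playbooks by severity, inverts the reference into a MITRE ATT&CK technique index, and checks a set of forwarding rules for alerts that are off by default and not enabled on the sensor (or whose title is misspelled). The playbook names, the forwarding-rule structure and the "enabled on sensor" set are assumptions made for this example.

```python
"""Triage helper for the Defender for IoT alert reference on this page.

Added example, not part of the Microsoft documentation or product. Alert
titles, severities, categories, off-by-default flags and technique IDs are
transcribed from the tables on this page; the playbook names and the
forwarding-rule structure are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AlertDefinition:
    title: str
    severity: str        # Critical, Major, Minor or Warning, as defined above
    category: str
    techniques: tuple    # MITRE ATT&CK technique IDs listed for the alert
    off_by_default: bool = False   # marked with an asterisk (*) in the tables


# A subset of the policy engine table, transcribed from this page.
ALERT_REFERENCE = {a.title: a for a in (
    AlertDefinition("Unauthorized Internet Connectivity Detected", "Critical",
                    "Internet Access", ("T0883",)),
    AlertDefinition("Unauthorized PLC Programming", "Critical",
                    "Programming", ("T0839", "T0889", "T0843")),
    AlertDefinition("Firmware Change Detected", "Major",
                    "Firmware Change", ("T0857",)),
    AlertDefinition("Unauthorized SMB Login", "Major",
                    "Authentication", ("T0886", "T0859")),
    AlertDefinition("Unauthorized Database Login", "Major",
                    "Authentication", ("T0859", "T0811"), off_by_default=True),
    AlertDefinition("Unauthorized HTTP User Agent", "Major",
                    "Abnormal HTTP Communication Behavior", ("T0869",),
                    off_by_default=True),
    AlertDefinition("Toshiba Computer Link Unauthorized Command", "Minor",
                    "Unauthorized Communication Behavior", ("T0855", "T0821")),
    AlertDefinition("New Port Discovery", "Warning", "Discovery", ("T0867",)),
)}

SEVERITY_RANK = {"Critical": 0, "Major": 1, "Minor": 2, "Warning": 3}

# Hypothetical playbook names keyed on severity (assumption for this example).
PLAYBOOK_BY_SEVERITY = {
    "Critical": "pb-ot-immediate-response",
    "Major": "pb-ot-investigate",
    "Minor": "pb-ot-review-baseline",
    "Warning": "pb-ot-log-only",
}


def route_alert(title, reference=ALERT_REFERENCE):
    """Playbook for a known alert title; None for a title not in the reference."""
    alert = reference.get(title)
    return None if alert is None else PLAYBOOK_BY_SEVERITY[alert.severity]


def prioritize(titles, reference=ALERT_REFERENCE):
    """Order alert titles by severity (Critical first); unknown titles go last."""
    def rank(title):
        alert = reference.get(title)
        return (SEVERITY_RANK[alert.severity] if alert else len(SEVERITY_RANK), title)
    return sorted(titles, key=rank)


def index_by_technique(reference=ALERT_REFERENCE):
    """Invert the reference into technique ID -> sorted list of alert titles."""
    index = {}
    for alert in reference.values():
        for technique in alert.techniques:
            index.setdefault(technique, []).append(alert.title)
    return {t: sorted(titles) for t, titles in index.items()}


def stale_forwarding_rules(rules, enabled_on_sensor=frozenset(),
                           reference=ALERT_REFERENCE):
    """Flag forwarding rules that reference an alert which cannot fire.

    A rule entry is reported when its alert is off by default and has not been
    enabled on the sensor, or when the title is unknown (a typo in a rule
    fails silently otherwise). `rules` is a list of dicts with "name" and
    "alerts" keys; this shape is an assumption for the example.
    """
    findings = []
    for rule in rules:
        for title in rule["alerts"]:
            alert = reference.get(title)
            if alert is None:
                findings.append((rule["name"], title, "unknown alert title"))
            elif alert.off_by_default and title not in enabled_on_sensor:
                findings.append((rule["name"], title, "alert is off by default"))
    return findings


# Constructed sample rules; "Unauthorized SMB Logon" is a deliberate typo.
SAMPLE_RULES = [
    {"name": "fwd-critical-to-siem",
     "alerts": ["Unauthorized Internet Connectivity Detected",
                "Unauthorized PLC Programming"]},
    {"name": "fwd-auth-to-soc",
     "alerts": ["Unauthorized Database Login", "Unauthorized SMB Logon"]},
    {"name": "fwd-http", "alerts": ["Unauthorized HTTP User Agent"]},
]

if __name__ == "__main__":
    enabled = {"Unauthorized HTTP User Agent"}   # assumed enabled on the sensor
    for rule_name, title, reason in stale_forwarding_rules(SAMPLE_RULES, enabled):
        print(f"{rule_name}: '{title}' -> {reason}")
```

Running the script reports the "Unauthorized Database Login" entry (off by default, not enabled) and the misspelled "Unauthorized SMB Logon" entry, while the "Unauthorized HTTP User Agent" rule passes because that alert is in the enabled set; extending ALERT_REFERENCE with the remaining rows of the tables below makes the same check cover a full sensor configuration.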

Supported alert types

Alert type: Policy violation alerts
Description: Triggered when the Policy Violation engine detects a deviation from traffic previously learned. For example:
- A new device is detected.
- A new configuration is detected on a device.
- A device not defined as a programming device carries out a programming change.
- A firmware version changed.

Alert type: Protocol violation alerts
Description: Triggered when the Protocol Violation engine detects packet structures or field values that don't comply with the protocol specification.

Alert type: Operational alerts
Description: Triggered when the Operational engine detects network operational incidents or a device malfunctioning. For example, a network device was stopped through a Stop PLC command, or an interface on a sensor stopped monitoring traffic.

Alert type: Malware alerts
Description: Triggered when the Malware engine detects malicious network activity. For example, the engine detects a known attack such as Conficker.

Alert type: Anomaly alerts
Description: Triggered when the Anomaly engine detects a deviation. For example, a device is performing network scans but isn't defined as a scanning device.

Supported alert categories

Each alert has one of the following categories:

  • Abnormal Communication Behavior
  • Abnormal HTTP Communication Behavior
  • Authentication
  • Backup
  • Bandwidth Anomalies
  • Buffer overflow
  • Command Failures
  • Configuration changes
  • Custom Alerts
  • Discovery
  • Firmware change
  • Illegal commands
  • Internet Access
  • Operation Failures
  • Operational issues
  • Programming
  • Remote access
  • Restart/Stop Commands
  • Scan
  • Sensor traffic
  • Suspicion of malicious activity
  • Suspicion of Malware
  • Unauthorized Communication Behavior
  • Unresponsive

Policy engine alerts

Policy engine alerts describe detected deviations from learned baseline behavior.

Title Description Severity Category MITRE ATT&CK
tactics and techniques
Beckhoff Software Changed Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. Major Firmware Change Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
Database Login Failed A failed sign-in attempt was detected from a source device to a destination server. This might be the result of human error, but could also indicate a malicious attempt to compromise the server or data on it.

Threshold: 2 sign-in failures in 5 minutes
Major Authentication Tactics:
- Lateral Movement
- Collection

Techniques:
- T0812: Default Credentials
- T0811: Data from Information Repositories
Emerson ROC Firmware Version Changed Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. Major Firmware Change Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
External address within the network communicated with Internet A source device defined as part of your network is communicating with Internet addresses. The source isn't authorized to communicate with Internet addresses. Critical Internet Access Tactics:
- Initial Access

Techniques:
- T0883: Internet Accessible Device
Field Device Discovered Unexpectedly A new source device was detected on the network but hasn't been authorized. Major Discovery Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Firmware Change Detected Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. Major Firmware Change Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
Firmware Version Changed Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. Major Firmware Change Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
Foxboro I/A Unauthorized Operation New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
FTP Login Failed A failed sign-in attempt was detected from a source device to a destination server. This alert might be the result of human error, but could also indicate a malicious attempt to compromise the server or data on it. Major Authentication Tactics:
- Lateral Movement
- Command And Control

Techniques:
- T0812: Default Credentials
- T0869: Standard Application Layer Protocol
Function Code Raised Unauthorized Exception * A source device (secondary) returned an exception to a destination device (primary). Major Command Failures Tactics:
- Inhibit Response Function

Techniques:
- T0835: Manipulate I/O Image
GOOSE Message Type Settings Message (identified by protocol ID) settings were changed on a source device. Warning Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Honeywell Firmware Version Changed Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. Major Firmware Change Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
Illegal HTTP Communication * New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Abnormal HTTP Communication Behavior Tactics:
- Discovery

Techniques:
- T0846: Remote System Discovery
Internet Access Detected A source device defined as part of your network is communicating with Internet addresses. The source isn't authorized to communicate with Internet addresses. Major Internet Access Tactics:
- Initial Access

Techniques:
- T0883: Internet Accessible Device
Mitsubishi Firmware Version Changed Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. Major Firmware Change Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
Modbus Address Range Violation A primary device requested access to a new secondary memory address. Major Unauthorized Communication Behavior Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Modbus Firmware Version Changed Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. Major Firmware Change Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
New Activity Detected - CIP Class New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Discovery

Techniques:
- T0888: Remote System Information Discovery
New Activity Detected - CIP Class Service New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Inhibit Response Function

Techniques:
- T0836: Modify Parameter
New Activity Detected - CIP PCCC Command New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Inhibit Response Function

Techniques:
- T0836: Modify Parameter
New Activity Detected - CIP Symbol New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Inhibit Response Function

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
New Activity Detected - EtherNet/IP I/O Connection New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Discovery
- Inhibit Response Function

Techniques:
- T0846: Remote System Discovery
- T0835: Manipulate I/O Image
New Activity Detected - EtherNet/IP Protocol Command New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Inhibit Response Function

Techniques:
- T0836: Modify Parameter
New Activity Detected - GSM Message Code New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- CommandAndControl

Techniques:
- T0869: Standard Application Layer Protocol
New Activity Detected - LonTalk Command Codes New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Collection
- Impair Process Control

Techniques:
- T0861 - Point & Tag Identification
- T0855: Unauthorized Command Message
New Port Discovery New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Warning Discovery Tactics:
- Lateral Movement

Techniques:
- T0867: Lateral Tool Transfer
New Activity Detected - LonTalk Network Variable New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
New Activity Detected - Ovation Data Request New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Collection
- Discovery

Techniques:
- T0801: Monitor Process State
- T0888: Remote System Information Discovery
New Activity Detected - Read/Write Command (AMS Index Group) New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Configuration Changes Tactics:
- Impair Process Control
- Inhibit Response Function

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
New Activity Detected - Read/Write Command (AMS Index Offset) New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Configuration Changes Tactics:
- Impair Process Control
- Inhibit Response Function

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
New Activity Detected - Unauthorized DeltaV Message Type New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
New Activity Detected - Unauthorized DeltaV ROC Operation New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
New Activity Detected - Unauthorized RPC Message Type New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
New Activity Detected - Using AMS Protocol Command New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Inhibit Response Function
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
- T0821: Modify Controller Tasking
New Activity Detected - Using Siemens SICAM Command New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Inhibit Response Function

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
New Activity Detected - Using Suitelink Protocol command New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Inhibit Response Function

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
New Activity Detected - Using Suitelink Protocol sessions New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
New Activity Detected - Using Yokogawa VNetIP Command New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
New Asset Detected A new source device was detected on the network but hasn't been authorized.

This alert applies to devices discovered in OT subnets. New devices discovered in IT subnets don't trigger an alert.
Major Discovery Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
New LLDP Device Configuration A new source device was detected on the network but hasn't been authorized. Major Configuration Changes Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Omron FINS Unauthorized Command New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
S7 Plus PLC Firmware Changed Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. Major Firmware Change Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
Sampled Values Message Type Settings Message (identified by protocol ID) settings were changed on a source device. Warning Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Suspicion of Illegal Integrity Scan * A scan was detected on a DNP3 source device (outstation). This scan wasn't authorized as learned traffic on your network. Major Scan Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Toshiba Computer Link Unauthorized Command New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Minor Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Unauthorized ABB Totalflow File Operation New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Unauthorized ABB Totalflow Register Operation New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Unauthorized Access to Siemens S7 Data Block A source device attempted to access a resource on another device. An access attempt to this resource between these two devices hasn't been authorized as learned traffic on your network. Warning Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Initial Access

Techniques:
- T0855: Unauthorized Command Message
- T0811: Data from Information Repositories
Unauthorized Access to Siemens S7 Plus Object New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution
- Inhibit Response Function

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
- T0809: Data Destruction
Unauthorized Access to Wonderware Tag A source device attempted to access a resource on another device. An access attempt to this resource between these two devices hasn't been authorized as learned traffic on your network. Major Unauthorized Communication Behavior Tactics:
- Collection
- Impair Process Control

Techniques:
- T0861: Point & Tag Identification
- T0855: Unauthorized Command Message
Unauthorized BACNet Object Access New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Unauthorized BACNet Route New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Unauthorized Database Login * A sign-in attempt between a source client and destination server was detected. Communication between these devices hasn't been authorized as learned traffic on your network. Major Authentication Tactics:
- Lateral Movement
- Persistence
- Collection

Techniques:
- T0859: Valid Accounts
- T0811: Data from Information Repositories
Unauthorized Database Operation New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Abnormal Communication Behavior Tactics:
- Impair Process Control
- Initial Access

Techniques:
- T0855: Unauthorized Command Message
- T0811: Data from Information Repositories
Unauthorized Emerson ROC Operation New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Unauthorized GE SRTP File Access New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Collection
- LateralMovement
- Persistence

Techniques:
- T0801: Monitor Process State
- T0859: Valid Accounts
Unauthorized GE SRTP Protocol Command New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Unauthorized GE SRTP System Memory Operation New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Discovery
- Impair Process Control

Techniques:
- T0846: Remote System Discovery
- T0855: Unauthorized Command Message
Unauthorized HTTP Activity New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Abnormal HTTP Communication Behavior Tactics:
- Initial Access
- Command And Control

Techniques:
- T0822: External Remote Services
- T0869: Standard Application Layer Protocol
Unauthorized HTTP SOAP Action * New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Abnormal HTTP Communication Behavior Tactics:
- Command And Control
- Execution

Techniques:
- T0869: Standard Application Layer Protocol
- T0871: Execution through API
Unauthorized HTTP User Agent * An unauthorized application was detected on a source device. The application hasn't been authorized as a learned application on your network. Major Abnormal HTTP Communication Behavior Tactics:
- Command And Control

Techniques:
- T0869: Standard Application Layer Protocol
Unauthorized Internet Connectivity Detected A source device defined as part of your network is communicating with Internet addresses. The source isn't authorized to communicate with Internet addresses. Critical Internet Access Tactics:
- Initial Access

Techniques:
- T0883: Internet Accessible Device
Unauthorized Mitsubishi MELSEC Command New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Unauthorized MMS Program Access A source device attempted to access a resource on another device. An access attempt to this resource between these two devices hasn't been authorized as learned traffic on your network. Major Programming Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Unauthorized MMS Service New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0821: Modify Controller Tasking
Unauthorized Multicast/Broadcast Connection A Multicast/Broadcast connection was detected between a source device and other devices. Multicast/Broadcast communication isn't authorized. Critical Abnormal Communication Behavior Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Unauthorized Name Query New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Abnormal Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Unauthorized OPC UA Activity New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Unauthorized OPC UA Request/Response New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Unauthorized Operation was detected by a User Defined Rule Traffic was detected between two devices. This activity is unauthorized, based on a Custom Alert Rule defined by a user. Major Custom Alerts Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Unauthorized PLC Configuration Read The source device isn't defined as a programming device but performed a read/write operation on a destination controller. Programming changes should only be performed by programming devices. A programming application may have been installed on this device. Warning Configuration Changes Tactics:
- Collection

Techniques:
- T0801: Monitor Process State
Unauthorized PLC Configuration Write The source device sent a command to read/write the program of a destination controller. This activity wasn't previously seen. Major Configuration Changes Tactics:
- Impair Process Control
- Persistence
- Impact

Techniques:
- T0839: Module Firmware
- T0831: Manipulation of Control
- T0889: Modify Program
Unauthorized PLC Program Upload The source device sent a command to read/write the program of a destination controller. This activity wasn't previously seen. Major Programming Tactics:
- Impair Process Control
- Persistence
- Collection

Techniques:
- T0839: Module Firmware
- T0845: Program Upload
Unauthorized PLC Programming The source device isn't defined as a programming device but performed a read/write operation on a destination controller. Programming changes should only be performed by programming devices. A programming application may have been installed on this device. Critical Programming Tactics:
- Impair Process Control
- Persistence
- Lateral Movement

Techniques:
- T0839: Module Firmware
- T0889: Modify Program
- T0843: Program Download
Unauthorized Profinet Frame Type New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Unauthorized SAIA S-Bus Command New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Unauthorized Siemens S7 Execution of Control Function New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Inhibit Response Function

Techniques:
- T0855: Unauthorized Command Message
- T0809: Data Destruction
Unauthorized Siemens S7 Execution of User Defined Function New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0836: Modify Parameter
- T0863: User Execution
Unauthorized Siemens S7 Plus Block Access New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Inhibit Response Function
- Persistence
- Execution

Techniques:
- T0803 - Block Command Message
- T0889: Modify Program
- T0821: Modify Controller Tasking
Unauthorized Siemens S7 Plus Operation New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control
- Execution

Techniques:
- T0855: Unauthorized Command Message
- T0863: User Execution
Unauthorized SMB Login A sign-in attempt between a source client and destination server was detected. Communication between these devices hasn't been authorized as learned traffic on your network. Major Authentication Tactics:
- Initial Access
- Lateral Movement
- Persistence

Techniques:
- T0886: Remote Services
- T0859: Valid Accounts
Unauthorized SNMP Operation New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Abnormal Communication Behavior Tactics:
- Discovery
- Command And Control

Techniques:
- T0842: Network Sniffing
- T0885: Commonly Used Port
Unauthorized SSH Access New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Remote Access Tactics:
- InitialAccess
- Lateral Movement
- Command And Control

Techniques:
- T0886: Remote Services
- T0869: Standard Application Layer Protocol
Unauthorized Windows Process An unauthorized application was detected on a source device. The application hasn't been authorized as a learned application on your network. Major Abnormal Communication Behavior Tactics:
- Execution
- Privilege Escalation
- Command And Control

Techniques:
- T0841: Hooking
- T0885: Commonly Used Port
Unauthorized Windows Service An unauthorized application was detected on a source device. The application hasn't been authorized as a learned application on your network. Major Abnormal Communication Behavior Tactics:
- Initial Access
- Lateral Movement

Techniques:
- T0866: Exploitation of Remote Services
Unauthorized Operation was detected by a User Defined Rule New traffic parameters were detected. This parameter combination violates a user-defined rule. Major Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Unpermitted Modbus Schneider Electric Extension New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Unpermitted Usage of ASDU Types New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Unpermitted Usage of DNP3 Function Code New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Unpermitted Usage of Internal Indication (IIN) * A DNP3 source device (outstation) reported an internal indication (IIN) that hasn't been authorized as learned traffic on your network. Major Illegal Commands Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Unpermitted Usage of Modbus Function Code New traffic parameters were detected. This parameter combination hasn't been authorized as learned traffic on your network. The following combination is unauthorized. Major Unauthorized Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter

Anomaly engine alerts

Note

This article contains references to the term slave, a term that Microsoft no longer uses. When the term is removed from the software, we’ll remove it from this article.

Anomaly engine alerts describe detected anomalies in network activity.

Title Description Severity Category MITRE ATT&CK tactics and techniques
Abnormal Exception Pattern in Slave * An excessive number of errors were detected on a source device. This alert may be the result of an operational issue.

Threshold: 20 exceptions in 1 hour
Minor Abnormal Communication Behavior Tactics:
- Impair Process Control

Techniques:
- T0806: Brute Force I/O
Abnormal HTTP Header Length * The source device sent an abnormal message. This alert may indicate an attempt to attack the destination device. Critical Abnormal HTTP Communication Behavior Tactics:
- Initial Access
- Lateral Movement
- Command And Control

Techniques:
- T0866: Exploitation of Remote Services
- T0869: Standard Application Layer Protocol
Abnormal Number of Parameters in HTTP Header * The source device sent an abnormal message. This alert may indicate an attempt to attack the destination device. Critical Abnormal HTTP Communication Behavior Tactics:
- Initial Access
- Lateral Movement
- Command And Control

Techniques:
- T0866: Exploitation of Remote Services
- T0869: Standard Application Layer Protocol
Abnormal Periodic Behavior In Communication Channel A change in the frequency of communication between the source and destination devices was detected. Minor Abnormal Communication Behavior Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Abnormal Termination of Applications * An excessive number of stop commands were detected on a source device. This alert may be the result of an operational issue or an attempt to manipulate the device.

Threshold: 20 stop commands in 3 hours
Major Abnormal Communication Behavior Tactics:
- Persistence
- Impact

Techniques:
- T0889: Modify Program
- T0831: Manipulation of Control
Abnormal Traffic Bandwidth * Abnormal bandwidth was detected on a channel. Bandwidth appears to be lower/higher than previously detected. For details, work with the Total Bandwidth widget. Warning Bandwidth Anomalies Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Abnormal Traffic Bandwidth Between Devices * Abnormal bandwidth was detected on a channel. Bandwidth appears to be lower/higher than previously detected. For details, work with the Total Bandwidth widget. Warning Bandwidth Anomalies Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Address Scan Detected A source device was detected scanning network devices. This device hasn't been authorized as a network scanning device.

Threshold: 50 connections to the same class B subnet in 2 minutes
Critical Scan Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
ARP Address Scan Detected * A source device was detected scanning network devices using Address Resolution Protocol (ARP). This device address hasn't been authorized as a valid ARP scanning address.

Threshold: 40 scans in 6 minutes
Critical Scan Tactics:
- Discovery
- Collection

Techniques:
- T0842: Network Sniffing
- T0830: Man in the Middle
ARP Spoofing * An abnormal quantity of packets was detected in the network. This alert could indicate an attack, for example, an ARP spoofing or ICMP flooding attack.

Threshold: 60 packets in 1 minute
Warning Abnormal Communication Behavior Tactics:
- Collection

Techniques:
- T0830: Man in the Middle
Excessive Login Attempts A source device was seen performing excessive sign-in attempts to a destination server. This alert may indicate a brute force attack. The server may be compromised by a malicious actor.

Threshold: 20 sign-in attempts in 1 minute
Critical Authentication Tactics:
- Lateral Movement
- Impair Process Control

Techniques:
- T0812: Default Credentials
- T0806: Brute Force I/O
Excessive Number of Sessions A source device was seen performing excessive sign-in attempts to a destination server. This may indicate a brute force attack. The server may be compromised by a malicious actor.

Threshold: 50 sessions in 1 minute
Critical Abnormal Communication Behavior Tactics:
- Lateral Movement
- Impair Process Control

Techniques:
- T0812: Default Credentials
- T0806: Brute Force I/O
Excessive Restart Rate of an Outstation * An excessive number of restart commands were detected on a source device. These alerts may be the result of an operational issue or an attempt to manipulate the device.

Threshold: 10 restarts in 1 hour
Major Restart/ Stop Commands Tactics:
- Inhibit Response Function
- Impair Process Control

Techniques:
- T0814: Denial of Service
- T0806: Brute Force I/O
Excessive SMB login attempts A source device was seen performing excessive sign-in attempts to a destination server. This may indicate a brute force attack. The server may be compromised by a malicious actor.

Threshold: 10 sign-in attempts in 10 minutes
Critical Authentication Tactics:
- Persistence
- Execution
- Lateral Movement

Techniques:
- T0812: Default Credentials
- T0853: Scripting
- T0859: Valid Accounts
ICMP Flooding * An abnormal quantity of packets was detected in the network. This alert could indicate an attack, for example, an ARP spoofing or ICMP flooding attack.

Threshold: 60 packets in 1 minute
Warning Abnormal Communication Behavior Tactics:
- Discovery
- Collection

Techniques:
- T0842: Network Sniffing
- T0830: Man in the Middle
Illegal HTTP Header Content * The source device initiated an invalid request. Critical Abnormal HTTP Communication Behavior Tactics:
- Initial Access
- Lateral Movement

Techniques:
- T0866: Exploitation of Remote Services
Inactive Communication Channel * A communication channel between two devices was inactive during a period in which activity is usually observed. This might indicate that the program generating this traffic was changed, or the program might be unavailable. It's recommended to review the configuration of the installed program and verify that it's configured properly.

Threshold: 1 minute
Warning Unresponsive Tactics:
- Inhibit Response Function

Techniques:
- T0881: Service Stop
Long Duration Address Scan Detected * A source device was detected scanning network devices. This device hasn't been authorized as a network scanning device.

Threshold: 50 connections to the same class B subnet in 10 minutes
Critical Scan Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Password Guessing Attempt Detected A source device was seen performing excessive sign-in attempts to a destination server. This may indicate a brute force attack. The server may be compromised by a malicious actor.

Threshold: 100 attempts in 1 minute
Critical Authentication Tactics:
- Lateral Movement

Techniques:
- T0812: Default Credentials
- T0806: Brute Force I/O
PLC Scan Detected A source device was detected scanning network devices. This device hasn't been authorized as a network scanning device.

Threshold: 10 scans in 2 minutes
Critical Scan Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Port Scan Detected A source device was detected scanning network devices. This device hasn't been authorized as a network scanning device.

Threshold: 25 scans in 2 minutes
Critical Scan Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Unexpected message length The source device sent an abnormal message. This alert may indicate an attempt to attack the destination device.

Threshold: text length - 32768
Critical Abnormal Communication Behavior Tactics:
- Initial Access
- Lateral Movement

Techniques:
- T0869: Exploitation of Remote Services
Unexpected Traffic for Standard Port * Traffic was detected on a device using a port reserved for another protocol. Major Abnormal Communication Behavior Tactics:
- Command And Control
- Discovery

Techniques:
- T0869: Standard Application Layer Protocol
- T0842: Network Sniffing

Protocol violation engine alerts

Protocol engine alerts describe detected deviations in the packet structure, or field values compared to protocol specifications.

Title Description Severity Category MITRE ATT&CK tactics and techniques
Excessive Malformed Packets In a Single Session * An abnormal number of malformed packets was sent from the source device to the destination device. This alert might indicate erroneous communications, or an attempt to manipulate the targeted device.

Threshold: 2 malformed packets in 10 minutes
Major Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0806: Brute Force I/O
Firmware Update A source device sent a command to update firmware on a destination device. Verify that recent programming, configuration and firmware upgrades made to the destination device are valid. Warning Firmware Change Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
Function Code Not Supported by Outstation The destination device received an invalid request. Major Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Illegal BACNet message The source device initiated an invalid request. Major Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Illegal Connection Attempt on Port 0 A source device attempted to connect to a destination device on port number zero (0). For TCP, port 0 is reserved and can't be used. For UDP, the port is optional and a value of 0 means no port. There's usually no service on a system that listens on port 0. This event may indicate an attempt to attack the destination device, or indicate that an application was programmed incorrectly. Minor Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Illegal DNP3 Operation The source device initiated an invalid request. Major Illegal Commands Tactics:
- Initial Access
- Lateral Movement

Techniques:
- T0866: Exploitation of Remote Services
Illegal MODBUS Operation (Exception Raised by Master) The source device initiated an invalid request. Major Illegal Commands Tactics:
- Initial Access
- Lateral Movement

Techniques:
- T0866: Exploitation of Remote Services
Illegal MODBUS Operation (Function Code Zero) * The source device initiated an invalid request. Major Illegal Commands Tactics:
- Initial Access
- Lateral Movement

Techniques:
- T0866: Exploitation of Remote Services
Illegal Protocol Version * The source device initiated an invalid request. Major Illegal Commands Tactics:
- Initial Access
- Lateral Movement
- Impair Process Control

Techniques:
- T0820: Remote Services
- T0836: Modify Parameter
Incorrect Parameter Sent to Outstation The destination device received an invalid request. Major Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Initiation of an Obsolete Function Code (Initialize Data) The source device initiated an invalid request. Minor Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Initiation of an Obsolete Function Code (Save Config) The source device initiated an invalid request. Minor Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Master Requested an Application Layer Confirmation The source device initiated an invalid request. Warning Illegal Commands Tactics:
- Command And Control

Techniques:
- T0869: Standard Application Layer Protocol
Modbus Exception A source device (secondary) returned an exception to a destination device (primary). Major Illegal Commands Tactics:
- Inhibit Response Function

Techniques:
- T0814: Denial of Service
Slave Device Received Illegal ASDU Type The destination device received an invalid request. Major Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Slave Device Received Illegal Command Cause of Transmission The destination device received an invalid request. Major Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Slave Device Received Illegal Common Address The destination device received an invalid request. Major Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Slave Device Received Illegal Data Address Parameter * The destination device received an invalid request. Major Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Slave Device Received Illegal Data Value Parameter * The destination device received an invalid request. Major Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Slave Device Received Illegal Function Code * The destination device received an invalid request. Major Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Slave Device Received Illegal Information Object Address The destination device received an invalid request. Major Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
- T0836: Modify Parameter
Unknown Object Sent to Outstation The destination device received an invalid request. Major Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Usage of a Reserved Function Code The source device initiated an invalid request. Major Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Usage of Improper Formatting by Outstation * The source device initiated an invalid request. Warning Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Usage of Reserved Status Flags (IIN) * A DNP3 source device (outstation) used the reserved Internal Indicator 2.6. It's recommended to check the device's configuration. Warning Illegal Commands Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter

Malware engine alerts

Malware engine alerts describe detected malicious network activity.

Title Description Severity Category MITRE ATT&CK tactics and techniques
Connection Attempt to Known Malicious IP Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware.

Triggered by both OT and Enterprise IoT network sensors.
Major Suspicion of Malicious Activity Tactics:
- Initial Access
- Command And Control

Techniques:
- T0883: Internet Accessible Device
- T0884: Connection Proxy
Invalid SMB Message (DoublePulsar Backdoor Implant) Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. Critical Suspicion of Malware Tactics:
- Initial Access
- Lateral Movement

Techniques:
- T0866: Exploitation of Remote Services
Malicious Domain Name Request Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware.

Triggered by both OT and Enterprise IoT network sensors.
Major Suspicion of Malicious Activity Tactics:
- Initial Access
- Command And Control

Techniques:
- T0883: Internet Accessible Device
- T0884: Connection Proxy
Malware Test File Detected - EICAR AV Success An EICAR AV test file was detected in traffic between two devices (over any transport - TCP or UDP). The file isn't malware. It's used to confirm that antivirus software is installed correctly, to demonstrate what happens when a virus is found, and to check internal procedures and reactions when a virus is found. Antivirus software should detect EICAR as if it were a real virus. Major Suspicion of Malicious Activity Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Suspicion of Conficker Malware Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. Major Suspicion of Malware Tactics:
- Initial Access
- Impact

Techniques:
- T0826: Loss of Availability
- T0828: Loss of Productivity and Revenue
- T0847: Replication Through Removable Media
Suspicion of Denial Of Service Attack A source device attempted to initiate an excessive number of new connections to a destination device. This may indicate a Denial of Service (DoS) attack against the destination device, and might interrupt device functionality, affect performance and service availability, or cause unrecoverable errors.

Threshold: 3000 attempts in 1 minute
Critical Suspicion of Malicious Activity Tactics:
- Inhibit Response Function

Techniques:
- T0814: Denial of Service
Suspicion of Malicious Activity Suspicious network activity was detected. This activity may be associated with an attack that triggered known 'Indicators of Compromise' (IOCs). Alert metadata should be reviewed by the security team. Major Suspicion of Malicious Activity Tactics:
- Lateral Movement

Techniques:
- T0867: Lateral Tool Transfer
Suspicion of Malicious Activity (BlackEnergy) Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. Critical Suspicion of Malware Tactics:
- Command And Control

Techniques:
- T0869: Standard Application Layer Protocol
Suspicion of Malicious Activity (DarkComet) Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. Critical Suspicion of Malware Tactics:
- Impact

Techniques:
- T0882: Theft of Operational Information
Suspicion of Malicious Activity (Duqu) Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. Critical Suspicion of Malware Tactics:
- Impact

Techniques:
- T0882: Theft of Operational Information
Suspicion of Malicious Activity (Flame) Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. Critical Suspicion of Malware Tactics:
- Collection
- Impact

Techniques:
- T0882: Theft of Operational Information
- T0811: Data from Information Repositories
Suspicion of Malicious Activity (Havex) Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. Critical Suspicion of Malware Tactics:
- Collection
- Discovery
- Inhibit Response Function

Techniques:
- T0861: Point & Tag Identification
- T0846: Remote System Discovery
- T0814: Denial of Service
Suspicion of Malicious Activity (Karagany) Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. Critical Suspicion of Malware Tactics:
- Impact

Techniques:
- T0882: Theft of Operational Information
Suspicion of Malicious Activity (LightsOut) Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. Critical Suspicion of Malware Tactics:
- Evasion

Techniques:
- T0849: Masquerading
Suspicion of Malicious Activity (Name Queries) Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware.

Threshold: 25 name queries in 1 minute
Major Suspicion of Malicious Activity Tactics:
- Command And Control

Techniques:
- T0884: Connection Proxy
Suspicion of Malicious Activity (Poison Ivy) Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. Critical Suspicion of Malware Tactics:
- Initial Access
- Lateral Movement

Techniques:
- T0866: Exploitation of Remote Services
Suspicion of Malicious Activity (Regin) Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. Critical Suspicion of Malware Tactics:
- Initial Access
- Lateral Movement
- Impact

Techniques:
- T0866: Exploitation of Remote Services
- T0882: Theft of Operational Information
Suspicion of Malicious Activity (Stuxnet) Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. Critical Suspicion of Malware Tactics:
- Initial Access
- Lateral Movement
- Impact

Techniques:
- T0818: Engineering Workstation Compromise
- T0866: Exploitation of Remote Services
- T0831: Manipulation of Control
Suspicion of Malicious Activity (WannaCry) * Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. Major Suspicion of Malware Tactics:
- Initial Access
- Lateral Movement

Techniques:
- T0866: Exploitation of Remote Services
- T0867: Lateral Tool Transfer
Suspicion of NotPetya Malware - Illegal SMB Parameters Detected Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. Critical Suspicion of Malware Tactics:
- Initial Access
- Lateral Movement

Techniques:
- T0866: Exploitation of Remote Services
Suspicion of NotPetya Malware - Illegal SMB Transaction Detected Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. Critical Suspicion of Malware Tactics:
- Lateral Movement

Techniques:
- T0867: Lateral Tool Transfer
Suspicion of Remote Code Execution with PsExec Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. Major Suspicion of Malicious Activity Tactics:
- Lateral Movement
- Initial Access

Techniques:
- T0866: Exploitation of Remote Services
Suspicion of Remote Windows Service Management * Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. Major Suspicion of Malicious Activity Tactics:
- Initial Access

Techniques:
- T0822: External Remote Services
Suspicious Executable File Detected on Endpoint Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. Major Suspicion of Malicious Activity Tactics:
- Evasion
- Inhibit Response Function

Techniques:
- T0851: Rootkit
Suspicious Traffic Detected * Suspicious network activity was detected. This activity may be associated with an attack that triggered known 'Indicators of Compromise' (IOCs). Alert metadata should be reviewed by the security team. Critical Suspicion of Malicious Activity Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Backup Activity with Antivirus Signatures Traffic detected between the source device and the destination backup server triggered this alert. The traffic includes backup of antivirus software that might contain malware signatures. This is most likely legitimate backup activity. Warning Backup Tactics:
- Impact

Techniques:
- T0882: Theft of Operational Information

Operational engine alerts

Operational engine alerts describe detected operational incidents, or malfunctioning entities.

Title Description Severity Category MITRE ATT&CK tactics and techniques
An S7 Stop PLC Command was Sent The source device sent a stop command to a destination controller. The controller will stop operating until a start command is sent. Warning Restart/ Stop Commands Tactics:
- Lateral Movement
- Defense Evasion
- Execution
- Inhibit Response Function

Techniques:
- T0843: Program Download
- T0858: Change Operating Mode
- T0814: Denial of Service
BACNet Operation Failed A server returned an error code. This alert indicates a server error or an invalid request by a client. Major Command Failures Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Bad MMS Device State An MMS Virtual Manufacturing Device (VMD) sent a status message. The message indicates that the server may not be configured correctly, may be only partially operational, or may not be operational at all. Major Operational Issues Tactics:
- Inhibit Response Function

Techniques:
- T0814: Denial of Service
Change of Device Configuration * A configuration change was detected on a source device. Minor Configuration Changes Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Continuous Event Buffer Overflow at Outstation * A buffer overflow event was detected on a source device. The event may cause data corruption, program crashes, or execution of malicious code.

Threshold: 3 occurrences in 10 minutes
Major Buffer Overflow Tactics:
- Inhibit Response Function
- Impair Process Control
- Persistence

Techniques:
- T0814: Denial of Service
- T0806: Brute Force I/O
- T0839: Module Firmware
Controller Reset A source device sent a reset command to a destination controller. The controller stopped operating temporarily and started again automatically. Warning Restart/ Stop Commands Tactics:
- Defense Evasion
- Execution
- Inhibit Response Function

Techniques:
- T0858: Change Operating Mode
- T0814: Denial of Service
Controller Stop The source device sent a stop command to a destination controller. The controller will stop operating until a start command is sent. Warning Restart/ Stop Commands Tactics:
- Lateral Movement
- Defense Evasion
- Execution
- Inhibit Response Function

Techniques:
- T0843: Program Download
- T0858: Change Operating Mode
- T0814: Denial of Service
Device Failed to Receive a Dynamic IP Address The source device is configured to receive a dynamic IP address from a DHCP server but didn't receive an address. This indicates a configuration error on the device, or an operational error in the DHCP server. It's recommended to notify the network administrator of the incident. Major Command Failures Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
Device is Suspected to be Disconnected (Unresponsive) A source device didn't respond to a command sent to it. It may have been disconnected when the command was sent.

Threshold: 8 attempts in 5 minutes
Major Unresponsive Tactics:
- Inhibit Response Function

Techniques:
- T0881: Service Stop
EtherNet/IP CIP Service Request Failed A server returned an error code. This indicates a server error or an invalid request by a client. Major Command Failures Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
EtherNet/IP Encapsulation Protocol Command Failed A server returned an error code. This indicates a server error or an invalid request by a client. Major Command Failures Tactics:
- Collection

Techniques:
- T0801: Monitor Process State
Event Buffer Overflow in Outstation A buffer overflow event was detected on a source device. The event may cause data corruption, program crashes, or execution of malicious code. Major Buffer Overflow Tactics:
- Inhibit Response Function
- Impair Process Control
- Persistence

Techniques:
- T0814: Denial of Service
- T0839: Module Firmware
Expected Backup Operation Did Not Occur Expected backup/file transfer activity didn't occur between two devices. This alert may indicate errors in the backup / file transfer process.

Threshold: 100 seconds
Major Backup Tactics:
- Inhibit Response Function

Techniques:
- T0809: Data Destruction
GE SRTP Command Failure A server returned an error code. This alert indicates a server error or an invalid request by a client. Major Command Failures Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
GE SRTP Stop PLC Command was Sent The source device sent a stop command to a destination controller. The controller will stop operating until a start command is sent. Warning Restart/ Stop Commands Tactics:
- Lateral Movement
- Defense Evasion
- Execution
- Inhibit Response Function

Techniques:
- T0843: Program Download
- T0858: Change Operating Mode
- T0814: Denial of Service
GOOSE Control Block Requires Further Configuration A source device sent a GOOSE message indicating that the device needs commissioning. This means that the GOOSE control block requires further configuration and GOOSE messages are partially or completely non-operational. Major Configuration Changes Tactics:
- Impair Process Control
- Inhibit Response Function

Techniques:
- T0803: Block Command Message
- T0821: Modify Controller Tasking
GOOSE Dataset Configuration was Changed * The dataset of a message (identified by protocol ID) was changed on a source device. This means the device will report a different dataset for this message. Warning Configuration Changes Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Honeywell Controller Unexpected Status A Honeywell Controller sent an unexpected diagnostic message indicating a status change. Warning Operational Issues Tactics:
- Evasion
- Execution

Techniques:
- T0858: Change Operating Mode
HTTP Client Error * The source device initiated an invalid request. Warning Abnormal HTTP Communication Behavior Tactics:
- Command And Control

Techniques:
- T0869: Standard Application Layer Protocol
Illegal IP Address The system detected traffic between a source device and an invalid IP address. This may indicate a misconfiguration or an attempt to generate illegal traffic. Minor Abnormal Communication Behavior Tactics:
- Discovery
- Impair Process Control

Techniques:
- T0842: Network Sniffing
- T0836: Modify Parameter
Master-Slave Authentication Error The authentication process between a DNP3 source device (primary) and a destination device (outstation) failed. Minor Authentication Tactics:
- Lateral Movement
- Persistence

Techniques:
- T0859: Valid Accounts
MMS Service Request Failed A server returned an error code. This indicates a server error or an invalid request by a client. Major Command Failures Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
No Traffic Detected on Sensor Interface A sensor stopped detecting network traffic on a network interface. Critical Sensor Traffic Tactics:
- Inhibit Response Function

Techniques:
- T0881: Service Stop
OPC UA Server Raised an Event That Requires User's Attention An OPC UA server sent an event notification to a client. This type of event requires user attention Major Operational Issues Tactics:
- Inhibit Response Function

Techniques:
- T0838: Modify Alarm Settings
OPC UA Service Request Failed A server returned an error code. This indicates a server error or an invalid request by a client. Major Command Failures Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Outstation Restarted A cold restart was detected on a source device. This means the device was physically turned off and back on again. Warning Restart/ Stop Commands Tactics:
- Inhibit Response Function

Techniques:
- T0816: Device Restart/Shutdown
Outstation Restarts Frequently An excessive number of cold restarts were detected on a source device. This means the device was physically turned off and back on again an excessive number of times.

Threshold: 2 restarts in 10 minutes
Minor Restart/ Stop Commands Tactics:
- Inhibit Response Function

Techniques:
- T0814: Denial of Service
- T0816: Device Restart/Shutdown
Outstation's Configuration Changed A configuration change was detected on a source device. Major Configuration Changes Tactics:
- Inhibit Response Function
- Persistence

Techniques:
- T0857: System Firmware
Outstation's Corrupted Configuration Detected This DNP3 source device (outstation) reported a corrupted configuration. Major Configuration Changes Tactics:
- Inhibit Response Function

Techniques:
- T0809: Data Destruction
Profinet DCP Command Failed A server returned an error code. This indicates a server error or an invalid request by a client. Major Command Failures Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Profinet Device Factory Reset A source device sent a factory reset command to a Profinet destination device. The reset command clears Profinet device configurations and stops its operation. Warning Restart/ Stop Commands Tactics:
- Defense Evasion
- Execution
- Inhibit Response Function

Techniques:
- T0858: Change Operating Mode
- T0814: Denial of Service
RPC Operation Failed * A server returned an error code. This alert indicates a server error or an invalid request by a client. Major Command Failures Tactics:
- Impair Process Control

Techniques:
- T0855: Unauthorized Command Message
Sampled Values Message Dataset Configuration was Changed * A message (identified by protocol ID) dataset was changed on a source device. This means the device will report a different dataset for this message. Warning Configuration Changes Tactics:
- Impair Process Control

Techniques:
- T0836: Modify Parameter
Slave Device Unrecoverable Failure * An unrecoverable condition error was detected on a source device. This kind of error usually indicates a hardware failure or failure to perform a specific command. Major Command Failures Tactics:
- Inhibit Response Function

Techniques:
- T0814: Denial of Service
Suspicion of Hardware Problems in Outstation An unrecoverable condition error was detected on a source device. This kind of error usually indicates a hardware failure or failure to perform a specific command. Major Operational Issues Tactics:
- Inhibit Response Function

Techniques:
- T0814: Denial of Service
- T0881: Service Stop
Suspicion of Unresponsive MODBUS Device A source device didn't respond to a command sent to it. It may have been disconnected when the command was sent.

Threshold: Minimum of 1 valid response for a minimum of 3 requests within 5 minutes
Minor Unresponsive Tactics:
- Inhibit Response Function

Techniques:
- T0881: Service Stop
Traffic Detected on Sensor Interface A sensor resumed detecting network traffic on a network interface. Warning Sensor Traffic Tactics:
- Discovery

Techniques:
- T0842: Network Sniffing
PLC Operating Mode Changed The operating mode on this PLC changed. The new mode may indicate that the PLC is not secure. Leaving the PLC in an unsecure operating mode may allow adversaries to perform malicious activities on it, such as a program download. If the PLC is compromised, devices and processes that interact with it may be impacted. This may affect overall system security and safety. Warning Configuration changes Tactics:
- Execution
- Evasion

Techniques:
- T0858: Change Operating Mode

Next steps

For more information, see: