Add Lookout Mobile Risk API v2 KQL queries

Azure Services/Lookout/Queries/Diagnostics/Device compliance status.kql

@@ -0,0 +1,65 @@
+// Author: fgravato
+// Display name: Device Compliance Status
+// Description: Monitors device compliance status, security posture, and MDM integration for mobile devices managed by Lookout.
+// Categories: Security
+// Resource types: Log Analytics workspaces
+// Topic: Diagnostics
+
+LookoutEvents
+| where EventType == "DEVICE"
+| where DeviceComplianceStatus in ("Non-Compliant", "Partial") 
+   or DeviceSecurityStatus in ("THREATS_HIGH", "THREATS_MEDIUM")
+   or ChangeType == "UPDATE"
+| extend 
+    DeviceRiskScore = case(
+        DeviceSecurityStatus == "THREATS_HIGH", 9,
+        DeviceSecurityStatus == "THREATS_MEDIUM", 6,
+        DeviceSecurityStatus == "THREATS_LOW", 3,
+        DeviceComplianceStatus == "Non-Compliant", 7,
+        DeviceComplianceStatus == "Partial", 4,
+        1
+    ),
+    ComplianceReason = case(
+        DeviceCheckinTime < ago(7d), "No Recent Check-in",
+        DeviceActivationStatus != "ACTIVE", "Inactive Device",
+        isempty(ClientLookoutSDKVersion), "Missing Security Client",
+        "Configuration Issue"
+    ),
+    PlatformRisk = case(
+        DevicePlatform == "ANDROID" and DeviceOSVersion matches regex @"^[1-9]\.", "Outdated Android",
+        DevicePlatform == "IOS" and DeviceOSVersion matches regex @"^1[0-4]\.", "Outdated iOS",
+        DevicePlatform == "UNKNOWN", "Unknown Platform",
+        "Current"
+    )
+| extend MDMIntegrationStatus = case(
+    isnotempty(MDMConnectorId) and isnotempty(MDMExternalId), "Fully Integrated",
+    isnotempty(MDMConnectorId), "Partial Integration", 
+    "Not Integrated"
+)
+| extend SecurityPosture = case(
+    DeviceRiskScore >= 8, "Critical",
+    DeviceRiskScore >= 6, "High",
+    DeviceRiskScore >= 4, "Medium",
+    "Low"
+)
+| project
+    TimeGenerated,
+    DeviceGuid,
+    DevicePlatform,
+    DeviceOSVersion,
+    DeviceManufacturer,
+    DeviceModel,
+    DeviceEmailAddress,
+    DeviceActivationStatus,
+    DeviceSecurityStatus,
+    DeviceComplianceStatus,
+    DeviceRiskScore,
+    SecurityPosture,
+    ComplianceReason,
+    PlatformRisk,
+    DeviceCheckinTime,
+    ClientLookoutSDKVersion,
+    MDMConnectorId,
+    MDMExternalId,
+    MDMIntegrationStatus
+| order by DeviceRiskScore desc, TimeGenerated desc

Azure Services/Lookout/Queries/Security/High severity mobile threats.kql

@@ -0,0 +1,65 @@
+// Author: fgravato
+// Display name: High Severity Mobile Threats
+// Description: Detects high severity mobile threats from Lookout Mobile Risk API v2 with enhanced threat intelligence, risk scoring, and device context.
+// Categories: Security
+// Resource types: Log Analytics workspaces
+// Topic: Security
+
+LookoutEvents
+| where EventType == "THREAT"
+| where ThreatSeverity in ("CRITICAL", "HIGH")
+| where ThreatAction == "DETECTED"
+| where ThreatStatus in ("OPEN", "ACTIVE")
+| extend 
+    ThreatRiskScore = case(
+        ThreatSeverity == "CRITICAL", 10,
+        ThreatSeverity == "HIGH", 8,
+        ThreatSeverity == "MEDIUM", 5,
+        ThreatSeverity == "LOW", 2,
+        1
+    ),
+    DeviceRiskLevel = case(
+        DeviceSecurityStatus == "THREATS_HIGH", "High",
+        DeviceSecurityStatus == "THREATS_MEDIUM", "Medium",
+        DeviceSecurityStatus == "THREATS_LOW", "Low",
+        "Unknown"
+    ),
+    ThreatCategory = case(
+        ThreatClassifications has "MALWARE", "Malware",
+        ThreatClassifications has "PHISHING", "Phishing", 
+        ThreatClassifications has "SPYWARE", "Spyware",
+        ThreatClassifications has "TROJAN", "Trojan",
+        ThreatClassifications has "ADWARE", "Adware",
+        "Other"
+    )
+| extend ComplianceImpact = case(
+    DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 8, "Critical",
+    DeviceComplianceStatus == "Non-Compliant" and ThreatRiskScore >= 5, "High", 
+    DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 8, "High",
+    DeviceComplianceStatus == "Partial" and ThreatRiskScore >= 5, "Medium",
+    "Low"
+)
+| project
+    TimeGenerated,
+    ThreatId,
+    ThreatType,
+    ThreatSeverity,
+    ThreatRiskScore,
+    ThreatCategory,
+    ThreatClassifications,
+    ThreatStatus,
+    ThreatDescription,
+    ThreatApplicationName,
+    ThreatPackageName,
+    ThreatPackageSha,
+    DeviceGuid,
+    DevicePlatform,
+    DeviceOSVersion,
+    DeviceManufacturer,
+    DeviceModel,
+    DeviceEmailAddress,
+    DeviceSecurityStatus,
+    DeviceRiskLevel,
+    DeviceComplianceStatus,
+    ComplianceImpact
+| order by ThreatRiskScore desc, TimeGenerated desc

Azure Services/Lookout/Queries/Security/Multi-vector attack correlation.kql

@@ -0,0 +1,53 @@
+// Author: fgravato
+// Display name: Multi-Vector Attack Correlation
+// Description: Identifies devices experiencing multiple threat types within 24 hours, indicating coordinated or sophisticated attacks targeting mobile devices.
+// Categories: Security
+// Resource types: Log Analytics workspaces
+// Topic: Security
+
+let timeWindow = 24h;
+let threatEvents = LookoutEvents
+| where TimeGenerated > ago(timeWindow)
+| where EventType == "THREAT"
+| where ThreatSeverity in ("CRITICAL", "HIGH")
+| summarize 
+    ThreatTypes = make_set(ThreatType),
+    ThreatCount = count(),
+    FirstThreat = min(TimeGenerated),
+    LastThreat = max(TimeGenerated),
+    ThreatClassifications = make_set(ThreatClassifications)
+    by DeviceGuid, DeviceEmailAddress, DevicePlatform;
+let smishingEvents = LookoutEvents
+| where TimeGenerated > ago(timeWindow)
+| where EventType == "SMISHING_ALERT"
+| where SmishingAlertSeverity in ("CRITICAL", "HIGH")
+| summarize 
+    SmishingTypes = make_set(SmishingAlertType),
+    SmishingCount = count(),
+    FirstSmishing = min(TimeGenerated)
+    by DeviceGuid;
+threatEvents
+| join kind=leftouter (smishingEvents) on DeviceGuid
+| where ThreatCount >= 2 or SmishingCount >= 1
+| extend AttackDuration = LastThreat - FirstThreat
+| extend MultiVectorRisk = case(
+    ThreatCount >= 3 and SmishingCount >= 1, "Critical",
+    ThreatCount >= 2 and SmishingCount >= 1, "High", 
+    ThreatCount >= 3, "High",
+    ThreatCount >= 2, "Medium",
+    "Low"
+)
+| project 
+    DeviceGuid, 
+    DeviceEmailAddress, 
+    DevicePlatform,
+    ThreatTypes, 
+    SmishingTypes, 
+    ThreatCount, 
+    SmishingCount, 
+    AttackDuration, 
+    MultiVectorRisk,
+    FirstThreat, 
+    LastThreat, 
+    ThreatClassifications
+| order by MultiVectorRisk desc, ThreatCount desc

Azure Services/Lookout/Queries/Security/Smishing and phishing detection.kql

@@ -0,0 +1,61 @@
+// Author: fgravato
+// Display name: Smishing and Phishing Detection
+// Description: Detects SMS phishing (smishing) and phishing alerts with impersonation analysis, identifying CEO fraud, credential harvesting, and malicious link campaigns.
+// Categories: Security
+// Resource types: Log Analytics workspaces
+// Topic: Security
+
+LookoutEvents
+| where EventType == "SMISHING_ALERT"
+| where SmishingAlertSeverity in ("CRITICAL", "HIGH", "MEDIUM")
+| extend 
+    AlertRiskScore = case(
+        SmishingAlertSeverity == "CRITICAL", 10,
+        SmishingAlertSeverity == "HIGH", 8,
+        SmishingAlertSeverity == "MEDIUM", 5,
+        SmishingAlertSeverity == "LOW", 2,
+        1
+    ),
+    ThreatCategory = case(
+        SmishingAlertType == "PHISHING_DETECTION", "Phishing",
+        SmishingAlertType == "FRAUD_DETECTION", "Fraud",
+        SmishingAlertType == "CREDENTIAL_HARVESTING", "Credential Theft",
+        SmishingAlertType == "MALICIOUS_LINK", "Malicious Link",
+        "Other"
+    ),
+    ImpersonationRisk = case(
+        SmishingAlertDescription has "CEO" or SmishingAlertDescription has "executive", "Executive Impersonation",
+        SmishingAlertDescription has "IT" or SmishingAlertDescription has "support", "IT Support Impersonation", 
+        SmishingAlertDescription has "bank" or SmishingAlertDescription has "financial", "Financial Impersonation",
+        SmishingAlertDescription has "delivery" or SmishingAlertDescription has "package", "Delivery Impersonation",
+        "Generic Phishing"
+    )
+| extend DeviceRiskLevel = case(
+    DeviceSecurityStatus == "THREATS_HIGH", "High",
+    DeviceSecurityStatus == "THREATS_MEDIUM", "Medium", 
+    DeviceSecurityStatus == "THREATS_LOW", "Low",
+    "Unknown"
+)
+| extend CampaignIndicators = case(
+    AlertRiskScore >= 8 and DeviceRiskLevel == "High", "Targeted Campaign",
+    AlertRiskScore >= 6 and ImpersonationRisk != "Generic Phishing", "Sophisticated Attack",
+    AlertRiskScore >= 5, "Coordinated Threat",
+    "Isolated Incident"
+)
+| project
+    TimeGenerated,
+    SmishingAlertId,
+    SmishingAlertType,
+    SmishingAlertSeverity,
+    SmishingAlertDescription,
+    AlertRiskScore,
+    ThreatCategory,
+    ImpersonationRisk,
+    CampaignIndicators,
+    DeviceGuid,
+    DevicePlatform,
+    DeviceOSVersion,
+    DeviceEmailAddress,
+    DeviceSecurityStatus,
+    DeviceRiskLevel
+| order by AlertRiskScore desc, TimeGenerated desc

Azure Services/Lookout/Queries/Usage/Mobile threat summary.kql

@@ -0,0 +1,51 @@
+// Author: fgravato
+// Display name: Mobile Threat Summary
+// Description: Provides an overview of mobile security metrics including threat counts, device compliance, and platform distribution for Lookout-managed devices.
+// Categories: Security
+// Resource types: Log Analytics workspaces
+// Topic: Usage
+
+let timeRange = 24h;
+let threatSummary = LookoutEvents
+| where TimeGenerated > ago(timeRange)
+| where EventType == "THREAT"
+| summarize 
+    TotalThreats = count(),
+    CriticalThreats = countif(ThreatSeverity == "CRITICAL"),
+    HighThreats = countif(ThreatSeverity == "HIGH"),
+    MediumThreats = countif(ThreatSeverity == "MEDIUM"),
+    LowThreats = countif(ThreatSeverity == "LOW"),
+    UniqueDevicesWithThreats = dcount(DeviceGuid),
+    ThreatTypes = make_set(ThreatType)
+| extend SummaryType = "Threats";
+let smishingSummary = LookoutEvents
+| where TimeGenerated > ago(timeRange)
+| where EventType == "SMISHING_ALERT"
+| summarize 
+    TotalSmishingAlerts = count(),
+    CriticalSmishing = countif(SmishingAlertSeverity == "CRITICAL"),
+    HighSmishing = countif(SmishingAlertSeverity == "HIGH"),
+    UniqueDevicesWithSmishing = dcount(DeviceGuid),
+    SmishingTypes = make_set(SmishingAlertType)
+| extend SummaryType = "Smishing";
+let deviceSummary = LookoutEvents
+| where TimeGenerated > ago(timeRange)
+| where EventType == "DEVICE"
+| summarize 
+    TotalDevices = dcount(DeviceGuid),
+    ActiveDevices = dcountif(DeviceGuid, DeviceActivationStatus == "ACTIVE"),
+    NonCompliantDevices = dcountif(DeviceGuid, DeviceComplianceStatus == "Non-Compliant"),
+    HighRiskDevices = dcountif(DeviceGuid, DeviceSecurityStatus == "THREATS_HIGH"),
+    AndroidDevices = dcountif(DeviceGuid, DevicePlatform == "ANDROID"),
+    iOSDevices = dcountif(DeviceGuid, DevicePlatform == "IOS")
+| extend SummaryType = "Devices";
+let platformBreakdown = LookoutEvents
+| where TimeGenerated > ago(timeRange)
+| where EventType == "THREAT"
+| summarize ThreatsByPlatform = count() by DevicePlatform
+| extend SummaryType = "PlatformBreakdown";
+union
+    (threatSummary | project SummaryType, TotalThreats, CriticalThreats, HighThreats, MediumThreats, LowThreats, UniqueDevicesWithThreats, ThreatTypes),
+    (smishingSummary | project SummaryType, TotalSmishingAlerts, CriticalSmishing, HighSmishing, UniqueDevicesWithSmishing, SmishingTypes),
+    (deviceSummary | project SummaryType, TotalDevices, ActiveDevices, NonCompliantDevices, HighRiskDevices, AndroidDevices, iOSDevices),
+    (platformBreakdown | project SummaryType, DevicePlatform, ThreatsByPlatform)