Published by suphakorn.it, 2023-08-02 02:09:29

azure-defender-for-iot-device-builders



    sudo apt-get install defender-iot-micro-agent-edge

Upgrade a standalone micro agent from a legacy version

This section is relevant specifically when upgrading a micro agent from version 3.13.1 or lower to version 4.1.2 or higher. In version 4.1.2, the standalone micro agent directory changed to align with standard Linux installation directory structures. This change requires customers to reauthenticate the micro agent and modify the connection string location.

1. Upgrade your micro agent as described above.
2. Reauthenticate your micro agent. For more information, see Authenticate the micro agent.

Install a specific version of the micro agent

Specify a version number in your command to install that micro agent version. Use the following command syntax:

    sudo apt-get install defender-iot-micro-agent=<version>

Next steps

For more information, see:

- Install Defender for IoT micro agent for Edge
- Tutorial: Create a DefenderforIoTMicroAgent module twin


Tutorial: Configure Microsoft Defender for IoT agent-based solution

Article • 04/19/2023

This tutorial will help you learn how to configure the Microsoft Defender for IoT agent-based solution. In this tutorial you'll learn how to:

- Enable data collection
- Create a Log Analytics workspace
- Enable geolocation and IP address handling

Prerequisites

- An Azure account with an active subscription. Create an account for free.
- An IoT hub.
- You must have enabled Microsoft Defender for IoT on your Azure IoT Hub.
- You must have added a resource group to your IoT solution.
- You must have created a Defender for IoT micro agent module twin.
- You must have installed the Defender for IoT micro agent.

Enable data collection

To enable data collection:

1. Sign in to the Azure portal.
2. Navigate to IoT Hub > Your hub > Defender for IoT > Settings > Data Collection.


3. Under Microsoft Defender for IoT, ensure that Enable Microsoft Defender for IoT is enabled.


4. Select Save.

Create a Log Analytics workspace

Defender for IoT allows you to store security alerts, recommendations, and raw security data in your Log Analytics workspace. Log Analytics ingestion in IoT Hub is set to off by default in the Defender for IoT solution. It is possible to attach Defender for IoT to a Log Analytics workspace and to store the security data there as well.

There are two types of information stored by default in your Log Analytics workspace by Defender for IoT:

- Security alerts.
- Recommendations.

You can choose to add storage of an additional information type as raw events.

Note: Storing raw events in Log Analytics carries additional storage costs.

To enable Log Analytics to work with the micro agent:

1. Sign in to the Azure portal.
2. Navigate to IoT Hub > Your hub > Defender for IoT > Settings > Data Collection.
3. Under the Workspace configuration, switch the Log Analytics toggle to On.
4. Select a subscription from the drop-down menu.
5. Select a workspace from the drop-down menu. If you don't already have an existing Log Analytics workspace, you can select Create New Workspace to create a new one.


6. Verify that the Access to raw security data option is selected.
7. Select Save.

Every month, the first 5 gigabytes of data ingested per customer to the Azure Log Analytics service is free. Every gigabyte of data ingested into your Azure Log Analytics workspace is retained at no charge for the first 31 days. For more information on pricing, see Log Analytics pricing.

Enable geolocation and IP address handling

In order to secure your IoT solution, the IP addresses of the incoming and outgoing connections for your IoT devices, IoT Edge, and IoT Hub(s) are collected and stored by default. This information is essential, and is used to detect abnormal connectivity from suspicious IP address sources, for example, when attempts are made to establish connections from an IP address source of a known botnet, or from an IP address source outside your geolocation. The Defender for IoT service offers the flexibility to enable and disable the collection of the IP address data at any time.

To enable the collection of IP address data:

1. Sign in to the Azure portal.
2. Navigate to IoT Hub > Your hub > Defender for IoT > Settings > Data Collection.
3. Ensure the IP data collection checkbox is selected.


4. Select Save.

Clean up resources

There are no resources to clean up.

Next steps

Investigate security recommendations


DMI Decoder configurations

Article • 12/27/2022

This article explains how to configure the DMI decoder, and alternative configurations for devices that do not support it.

Overview

The Microsoft Defender for IoT Device inventory provides an overview of all IoT devices in your environment. The device inventory table can be customized to your preferences by adding or removing information fields, and filtering the fields.

The DMI decoder is used to retrieve data on the hardware and firmware of the device. Retrieved fields are:

- Firmware vendor
- Firmware version
- Hardware model
- Hardware serial number
- Hardware vendor

For more information on the DMI Decoder, see dmidecode(8): DMI table decoder - Linux man page (die.net).

Populate SMBIOS tables for dmidecode

To support dmidecode(8), SMBIOS tables need to be present and valid. To implement this, refer to the System Management BIOS specifications.

Alternative configurations

For devices that do not support the DMI decoder, there are two alternative options for retrieving and setting the firmware and hardware fields:

- JSON file
- Module twin configurations

JSON file


To manually set the values on the device, create a JSON file. The micro agent will read the values from the JSON file and send them to the cloud. To configure the file, use the following path and format details:

Path:

    /etc/defender_iot_micro_agent/sysinfo.json

Format:

    {
        "HardwareVendor": "<hardware vendor>",
        "HardwareModel": "<hardware model>",
        "HardwareSerialNumber": "<hardware serial number>",
        "FirmwareVendor": "<firmware vendor>",
        "FirmwareVersion": "<firmware version>"
    }

Module twin configurations

To manually set the values on the cloud, use the module twin configuration by setting the following properties:

    "properties": {
        "desired": {
            "SystemInformation_HardwareVendor": "<data>",
            "SystemInformation_HardwareModel": "<data>",
            "SystemInformation_FirmwareVendor": "<data>",
            "SystemInformation_FirmwareVersion": "<data>",
            "SystemInformation_HardwareSerialNumber": "<data>"
        }
    }

Next steps

- Configure Microsoft Defender for IoT agent-based solution
- Configure pluggable Authentication Modules (PAM) to audit sign-in events (Preview)
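Added example (not the page's or the agent's code) that fills the same five fields from dmidecode where SMBIOS tables exist and otherwise prepares the sysinfo.json fallback or the equivalent module twin patch; the dmidecode keyword mapping and the placeholder-string list are my assumptions:

```python
"""Build or check the micro agent's sysinfo.json fallback.

Added example; not part of the Defender for IoT documentation or agent.
Assumptions of mine: the five sysinfo.json fields map onto the dmidecode -s
keywords in DMI_KEYWORDS, and common SMBIOS placeholder strings count as
"no value", so a device with empty or stub tables gets the JSON fallback.
"""
import json
import shutil
import subprocess
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

# Fallback file path given on the page.
SYSINFO_PATH = Path("/etc/defender_iot_micro_agent/sysinfo.json")

# sysinfo.json field -> dmidecode(8) "-s" string keyword (assumed mapping).
DMI_KEYWORDS = {
    "HardwareVendor": "system-manufacturer",
    "HardwareModel": "system-product-name",
    "HardwareSerialNumber": "system-serial-number",
    "FirmwareVendor": "bios-vendor",
    "FirmwareVersion": "bios-version",
}

# Equivalent module twin desired property for each field (names from the page).
TWIN_PROPERTY = {field: "SystemInformation_" + field for field in DMI_KEYWORDS}

# Strings firmware vendors commonly leave in unpopulated SMBIOS fields.
PLACEHOLDERS = {"", "not specified", "to be filled by o.e.m.", "default string"}


def usable(value: object) -> bool:
    """True when a value is a real string rather than empty or a stub."""
    return isinstance(value, str) and value.strip().lower() not in PLACEHOLDERS


def query_dmidecode(keyword: str) -> Optional[str]:
    """Run dmidecode -s <keyword>; None when dmidecode is absent or fails."""
    if shutil.which("dmidecode") is None:
        return None
    try:
        result = subprocess.run(
            ["dmidecode", "-s", keyword], capture_output=True, text=True, timeout=10
        )
    except (OSError, subprocess.TimeoutExpired):
        return None
    return result.stdout.strip() if result.returncode == 0 else None


def build_sysinfo(
    lookup: Callable[[str], Optional[str]] = query_dmidecode,
) -> Tuple[Dict[str, str], List[str]]:
    """Collect the five fields through `lookup`; return (doc, fields still missing)."""
    doc: Dict[str, str] = {}
    missing: List[str] = []
    for field, keyword in DMI_KEYWORDS.items():
        value = lookup(keyword)
        if usable(value):
            doc[field] = str(value).strip()
        else:
            missing.append(field)
    return doc, missing


def validate_sysinfo(doc: Dict[str, object]) -> List[str]:
    """Problems in a sysinfo.json document: missing, empty or unexpected fields."""
    problems = []
    for field in DMI_KEYWORDS:
        if field not in doc:
            problems.append("missing " + field)
        elif not usable(doc[field]):
            problems.append("empty or non-string " + field)
    for field in doc:
        if field not in DMI_KEYWORDS:
            problems.append("unexpected field " + field)
    return problems


def to_twin_patch(doc: Dict[str, str]) -> Dict[str, object]:
    """The same values as a module twin patch (the page's cloud-side alternative)."""
    return {"properties": {"desired": {TWIN_PROPERTY[f]: v for f, v in doc.items()}}}


def write_sysinfo(doc: Dict[str, str], path: Path = SYSINFO_PATH) -> Path:
    """Write the fallback file, refusing an incomplete document."""
    problems = validate_sysinfo(doc)
    if problems:
        raise ValueError("; ".join(problems))
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(doc, indent=4) + "\n")
    return path


if __name__ == "__main__":
    doc, missing = build_sysinfo()
    if missing:
        print("dmidecode could not supply:", ", ".join(missing))
        print("fill them in by hand in", SYSINFO_PATH, "or set them via the module twin")
    else:
        print(json.dumps(to_twin_patch(doc), indent=4))
```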


Investigate OS baseline (based on CIS benchmark) recommendation

Article • 04/02/2023

Perform basic and advanced investigations based on OS baseline recommendations.

Note: The Microsoft Defender for IoT legacy experience under IoT Hub has been replaced by our new Defender for IoT standalone experience, in the Defender for IoT area of the Azure portal. The legacy experience under IoT Hub will not be supported after March 31, 2023.

Basic OS baseline security recommendation investigation

You can investigate OS baseline recommendations by navigating to Defender for IoT in the Azure portal. For more information, see how to Investigate security recommendations.

Advanced OS baseline security recommendation investigation

This section describes how to better understand the OS baseline test results, and how to query events in Azure Log Analytics.

Prerequisites: The advanced OS baseline security recommendation investigation is only supported by using Azure Log Analytics, and you must connect Defender for IoT to a Log Analytics workspace before continuing. For more information, see Configure Microsoft Defender for IoT agent-based solution.

To query your IoT security events in Log Analytics for alerts:

1. In your Log Analytics workspace, go to Logs > AzureSecurityOfThings > SecurityAlert.


2. In the query editor on the right, enter a KQL query to display the alerts you want to see.
3. Select Run to display the alerts that match your query.

Note: In addition to alerts, you can also use this same procedure to query for recommendations or raw event data.

Useful queries to investigate the OS baseline resources

Note: Make sure to replace <device-id> with the name(s) you gave your device in each of the following queries.

Retrieve the latest information

For example:

Device fleet failure - Run this query to retrieve the latest information about checks that failed across the device fleet:

    let lastDates = SecurityIoTRawEvent
        | where RawEventName == "Baseline"
        | summarize TimeStamp=max(TimeStamp) by DeviceId;
    lastDates
        | join kind=inner (SecurityIoTRawEvent) on TimeStamp, DeviceId
        | extend event = parse_json(EventDetails)
        | where event.BaselineCheckResult == "FAIL"
        | project DeviceId, event.BaselineCheckId, event.BaselineCheckDescription

Specific device failure - Run this query to retrieve the latest information about checks that failed on a specific device:

    let id = SecurityIoTRawEvent
        | extend IoTRawEventId = extractjson("$.EventId", EventDetails, typeof(string))
        | where TimeGenerated <= now()
        | where RawEventName == "Baseline"
        | where DeviceId == "<device-id>"
        | summarize arg_max(TimeGenerated, IoTRawEventId)
        | project IoTRawEventId;
    SecurityIoTRawEvent
        | extend IoTRawEventId = extractjson("$.EventId", EventDetails, typeof(string)),
                 extraDetails = todynamic(EventDetails)
        | where IoTRawEventId == toscalar(id)
        | where extraDetails.BaselineCheckResult == "FAIL"
        | project DeviceId, CceId = extraDetails.BaselineCheckId, Description = extraDetails.BaselineCheckDescription

Specific device error - Run this query to retrieve the latest information about checks that have an error on a specific device:

    let id = SecurityIoTRawEvent
        | extend IoTRawEventId = extractjson("$.EventId", EventDetails, typeof(string))
        | where TimeGenerated <= now()
        | where RawEventName == "Baseline"
        | where DeviceId == "<device-id>"
        | summarize arg_max(TimeGenerated, IoTRawEventId)
        | project IoTRawEventId;
    SecurityIoTRawEvent
        | extend IoTRawEventId = extractjson("$.EventId", EventDetails, typeof(string)),
                 extraDetails = todynamic(EventDetails)
        | where IoTRawEventId == toscalar(id)
        | where extraDetails.BaselineCheckResult == "ERROR"
        | project DeviceId, CceId = extraDetails.BaselineCheckId, Description = extraDetails.BaselineCheckDescription


Update device list for device fleet that failed a specific check - Run this query to retrieve an updated list of devices (across the device fleet) that failed a specific check:

    let lastDates = SecurityIoTRawEvent
        | where RawEventName == "Baseline"
        | summarize TimeStamp=max(TimeStamp) by DeviceId;
    lastDates
        | join kind=inner (SecurityIoTRawEvent) on TimeStamp, DeviceId
        | extend event = parse_json(EventDetails)
        | where event.BaselineCheckResult == "FAIL"
        | where event.BaselineCheckId contains "6.2.8"
        | project DeviceId;

Next steps

Investigate security recommendations.


Configure a micro agent twin

Article • 12/14/2022

Learn how to configure a micro agent twin.

Prerequisites

- An Azure account. If you do not already have an Azure account, you can create your Azure free account today.
- A Defender for IoT subscription.
- An existing IoT Hub with:
  - A connected device, and
  - A micro agent module twin.

Micro agent configuration

To view and update the micro agent twin configuration:

1. Navigate to the Azure portal.
2. Search for, and select IoT Hub.
3. Select your IoT Hub from the list.
4. Under the Device management section, select Devices.


5. Select your device from the list.
6. Select the module ID.
7. In the Module Identity Details screen, select Module Identity Twin.


8. Change the value of any field by adding the field to the "desired" section with the new value.


For example:


    "desired": {
        "Baseline_Disabled": false,
        "Baseline_MessageFrequency": "Low",
        "Baseline_GroupsDisabled": "",
        "Baseline_ChecksDisabled": "",
        "SystemInformation_Disabled": false,
        "SystemInformation_MessageFrequency": "Low",
        "SBoM_Disabled": false,
        "SBoM_MessageFrequency": "Low",
        "NetworkActivity_Disabled": false,
        "NetworkActivity_MessageFrequency": "Medium",
        "NetworkActivity_Devices": "eth0",
        "NetworkActivity_CacheSize": 256,
        "Process_Disabled": false,
        "Process_MessageFrequency": "Medium",
        "Process_PollingInterval": 100000,
        "Process_Mode": 1,
        "Process_CacheSize": 256,
        "LogCollector_Disabled": false,
        "LogCollector_MessageFrequency": "Low",
        "Heartbeat_Disabled": false,
        "Heartbeat_MessageFrequency": "Low",
        "Login_Disabled": false,
        "Login_MessageFrequency": "Medium",
        "IothubModule_MessageTimeout": 2880,
        "CollectorsCore_PriorityIntervals": "30,120,1440"
    }

For the full list of supported properties, see Micro agent configurations.

The agent successfully set the new configuration if the value of "latest_state", under the "reported" section, shows "success". If the agent fails to set the new configuration, the value of "latest_state", under the "reported" section, will show "failed". If this occurs, "latest_invalid_fields" will contain a list of the fields that are invalid.

Next steps

You learned how to configure a micro agent twin. For more information about micro agent configurations and event aggregation, see:

- Micro agent configurations
- Micro agent event collection
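Added example (not the page's or the agent's code) that checks a "desired" patch against the property types implied by the defaults above before it is pushed, and then reads "latest_state" / "latest_invalid_fields" from the "reported" section; the allowed MessageFrequency values and the shape of latest_invalid_fields are my assumptions:

```python
"""Pre-flight check for a micro agent module twin "desired" patch, plus a
reader for the agent's "reported" answer.

Added example; not part of the Defender for IoT documentation or agent.
Assumptions of mine: allowed MessageFrequency values are Low, Medium and
High; integer properties must be non-negative; the agent may report
latest_invalid_fields either as a list or as one comma-separated string.
"""
from typing import Any, Dict, List, Tuple

# Defaults exactly as listed on the page; their types drive the checks below.
DEFAULT_DESIRED: Dict[str, Any] = {
    "Baseline_Disabled": False,
    "Baseline_MessageFrequency": "Low",
    "Baseline_GroupsDisabled": "",
    "Baseline_ChecksDisabled": "",
    "SystemInformation_Disabled": False,
    "SystemInformation_MessageFrequency": "Low",
    "SBoM_Disabled": False,
    "SBoM_MessageFrequency": "Low",
    "NetworkActivity_Disabled": False,
    "NetworkActivity_MessageFrequency": "Medium",
    "NetworkActivity_Devices": "eth0",
    "NetworkActivity_CacheSize": 256,
    "Process_Disabled": False,
    "Process_MessageFrequency": "Medium",
    "Process_PollingInterval": 100000,
    "Process_Mode": 1,
    "Process_CacheSize": 256,
    "LogCollector_Disabled": False,
    "LogCollector_MessageFrequency": "Low",
    "Heartbeat_Disabled": False,
    "Heartbeat_MessageFrequency": "Low",
    "Login_Disabled": False,
    "Login_MessageFrequency": "Medium",
    "IothubModule_MessageTimeout": 2880,
    "CollectorsCore_PriorityIntervals": "30,120,1440",
}

FREQUENCIES = {"Low", "Medium", "High"}  # assumed set of allowed values


def validate_desired(desired: Dict[str, Any]) -> List[str]:
    """Return one problem string per property that the agent would reject."""
    problems = []
    for key, value in desired.items():
        if key not in DEFAULT_DESIRED:
            problems.append(f"{key}: not a documented property")
            continue
        expected = DEFAULT_DESIRED[key]
        if isinstance(expected, bool):  # bool before int: bool is an int subclass
            if not isinstance(value, bool):
                problems.append(f"{key}: expected true/false, got {value!r}")
        elif isinstance(expected, int):
            if isinstance(value, bool) or not isinstance(value, int) or value < 0:
                problems.append(f"{key}: expected a non-negative integer, got {value!r}")
        elif key.endswith("_MessageFrequency"):
            if not isinstance(value, str) or value not in FREQUENCIES:
                problems.append(f"{key}: expected one of {sorted(FREQUENCIES)}, got {value!r}")
        elif key == "CollectorsCore_PriorityIntervals":
            parts = str(value).split(",")
            if len(parts) != 3 or not all(p.strip().isdigit() for p in parts):
                problems.append(f"{key}: expected three comma-separated integers, got {value!r}")
        elif not isinstance(value, str):
            problems.append(f"{key}: expected a string, got {value!r}")
    return problems


def build_patch(overrides: Dict[str, Any]) -> Dict[str, Any]:
    """Merge overrides into the defaults and wrap them as a twin patch; raise if invalid."""
    desired = {**DEFAULT_DESIRED, **overrides}
    problems = validate_desired(desired)
    if problems:
        raise ValueError("; ".join(problems))
    return {"properties": {"desired": desired}}


def read_reported(reported: Dict[str, Any]) -> Tuple[Any, List[str]]:
    """Interpret the agent's reply: (latest_state, list of invalid fields)."""
    state = reported.get("latest_state")
    invalid = reported.get("latest_invalid_fields") or []
    if isinstance(invalid, str):  # assumed alternative encoding, see docstring
        invalid = [f.strip() for f in invalid.split(",") if f.strip()]
    return state, list(invalid)


if __name__ == "__main__":
    import json
    # Constructed example: watch a second interface and report processes more often.
    print(json.dumps(build_patch(
        {"NetworkActivity_Devices": "eth0,wlan0", "Process_MessageFrequency": "High"}
    ), indent=4))
    print(read_reported({"latest_state": "failed",
                         "latest_invalid_fields": "Process_Mode"}))
```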


Configure Pluggable Authentication Modules (PAM) to audit sign-in events

Article • 12/14/2022

This article provides a sample process for configuring Pluggable Authentication Modules (PAM) to audit SSH, Telnet, and terminal sign-in events on an unmodified Ubuntu 20.04 or 18.04 installation. PAM configurations may vary between devices and Linux distributions. For more information, see Login collector (event-based collector).

Prerequisites

Before you get started, make sure that you have a Defender for IoT Micro Agent. For more information, see Tutorial: Install the Defender for IoT micro agent. Configuring PAM requires technical knowledge.

Modify PAM configuration to report sign-in and sign-out events

This procedure provides a sample process for configuring the collection of successful sign-in events. Our example is based on an unmodified Ubuntu 20.04 or 18.04 installation, and the steps in this process may differ for your system.

1. Locate the following files:

    /etc/pam.d/sshd
    /etc/pam.d/login

2. Append the following lines to the end of each file (the session stack runs pam_audit.sh with 0 when a session opens and 1 when it closes):

    # report login session
    session [default=ignore] pam_exec.so type=open_session /usr/libexec/defender_iot_micro_agent/pam/pam_audit.sh 0
    # report logout session
    session [default=ignore] pam_exec.so type=close_session /usr/libexec/defender_iot_micro_agent/pam/pam_audit.sh 1

Modify the PAM configuration to report sign-in failures

This procedure provides a sample process for configuring the collection of failed sign-in attempts. The example in this procedure is based on an unmodified Ubuntu 18.04 or 20.04 installation. The files and commands listed below may differ per configuration or as a result of modifications.

1. Locate the /etc/pam.d/common-auth file and look for the following lines:

    # here are the per-package modules (the "Primary" block)
    auth    [success=1 default=ignore]  pam_unix.so nullok_secure
    # here's the fallback if no module succeeds
    auth    requisite           pam_deny.so

   This section authenticates via the pam_unix.so module. In case of authentication failure, this section continues to the pam_deny.so module to prevent access.

2. Replace the indicated lines of code with the following:

    # here are the per-package modules (the "Primary" block)
    auth    [success=1 default=ignore]  pam_unix.so nullok_secure
    auth    [success=1 default=ignore]  pam_exec.so quiet /usr/libexec/defender_iot_micro_agent/pam/pam_audit.sh 2
    auth    [success=1 default=ignore]  pam_echo.so
    # here's the fallback if no module succeeds
    auth    requisite           pam_deny.so

   In this modified section, on success PAM skips one module to the pam_echo.so module, and then skips the pam_deny.so module and authenticates successfully. In case of failure, PAM continues to report the sign-in failure to the agent log file, and then skips one module to the pam_deny.so module, which blocks access.


Validate your configuration

This procedure describes how to verify that you've configured PAM correctly to audit sign-in events.

1. Sign in to the device using SSH, and then sign out.
2. Sign in to the device using SSH with incorrect credentials to create a failed sign-in event.
3. Access your device and run the following command:

    cat /var/lib/defender_iot_micro_agent/pam.log

4. Verify that lines similar to the following are logged, for a successful sign-in (open_session), sign-out (close_session), and a sign-in failure (auth):

    2021-10-31T18:10:31+02:00,16356631,2589842,open_session,sshd,user,192.168.0.101,ssh,0
    2021-10-31T18:26:19+02:00,16356719,199164,close_session,sshd,user,192.168.0.201,ssh,1
    2021-10-28T17:44:13+03:00,163543223,3572596,auth,sshd,user,143.24.20.36,ssh,2

5. Repeat the verification procedure with Telnet and terminal connections.

Next steps

For more information, see Micro agent event collection.
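Added example (not the page's code or part of pam_audit.sh) that automates step 4: it parses pam.log lines, checks that the numeric code matches the event name wired into each PAM line, reports which of the three event types never appeared, and counts failed sign-ins per remote host. The field layout is read off the page's sample lines and is an assumption; the two numeric fields after the timestamp are kept opaque.

```python
"""Parse the micro agent's pam.log and check the three audited event types.

Added example; not part of the Defender for IoT documentation or pam_audit.sh.
Assumed field layout, read off the sample lines on the page (the two numeric
fields after the timestamp are not explained there and are kept opaque):
    timestamp,id1,id2,event,service,user,remote_host,tty,type_code
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

LOG_PATH = "/var/lib/defender_iot_micro_agent/pam.log"  # path from the page

# Last argument handed to pam_audit.sh in the page's PAM lines -> event name.
TYPE_CODES = {0: "open_session", 1: "close_session", 2: "auth"}


@dataclass
class PamEvent:
    when: datetime
    event: str
    service: str
    user: str
    remote_host: str
    tty: str
    type_code: int


def parse_line(line: str) -> Optional[PamEvent]:
    """Parse one pam.log line; None for a blank, malformed or inconsistent line."""
    parts = line.strip().split(",")
    if len(parts) != 9:
        return None
    ts, _id1, _id2, event, service, user, rhost, tty, code = parts
    try:
        when = datetime.fromisoformat(ts)
        type_code = int(code)
    except ValueError:
        return None
    # The numeric code and the event name must agree; a mismatch points at a
    # PAM line whose last pam_audit.sh argument is wrong for its stack.
    if TYPE_CODES.get(type_code) != event:
        return None
    return PamEvent(when, event, service, user, rhost, tty, type_code)


def parse_log(lines: Iterable[str]) -> Tuple[List[PamEvent], int]:
    """All parsable events plus the count of non-blank lines that were rejected."""
    events: List[PamEvent] = []
    rejected = 0
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            rejected += 1
        else:
            events.append(event)
    return events, rejected


def missing_event_types(events: Iterable[PamEvent]) -> List[str]:
    """Event types the validation step expects that never appeared."""
    seen = {e.event for e in events}
    return sorted(set(TYPE_CODES.values()) - seen)


def failures_by_host(events: Iterable[PamEvent]) -> Dict[str, int]:
    """Failed sign-ins per remote host, the first thing to look at in this log."""
    return dict(Counter(e.remote_host for e in events if e.event == "auth"))


# The three lines the page shows in its validation step.
SAMPLE_LOG = """\
2021-10-31T18:10:31+02:00,16356631,2589842,open_session,sshd,user,192.168.0.101,ssh,0
2021-10-31T18:26:19+02:00,16356719,199164,close_session,sshd,user,192.168.0.201,ssh,1
2021-10-28T17:44:13+03:00,163543223,3572596,auth,sshd,user,143.24.20.36,ssh,2
"""


def check_log(path: str = LOG_PATH) -> Dict[str, object]:
    """Summarize a pam.log file: what is missing, what was rejected, who failed."""
    with open(path, encoding="utf-8") as fh:
        events, rejected = parse_log(fh)
    return {
        "events": len(events),
        "rejected_lines": rejected,
        "missing_event_types": missing_event_types(events),
        "failures_by_host": failures_by_host(events),
    }


if __name__ == "__main__":
    events, rejected = parse_log(SAMPLE_LOG.splitlines())
    print("missing:", missing_event_types(events), "rejected:", rejected)
    print("failed sign-ins by host:", failures_by_host(events))
```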


Provision the Microsoft Defender for IoT micro agent using DPS

Article • 01/11/2023

This article explains how to provision the standalone Microsoft Defender for IoT micro agent using Azure IoT Hub Device Provisioning Service with X.509 certificate attestation. To learn how to configure the Microsoft Defender for IoT micro agent for Edge devices, see Create and provision IoT Edge devices at scale.

Prerequisites

- An Azure account with an active subscription. For more information, see Create an Azure account.
- An IoT hub.
- IoT Hub Device Provisioning Service.

Provision

1. In the Azure portal, go to your instance of the IoT Hub device provisioning service.
2. Under Settings, select Manage enrollments.
3. Select Add individual enrollment, and then complete the steps to configure the enrollment: in the Mechanism field, select X.509 as the identity attestation mechanism and choose your CA.
4. Navigate into your destination IoT Hub.
5. Create a new module issued by the same certificate.
6. Configure the micro agent to use the created module (note that the device does not have to exist yet).
7. Navigate back to DPS and provision the device through DPS.
8. Navigate to the configured device in the destination IoT Hub.


9. Create a new module for the device issued by the same CA authenticator.
10. Run the agent that you configured in step 4 to confirm it connects to the device.

Note: When using this procedure, while you don't need the device to exist before configuring the agent, you do need to know the device name in advance in order to issue the certificate for the final module correctly.

Next steps

- Configure Microsoft Defender for IoT agent-based solution
- Configure pluggable Authentication Modules (PAM) to audit sign-in events (Preview)


Create custom alerts

Article • 01/10/2023

Using custom security groups and alerts takes full advantage of the end-to-end security information and categorical device knowledge to ensure better security across your IoT solution.

Note: The Microsoft Defender for IoT legacy experience under IoT Hub has been replaced by our new Defender for IoT standalone experience, in the Defender for IoT area of the Azure portal. The legacy experience under IoT Hub will not be supported after March 31, 2023.

Why use custom alerts?

You know your IoT devices best. For customers who fully understand their expected device behavior, Defender for IoT allows you to translate this understanding into a device behavior policy and alert on any deviation from expected, normal behavior.

Security groups

Security groups enable you to define logical groups of devices, and manage their security state in a centralized way. These groups can represent devices with specific hardware, devices deployed in a certain location, or any other group suitable to your specific needs.

Security groups are defined by a device twin tag property named SecurityGroup. By default, each IoT solution on IoT Hub has one security group named default. Change the value of the SecurityGroup property to change the security group of a device. For example:

    {
        "deviceId": "VM-Contoso12",
        "etag": "AAAAAAAAAAM=",
        "deviceEtag": "ODA1BzA5QjM2",
        "status": "enabled",
        "statusUpdateTime": "0001-01-01T00:00:00",
        "connectionState": "Disconnected",
        "lastActivityTime": "0001-01-01T00:00:00",
        "cloudToDeviceMessageCount": 0,
        "authenticationType": "sas",
        "x509Thumbprint": {
            "primaryThumbprint": null,
            "secondaryThumbprint": null
        },
        "version": 4,
        "tags": {
            "SecurityGroup": "default"
        }
    }

Customize an alert

Use security groups to group your devices into logical categories. After creating the groups, assign them to the custom alerts of your choice, for the most effective end-to-end IoT security solution.

1. Open your IoT Hub and select Settings from the Security menu.
2. Select Custom alerts.
3. Choose a security group you wish to apply the customization to.
4. Select Add a custom alert.
5. Select a custom alert from the dropdown list.
6. Edit the required properties, and select OK.
7. Make sure to select SAVE. Without saving the new alert, the alert is deleted the next time you close IoT Hub.

Alerts available for customization

Defender for IoT offers a large number of alerts, which can be customized according to your specific needs. Review the customizable alert table for alert severity, data source, description, and our suggested remediation steps if and when each alert is received.

Next steps


Advance to the next article to learn how to deploy a security agent.

Deploy a security agent


Overview: Defender for IoT Defender-IoT-micro-agent for Azure RTOS

Article • 01/10/2023

The Microsoft Defender for IoT micro module provides a comprehensive security solution for devices that use Azure RTOS. It provides coverage for common threats and potential malicious activities on real-time operating system (RTOS) devices. Azure RTOS now ships with the Azure IoT Defender-IoT-micro-agent built in.

The micro module for Azure RTOS offers the following features:

- Malicious network activity detection
- Custom alert-based device behavior baselining
- Improved device security hygiene

Detect malicious network activities

Inbound and outbound network activity of each device is monitored. Supported protocols are TCP, UDP, and ICMP on IPv4 and IPv6. Defender for IoT inspects each of these network activities against the Microsoft threat intelligence feed. The feed gets updated in real time with millions of unique threat indicators collected worldwide.

Device behavior baselining based on custom alerts

Baselining allows for clustering of devices into security groups and defining the expected behavior of each group. Because IoT devices are typically designed to operate in well-defined and limited scenarios, it's easy to create a baseline that defines their expected behavior by using a set of parameters. Any deviation from the baseline triggers an alert.


Improve your device security hygiene

By using the recommended infrastructure Defender for IoT provides, you can gain knowledge and insights about issues in your environment that affect and damage the security posture of your devices. A weak IoT-device security posture can allow potential attacks to succeed if it's left unchanged. Security is always measured by the weakest link within any organization.

Get started protecting Azure RTOS devices

Defender-IoT-micro-agent for Azure RTOS is provided as a free download for your devices. The Defender for IoT cloud service is available with a 30-day trial per Azure subscription. To get started, download the Defender-IoT-micro-agent for Azure RTOS.

Next steps

In this article, you learned about the Defender-IoT-micro-agent for Azure RTOS. To learn more about the Defender-IoT-micro-agent and get started, see the following articles:

- Azure RTOS IoT Defender-IoT-micro-agent concepts
- Quickstart: Azure RTOS IoT Defender-IoT-micro-agent


Configure and customize Defender-IoT-micro-agent for Azure RTOS

Article • 01/10/2023

This article describes how to configure the Defender-IoT-micro-agent for your Azure RTOS device, to meet your network, bandwidth, and memory requirements.

Configuration steps

You must select a target distribution file that has a *.dist extension, from the netxduo/addons/azure_iot/azure_iot_security_module/configs directory.

When using a CMake compilation environment, you must set a command line parameter to IOT_SECURITY_MODULE_DIST_TARGET for the chosen value. For example, -DIOT_SECURITY_MODULE_DIST_TARGET=RTOS_BASE.

In an IAR, or other non-CMake compilation environment, you must add the netxduo/addons/azure_iot/azure_iot_security_module/inc/configs/<target distribution>/ path to any known include paths. For example, netxduo/addons/azure_iot/azure_iot_security_module/inc/configs/RTOS_BASE.

Device behavior

Use the following file to configure your device behavior:

    netxduo/addons/azure_iot/azure_iot_security_module/inc/configs/<target distribution>/asc_config.h

In a CMake compilation environment, you must change the default configuration by editing the netxduo/addons/azure_iot/azure_iot_security_module/configs/<target distribution>.dist file, using the CMake format set(ASC_XXX ON). For all other environments, edit the file netxduo/addons/azure_iot/azure_iot_security_module/inc/configs/<target distribution>/asc_config.h, for example #define ASC_XXX.

The default behavior of each configuration is provided in the following tables.

General configuration


Name | Type | Default | Details
ASC_SECURITY_MODULE_ID | String | defenderiotmicroagent | The unique identifier of the device.
SECURITY_MODULE_VERSION_(MAJOR)(MINOR)(PATCH) | Number | 3.2.1 | The version.
ASC_SECURITY_MODULE_SEND_MESSAGE_RETRY_TIME | Number | 3 | The amount of time the Defender-IoT-micro-agent will take to send the security message after a failure (in seconds).
ASC_SECURITY_MODULE_PENDING_TIME | Number | 300 | The Defender-IoT-micro-agent pending time (in seconds). The state will change to suspend if the time is exceeded.

Collection configuration

Name | Type | Default | Details
ASC_FIRST_COLLECTION_INTERVAL | Number | 30 | The collector's startup collection interval offset. During startup, the value will be added to the collection of the system in order to avoid sending messages from multiple devices simultaneously.
ASC_HIGH_PRIORITY_INTERVAL | Number | 10 | The collector's high priority group interval (in seconds).
ASC_MEDIUM_PRIORITY_INTERVAL | Number | 30 | The collector's medium priority group interval (in seconds).
ASC_LOW_PRIORITY_INTERVAL | Number | 145,440 | The collector's low priority group interval (in seconds).


Collector network activity

To customize your collector network activity configuration, use the following:

Name | Type | Default | Details
ASC_COLLECTOR_NETWORK_ACTIVITY_TCP_DISABLED | Boolean | false | Filters the TCP network activity events.
ASC_COLLECTOR_NETWORK_ACTIVITY_UDP_DISABLED | Boolean | false | Filters the UDP network activity events.
ASC_COLLECTOR_NETWORK_ACTIVITY_ICMP_DISABLED | Boolean | false | Filters the ICMP network activity events.
ASC_COLLECTOR_NETWORK_ACTIVITY_CAPTURE_UNICAST_ONLY | Boolean | true | Captures the unicast incoming packets only. When set to false, it will also capture both broadcast and multicast.
ASC_COLLECTOR_NETWORK_ACTIVITY_SEND_EMPTY_EVENTS | Boolean | false | Sends empty events of the collector.


Name | Type | Default | Details
ASC_COLLECTOR_NETWORK_ACTIVITY_MAX_IPV4_OBJECTS_IN_CACHE | Number | 64 | The maximum number of IPv4 network events to store in memory.
ASC_COLLECTOR_NETWORK_ACTIVITY_MAX_IPV6_OBJECTS_IN_CACHE | Number | 64 | The maximum number of IPv6 network events to store in memory.

Collectors

Name | Type | Default | Details
ASC_COLLECTOR_HEARTBEAT_ENABLED | Boolean | ON | Enables the heartbeat collector.
ASC_COLLECTOR_NETWORK_ACTIVITY_ENABLED | Boolean | ON | Enables the network activity collector.
ASC_COLLECTOR_SYSTEM_INFORMATION_ENABLED | Boolean | ON | Enables the system information collector.

Other configuration flags are advanced and have unsupported features. Contact support to change these, or for more information.

Supported security alerts and recommendations

The Defender-IoT-micro-agent for Azure RTOS supports specific security alerts and recommendations. Make sure to review and customize the relevant alert and recommendation values for your service.

Log Analytics (optional)


You can enable and configure Log Analytics to investigate device events and activities. Read about how to set up and use Log Analytics with the Defender for IoT service to learn more.

Next steps

- Review and customize Defender-IoT-micro-agent for Azure RTOS security alerts and recommendations.
- Refer to the Defender-IoT-micro-agent for Azure RTOS API as needed.


Defender-IoT-micro-agent for Azure RTOS

Article • 01/10/2023

Use this article to get a better understanding of the Defender-IoT-micro-agent for Azure RTOS, including features and benefits as well as links to relevant configuration and reference resources.

Azure RTOS IoT Defender-IoT-micro-agent

Defender-IoT-micro-agent for Azure RTOS provides a comprehensive security solution for Azure RTOS devices as part of the NetX Duo offering. Within the NetX Duo offering, Azure RTOS ships with the Azure IoT Defender-IoT-micro-agent built-in, and provides coverage for common threats on your real-time operating system devices once activated.

The Defender-IoT-micro-agent for Azure RTOS runs in the background, and provides a seamless user experience, while sending security messages using each customer's unique connections to their IoT Hub. The Defender-IoT-micro-agent for Azure RTOS is enabled by default.

Azure RTOS NetX Duo

Azure RTOS NetX Duo is an advanced, industrial-grade TCP/IP network stack designed specifically for deeply embedded real-time and IoT applications. Azure RTOS NetX Duo is a dual IPv4 and IPv6 network stack providing a rich set of protocols, including security and cloud. Learn more about Azure RTOS NetX Duo solutions.

Defender-IoT-micro-agent for Azure RTOS architecture

The module offers the following features:

- Detect malicious network activities
- Device behavior baselines based on custom alerts
- Improve device security hygiene


The Defender-IoT-micro-agent for Azure RTOS is initialized by the Azure IoT middleware platform and uses IoT Hub clients to send security telemetry to the Hub. The Defender-IoT-micro-agent for Azure RTOS monitors the following device activity and information using three collectors:

- Device network activity: TCP, UDP, and ICMP
- System information, such as ThreadX and NetX Duo versions
- Heartbeat events

Each collector is linked to a priority group, and each priority group has its own interval with possible values of Low, Medium, and High. The intervals affect the time interval in which the data is collected and sent. Each time interval is configurable, and the IoT connectors can be enabled and disabled in order to further customize your solution.

Supported security alerts and recommendations

The Defender-IoT-micro-agent for Azure RTOS supports specific security alerts and recommendations. Make sure to review and customize the relevant alert and recommendation values for your service after completing the initial configuration.


Ready to begin?

Defender-IoT-micro-agent for Azure RTOS is provided as a free download for your IoT devices. The Defender for IoT cloud service is available with a 30-day trial per Azure subscription. Download the Defender-IoT-micro-agent now and let's get started.

Next steps

- Get started with Defender-IoT-micro-agent for Azure RTOS prerequisites and setup.
- Learn more about Defender-IoT-micro-agent for Azure RTOS security alerts and recommendation support.
- Use the Defender-IoT-micro-agent for Azure RTOS reference API.


Defender-IoT-micro-agent for Azure RTOS security alerts and recommendations (preview)

Article • 01/10/2023

Defender-IoT-micro-agent for Azure RTOS continuously analyzes your IoT solution using advanced analytics and threat intelligence to alert you to potential malicious activity and suspicious system modifications. You can also create custom alerts based on your knowledge of expected device behavior and baselines.

A Defender-IoT-micro-agent for Azure RTOS alert acts as an indicator of potential compromise, and should be investigated and remediated. A Defender-IoT-micro-agent for Azure RTOS recommendation identifies weak security posture to be remediated and updated.

In this article, you'll find a list of built-in alerts and recommendations that are triggered based on the default ranges, and customizable with your own values, based on expected or baseline behavior. For more information on how alert customization works in the Defender for IoT service, see customizable alerts.

The specific alerts and recommendations available for customization when using the Defender-IoT-micro-agent for Azure RTOS are detailed in the following tables.

Defender-IoT-micro-agent for Azure RTOS supported security alerts

Device-related security alerts

Device-related security alert activity | Alert name
IP address | Communication with a suspicious IP address detected
X.509 device certificate thumbprint | X.509 device certificate thumbprint mismatch
X.509 certificate | X.509 certificate expired
SAS Token | Expired SAS Token
SAS Token | Invalid SAS Token signature


IoT Hub-related security alerts

IoT Hub security alert activity | Alert name
Add a certificate | Detected unsuccessful attempt to add a certificate to an IoT Hub
Addition or editing of a diagnostic setting | Detected an attempt to add or edit a diagnostic setting of an IoT Hub
Delete a certificate | Detected unsuccessful attempt to delete a certificate from an IoT Hub
Delete a diagnostic setting | Detected attempt to delete a diagnostic setting from an IoT Hub
Deleted certificate | Detected deletion of a certificate from an IoT Hub
New certificate | Detected addition of new certificate to an IoT Hub

Defender-IoT-micro-agent for Azure RTOS supported customizable alerts

Device related customizable alerts

Device related activity | Alert name
Active connections | Number of active connections is not in the allowed range
Cloud to device messages in MQTT protocol | Number of cloud to device messages in MQTT protocol is not in the allowed range
Outbound connection | Outbound connection to an IP that isn't allowed

Hub related customizable alerts

Hub related activity | Alert name
Command queue purges | Number of command queue purges outside the allowed range
Cloud to device messages in MQTT protocol | Number of Cloud to device messages in MQTT protocol outside the allowed range


Hub related activity (continued) | Alert name
Device to cloud messages in MQTT protocol | Number of device to cloud messages in MQTT protocol outside the allowed range
Direct method invokes | Number of direct method invokes outside the allowed range
Rejected cloud to device messages in MQTT protocol | Number of rejected cloud to device messages in MQTT protocol outside the allowed range
Updates to twin modules | Number of updates to twin modules outside the allowed range
Unauthorized operations | Number of unauthorized operations outside the allowed range

Defender-IoT-micro-agent for Azure RTOS supported recommendations

Device-related recommendations

Device-related activity | Recommendation name
Authentication credentials | Identical authentication credentials used by multiple devices

Hub-related recommendations

IoT Hub-related activity | Recommendation name
IP filter policy | The Default IP filter policy should be set to deny
IP filter rule | IP filter rule includes a large IP range
Diagnostics logs | Suggestion to enable diagnostics logs in IoT Hub

All Defender for IoT alerts and recommendations

For a complete list of all Defender for IoT service related alerts and recommendations, see IoT security alerts and IoT security recommendations.

Next steps


- Quickstart: Defender-IoT-micro-agent for Azure RTOS
- Configure and customize Defender-IoT-micro-agent for Azure RTOS
- Refer to the Defender-IoT-micro-agent for Azure RTOS API


Manage your IoT devices with the device inventory

Article • 01/10/2023

The device inventory can be used to view device system and network information. The search, filter, edit columns, and export tools can be used to manage this information.

Some of the benefits of the device inventory include:

- Identify all IoT and OT devices from different inputs. For example, this allows you to understand which devices in your environment aren't communicating and will require troubleshooting.
- Group and filter devices by site, type, or vendor.
- Gain visibility into each device, and investigate the different threats and alerts for each one.
- Export the entire device inventory to a CSV file for your reports.

Device inventory overview

The Device inventory gives you an overview of all devices within your environment. Here you can see the individual details of each device, and filter and order your search by various options.

The following table describes the different device properties in the device inventory.


Parameter | Description | Default value
Data source | The source of the data, such as Micro Agent, OtSensor, and Mde. | MicroAgent
Device class | The class of the device. | IoT Device
Device model | The device's model. | -
Device name | The name of the device as the sensor discovered it, or as entered by the user. | -
Device subtype | The subtype of the device, such as speaker and smart TV. | Managed Device
Device Type | The type of device, such as communication and industrial. | Miscellaneous
First seen | The date and time the device was first seen. Presented in format MM/DD/YYYY HH:MM:SS AM/PM. | -
IP Address | The IP address of the device. | -
Last Activity | The date and time the device last sent an event to the cloud. Presented in format MM/DD/YYYY HH:MM:SS AM/PM. | -
Last update time | The date and time the device last sent a system information event to the cloud. Presented in format MM/DD/YYYY HH:MM:SS AM/PM. | -
MAC Address | The MAC address of the device. | -
OS architecture | The architecture of the operating system. | -
OS distribution | The distribution of the operating system, such as Android, Linux, and Haiku. | -
OS platform | The OS of the device, if detected. | -
OS version | The version of the operating system, such as Windows 10 and Ubuntu 20.04.1. | -
Site | The site that contains this device. | -
Vendor | The name of the device's vendor, as defined in the MAC address. | -

To view the device inventory:


1. Open the Azure portal.
2. Navigate to Defender for IoT > Device inventory.

Customize the device inventory table

In the device inventory table, you can add or remove columns. You can also change the column order by dragging and dropping a field.

To customize the device inventory table:

1. Select the Edit columns button.
2. In the Edit columns tab, select the drop-down menu to change the value of a column.


3. Add a column by selecting the add column button.
4. Reorder the columns by dragging a column parameter to a new location.
5. Delete a column by selecting the delete button.
6. Select Save to save any changes made.

If you want to reset the device inventory to the default settings, in the Edit columns window, select the reset button.


Filter the device inventory

You can search and filter the device inventory to define what information the table displays. For a list of filters that can be applied to the device inventory table, see the Device inventory overview.

To filter the device inventory:

1. Select Add filter.
2. In the Add filter window, select the column drop-down menu to choose which column to filter.
3. Enter a value in the filter field to filter by.
4. Select the Apply button.

Multiple filters can be applied at one time. The filters aren't saved when you leave the Device inventory page.


View device information

To view a specific device's information, select the device; the device information window appears.

Export the device inventory to CSV

You can export your device inventory to a CSV file. Any filters that you apply to the device inventory table are applied to the export as well. Select the export button to export your current device inventory to a CSV file.

How to identify devices that have not recently communicated with the Azure cloud

If you suspect that certain devices are not actively communicating, you can check which devices have not communicated in a specified time period.

To identify all devices that have not communicated recently:

1. Open the Azure portal.
2. Navigate to Defender for IoT > Device inventory.
3. Select the Edit columns button.
4. Add a column by selecting the add column button.
5. Select Last Activity.


6. Select Save.
7. On the main Device inventory page, select Last activity to sort the page by last activity.
8. Select Add filter to add a filter on the Last activity column.
9. Enter a time period, or a custom date range, and select Apply.

See next: Welcome to Microsoft Defender for IoT for organizations
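The same stale-device check can be run offline against a CSV export of the inventory. The following script is an added example, not part of the article or of Defender for IoT: it parses the Last Activity column in the MM/DD/YYYY HH:MM:SS AM/PM format the property table describes and lists devices that have been silent longer than a chosen number of days (or have never reported). The sample rows are constructed, and the column names "Device name", "Data source" and "Last Activity" are taken from the property table above.

```python
import csv
import io
from datetime import datetime, timedelta

# Timestamp format of the Last Activity column (MM/DD/YYYY HH:MM:SS AM/PM).
LAST_ACTIVITY_FORMAT = "%m/%d/%Y %I:%M:%S %p"

# Constructed sample of an exported inventory. A real export has more
# columns; DictReader simply carries them along and they are ignored here.
SAMPLE_EXPORT = """Device name,Data source,Last Activity
pump-controller-01,MicroAgent,05/01/2023 08:15:42 AM
gateway-edge-03,MicroAgent,05/19/2023 11:02:10 PM
hmi-panel-07,OtSensor,04/02/2023 01:30:00 PM
unknown-device,OtSensor,
"""


def parse_last_activity(value):
    """Parse a Last Activity cell; an empty cell (never reported) yields None."""
    value = value.strip()
    if not value:
        return None
    return datetime.strptime(value, LAST_ACTIVITY_FORMAT)


def stale_devices(csv_text, now_text, max_age_days):
    """Return the names of devices whose last activity is older than
    max_age_days (or missing entirely), longest-silent first."""
    now = parse_last_activity(now_text)
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        last = parse_last_activity(row["Last Activity"])
        if last is None or last < cutoff:
            stale.append((last, row["Device name"]))
    # Devices with no activity at all sort first, then oldest timestamp first.
    stale.sort(key=lambda item: (item[0] is not None, item[0] or datetime.min))
    return [name for _, name in stale]


if __name__ == "__main__":
    # Evaluated as of a fixed "now" so the output is reproducible.
    for name in stale_devices(SAMPLE_EXPORT, "05/20/2023 09:00:00 AM", 14):
        print(name)
```

Devices with an empty Last Activity cell are reported first, since a device that has never sent an event is the strongest candidate for troubleshooting.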


Move an "iotsecuritysolutions" resource to another region by using the Azure portal

Article • 06/16/2022

There are various scenarios for moving an existing resource from one region to another. For example, you might want to take advantage of features and services that are only available in specific regions, to meet internal policy and governance requirements, or to respond to capacity planning requirements.

You can move a Microsoft Defender for IoT "iotsecuritysolutions" resource to a different Azure region. The "iotsecuritysolutions" resource is a hidden resource that is connected to a specific IoT hub resource and is used to enable security on the hub. Learn how to configure and create this resource.

Resource prerequisites

- Make sure that the resource is in the Azure region that you want to move from.
- An existing "iotsecuritysolutions" resource.
- Make sure that your Azure subscription allows you to create "iotsecuritysolutions" resources in the target region.
- Make sure that your subscription has enough resources to support the addition of resources for this process. For more information, see Azure subscription and service limits, quotas, and constraints.

In this section, you'll prepare for the move by finding the resource and confirming that it is in the region you want to move from.

Alert preparation

Before transitioning the resource to the new region, we recommend using Log Analytics to store alerts and raw events.

To find the resource you want to move:

1. Sign in to the Azure portal, and then select All Resources.


2. Select Show hidden types.
3. Select the Type filter, and enter iotsecuritysolutions in the search field.
4. Select Apply.
5. Select your hub from the list.
6. Ensure that you've selected the correct hub, and that it is in the region you want to move it from.

