Moving IoT Hub

You're now ready to move your resource to your new location. Follow these instructions to move your IoT Hub.

After transferring and enabling the resource, you can link it to the same Log Analytics workspace that was configured earlier.

Resource verification

In this section, you'll verify that the resource has been moved, that the connection to the IoT Hub has been enabled, and that everything is working correctly.

To verify that the resource is in the correct region:

1. Sign in to the Azure portal, and then select All Resources.
2. Select Show hidden types.
3. Select the Type filter, and enter iotsecuritysolutions in the search field.
4. Select Apply.
5. Select your hub from the list.
6. Ensure that the region has been changed.

To ensure everything is working correctly:

1. Navigate to IoT Hub > Your hub > Defender for IoT, and select Recommendations. The recommendations should have transferred and everything should be working correctly.

Don't clean up until you have finished verifying that the resource has moved and that the recommendations have transferred.

Clean up source resources

When you're ready, clean up the old resources by performing these steps:

If you haven't already, delete the old hub. This removes all of the active devices from the hub.
If you have routing resources that you moved to the new location, you can delete the old routing resources.

Next steps

In this tutorial, you moved an Azure resource from one region to another and cleaned up the source resource.

Learn more about Moving your resources to a new resource group or subscription.
Learn how to move VMs to another Azure region.
Defender for IoT micro agent troubleshooting
Article • 12/14/2022

If an unexpected error occurs, you can use these troubleshooting methods in an attempt to resolve the issue.

Service status

To view the status of the service:

1. Run the following command:

   Bash
   systemctl status defender-iot-micro-agent.service

2. Check that the service is stable by making sure it's active, and that the uptime of the process is appropriate.

If the service is listed as inactive, use the following command to start the service:

Bash
systemctl start defender-iot-micro-agent.service

You will know that the service is crashing if the process uptime is less than 2 minutes. To resolve this issue, you must review the logs.

Validate micro agent root privileges

Use the following command to verify that the Defender for IoT micro agent service is running with root privileges:

Bash
ps -aux | grep " defender-iot-micro-agent"

In the sample result, the 'defender_iot_micro_agent' entry is running with root privileges because the word 'root' appears in the user column (highlighted with a red box in the original screenshot).

Review the logs

To review the logs, use the following command:

Bash
sudo journalctl -u defender-iot-micro-agent | tail -n 200

Quick log review

If an issue occurs when the micro agent is run, you can run the micro agent in a temporary state, which will allow you to view the logs, using the following commands:

Bash
sudo systemctl stop defender-iot-micro-agent
cd /etc/defender_iot_micro_agent/
sudo ./defender_iot_micro_agent

Restart the service

To restart the service, use the following command:

Bash
sudo systemctl restart defender-iot-micro-agent

Next steps

Check out the Feature support and retirement.
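As an added example (not part of the article), the two checks from the Service status and root privileges sections, an uptime under 2 minutes and a process owner other than root, applied in Python to lines from `ps -eo user=,pid=,etimes=,comm=`; the sample lines are constructed, and the `etimes` column is the elapsed process time the article's uptime check refers to.

```python
"""Added example, not from the Microsoft article: apply the article's two
health checks (a process uptime under 2 minutes suggests the service is
crash-looping; the agent must run as root) to lines produced by
    ps -eo user=,pid=,etimes=,comm=
The sample lines below are constructed so the script runs offline."""
import subprocess

# Service name and binary name as they appear in the article; ps truncates
# the comm column to 15 characters, so matching is done on that prefix.
AGENT_NAMES = {"defender-iot-micro-agent", "defender_iot_micro_agent"}
CRASH_THRESHOLD_SECONDS = 120   # "less than 2 minutes" in the article


def parse_ps_lines(text):
    """Yield (user, pid, elapsed_seconds, comm) for the agent's process lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        user, pid, etimes, comm = fields
        if any(name == comm or (len(comm) == 15 and name.startswith(comm))
               for name in AGENT_NAMES):
            yield user, int(pid), int(etimes), comm


def triage(ps_text):
    """Return one of: not-running, wrong-user, crashing, healthy."""
    procs = list(parse_ps_lines(ps_text))
    if not procs:
        return "not-running"        # systemctl start defender-iot-micro-agent.service
    user, _pid, elapsed, _comm = procs[0]
    if user != "root":
        return "wrong-user"         # the collectors need root; see the ps check above
    if elapsed < CRASH_THRESHOLD_SECONDS:
        return "crashing"           # review: journalctl -u defender-iot-micro-agent
    return "healthy"


def triage_live():
    """Run the real ps on this host and return the same verdict as triage()."""
    out = subprocess.run(["ps", "-eo", "user=,pid=,etimes=,comm="],
                         capture_output=True, text=True, check=False).stdout
    return triage(out)


# Constructed samples (user pid etimes comm): one agent line among other processes.
SAMPLE_HEALTHY = "root 1 86400 systemd\nroot 812 86110 defender-iot-mi\n"
SAMPLE_CRASHING = "root 1 86400 systemd\nroot 9031 37 defender-iot-mi\n"
SAMPLE_WRONG_USER = "root 1 86400 systemd\niotuser 812 9000 defender_iot_mi\n"
SAMPLE_STOPPED = "root 1 86400 systemd\n"

if __name__ == "__main__":
    for label, sample in [("healthy", SAMPLE_HEALTHY), ("crashing", SAMPLE_CRASHING),
                          ("wrong-user", SAMPLE_WRONG_USER), ("stopped", SAMPLE_STOPPED)]:
        print(f"{label:>10}: {triage(sample)}")
```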
Defender-IoT-micro-agent
Article • 06/01/2022

This article explains how Defender for IoT uses device twins and modules.

Device twins

For IoT solutions built in Azure, device twins play a key role in both device management and process automation.

Defender for IoT offers full integration with your existing IoT device management platform, enabling you to manage your device security status as well as make use of existing device control capabilities. Integration is achieved by making use of the IoT Hub twin mechanism.

Learn more about the concept of Device twins in Azure IoT Hub.

Defender-IoT-micro-agent twins

Defender for IoT maintains a Defender-IoT-micro-agent twin for each device in the service. The Defender-IoT-micro-agent twin holds all the information relevant to device security for each specific device in your solution. Device security properties are maintained in a dedicated Defender-IoT-micro-agent twin for safer communication and for enabling updates and maintenance that require fewer resources.

See Create Defender-IoT-micro-agent twin and Configure security agents to learn how to create, customize, and configure the twin. See Understand and use module twins in IoT Hub to learn more about the concept of module twins in IoT Hub.

See also

- Defender for IoT overview
- Deploy security agents
- Security agent authentication methods
Microsoft Defender for IoT Edge azureiotsecurity
Article • 04/24/2022

Azure IoT Edge provides powerful capabilities to manage and perform business workflows at the edge. The key part that IoT Edge plays in IoT environments makes it particularly attractive for malicious actors.

Defender for IoT azureiotsecurity provides a comprehensive security solution for your IoT Edge devices. The Defender for IoT module collects, aggregates and analyzes raw security data from your operating system and container system into actionable security recommendations and alerts.

Similar to Defender for IoT security agents for IoT devices, the Defender for IoT Edge module is highly customizable through its module twin. See Configure your agent to learn more.

Defender for IoT azureiotsecurity for IoT Edge offers the following features:

- Collects raw security events from the underlying operating system (Linux) and the IoT Edge container systems. See Defender for IoT agent configuration to learn more about available security data collectors.
- Analysis of IoT Edge deployment manifests.
- Aggregates raw security events into messages sent through IoT Edge Hub.
- Remote configuration through use of the azureiotsecurity twin. See Configure a Defender for IoT agent to learn more.

Defender for IoT azureiotsecurity for IoT Edge runs in a privileged mode under IoT Edge. Privileged mode is required to allow the module to monitor the operating system and other IoT Edge modules.

Module supported platforms

Defender for IoT azureiotsecurity for IoT Edge is currently only available for Linux.
Next steps

In this article, you learned about the architecture and capabilities of Defender for IoT azureiotsecurity for IoT Edge. To continue getting started with Defender for IoT deployment, use the following articles:

- Deploy azureiotsecurity for IoT Edge
- Learn how to configure your Defender-IoT-micro-agent
- Learn how to Enable Defender for IoT service in your IoT Hub
- Learn more about the service from the Defender for IoT FAQ
Get started with Microsoft Defender for IoT device micro agents
Article • 04/24/2022

Defender for IoT security agents offer enhanced security capabilities, such as monitoring operating system configuration best practices. Take control of your device field threat protection and security posture with a single service.

The Defender for IoT security agents handle raw event collection from the device operating system, event aggregation to reduce cost, and configuration through a device module twin. Security messages are sent through your IoT Hub into Defender for IoT analytics services.

Deploy a security agent

Use the following workflow to deploy and test your Defender for IoT security agents:

1. Enable Defender for IoT service to your IoT Hub.
2. If your IoT Hub has no registered devices, Register a new device.
3. Create a DefenderIotMicroAgent module twin for your devices.
4. To install the agent on an Azure simulated device instead of installing on an actual device, spin up a new Azure Virtual Machine (VM).
5. Deploy a Defender for IoT security agent on your IoT device, or new VM.
6. Follow the instructions for trigger_events to run an OS baseline event.
7. Verify Defender for IoT recommendations in response to the simulated OS baseline check failure in the previous step. Begin verification 30 minutes after running the script.

Next steps

- Configure your solution
- Create Defender-IoT-micro-agents
- Configure custom alerts
Security agent authentication methods
Article • 04/24/2022

This article explains the different authentication methods you can use with the AzureIoTSecurity agent to authenticate with the IoT Hub.

For each device onboarded to Defender for IoT in the IoT Hub, a Defender-IoT-micro-agent is required. To authenticate the device, Defender for IoT can use one of two methods. Choose the method that works best for your existing IoT solution.

Authentication methods

The two methods for the Defender for IoT AzureIoTSecurity agent to perform authentication:

Defender-IoT-micro-agent authentication mode (SecurityModule option)

The agent is authenticated using the Defender-IoT-micro-agent identity, independently of the device identity. Use this authentication type if you would like the security agent to use a dedicated authentication method through the Defender-IoT-micro-agent (symmetric key only).

Device authentication mode (Device option)

In this method, the security agent first authenticates with the device identity. After the initial authentication, the Defender for IoT agent performs a REST call to the IoT Hub using the REST API with the authentication data of the device. The Defender for IoT agent then requests the Defender-IoT-micro-agent authentication method and data from the IoT Hub. In the final step, the Defender for IoT agent performs an authentication against the Defender for IoT module. Use this authentication type if you would like the security agent to reuse an existing device authentication method (self-signed certificate or symmetric key).

See Security agent installation parameters to learn how to configure.

Authentication methods known limitations

- SecurityModule authentication mode only supports symmetric key authentication.
- CA-signed certificate is not supported by Device authentication mode.
Security agent installation parameters

When deploying a security agent, authentication details must be provided as arguments. These arguments are documented in the following table.

Linux Parameter Name | Windows Parameter Name | Shorthand Parameter | Description | Options
authentication-identity | AuthenticationIdentity | aui | Authentication identity | SecurityModule or Device
authentication-method | AuthenticationMethod | aum | Authentication method | SymmetricKey or SelfSignedCertificate
file-path | FilePath | f | Absolute full path for the file containing the certificate or the symmetric key |
host-name | HostName | hn | FQDN of the IoT Hub | Example: ContosoIotHub.azure-devices.net
device-id | DeviceId | di | Device ID | Example: MyDevice1
certificate-location-kind | CertificateLocationKind | cl | Certificate storage location | LocalFile or Store

When using the install security agent script, the following configuration is performed automatically. To edit the security agent authentication manually, edit the config file.

Change authentication method after deployment

When deploying a security agent with an installation script, a configuration file is automatically created. To change authentication methods after deployment, manual editing of the configuration file is required.

C#-based security agent
Edit Authentication.config with the following parameters:

XML
<Authentication>
  <add key="deviceId" value=""/>
  <add key="gatewayHostname" value=""/>
  <add key="filePath" value=""/>
  <add key="type" value=""/>
  <add key="identity" value=""/>
  <add key="certificateLocationKind" value="" />
</Authentication>

C-based security agent

Edit LocalConfiguration.json with the following parameters:

JSON
"Authentication" : {
  "Identity" : "",
  "AuthenticationMethod" : "",
  "FilePath" : "",
  "DeviceId" : "",
  "HostName" : ""
}

See also

- Security agents overview
- Deploy security agent
- Access raw security data
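As an added example (not part of the article or the agent's own code), a Python check that reads either configuration file form above and reports settings that contradict the installation parameter table and the known limitations; mapping the XML keys "type" and "identity" to the authentication method and identity is an assumption, and the sample files are constructed.

```python
"""Added example, not from the Microsoft article: check a security agent
authentication configuration against the rules the article states, for both
the C# agent's Authentication.config (XML) and the C agent's
LocalConfiguration.json. Mapping the XML keys "type" and "identity" to the
authentication method and identity is an assumption; the sample files are
constructed."""
import json
import xml.etree.ElementTree as ET

IDENTITIES = {"SecurityModule", "Device"}
METHODS = {"SymmetricKey", "SelfSignedCertificate"}
CERT_KINDS = {"LocalFile", "Store"}


def validate_auth(identity, method, file_path, device_id, host_name, cert_kind=None):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if identity not in IDENTITIES:
        problems.append(f"identity must be SecurityModule or Device, got {identity!r}")
    if method not in METHODS:
        problems.append(f"method must be SymmetricKey or SelfSignedCertificate, got {method!r}")
    # Known limitation: the SecurityModule identity only supports symmetric keys.
    if identity == "SecurityModule" and method == "SelfSignedCertificate":
        problems.append("SecurityModule authentication mode supports SymmetricKey only")
    # The parameter table asks for the absolute path of the key or certificate file.
    is_absolute = bool(file_path) and (file_path.startswith("/") or file_path[1:3] == ":\\")
    if not is_absolute:
        problems.append("file-path must be the absolute path of the key or certificate file")
    if not device_id:
        problems.append("device-id is required")
    if not host_name or "." not in host_name:
        problems.append("host-name must be the IoT Hub FQDN, e.g. ContosoIotHub.azure-devices.net")
    # A certificate needs a storage location (LocalFile or Store).
    if method == "SelfSignedCertificate" and cert_kind not in CERT_KINDS:
        problems.append("certificate-location-kind must be LocalFile or Store for certificates")
    return problems


def validate_csharp_config(xml_text):
    """Authentication.config: <Authentication><add key=".." value=".."/>...</Authentication>"""
    root = ET.fromstring(xml_text)
    kv = {e.get("key"): (e.get("value") or None) for e in root.findall("add")}
    return validate_auth(kv.get("identity"), kv.get("type"), kv.get("filePath"),
                         kv.get("deviceId"), kv.get("gatewayHostname"),
                         kv.get("certificateLocationKind"))


def validate_c_config(json_text):
    """LocalConfiguration.json: the "Authentication" object."""
    auth = json.loads(json_text)["Authentication"]
    return validate_auth(auth.get("Identity"), auth.get("AuthenticationMethod"),
                         auth.get("FilePath"), auth.get("DeviceId"), auth.get("HostName"))


# Constructed samples: a consistent C# config, and a C config that breaks the
# SecurityModule limitation and uses a relative path.
SAMPLE_XML = """<Authentication>
  <add key="deviceId" value="MyDevice1"/>
  <add key="gatewayHostname" value="ContosoIotHub.azure-devices.net"/>
  <add key="filePath" value="/etc/defender/device.key"/>
  <add key="type" value="SymmetricKey"/>
  <add key="identity" value="Device"/>
  <add key="certificateLocationKind" value=""/>
</Authentication>"""

SAMPLE_JSON = """{"Authentication": {
  "Identity": "SecurityModule",
  "AuthenticationMethod": "SelfSignedCertificate",
  "FilePath": "certs/module.pem",
  "DeviceId": "MyDevice1",
  "HostName": "ContosoIotHub.azure-devices.net"
}}"""

if __name__ == "__main__":
    print("C# config:", validate_csharp_config(SAMPLE_XML) or "ok")
    for problem in validate_c_config(SAMPLE_JSON):
        print("C config :", problem)
```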
Microsoft Defender for IoT baseline and custom checks
Article • 06/02/2022

This article explains Defender for IoT baseline, and summarizes all associated properties of baseline custom checks.

Baseline

A baseline establishes standard behavior for each device and makes it easier to establish unusual behavior or deviation from expected norms.

Baseline custom checks

Baseline custom checks establish a custom list of checks for each device baseline using the Module identity twin of the device.

Setting baseline properties

To configure baseline custom checks:

1. In your IoT Hub, locate and select the device you wish to change.
2. Select the device, and then select the azureiotsecurity module.
3. Select Module Identity Twin.
4. Upload the baseline custom checks file to the device.
5. Add baseline properties to the Defender-IoT-micro-agent and select Save.

Baseline custom check file example

JSON
"desired": {
  "ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration": {
    "baselineCustomChecksEnabled": {
      "value" : true
    },
    "baselineCustomChecksFilePath": {
      "value" : "/home/user/full_path.xml"
    },
    "baselineCustomChecksFileHash": {
      "value" : "#hashexample!"
    }
  }
},

Baseline custom check properties

Name | Status | Valid values | Default values | Description
baselineCustomChecksEnabled | Required: true | Boolean | false | Max time interval before high priority messages is sent.
baselineCustomChecksFilePath | Required: true | String, null | null | Full path of the baseline xml configuration
baselineCustomChecksFileHash | Required: true | String, null | null | sha256sum of the xml configuration file. Use the sha256sum reference for additional information.

To review additional baseline examples, see custom baseline example -1 and custom baseline example -2.

Next steps

- Access your raw security data
- Investigate a device
- Understand and explore security recommendations
- Understand and explore security alerts
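As an added example (not part of the article), Python that builds the desired-properties patch shown above with a real SHA-256 value in baselineCustomChecksFileHash, and checks an existing patch against the file's current bytes so a silently edited checks file is caught before the twin is saved; the baseline XML content is a constructed stand-in, not a real checks file.

```python
"""Added example, not from the Microsoft article: build the module twin
desired-properties patch from the article's baseline custom check example,
computing baselineCustomChecksFileHash the way `sha256sum` does, and check an
existing patch against the file on disk. The baseline XML below is a
constructed stand-in, not a real checks file."""
import hashlib
import json

CONFIG_KEY = "ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration"


def sha256sum(data: bytes) -> str:
    """Lowercase hex digest, identical to the first column of `sha256sum <file>`."""
    return hashlib.sha256(data).hexdigest()


def build_baseline_patch(file_path: str, file_bytes: bytes, enabled: bool = True) -> dict:
    """Desired properties that enable custom checks for the file at `file_path`."""
    return {
        "desired": {
            CONFIG_KEY: {
                "baselineCustomChecksEnabled": {"value": enabled},
                "baselineCustomChecksFilePath": {"value": file_path},
                "baselineCustomChecksFileHash": {"value": sha256sum(file_bytes)},
            }
        }
    }


def verify_baseline_patch(patch: dict, file_bytes: bytes) -> list:
    """Problems found when checking a patch against the current file contents."""
    cfg = patch.get("desired", {}).get(CONFIG_KEY, {})
    problems = []
    enabled = cfg.get("baselineCustomChecksEnabled", {}).get("value")
    if not isinstance(enabled, bool):
        problems.append("baselineCustomChecksEnabled must be a boolean")
    path = cfg.get("baselineCustomChecksFilePath", {}).get("value")
    if not path or not path.startswith("/"):
        problems.append("baselineCustomChecksFilePath must be the full path of the xml file")
    if cfg.get("baselineCustomChecksFileHash", {}).get("value") != sha256sum(file_bytes):
        problems.append("baselineCustomChecksFileHash does not match the file: "
                        "the file was edited or the twin is stale")
    return problems


# Constructed sample file content, and a copy with one check changed.
BASELINE_XML = b"<baseline><check id='constructed-1'/></baseline>\n"
TAMPERED_XML = BASELINE_XML.replace(b"constructed-1", b"constructed-2")

if __name__ == "__main__":
    patch = build_baseline_patch("/home/user/full_path.xml", BASELINE_XML)
    print(json.dumps(patch, indent=2))
    print("unchanged file:", verify_baseline_patch(patch, BASELINE_XML) or "ok")
    print("tampered file :", verify_baseline_patch(patch, TAMPERED_XML))
```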
Azure security baseline for Microsoft Defender for IoT
Article • 10/12/2022

This security baseline applies guidance from the Microsoft cloud security benchmark version 1.0 to Microsoft Defender for IoT. The Microsoft cloud security benchmark provides recommendations on how you can secure your cloud solutions on Azure. The content is grouped by the security controls defined by the Microsoft cloud security benchmark and the related guidance applicable to Microsoft Defender for IoT.

You can monitor this security baseline and its recommendations using Microsoft Defender for Cloud. Azure Policy definitions will be listed in the Regulatory Compliance section of the Microsoft Defender for Cloud dashboard.

When a feature has relevant Azure Policy Definitions, they are listed in this baseline to help you measure compliance to the Microsoft cloud security benchmark controls and recommendations. Some recommendations may require a paid Microsoft Defender plan to enable certain security scenarios.

Note: Features not applicable to Microsoft Defender for IoT have been excluded. To see how Microsoft Defender for IoT completely maps to the Microsoft cloud security benchmark, see the full Microsoft Defender for IoT security baseline mapping file.

Security profile

The security profile summarizes high-impact behaviors of Microsoft Defender for IoT, which may result in increased security considerations.

Service Behavior Attribute | Value
Product Category | IoT, Security
Customer can access HOST / OS | No Access
Service can be deployed into customer's virtual network | False
Stores customer content at rest | True
Network security

For more information, see the Microsoft cloud security benchmark: Network security.

NS-1: Establish network segmentation boundaries

Features

Virtual Network Integration

Description: Service supports deployment into customer's private Virtual Network (VNet). Learn more.

Supported: False | Enabled By Default: Not Applicable | Configuration Responsibility: Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

Identity management

For more information, see the Microsoft cloud security benchmark: Identity management.

IM-1: Use centralized identity and authentication system

Features

Azure AD Authentication Required for Data Plane Access

Description: Service supports using Azure AD authentication for data plane access. Learn more.

Supported: True | Enabled By Default: True | Configuration Responsibility: Microsoft

Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.

Reference: About Defender for IoT console users
Local Authentication Methods for Data Plane Access

Description: Local authentication methods supported for data plane access, such as a local username and password. Learn more.

Supported: False | Enabled By Default: Not Applicable | Configuration Responsibility: Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

IM-7: Restrict resource access based on conditions

Features

Conditional Access for Data Plane

Description: Data plane access can be controlled using Azure AD Conditional Access Policies. Learn more.

Supported: True | Enabled By Default: True | Configuration Responsibility: Microsoft

Feature notes: Access to the data plane is provisioned through ARM, and controlled by the RBAC model.

Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.

IM-8: Restrict the exposure of credential and secrets

Features

Service Credential and Secrets Support Integration and Storage in Azure Key Vault

Description: Data plane supports native use of Azure Key Vault for credential and secrets store. Learn more.

Supported: False | Enabled By Default: Not Applicable | Configuration Responsibility: Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

Privileged access

For more information, see the Microsoft cloud security benchmark: Privileged access.

PA-1: Separate and limit highly privileged/administrative users

Features

Local Admin Accounts

Description: Service has the concept of a local administrative account. Learn more.

Supported: False | Enabled By Default: Not Applicable | Configuration Responsibility: Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

PA-7: Follow just enough administration (least privilege) principle

Features

Azure RBAC for Data Plane

Description: Azure Role-Based Access Control (Azure RBAC) can be used to manage access to service's data plane actions. Learn more.

Supported: False | Enabled By Default: Not Applicable | Configuration Responsibility: Not Applicable

Configuration Guidance: This feature is not supported to secure this service.
PA-8: Determine access process for cloud provider support

Features

Customer Lockbox

Description: Customer Lockbox can be used for Microsoft support access. Learn more.

Supported: False | Enabled By Default: Not Applicable | Configuration Responsibility: Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

Data protection

For more information, see the Microsoft cloud security benchmark: Data protection.

DP-1: Discover, classify, and label sensitive data

Features

Sensitive Data Discovery and Classification

Description: Tools (such as Azure Purview or Azure Information Protection) can be used for data discovery and classification in the service. Learn more.

Supported: False | Enabled By Default: Not Applicable | Configuration Responsibility: Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

DP-2: Monitor anomalies and threats targeting sensitive data

Features
Data Leakage/Loss Prevention

Description: Service supports DLP solution to monitor sensitive data movement (in customer's content). Learn more.

Supported: False | Enabled By Default: Not Applicable | Configuration Responsibility: Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

DP-3: Encrypt sensitive data in transit

Features

Data in Transit Encryption

Description: Service supports data in-transit encryption for data plane. Learn more.

Supported: True | Enabled By Default: True | Configuration Responsibility: Microsoft

Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.

DP-4: Enable data at rest encryption by default

Features

Data at Rest Encryption Using Platform Keys

Description: Data at-rest encryption using platform keys is supported; any customer content at rest is encrypted with these Microsoft managed keys. Learn more.

Supported: True | Enabled By Default: True | Configuration Responsibility: Microsoft

Configuration Guidance: No additional configurations are required as this is enabled on a default deployment.
DP-5: Use customer-managed key option in data at rest encryption when required

Features

Data at Rest Encryption Using CMK

Description: Data at-rest encryption using customer-managed keys is supported for customer content stored by the service. Learn more.

Supported: False | Enabled By Default: Not Applicable | Configuration Responsibility: Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

DP-6: Use a secure key management process

Features

Key Management in Azure Key Vault

Description: The service supports Azure Key Vault integration for any customer keys, secrets, or certificates. Learn more.

Supported: False | Enabled By Default: Not Applicable | Configuration Responsibility: Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

DP-7: Use a secure certificate management process

Features

Certificate Management in Azure Key Vault

Description: The service supports Azure Key Vault integration for any customer certificates. Learn more.

Supported: False | Enabled By Default: Not Applicable | Configuration Responsibility: Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

Asset management

For more information, see the Microsoft cloud security benchmark: Asset management.

AM-2: Use only approved services

Features

Azure Policy Support

Description: Service configurations can be monitored and enforced via Azure Policy. Learn more.

Supported: False | Enabled By Default: Not Applicable | Configuration Responsibility: Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

Logging and threat detection

For more information, see the Microsoft cloud security benchmark: Logging and threat detection.

LT-1: Enable threat detection capabilities

Features

Microsoft Defender for Service / Product Offering

Description: Service has an offering-specific Microsoft Defender solution to monitor and alert on security issues. Learn more.

Supported: False | Enabled By Default: Not Applicable | Configuration Responsibility: Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

LT-4: Enable logging for security investigation

Features

Azure Resource Logs

Description: Service produces resource logs that can provide enhanced service-specific metrics and logging. The customer can configure these resource logs and send them to their own data sink like a storage account or log analytics workspace. Learn more.

Supported: False | Enabled By Default: Not Applicable | Configuration Responsibility: Not Applicable

Configuration Guidance: This feature is not supported to secure this service.

Backup and recovery

For more information, see the Microsoft cloud security benchmark: Backup and recovery.

BR-1: Ensure regular automated backups

Features

Service Native Backup Capability

Description: Service supports its own native backup capability (if not using Azure Backup). Learn more.

Supported: False | Enabled By Default: Not Applicable | Configuration Responsibility: Not Applicable

Configuration Guidance: This feature is not supported to secure this service.
Next steps

- See the Microsoft cloud security benchmark overview
- Learn more about Azure security baselines
Defender-IoT-micro-agent legacy event aggregation
Article • 04/24/2022

Defender for IoT security agents collect data and system events from your local device and send this data to the Azure cloud for processing and analytics. The security agent collects many types of device events, including new process and new connection events. Both new process and new connection events may legitimately occur frequently on a device within a second, and while important for robust and comprehensive security, the number of messages the security agents are forced to send may quickly reach or exceed your IoT Hub quota and cost limits. However, these events contain highly valuable security information that is crucial to protecting your device.

To reduce the extra quota and costs while keeping your devices protected, Defender for IoT agents aggregate these types of events.

Event aggregation is On by default, and although not recommended, can be manually turned Off at any time.

Aggregation is currently available for the following types of events:

- ProcessCreate
- ConnectionCreate
- ProcessTerminate (Windows only)

How does event aggregation work?

When event aggregation is left On, Defender for IoT agents aggregate events for the interval period or time window. Once the interval period has passed, the agent sends the aggregated events to the Azure cloud for further analysis. The aggregated events are stored in memory until being sent to the Azure cloud.

To reduce the memory footprint of the agent, whenever the agent collects an event identical to one that is already being kept in memory, the agent increases the hit count of this specific event. When the aggregation time window passes, the agent sends the hit count of each specific type of event that occurred. Event aggregation is simply the aggregation of the hit counts of each collected type of event.

Events are considered identical only when the following conditions are met:
- ProcessCreate events - when commandLine, executable, username, and userid are identical
- ConnectionCreate events - when commandLine, userId, direction, local address, remote address, protocol, and destination port are identical
- ProcessTerminate events - when executable and exit status are identical

Working with aggregated events

During aggregation, event properties that are not aggregated are discarded, and appear in Log Analytics with a value of 0:

- ProcessCreate events - processId and parentProcessId are set to 0
- ConnectionCreate events - processId and source port are set to 0

Event aggregation-based alerts

After analysis, Defender for IoT creates security alerts for suspicious aggregated events. Alerts created from aggregated events appear only once for each aggregated event.

Aggregation start time, end time, and hit count for each event are logged in the event ExtraDetails field within Log Analytics for use during investigations.

Each aggregated event represents a 24-hour period of collected alerts. Using the event options menu on the upper left of each event, you can dismiss each individual aggregated event.

Event aggregation twin configuration

Make changes to the configuration of Defender for IoT event aggregation inside the agent configuration object of the module twin identity of the azureiotsecurity module.

Configuration name | Possible values | Details | Remarks
aggregationEnabledProcessCreate | boolean | Enable / disable event aggregation for process create events |
aggregationIntervalProcessCreate | ISO8601 Timespan string | Aggregation interval for process create events |
aggregationEnabledConnectionCreate | boolean | Enable / disable event aggregation for connection create events |
aggregationIntervalConnectionCreate | ISO8601 Timespan string | Aggregation interval for connection create events |
aggregationEnabledProcessTerminate | boolean | Enable / disable event aggregation for process terminate events | Windows only
aggregationIntervalProcessTerminate | ISO8601 Timespan string | Aggregation interval for process terminate events | Windows only

Default configurations settings

Configuration name | Default values
aggregationEnabledProcessCreate | true
aggregationIntervalProcessCreate | "PT1H"
aggregationEnabledConnectionCreate | true
aggregationIntervalConnectionCreate | "PT1H"
aggregationEnabledProcessTerminate | true
aggregationIntervalProcessTerminate | "PT1H"

Next steps

In this article, you learned about Defender for IoT security agent aggregation, and the available event configuration options. To continue getting started with Defender for IoT deployment, use the following articles:

- Understand Security agent authentication methods
- Select and deploy a security agent
- Learn how to Enable Defender for IoT service in your IoT Hub
- Learn more about the service from the Defender for IoT FAQ
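As an added example (not the agent's code), a Python model of the aggregation described in this article: events are keyed on the fields that make them identical, the discarded fields are reported as 0, hit counts accumulate, and the window length is read from the twin configuration's ISO 8601 timespan (default "PT1H"); the event records are constructed samples.

```python
"""Added example, not from the Microsoft article: a model of the legacy agent's
event aggregation as the article describes it. Events are keyed on the fields
that make them "identical", the non-aggregated fields are reported as 0, hit
counts accumulate, and the window length comes from the twin's ISO 8601
timespan (default "PT1H"). The events below are constructed samples."""
import re

# Fields that must match for two events to count as identical (from the article).
IDENTITY_FIELDS = {
    "ProcessCreate": ("commandLine", "executable", "username", "userId"),
    "ConnectionCreate": ("commandLine", "userId", "direction", "localAddress",
                         "remoteAddress", "protocol", "destinationPort"),
    "ProcessTerminate": ("executable", "exitStatus"),
}
# Fields that are discarded during aggregation and show up as 0 in Log Analytics.
ZEROED_FIELDS = {
    "ProcessCreate": ("processId", "parentProcessId"),
    "ConnectionCreate": ("processId", "sourcePort"),
    "ProcessTerminate": (),
}


def parse_timespan(value):
    """Seconds in an ISO 8601 timespan such as PT1H, PT30M, PT1H30M or PT45S."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", value or "")
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported ISO 8601 timespan: {value!r}")
    hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return hours * 3600 + minutes * 60 + seconds


class EventAggregator:
    """In-memory aggregation per event type, driven by the twin configuration."""

    def __init__(self, twin_config=None):
        self.config = twin_config or {}
        self.buckets = {etype: {} for etype in IDENTITY_FIELDS}   # key -> aggregated event
        self.window_start = {}                                     # etype -> timestamp

    def enabled(self, etype):
        return bool(self.config.get(f"aggregationEnabled{etype}", True))

    def interval(self, etype):
        return parse_timespan(self.config.get(f"aggregationInterval{etype}", "PT1H"))

    def collect(self, etype, event, now):
        """Collect one event; returns the messages that became ready to send."""
        if not self.enabled(etype):
            return [dict(event, eventType=etype)]      # aggregation Off: send as-is
        ready = self.flush(etype, now) if self.window_elapsed(etype, now) else []
        self.window_start.setdefault(etype, now)
        key = tuple(event.get(f) for f in IDENTITY_FIELDS[etype])
        bucket = self.buckets[etype].get(key)
        if bucket is None:
            bucket = dict(event, eventType=etype, hitCount=0,
                          aggregationStart=self.window_start[etype])
            for field in ZEROED_FIELDS[etype]:
                bucket[field] = 0                      # discarded, logged as 0
            self.buckets[etype][key] = bucket
        bucket["hitCount"] += 1                        # identical event: bump the count only
        return ready

    def window_elapsed(self, etype, now):
        start = self.window_start.get(etype)
        return start is not None and now - start >= self.interval(etype)

    def flush(self, etype, now):
        """Close the window for `etype` and return its aggregated events."""
        out = []
        for bucket in self.buckets[etype].values():
            bucket["aggregationEnd"] = now
            out.append(bucket)
        self.buckets[etype] = {}
        self.window_start.pop(etype, None)
        return out


# Constructed sample: the same command run 3 times under different PIDs within one hour.
SAMPLE_EVENTS = [
    (0, {"commandLine": "curl -s https://updates.example/manifest",
         "executable": "/usr/bin/curl", "username": "svc", "userId": 1001,
         "processId": 4100 + i, "parentProcessId": 900})
    for i in range(3)
]


def run_sample():
    """Feed the samples, then one more event an hour later so the window closes."""
    agg = EventAggregator({"aggregationIntervalProcessCreate": "PT1H"})
    for t, ev in SAMPLE_EVENTS:
        agg.collect("ProcessCreate", ev, now=t)
    return agg.collect("ProcessCreate", dict(SAMPLE_EVENTS[0][1]), now=3600)


if __name__ == "__main__":
    for msg in run_sample():
        print(msg)
```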
Legacy Defender for IoT devices security alerts
Article • 01/10/2023

Note: The Microsoft Defender for IoT legacy agent has been replaced by our newer micro-agent experience. For more information, see Tutorial: Investigate security alerts. As of March 31, 2022, the legacy agent is sunset and no new features are being developed. The legacy agent will be fully retired on March 31, 2023, at which point we will no longer provide bug fixes or other support for the legacy agent.

Defender for IoT continuously analyzes your IoT solution using advanced analytics and threat intelligence to alert you to malicious activity. In addition, you can create custom alerts based on your knowledge of expected device behavior. An alert acts as an indicator of potential compromise, and should be investigated and remediated.

In this article, you will find a list of built-in alerts, which can be triggered on your IoT devices. In addition to built-in alerts, Defender for IoT allows you to define custom alerts based on expected IoT Hub and/or device behavior. For more information, see customizable alerts.

Agent based security alerts

High severity
Binary Command Line
Severity: High | Data source: Legacy Defender-IoT-micro-agent
Description: A Linux binary being called/executed from the command line was detected. This process may be legitimate activity, or an indication that your device is compromised.
Suggested remediation steps: Review the command with the user that ran it and check if this is something legitimately expected to run on the device. If not, escalate the alert to your information security team.

Disable firewall
Severity: High | Data source: Legacy Defender-IoT-micro-agent
Description: Possible manipulation of on-host firewall detected. Malicious actors often disable the on-host firewall in an attempt to exfiltrate data.
Suggested remediation steps: Review with the user that ran the command to confirm if this was legitimate expected activity on the device. If not, escalate the alert to your information security team.

Port forwarding detection
Severity: High | Data source: Legacy Defender-IoT-micro-agent
Description: Initiation of port forwarding to an external IP address detected.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.
Possible attempt to disable Auditd logging detected
Severity: High | Data source: Legacy Defender-IoT-micro-agent
Description: The Linux Auditd system provides a way to track security-relevant information on the system. The system records as much information about the events that are happening on your system as possible. This information is crucial for mission-critical environments to determine who violated the security policy and the actions they performed. Disabling Auditd logging may prevent your ability to discover violations of security policies used on the system.
Suggested remediation steps: Check with the device owner if this was legitimate activity with business reasons. If not, this event may be hiding activity by malicious actors. Immediately escalate the incident to your information security team.

Reverse shells
Severity: High | Data source: Legacy Defender-IoT-micro-agent
Description: Analysis of host data on a device detected a potential reverse shell. Reverse shells are often used to get a compromised machine to call back into a machine controlled by a malicious actor.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.
Name Severity Data Source Description Suggested remediation steps Successful Bruteforce attempt High Legacy DefenderIoTmicroagent Multiple unsuccessful login attempts were identified, followed by a successful login. Attempted Brute force attack may have succeeded on the device. Review SSH Brute force alert and the activity on the devices. If the activity was malicious: Roll out password reset for compromised accounts. Investigate and remediate (if found) devices for malware. Successful local login High Legacy DefenderIoTmicroagent Successful local sign in to the device detected Make sure the signed in user is an authorized party. Web shell High Legacy DefenderIoTmicroagent Possible web shell detected. Malicious actors commonly upload a web shell to a compromised machine to gain persistence or for further exploitation. Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. Medium severity
| Name | Severity | Data Source | Description | Suggested remediation steps |
|---|---|---|---|---|
| Behavior similar to common Linux bots detected | Medium | Legacy Defender-IoT-micro-agent | Execution of a process normally associated with common Linux botnets detected. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
| Behavior similar to Fairware ransomware detected | Medium | Legacy Defender-IoT-micro-agent | Execution of rm -rf commands applied to suspicious locations detected using analysis of host data. Because rm -rf recursively deletes files, it is normally only used on discrete folders. In this case, it is being used in a location that could remove a large amount of data. Fairware ransomware is known to execute rm -rf commands in this folder. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
| Behavior similar to ransomware detected | Medium | Legacy Defender-IoT-micro-agent | Execution of files similar to known ransomware that may prevent users from accessing their system or personal files, and may demand ransom payment to regain access. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
| Crypto coin miner container image detected | Medium | Legacy Defender-IoT-micro-agent | A container running a known digital currency mining image was detected. | 1. If this behavior is not intended, delete the relevant container image. 2. Make sure that the Docker daemon is not accessible via an unsafe TCP socket. 3. Escalate the alert to the information security team. |
| Crypto coin miner image | Medium | Legacy Defender-IoT-micro-agent | Execution of a process normally associated with digital currency mining detected. | Verify with the user that ran the command if this was legitimate activity on the device. If not, escalate the alert to the information security team. |
| Detected suspicious use of the nohup command | Medium | Legacy Defender-IoT-micro-agent | Suspicious use of the nohup command on the host detected. Malicious actors commonly run the nohup command from a temporary directory, effectively allowing their executables to run in the background. Seeing this command run on files located in a temporary directory is not expected or usual behavior. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
| Detected suspicious use of the useradd command | Medium | Legacy Defender-IoT-micro-agent | Suspicious use of the useradd command detected on the device. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
| Exposed Docker daemon by TCP socket | Medium | Legacy Defender-IoT-micro-agent | Machine logs indicate that your Docker daemon (dockerd) exposes a TCP socket. By default, the Docker configuration does not use encryption or authentication when a TCP socket is enabled. The default Docker configuration enables full access to the Docker daemon by anyone with access to the relevant port. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
| Failed local login | Medium | Legacy Defender-IoT-micro-agent | A failed local login attempt to the device was detected. | Make sure no unauthorized party has physical access to the device. |
| File downloads from a known malicious source detected | Medium | Legacy Defender-IoT-micro-agent | Download of a file from a known malware source detected. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
| htaccess file access detected | Medium | Legacy Defender-IoT-micro-agent | Analysis of host data detected possible manipulation of an htaccess file. Htaccess is a powerful configuration file that allows you to make multiple changes to a web server running Apache Web software, including basic redirect functionality, and more advanced functions, such as basic password protection. Malicious actors often modify htaccess files on compromised machines to gain persistence. | Confirm this is legitimate expected activity on the host. If not, escalate the alert to your information security team. |
| Known attack tool | Medium | Legacy Defender-IoT-micro-agent | A tool often associated with malicious users attacking other machines in some way was detected. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
| IoT agent attempted and failed to parse the module twin configuration | Medium | Legacy Defender-IoT-micro-agent | The Defender for IoT security agent failed to parse the module twin configuration due to type mismatches in the configuration object. | Validate your module twin configuration against the IoT agent configuration schema, and fix all mismatches. |
| Local host reconnaissance detected | Medium | Legacy Defender-IoT-micro-agent | Execution of a command normally associated with common Linux bot reconnaissance detected. | Review the suspicious command line to confirm that it was executed by a legitimate user. If not, escalate the alert to your information security team. |
| Mismatch between script interpreter and file extension | Medium | Legacy Defender-IoT-micro-agent | A mismatch between the script interpreter and the extension of the script file provided as input was detected. This type of mismatch is commonly associated with attacker script executions. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
| Possible backdoor detected | Medium | Legacy Defender-IoT-micro-agent | A suspicious file was downloaded and then run on a host in your subscription. This type of activity is commonly associated with the installation of a backdoor. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
| Potential loss of data detected | Medium | Legacy Defender-IoT-micro-agent | Possible data egress condition detected using analysis of host data. Malicious actors often egress data from compromised machines. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
| Potential overriding of common files | Medium | Legacy Defender-IoT-micro-agent | A common executable was overwritten on the device. Malicious actors are known to overwrite common files as a way to hide their actions or as a way to gain persistence. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
| Privileged container detected | Medium | Legacy Defender-IoT-micro-agent | Machine logs indicate that a privileged Docker container is running. A privileged container has full access to host resources. If compromised, a malicious actor can use the privileged container to gain access to the host machine. | If the container doesn't need to run in privileged mode, remove the privileges from the container. |
| Removal of system logs files detected | Medium | Legacy Defender-IoT-micro-agent | Suspicious removal of log files on the host detected. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
| Space after filename | Medium | Legacy Defender-IoT-micro-agent | Execution of a process with a suspicious extension detected using analysis of host data. Suspicious extensions may trick users into thinking files are safe to be opened and can indicate the presence of malware on the system. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
| Suspected malicious credentials access tools detected | Medium | Legacy Defender-IoT-micro-agent | Usage of a tool commonly associated with malicious attempts to access credentials was detected. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
| Suspicious compilation detected | Medium | Legacy Defender-IoT-micro-agent | Suspicious compilation detected. Malicious actors often compile exploits on a compromised machine to escalate privileges. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
| Suspicious file download followed by file run activity | Medium | Legacy Defender-IoT-micro-agent | Analysis of host data detected a file that was downloaded and run in the same command. This technique is commonly used by malicious actors to get infected files onto victim machines. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
| Suspicious IP address communication | Medium | Legacy Defender-IoT-micro-agent | Communication with a suspicious IP address detected. | Verify if the connection is legitimate. Consider blocking communication with the suspicious IP. |

Low severity
| Name | Severity | Data Source | Description | Suggested remediation steps |
|---|---|---|---|---|
| Bash history cleared | Low | Legacy Defender-IoT-micro-agent | Bash history log cleared. Malicious actors commonly erase bash history to hide their own commands from appearing in the logs. | Review the activity in this alert with the user that ran the command to see if you recognize it as legitimate administrative activity. If not, escalate the alert to the information security team. |
| Device silent | Low | Legacy Defender-IoT-micro-agent | The device has not sent any telemetry data in the last 72 hours. | Make sure the device is online and sending data. Check that the Azure Security Agent is running on the device. |
| Failed Bruteforce attempt | Low | Legacy Defender-IoT-micro-agent | Multiple unsuccessful login attempts identified. A potential brute force attack attempt failed on the device. | Review SSH Brute force alerts and the activity on the device. No further action required. |
| Local user added to one or more groups | Low | Legacy Defender-IoT-micro-agent | A new local user was added to a group on this device. Changes to user groups are uncommon, and can indicate a malicious actor may be collecting extra permissions. | Verify if the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your Information Security team. |
| Local user deleted from one or more groups | Low | Legacy Defender-IoT-micro-agent | A local user was deleted from one or more groups. Malicious actors are known to use this method in an attempt to deny access to legitimate users or to delete the history of their actions. | Verify if the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your Information Security team. |
| Local user deletion detected | Low | Legacy Defender-IoT-micro-agent | Deletion of a local user detected. Local user deletion is uncommon; a malicious actor may be trying to deny access to legitimate users or to delete the history of their actions. | Verify if the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your Information Security team. |

Next steps

- Defender for IoT service Overview
- Learn how to Access your security data
- Learn more about Investigating a device
Defender for IoT devices custom security alerts Article • 04/24/2022

Defender for IoT continuously analyzes your IoT solution using advanced analytics and threat intelligence to alert you to malicious activity. We encourage you to create custom alerts based on your knowledge of expected device behavior, so that alerts act as the most efficient indicators of potential compromise in your unique organizational deployment and landscape.

The following lists of Defender for IoT alerts are definable by you based on your expected IoT device behavior. For more information about how to customize each alert, see create custom alerts.

Agent-based security custom alerts

| Severity | Alert name | Data source | Description | Suggested remediation |
|---|---|---|---|---|
| Low | Custom alert - The number of active connections is outside the allowed range | Legacy Defender-IoT-micro-agent, Azure RTOS | The number of active connections within a specific time window is outside the currently configured and allowable range. | Investigate the device logs. Learn where the connection originated and determine if it is benign or malicious. If malicious, remove possible malware and understand the source. If benign, add the source to the allowed connection list. |
| Low | Custom alert - The outbound connection created to an IP that isn't allowed | Legacy Defender-IoT-micro-agent, Azure RTOS | An outbound connection was created to an IP that is outside your allowed IP list. | Investigate the device logs. Learn where the connection originated and determine if it is benign or malicious. If malicious, remove possible malware and understand the source. If benign, add the source to the allowed IP list. |
| Low | Custom alert - The number of failed local logins is outside the allowed range | Legacy Defender-IoT-micro-agent, Azure RTOS | The number of failed local logins within a specific time window is outside the currently configured and allowable range. | |
| Low | Custom alert - The sign in of a user that is not on the allowed user list | Legacy Defender-IoT-micro-agent, Azure RTOS | A local user outside your allowed user list logged in to the device. | If you are saving raw data, navigate to your log analytics account and use the data to investigate the device, identify the source, and then fix the allow/block list for those settings. If you are not currently saving raw data, go to the device and fix the allow/block list for those settings. |
| Low | Custom alert - A process was executed that is not allowed | Legacy Defender-IoT-micro-agent, Azure RTOS | A process that is not allowed was executed on the device. | If you are saving raw data, navigate to your log analytics account and use the data to investigate the device, identify the source, and then fix the allow/block list for those settings. If you are not currently saving raw data, go to the device and fix the allow/block list for those settings. |

Next steps

- Learn how to customize an alert
- Defender for IoT service Overview
- Learn how to Access your security data
- Learn more about Investigating a device
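The five custom alerts in the table above are range checks over a time window plus allowlist checks. The Python below is an added example (not the Defender for IoT agent's code) that evaluates those rules over constructed host events; the configuration shape, the event record and the five-minute window are assumptions, since the real agent reads its custom alert settings from the azureiotsecurity module twin.

```python
"""Evaluate the agent-based custom alert rules over constructed host events.
Added example; not the Defender for IoT agent's own code."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass
class Event:
    ts: datetime
    kind: str    # "connection", "outbound", "failed_login", "login" or "process"
    value: str   # remote IP, user name or executable path


# Constructed configuration (hypothetical shape; the real agent reads its custom
# alert settings from the azureiotsecurity module twin).
CONFIG = {
    "window": timedelta(minutes=5),
    "active_connections_range": (0, 10),
    "failed_logins_range": (0, 3),
    "allowed_ips": ["10.0.0.0/8", "203.0.113.5"],
    "allowed_users": {"iotadmin"},
    "allowed_processes": {"/usr/bin/python3", "/opt/agent/agent"},
}


def ip_allowed(ip, allowed):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(a, strict=False) for a in allowed)


def evaluate(events, cfg):
    """Return (alert name, detail) for every custom alert rule that fires."""
    alerts = []
    events = sorted(events, key=lambda e: e.ts)
    if events:
        # Range rules count events in the window ending at the newest event.
        start = events[-1].ts - cfg["window"]
        counts = Counter(e.kind for e in events if e.ts >= start)
        for kind, key, name in (
            ("connection", "active_connections_range",
             "The number of active connections is outside the allowed range"),
            ("failed_login", "failed_logins_range",
             "The number of failed local logins is outside the allowed range"),
        ):
            lo, hi = cfg[key]
            if not lo <= counts[kind] <= hi:
                alerts.append((name, counts[kind]))
    # Allowlist rules fire per event.
    for e in events:
        if e.kind == "outbound" and not ip_allowed(e.value, cfg["allowed_ips"]):
            alerts.append(("The outbound connection created to an IP that isn't allowed", e.value))
        elif e.kind == "login" and e.value not in cfg["allowed_users"]:
            alerts.append(("The sign in of a user that is not on the allowed user list", e.value))
        elif e.kind == "process" and e.value not in cfg["allowed_processes"]:
            alerts.append(("A process was executed that is not allowed", e.value))
    return alerts


# Constructed sample: four failed logins, an unexpected user, one outbound
# connection outside the allowed IPs and one non-allowed executable.
T0 = datetime(2022, 4, 24, 12, 0, 0)
SAMPLE_EVENTS = [Event(T0 + timedelta(seconds=10 * i), "failed_login", "root") for i in range(4)] + [
    Event(T0 + timedelta(seconds=50), "login", "guest"),
    Event(T0 + timedelta(seconds=60), "outbound", "10.1.2.3"),
    Event(T0 + timedelta(seconds=70), "outbound", "198.51.100.7"),
    Event(T0 + timedelta(seconds=80), "process", "/opt/agent/agent"),
    Event(T0 + timedelta(seconds=90), "process", "/tmp/x"),
    Event(T0 + timedelta(seconds=95), "connection", "10.1.2.3"),
]

if __name__ == "__main__":
    for name, detail in evaluate(SAMPLE_EVENTS, CONFIG):
        print(f"Custom alert - {name}: {detail}")
```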
Security recommendations for IoT devices Article • 06/02/2022

Defender for IoT scans your Azure resources and IoT devices and provides security recommendations to reduce your attack surface. Security recommendations are actionable and aim to aid customers in complying with security best practices.

In this article, you'll find a list of recommendations that can be triggered on your IoT devices.

Agent based recommendations

Device recommendations provide insights and suggestions to improve device security posture.

| Severity | Name | Data Source | Description |
|---|---|---|---|
| Medium | Open Ports on device | Legacy Defender-IoT-micro-agent | A listening endpoint was found on the device. |
| Medium | Permissive firewall policy found in one of the chains | Legacy Defender-IoT-micro-agent | An allow default firewall policy was found (INPUT/OUTPUT). The firewall policy should deny all traffic by default, and define rules to allow necessary communication to/from the device. |
| Medium | Permissive firewall rule in the input chain was found | Legacy Defender-IoT-micro-agent | A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports. |
| Medium | Permissive firewall rule in the output chain was found | Legacy Defender-IoT-micro-agent | A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports. |
| Medium | Operating system baseline validation has failed | Legacy Defender-IoT-micro-agent | The device doesn't comply with CIS Linux benchmarks. |

Agent based operational recommendations

Operational recommendations provide insights and suggestions to improve security agent configuration.

| Severity | Name | Data Source | Description |
|---|---|---|---|
| Low | Agent sends unutilized messages | Legacy Defender-IoT-micro-agent | 10% or more of security messages were smaller than 4 KB during the last 24 hours. |
| Low | Security twin configuration not optimal | Legacy Defender-IoT-micro-agent | Security twin configuration isn't optimal. |
| Low | Security twin configuration conflict | Legacy Defender-IoT-micro-agent | Conflicts were identified in the security twin configuration. |

Next steps

- Defender for IoT service Overview
- Learn how to Access your security data
- Learn more about Investigating a device
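To see what the three permissive-firewall recommendations above correspond to on a Linux device, here is an added example (not the Defender-IoT-micro-agent's own check) that scans a constructed `iptables -S` listing for ACCEPT default policies on INPUT/OUTPUT and for ACCEPT rules that are unrestricted on addresses or ports. The width thresholds and the loopback/established-connection exemptions are assumptions.

```python
"""Scan an 'iptables -S' listing for the permissive policy and permissive rule
patterns behind the firewall recommendations. Added example; not the
Defender-IoT-micro-agent's own check. Width thresholds are assumptions."""
import ipaddress
import shlex

# Constructed 'iptables -S' output for a device with a weak rule set.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.5.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1024:65535 -j ACCEPT
-A OUTPUT -d 0.0.0.0/0 -j ACCEPT
"""

WIDE_PORT_SPAN = 1000   # assumed: 1000+ ports counts as "a wide range of ports"
WIDE_PREFIX_LEN = 8     # assumed: a /8 or shorter prefix counts as "a wide range of IPs"


def _port_span(spec):
    """Number of ports matched by a --dport/--sport value such as '22' or '1024:65535'."""
    lo, _, hi = spec.partition(":")
    return int(hi or lo) - int(lo) + 1


def _is_wide_network(spec):
    return ipaddress.ip_network(spec, strict=False).prefixlen <= WIDE_PREFIX_LEN


def check_rules(listing):
    """Return (recommendation name, rule line) for each permissive pattern found."""
    findings = []
    for line in listing.splitlines():
        tok = shlex.split(line)
        if len(tok) < 3:
            continue
        # Default policy: INPUT and OUTPUT should deny by default.
        if tok[0] == "-P" and tok[1] in ("INPUT", "OUTPUT") and tok[2] == "ACCEPT":
            findings.append(("Permissive firewall policy found in one of the chains", line))
            continue
        if tok[0] != "-A" or tok[1] not in ("INPUT", "OUTPUT") or "-j" not in tok:
            continue
        if tok[tok.index("-j") + 1] != "ACCEPT":
            continue
        # Options in -S output come as flag/value pairs (assumption: no '!' negations).
        opts = dict(zip(tok[2::2], tok[3::2]))
        if opts.get("-i") == "lo" or opts.get("-o") == "lo":
            continue   # loopback-only rules are not permissive
        if "ESTABLISHED" in opts.get("--ctstate", ""):
            continue   # reply traffic for connections already allowed elsewhere
        addr = opts.get("-s" if tok[1] == "INPUT" else "-d")
        proto = opts.get("-p")
        ports = opts.get("--dport") or opts.get("--sport")
        wide_addr = addr is None or _is_wide_network(addr)
        # No protocol at all, or tcp/udp without a narrow port match, is a wide port pattern.
        wide_ports = proto is None or (proto in ("tcp", "udp") and (
            ports is None or _port_span(ports) >= WIDE_PORT_SPAN))
        if wide_addr or wide_ports:
            findings.append((f"Permissive firewall rule in the {tok[1].lower()} chain was found", line))
    return findings


if __name__ == "__main__":
    for name, rule in check_rules(SAMPLE_RULES):
        print(f"{name}: {rule}")
```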
Quickstart: Security agent reference architecture Article • 06/01/2022

Microsoft Defender for IoT provides a reference architecture for security agents that log, process, aggregate, and send security data through IoT Hub. Security agents are designed to work in a constrained IoT environment, and are highly customizable in terms of the value they provide when compared to the resources they consume.

Security agents support the following features:

- Authenticate with an existing device identity, or a dedicated module identity. To learn more, see Security agent authentication methods.
- Collect raw security events from the underlying operating system (Linux, Windows). To learn more about available security data collectors, see Defender for IoT agent configuration.
- Aggregate raw security events into messages sent through IoT Hub.
- Configure remotely through use of the azureiotsecurity module twin. To learn more, see Configure a Defender for IoT agent.

Defender for IoT security agents are developed as open-source projects, and are available from GitHub:

- Defender for IoT C-based agent
- Defender for IoT C#-based agent

Prerequisites

None

Agent supported platforms

Defender for IoT offers different installer agents for 32-bit and 64-bit Windows, and the same for 32-bit and 64-bit Linux. Make sure you have the correct agent installer for each of your devices according to the following table:

| Architecture | Linux | Windows | Details |
|---|---|---|---|
| 32 bit | C | C# | |
| 64 bit | C# or C | C# | |

We recommend using the C agent for devices with more restricted or minimal device resources.

In this article, you got a high-level overview of the Defender for IoT Defender-IoT-micro-agent architecture, and the available installers. To continue getting started with Defender for IoT deployment, review the security agent authentication methods that are available.

Next steps

- Security agent authentication methods
Quickstart: Create an azureiotsecurity module twin Article • 04/24/2022

This quickstart explains how to create individual azureiotsecurity module twins for new devices, or batch create module twins for all devices in an IoT Hub.

Prerequisites

None

Understanding azureiotsecurity module twins

For IoT solutions built in Azure, device twins play a key role in both device management and process automation. Defender for IoT offers full integration with your existing IoT device management platform, enabling you to manage your device security status and make use of existing device control capabilities. Defender for IoT integration is achieved by making use of the IoT Hub twin mechanism. See IoT Hub module twins to learn more about the general concept of module twins in Azure IoT Hub.

Defender for IoT makes use of the module twin mechanism and maintains a security module twin named azureiotsecurity for each of your devices. The Defender-IoT-micro-agent twin holds all the information relevant to device security for each of your devices. To make full use of Defender for IoT features, you'll need to create, configure, and use these Defender-IoT-micro-agent twins for every device in the service.

Create azureiotsecurity module twin

azureiotsecurity module twins can be created in two ways:

1. Module batch script - automatically creates module twins for new devices or devices without a module twin, using the default configuration.
2. Manually editing each module twin individually with specific configurations for each device.

Note: Using the batch method will not overwrite existing azureiotsecurity module twins. Using the batch method ONLY creates new module twins for devices that do not already have a security module twin.

See agent configuration to learn how to modify or change the configuration of an existing module twin.

To manually create a new azureiotsecurity module twin for a device:

1. In your IoT Hub, locate and select the device you wish to create a security module twin for.
2. Select your device, and then select Add module identity.
3. In the Module Identity Name field, enter azureiotsecurity.
4. Select Save.

Verify creation of a module twin

To verify if a security module twin exists for a specific device:

1. In your Azure IoT Hub, select IoT devices from the Explorers menu.
2. Enter the device ID, or select an option in the Query device field and select Query devices.
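The batch behavior described above (create the azureiotsecurity module identity only for devices that lack one, never overwriting an existing twin) and the verification step can both be driven from the IoT Hub identity registry. The Python below is an added example, not Microsoft's batch script: the registry interface is abstracted so the logic runs offline against a constructed in-memory registry, and the `IoTHubRegistry` adapter over the `azure-iot-hub` package is an assumption about that SDK's API (method names and the hub-generated SAS keys).

```python
"""Batch-create the azureiotsecurity module identity for devices that lack one,
without touching devices that already have it. Added example; not Microsoft's
batch script. Runs offline against a constructed in-memory registry."""
from dataclasses import dataclass, field

SECURITY_MODULE_ID = "azureiotsecurity"


class ModuleNotFound(LookupError):
    pass


@dataclass
class FakeRegistry:
    """Constructed stand-in for the IoT Hub identity registry."""
    modules: dict = field(default_factory=dict)   # device id -> set of module ids

    def list_device_ids(self):
        return list(self.modules)

    def get_module(self, device_id, module_id):
        if module_id not in self.modules.get(device_id, set()):
            raise ModuleNotFound(f"{device_id}/{module_id}")
        return {"deviceId": device_id, "moduleId": module_id}

    def create_module(self, device_id, module_id):
        self.modules.setdefault(device_id, set()).add(module_id)
        return self.get_module(device_id, module_id)


def has_security_module(registry, device_id):
    """Programmatic form of the 'verify creation' step: does the module twin exist?"""
    try:
        registry.get_module(device_id, SECURITY_MODULE_ID)
        return True
    except LookupError:
        return False


def ensure_security_modules(registry, device_ids=None):
    """Create azureiotsecurity where missing; return (created, skipped) device ids."""
    created, skipped = [], []
    for dev in device_ids or registry.list_device_ids():
        if has_security_module(registry, dev):
            skipped.append(dev)          # existing module twins are never overwritten
        else:
            registry.create_module(dev, SECURITY_MODULE_ID)
            created.append(dev)
    return created, skipped


class IoTHubRegistry:
    """Adapter over the azure-iot-hub package (assumed API: IoTHubRegistryManager
    .from_connection_string, get_devices, get_module, create_module_with_sas)."""
    def __init__(self, connection_string):
        from azure.iot.hub import IoTHubRegistryManager
        self._mgr = IoTHubRegistryManager.from_connection_string(connection_string)

    def list_device_ids(self):
        return [d.device_id for d in self._mgr.get_devices()]

    def get_module(self, device_id, module_id):
        try:
            return self._mgr.get_module(device_id, module_id)
        except Exception as err:     # the SDK raises an HTTP error for a missing module
            raise ModuleNotFound(f"{device_id}/{module_id}") from err

    def create_module(self, device_id, module_id):
        # SAS authentication; None keys let the hub generate them (assumption)
        return self._mgr.create_module_with_sas(device_id, module_id, None, None, None)


SAMPLE_REGISTRY = FakeRegistry({
    "pump-01": {SECURITY_MODULE_ID, "telemetry"},   # already protected: must be skipped
    "pump-02": {"telemetry"},
    "gateway-01": set(),
})
```

Running `ensure_security_modules(SAMPLE_REGISTRY)` creates the module for pump-02 and gateway-01 and leaves pump-01 untouched; a second run creates nothing.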