azure-defender-for-iot-device-builders

Published by suphakorn.it, 2023-08-02

| Setting Name | Setting options | Description | Default |
|---|---|---|---|
| NetworkActivity_CacheSize | Positive integer | The number of Network Activity events (after aggregation) to keep in the cache between send intervals. Beyond that number, older events will be dropped (lost). | 256 |
| NetworkActivity_PacketBufferSize | Positive integer | Configure the buffer size (in bytes) that will be used to capture packets for a single device per direction (incoming or outgoing traffic). | 2097152 (=2MB) |

Process collector-specific settings

| Setting Name | Setting options | Description | Default |
|---|---|---|---|
| Process_Disabled | True / False | Disables the Process collector. | False |
| Process_MessageFrequency | Low / Medium / High | Defines the frequency in which to send Process events. | Medium |
| Process_PollingInterval | Positive integer | Defines the polling interval in microseconds. This value is used when Process_Mode is in Polling mode. | 100000 (=0.1 second) |
| Process_Mode | 1 = Auto, 2 = Netlink, 3 = Polling | Determines the Process collector mode. In Auto mode, the agent first tries to enable the Netlink mode. If that fails, it automatically falls back to Polling mode. | 1 |
| Process_CacheSize | Positive integer | The number of Process events (after aggregation) to keep in the cache between send intervals. Beyond that number, older events will be dropped (lost). | 256 |

Log collector-specific settings


| Setting Name | Setting options | Description | Default |
|---|---|---|---|
| LogCollector_Disabled | True / False | Disables the Logs collector. | False |
| LogCollector_MessageFrequency | Low / Medium / High | Defines the frequency in which to send Log events. | Low |

File system collector-specific settings

| Setting Name | Setting options | Description | Default |
|---|---|---|---|
| FileSystem_Disabled | True / False | Disables the file system collector. | False |
| FileSystem_MessageFrequency | Low / Medium / High | Defines the frequency in which to send file system events. | Low |
| FileSystem_Recursive | True / False | If set to true, monitors all directories under the given paths. | True |
| FileSystem_Paths | Paths to monitor. For example: /path/to/monitor, /another/path/to/monitor | Defines which paths to monitor; more than one path can be monitored. | Null |
| FileSystem_CacheSize | Positive integer | The number of file system events (after aggregation) to keep in the cache between send intervals. Beyond that number, older events will be dropped (lost). | 256 |

Peripheral collector-specific settings

| Setting Name | Setting options | Description | Default |
|---|---|---|---|
| Peripheral_Disabled | True / False | Disables the peripheral collector. | False |
| Peripheral_MessageFrequency | Low / Medium / High | Defines the frequency in which to send peripheral events. | Low |


| Setting Name | Setting options | Description | Default |
|---|---|---|---|
| Peripheral_CacheSize | Positive integer | The number of peripheral events (after aggregation) to keep in the cache between send intervals. Beyond that number, older events will be dropped (lost). | 256 |

Statistics collector-specific settings

| Setting Name | Setting options | Description | Default |
|---|---|---|---|
| Statistics_Disabled | True / False | Disables the statistics collector. | False |
| Statistics_MessageFrequency | Low / Medium / High | Defines the frequency in which to send statistics events. | Low |
| Statistics_CacheSize | Positive integer | The number of statistics events (after aggregation) to keep in the cache between send intervals. Beyond that number, older events will be dropped (lost). | 256 |

Next steps

For more information, see:
- Configure a micro agent twin
- Micro agent event collection
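The settings above are applied as desired properties of the micro agent module twin, and a wrong type or value (a string where a boolean is expected, a Process_Mode of 4, a cache size of 0) is easy to ship by accident. The following script is an added example, not Microsoft's code: it validates a proposed set of settings against the option ranges and defaults listed in the tables above and emits the twin patch. The patch shape `{"properties": {"desired": {...}}}`, the module ID `DefenderIotMicroAgent`, and the list representation of FileSystem_Paths are assumptions taken from the "Configure a micro agent twin" article referenced under Next steps; confirm them there before applying the patch.

```python
"""Build a validated desired-properties patch for the micro agent module twin.

Added example (not Microsoft's code). Setting names, allowed values and
defaults come from the configuration tables above. Assumptions: the patch
shape {"properties": {"desired": {...}}}, the module ID
"DefenderIotMicroAgent" and a list representation for FileSystem_Paths.
"""
import json

FREQUENCIES = {"Low", "Medium", "High"}


def _positive_int(v):
    # bool is a subclass of int in Python, so exclude it explicitly.
    return isinstance(v, int) and not isinstance(v, bool) and v > 0


def _boolean(v):
    return isinstance(v, bool)


def _frequency(v):
    return v in FREQUENCIES


def _mode(v):
    # 1 = Auto, 2 = Netlink, 3 = Polling
    return _positive_int(v) and v <= 3


def _paths(v):
    # Assumption: a non-empty list of absolute paths.
    return isinstance(v, list) and bool(v) and all(
        isinstance(p, str) and p.startswith("/") for p in v)


# setting -> (validator, documented default)
SCHEMA = {
    "NetworkActivity_CacheSize": (_positive_int, 256),
    "NetworkActivity_PacketBufferSize": (_positive_int, 2097152),
    "Process_Disabled": (_boolean, False),
    "Process_MessageFrequency": (_frequency, "Medium"),
    "Process_PollingInterval": (_positive_int, 100000),
    "Process_Mode": (_mode, 1),
    "Process_CacheSize": (_positive_int, 256),
    "LogCollector_Disabled": (_boolean, False),
    "LogCollector_MessageFrequency": (_frequency, "Low"),
    "FileSystem_Disabled": (_boolean, False),
    "FileSystem_MessageFrequency": (_frequency, "Low"),
    "FileSystem_Recursive": (_boolean, True),
    "FileSystem_Paths": (_paths, None),
    "FileSystem_CacheSize": (_positive_int, 256),
    "Peripheral_Disabled": (_boolean, False),
    "Peripheral_MessageFrequency": (_frequency, "Low"),
    "Peripheral_CacheSize": (_positive_int, 256),
    "Statistics_Disabled": (_boolean, False),
    "Statistics_MessageFrequency": (_frequency, "Low"),
    "Statistics_CacheSize": (_positive_int, 256),
}


def validate(settings):
    """Return a list of human-readable problems; an empty list means the patch is sane."""
    problems = []
    for name, value in settings.items():
        if name not in SCHEMA:
            problems.append(f"{name}: unknown setting")
            continue
        check, _ = SCHEMA[name]
        if not check(value):
            problems.append(f"{name}: invalid value {value!r}")
    # Watching paths is pointless if the collector that watches them is off.
    if settings.get("FileSystem_Disabled") is True and "FileSystem_Paths" in settings:
        problems.append("FileSystem_Paths set while FileSystem_Disabled is True")
    return problems


def build_patch(settings):
    """Return the twin patch, omitting values equal to the documented default."""
    problems = validate(settings)
    if problems:
        raise ValueError("; ".join(problems))
    desired = {k: v for k, v in settings.items() if v != SCHEMA[k][1]}
    return {"properties": {"desired": desired}}


if __name__ == "__main__":
    # Constructed example: Netlink process collection, a narrower file-system
    # watch list and larger caches for a chatty gateway device.
    wanted = {
        "Process_Mode": 2,
        "Process_CacheSize": 256,            # equals the default, so omitted
        "FileSystem_Paths": ["/etc", "/usr/local/bin"],
        "FileSystem_CacheSize": 1024,
        "NetworkActivity_CacheSize": 1024,
    }
    print(json.dumps(build_patch(wanted), indent=2))
    # Apply the "desired" object to the module twin of the (assumed) module ID
    # DefenderIotMicroAgent, e.g. with the azure-iot-hub SDK's
    # IoTHubRegistryManager.update_module_twin or az iot hub module-twin update.
```

Values equal to the documented default are dropped from the patch so that the twin only carries deliberate overrides; raising a cache size is the usual first response to the "increase the cache size" warning described in the event collection article, and the validator refuses the zero and negative values that would silently disable collection.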


Micro agent event collection

Article • 12/21/2022

Defender for IoT security agents collect data and system events from your local device and send the data to the Azure cloud for processing. If you've configured and connected a Log Analytics workspace, you'll see these events in Log Analytics. For more information, see Tutorial: Investigate security alerts.

The Defender for IoT micro agent collects many types of device events, including new processes and all new connection events. Both new process and new connection events may occur frequently on a device. This capability is important for comprehensive security; however, the number of messages the security agents send may quickly meet or exceed your IoT Hub quota and cost limits. These messages and events contain highly valuable security information that is crucial to protecting your device.

To reduce the number of messages and costs while maintaining your device's security, Defender for IoT agents aggregate the following types of events:

- Process events (Linux only)
- Network activity events
- File system events
- Statistics events

For more information, see Event aggregation for Process and Network collectors.

Event-based collectors are collectors that are triggered by corresponding activity from within the device, for example a process being started on the device. Trigger-based collectors are collectors that run on a schedule based on the customer's configuration.

Process events (event-based collector)

Process events are supported on Linux operating systems. Process events are considered identical when the command line and user ID are identical.

The default buffer for process events is 256 processes. When this limit is met, the buffer cycles: the oldest process event is discarded to make room for the newest process event, and a warning to increase the cache size is logged.


The data collected for each event is:

| Parameter | Description |
|---|---|
| Timestamp | The first time the process was observed. |
| process_id | The Linux PID. |
| parent_process_id | The Linux parent PID, if it exists. |
| Commandline | The command line. |
| Type | Can be either fork or exec. |
| hit_count | The aggregate count: the number of executions of the same process during the same time frame, until the events are sent to the cloud. |

Network Activity events (event-based collector)

Network activity events are considered identical when the local port, remote port, transport protocol, local address, and remote address are identical.

The default buffer for network activity events is 256. When the cache is full:

- Azure RTOS devices: No new network events are cached until the next collection cycle starts.
- Linux devices: The oldest event is replaced by each new event, and a warning to increase the cache size is logged.

For Linux devices, only IPv4 is supported.

The data collected for each event is:

| Parameter | Description |
|---|---|
| Local address | The source address of the connection. |
| Remote address | The destination address of the connection. |
| Local port | The source port of the connection. |
| Remote port | The destination port of the connection. |
| Bytes_in | The total aggregated RX bytes of the connection. |
| Bytes_out | The total aggregated TX bytes of the connection. |


| Parameter | Description |
|---|---|
| Transport_protocol | Can be TCP, UDP, or ICMP. |
| Application protocol | The application protocol associated with the connection. |
| Extended properties | Additional details of the connection. For example, host name. |
| Hit count | The count of packets observed. |

Login collector (event-based collector)

The Login collector collects user sign-ins, sign-outs, and failed sign-in attempts. The Login collector supports the following collection methods:

- UTMP and SYSLOG. UTMP catches SSH interactive events, telnet events, and terminal logins, as well as all failed login events from SSH, telnet, and terminal. If SYSLOG is enabled on the device, the Login collector also collects SSH sign-in events via the SYSLOG file named auth.log.
- Pluggable Authentication Modules (PAM). Collects SSH, telnet, and local sign-in events. For more information, see Configure Pluggable Authentication Modules (PAM) to audit sign-in events.

The following data is collected:

| Parameter | Description |
|---|---|
| operation | One of the following: Login, Logout, LoginFailed |
| process_id | The Linux PID. |
| user_name | The Linux user. |
| executable | The terminal device. For example, tty1..6 or pts/n. |
| remote_address | The source of the connection: either a remote IP address in IPv6 or IPv4 format, or 127.0.0.1/0.0.0.0 to indicate a local connection. |

System Information (trigger-based collector)

The data collected for each event is:


| Parameter | Description |
|---|---|
| hardware_vendor | The name of the vendor of the device. |
| hardware_model | The model number of the device. |
| os_dist | The distribution of the operating system. For example, Linux. |
| os_version | The version of the operating system. For example, Windows 10 or Ubuntu 20.04.1. |
| os_platform | The OS of the device. |
| os_arch | The architecture of the OS. For example, x86_64. |
| agent_type | The type of the agent (Edge/Standalone). |
| agent_version | The version of the agent. |
| nics | The network interface controllers. The full list of properties is listed below. |

The nics properties are composed of the following:

| Parameter | Description |
|---|---|
| type | One of the following values: UNKNOWN, ETH, WIFI, MOBILE, or SATELLITE. |
| vlans | The virtual LANs associated with the network interface. |
| vendor | The vendor of the network controller. |
| info | IPs and MACs associated with the network controller. This includes the following fields: ipv4_address (the IPv4 address), ipv6_address (the IPv6 address), and mac (the MAC address). |

Baseline (trigger-based collector)

The baseline collector performs periodic CIS checks, and failed, passed, and skipped check results are sent to the Defender for IoT cloud service. Defender for IoT aggregates the results and provides recommendations based on any failures.

The data collected for each event is:

| Parameter | Description |
|---|---|
| Check ID | In CIS format. For example, CIS-debian-9-Filesystem-1.1.2. |


| Parameter | Description |
|---|---|
| Check result | Can be Fail, Pass, Skip, or Error. For example, Error in a situation where the check can't run. |
| Error | The error's information and description. |
| Description | The description of the check from CIS. |
| Remediation | The recommendation for remediation from CIS. |
| Severity | The severity level. |

SBoM (trigger-based collector)

The SBoM (Software Bill of Materials) collector periodically collects the packages installed on the device. The data collected on each package includes:

| Parameter | Description |
|---|---|
| Name | The package name. |
| Version | The package version. |
| Vendor | The package's vendor, which is the Maintainer field in deb packages. |

Peripheral events (event-based collector)

The Peripheral events collector collects connection and disconnection events for USB and Ethernet devices. Collected fields depend on the type of event:

USB events

| Parameter | Description |
|---|---|
| Timestamp | The time the event occurred. |
| ActionType | Whether the event was a connection or disconnection event. |
| bus_number | Specific controller identifier; each USB device can have several. |
| kernel_device_number | Representation of the device in the kernel; not unique, and can change each time the device is connected. |


| Parameter | Description |
|---|---|
| device_class | Identifier specifying the class of device. |
| device_subclass | Identifier specifying the type of device. |
| device_protocol | Identifier specifying the device protocol. |
| interface_class | In case the device class is 0, indicates the type of device. |
| interface_subclass | In case the device class is 0, indicates the type of device. |
| interface_protocol | In case the device class is 0, indicates the type of device. |

Ethernet events

| Parameter | Description |
|---|---|
| Timestamp | The time the event occurred. |
| ActionType | Whether the event was a connection or disconnection event. |
| bus_number | Specific controller identifier; each USB device can have several. |
| Interface name | The interface name. |

File system events (event-based collector)

The file system events collector collects events whenever there are changes under the watched directories: creation, deletion, move, and modification of directories and files. To define which directories and files to monitor, see the FileSystem_Paths and FileSystem_Recursive settings under File system collector-specific settings.

The following data is collected:

| Parameter | Description |
|---|---|
| Timestamp | The time the event occurred. |
| Mask | Linux inotify mask for the file system event. The mask identifies the type of action and can be one of the following: Access, Modified, Metadata changed, Closed, Opened, Moved, Created, Deleted. |
| Path | Directory/file path the event was generated for. |
| Hitcount | Number of times this event was aggregated. |


Statistics data (trigger-based collector)

The Statistics collector generates various statistics on the different micro agent collectors. These statistics provide information about the performance of the collectors in the previous collection cycle. Examples of possible statistics include the number of events that were successfully sent and the number of events that were dropped, along with the reasons for the failures.

Collected fields:

| Parameter | Description |
|---|---|
| Timestamp | The time the event occurred. |
| Name | Name of the collector. |
| Events | An array of pairs formatted as JSON with description and hit count. |
| Description | Whether the message was sent/dropped and the reason for dropping. |
| Hitcount | Number of respective messages. |

Event aggregation for Process and Network collectors

How event aggregation works for Process events and Network Activity events:

Defender for IoT agents aggregate events during the send interval defined in the message frequency configuration for each collector, such as Process_MessageFrequency or NetworkActivity_MessageFrequency. Once the send interval has passed, the agent sends the aggregated events to the Azure cloud for further analysis.

The aggregated events are stored in memory until they are sent to the Azure cloud. When the agent collects an event similar to one already stored in memory, it increases the hit count of that specific event instead of storing a second copy, which reduces the memory footprint of the agent. When the aggregation time window passes, the agent sends the hit count of each type of event that occurred.

Event aggregation is the aggregation of the hit counts of similar events. For example, network activity with the same remote host and on the same port is aggregated as one event, instead of as a separate event for each packet.
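The interaction between aggregation and the bounded cache has a consequence worth seeing on sample data: eviction is by age, not by hit count, so a burst of distinct events (a port scan, a process spawning loop) can push long-lived, high-hit-count entries out of the cache before the send interval ends. The model below is an added example, not the agent's source code. It reproduces the Linux behaviour described above (identical events merge by bumping hit_count; at cache_size distinct events the oldest entry is dropped and a warning recorded) and runs it over constructed traffic with the default cache size of 256 and with a raised one. The summing of byte counters and the sample events are constructed for the illustration.

```python
"""Model of the micro agent's hit-count aggregation and bounded event cache.

Added example, not the agent's source code. It reproduces the Linux
behaviour described above: identical events are merged by incrementing
hit_count; when the cache already holds cache_size distinct events the
oldest entry is dropped and a warning is logged; flush() returns the batch
that would be sent at the end of the send interval.
"""
from collections import OrderedDict


class AggregatingCache:
    def __init__(self, cache_size=256):
        self.cache_size = cache_size
        self._events = OrderedDict()  # insertion order == age
        self.dropped = 0
        self.warnings = []

    def add(self, key, event, sum_fields=()):
        """Merge `event` into the cache under aggregation key `key`."""
        stored = self._events.get(key)
        if stored is not None:
            stored["hit_count"] += 1
            for f in sum_fields:  # e.g. bytes_in / bytes_out are totals
                stored[f] += event.get(f, 0)
            return
        if len(self._events) >= self.cache_size:
            old_key, old = self._events.popitem(last=False)  # oldest goes first
            self.dropped += 1
            self.warnings.append(
                f"cache full ({self.cache_size}); dropped {old_key} "
                f"(hit_count={old['hit_count']}); consider raising the cache size")
        self._events[key] = dict(event, hit_count=1)

    def flush(self):
        """Return the aggregated batch for this send interval and reset."""
        batch = list(self._events.values())
        self._events.clear()
        return batch


def network_key(ev):
    # Network activity identity as defined above.
    return (ev["local_address"], ev["local_port"], ev["remote_address"],
            ev["remote_port"], ev["transport_protocol"])


def process_key(ev):
    # Process identity as defined above: command line plus user ID.
    return (ev["commandline"], ev["userid"])


def aggregate_network(events, cache_size=256):
    """Run one send interval's worth of events through the cache."""
    cache = AggregatingCache(cache_size)
    for ev in events:
        cache.add(network_key(ev), ev, sum_fields=("bytes_in", "bytes_out"))
    return cache.flush(), cache.dropped, cache.warnings


def sample_network_events():
    """Constructed sample: five legitimate flows seen 100 times each, then a
    burst of 300 single-packet connections to distinct remote ports."""
    events = []
    for _ in range(100):
        for port in (8883, 443, 53, 123, 22):
            events.append({"local_address": "10.0.0.7", "local_port": 40000 + port,
                           "remote_address": "20.0.0.1", "remote_port": port,
                           "transport_protocol": "TCP", "bytes_in": 64, "bytes_out": 32})
    for port in range(1, 301):
        events.append({"local_address": "10.0.0.7", "local_port": 50000,
                       "remote_address": "192.168.1.9", "remote_port": port,
                       "transport_protocol": "TCP", "bytes_in": 0, "bytes_out": 60})
    return events


if __name__ == "__main__":
    for size in (256, 512):
        batch, dropped, warnings = aggregate_network(sample_network_events(), size)
        kept_legit = [e for e in batch if e["remote_address"] == "20.0.0.1"]
        print(f"cache_size={size}: sent {len(batch)} events, dropped {dropped}, "
              f"legitimate flows kept: {len(kept_legit)}")
        if warnings:
            print("  first warning:", warnings[0])
```

With the default cache of 256 and 305 distinct keys, the 49 oldest entries are evicted, and the oldest entries are precisely the five legitimate flows that carried hit_count 100 each; the cloud never sees them for that interval, only 256 scan entries with hit_count 1. With a cache of 512 nothing is dropped and the legitimate flows arrive with their full hit and byte totals. This is why the "increase the cache size" warning in the statistics collector output deserves attention on devices with bursty network or process activity.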


Note

By default, the micro agent sends logs and telemetry to the cloud for troubleshooting and monitoring purposes. This behavior can be configured or turned off through the twin.

Next steps

For more information, see:
- Micro agent configurations
- Check your Defender for IoT security alerts


Micro agent Linux dependencies

Article • 01/10/2023

This article describes the different Linux OS dependencies for the Defender for IoT micro agent.

Linux dependencies

The table below shows the Linux dependencies for each component.

| Component | Dependency | Type | Required by IoT SDK | Notes |
|---|---|---|---|---|
| Core | libcurl-openssl (libcurl) | Library | ✔ | |
| Core | libssl | Library | ✔ | |
| Core | uuid | Library | ✔ | |
| Core | pthread | ulibc compilation flag | ✔ | |
| Core | libuv1 | Library | | |
| Core | sudo | Package | | |
| Core | uuid-runtime | Package | | |
| System information collector | uname | System call | | |
| Baseline collector | BusyBox | Linux compilation flag | | |
| Baseline collector | Bash | Linux compilation flag | | |


| Component | Dependency | Type | Required by IoT SDK | Notes |
|---|---|---|---|---|
| Process collector | CONFIG_CONNECTOR=y | Kernel config | | |
| Process collector | CONFIG_PROC_EVENTS=y | Kernel config | | |
| Network collector | libpcap | Library | | |
| Network collector | CONFIG_PACKET=y | Kernel config | | |
| Network collector | CONFIG_NETFILTER=y | Kernel config | | Optional – performance improvement |
| Login collector | wtmp, btmp, utmp | Log files | | |

Next steps

Install the Defender for IoT micro agent.
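Device builders usually discover a missing kernel option only when a collector silently produces nothing (the Process collector falls back from Netlink to Polling, the Network collector cannot open a packet socket). The script below is an added example, not Microsoft's installer: it checks an image against the kernel-config and library rows of the tables above, reading the running kernel's config from /proc/config.gz or /boot/config-<release> when available and otherwise a constructed sample config. The library names handed to ctypes (curl, ssl, uuid, uv, pcap) are assumptions about how the listed packages are named on a typical Debian-style image.

```python
"""Check a Linux image for the micro agent dependencies listed above.

Added example, not Microsoft's installer. Parses a kernel .config for the
CONFIG_* options in the tables (live config from /proc/config.gz or
/boot/config-<release>, otherwise a constructed sample) and asks the
dynamic loader for the shared libraries. Library names are assumptions.
"""
import ctypes.util
import gzip
import os
import platform

# From the dependency tables above.
REQUIRED_KERNEL = {
    "Process collector": ["CONFIG_CONNECTOR", "CONFIG_PROC_EVENTS"],
    "Network collector": ["CONFIG_PACKET"],
}
OPTIONAL_KERNEL = {"Network collector": ["CONFIG_NETFILTER"]}  # performance only
LIBRARIES = {"Core": ["curl", "ssl", "uuid", "uv"], "Network collector": ["pcap"]}


def parse_kernel_config(text):
    """Return {option: value}; '# CONFIG_X is not set' is recorded as 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("CONFIG_") and "=" in line:
            name, value = line.split("=", 1)
            opts[name] = value.strip('"')
        elif line.startswith("# CONFIG_") and line.endswith(" is not set"):
            opts[line[2:-len(" is not set")]] = "n"
    return opts


def missing_kernel_options(opts, required=REQUIRED_KERNEL):
    """Return [(component, option, found_value)] for options not built in.
    The tables require =y; a module build (=m) or absence is reported with
    the value actually found so the builder can decide what to do."""
    missing = []
    for component, names in required.items():
        for name in names:
            value = opts.get(name)
            if value != "y":
                missing.append((component, name, value))
    return missing


def missing_libraries(libs=LIBRARIES):
    """Return [(component, lib)] for shared libraries the loader cannot find."""
    return [(component, lib) for component, names in libs.items()
            for lib in names if ctypes.util.find_library(lib) is None]


def load_live_kernel_config():
    """Read the running kernel's config, or None if neither source exists."""
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as f:
            return f.read()
    path = f"/boot/config-{platform.release()}"
    if os.path.exists(path):
        with open(path) as f:
            return f.read()
    return None


# Constructed sample: CONFIG_PROC_EVENTS is off, so the Process collector
# would lose its Netlink mode; CONFIG_NETFILTER is off but only optional.
SAMPLE_CONFIG = """\
CONFIG_CONNECTOR=y
# CONFIG_PROC_EVENTS is not set
CONFIG_PACKET=y
# CONFIG_NETFILTER is not set
CONFIG_LOCALVERSION="-iot"
"""

if __name__ == "__main__":
    text = load_live_kernel_config() or SAMPLE_CONFIG
    opts = parse_kernel_config(text)
    for component, name, value in missing_kernel_options(opts):
        print(f"MISSING  {component}: {name} (found {value!r}, need 'y')")
    for component, name, value in missing_kernel_options(opts, OPTIONAL_KERNEL):
        print(f"optional {component}: {name} not built in (performance only)")
    for component, lib in missing_libraries():
        print(f"MISSING  {component}: lib{lib} not found by the dynamic loader")
```

Run it on the target image rather than the build host; the dependency that matters is the one the agent will find at runtime, and a cross-compiled image often ships a different kernel and library set than the machine it was built on.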


Micro agent security alerts

Article • 01/10/2023

Defender for IoT continuously analyzes your IoT solution using advanced analytics and threat intelligence to alert you to malicious activity. In addition, you can create custom alerts based on your knowledge of expected device behavior. An alert acts as an indicator of potential compromise, and should be investigated and remediated.

In this article, you'll find a list of built-in alerts which can be triggered on your IoT devices.

Security alerts

High severity

| Name | Severity | Data Source | Description | Suggested remediation steps | Alert type |
|---|---|---|---|---|---|
| Binary Command Line | High | DefenderIoTmicroagent | A Linux binary being called/executed from the command line was detected. This process may be legitimate activity, or an indication that your device is compromised. | Review the command with the user that ran it and check if this is something legitimately expected to run on the device. If not, escalate the alert to your information security team. | IoT_BinaryCommandLine |
| Disable firewall | High | DefenderIoTmicroagent | Possible manipulation of the on-host firewall detected. Malicious actors often disable the on-host firewall in an attempt to exfiltrate data. | Review with the user that ran the command to confirm whether this was legitimate, expected activity on the device. If not, escalate the alert to your information security team. | IoT_DisableFirewall |


| Name | Severity | Data Source | Description | Suggested remediation steps | Alert type |
|---|---|---|---|---|---|
| Port forwarding detection | High | DefenderIoTmicroagent | Initiation of port forwarding to an external IP address detected. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_PortForwarding |
| Possible attempt to disable Auditd logging detected | High | DefenderIoTmicroagent | The Linux Auditd system provides a way to track security-relevant information on the system. The system records as much information about the events that are happening on your system as possible. This information is crucial for mission-critical environments to determine who violated the security policy and the actions they performed. Disabling Auditd logging may prevent your ability to discover violations of security policies used on the system. | Check with the device owner whether this was legitimate activity with business reasons. If not, this event may be hiding activity by malicious actors. Immediately escalate the incident to your information security team. | IoT_DisableAuditdLogging |


| Name | Severity | Data Source | Description | Suggested remediation steps | Alert type |
|---|---|---|---|---|---|
| Reverse shells | High | DefenderIoTmicroagent | Analysis of host data on a device detected a potential reverse shell. Reverse shells are often used to get a compromised machine to call back into a machine controlled by a malicious actor. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_ReverseShell |
| Successful local login | High | DefenderIoTmicroagent | Successful local sign-in to the device detected. | Make sure the signed-in user is an authorized party. | IoT_SucessfulLocalLogin |
| Web shell | High | DefenderIoTmicroagent | Possible web shell detected. Malicious actors commonly upload a web shell to a compromised machine to gain persistence or for further exploitation. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_WebShell |
| Behavior similar to ransomware detected | High | DefenderIoTmicroagent | Execution of files similar to known ransomware that may prevent users from accessing their system or personal files, and may demand ransom payment to regain access. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_Ransomware |


| Name | Severity | Data Source | Description | Suggested remediation steps | Alert type |
|---|---|---|---|---|---|
| Crypto coin miner image | High | DefenderIoTmicroagent | Execution of a process normally associated with digital currency mining detected. | Verify with the user that ran the command whether this was legitimate activity on the device. If not, escalate the alert to the information security team. | IoT_CryptoMiner |
| New USB Connection | High | DefenderIoTmicroagent | A USB device connection was detected. This may indicate malicious activity. | Confirm this is legitimate, expected activity on the host. If not, escalate the alert to your information security team. | IoT_USBConnection |
| USB Disconnection | High | DefenderIoTmicroagent | A USB device disconnection was detected. This may indicate malicious activity. | Confirm this is legitimate, expected activity on the host. If not, escalate the alert to your information security team. | IoT_UsbDisconnection |
| New Ethernet Connection | High | DefenderIoTmicroagent | A new Ethernet connection was detected. This may indicate malicious activity. | Confirm this is legitimate, expected activity on the host. If not, escalate the alert to your information security team. | IoT_EthernetConnection |


| Name | Severity | Data Source | Description | Suggested remediation steps | Alert type |
|---|---|---|---|---|---|
| Ethernet Disconnection | High | DefenderIoTmicroagent | A new Ethernet disconnection was detected. This may indicate malicious activity. | Confirm this is legitimate, expected activity on the host. If not, escalate the alert to your information security team. | IoT_EthernetDisconnection |
| New File Created | High | DefenderIoTmicroagent | A new file was detected. This may indicate malicious activity. | Confirm this is legitimate, expected activity on the host. If not, escalate the alert to your information security team. | IoT_FileCreated |
| File Modified | High | DefenderIoTmicroagent | File modification was detected. This may indicate malicious activity. | Confirm this is legitimate, expected activity on the host. If not, escalate the alert to your information security team. | IoT_FileModified |
| File Deleted | High | DefenderIoTmicroagent | File deletion was detected. This may indicate malicious activity. | Confirm this is legitimate, expected activity on the host. If not, escalate the alert to your information security team. | IoT_FileDeleted |

Medium severity


| Name | Severity | Data Source | Description | Suggested remediation steps | Alert type |
|---|---|---|---|---|---|
| Behavior similar to common Linux bots detected | Medium | DefenderIoTmicroagent | Execution of a process normally associated with common Linux botnets detected. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_CommonBots |
| Behavior similar to Fairware ransomware detected | Medium | DefenderIoTmicroagent | Execution of rm -rf commands applied to suspicious locations detected using analysis of host data. Because rm -rf recursively deletes files, it's normally only used on discrete folders. In this case, it's being used in a location that could remove a large amount of data. Fairware ransomware is known to execute rm -rf commands in this folder. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_FairwareMalware |


| Name | Severity | Data Source | Description | Suggested remediation steps | Alert type |
|---|---|---|---|---|---|
| Crypto coin miner container image detected | Medium | DefenderIoTmicroagent | A running container using a known digital currency mining image was detected. | 1. If this behavior isn't intended, delete the relevant container image. 2. Make sure that the Docker daemon isn't accessible via an unsafe TCP socket. 3. Escalate the alert to the information security team. | IoT_CryptoMinerContainer |
| Detected suspicious use of the nohup command | Medium | DefenderIoTmicroagent | Suspicious use of the nohup command on the host detected. Malicious actors commonly run the nohup command from a temporary directory, effectively allowing their executables to run in the background. Seeing this command run on files located in a temporary directory is not expected or usual behavior. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_SuspiciousNohup |


| Name | Severity | Data Source | Description | Suggested remediation steps | Alert type |
|---|---|---|---|---|---|
| Detected suspicious use of the useradd command | Medium | DefenderIoTmicroagent | Suspicious use of the useradd command detected on the device. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_SuspiciousUseradd |
| Exposed Docker daemon by TCP socket | Medium | DefenderIoTmicroagent | Machine logs indicate that your Docker daemon (dockerd) exposes a TCP socket. By default, the Docker configuration does not use encryption or authentication when a TCP socket is enabled, so the default configuration gives full access to the Docker daemon to anyone with access to the relevant port. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_ExposedDocker |
| Failed local login | Medium | DefenderIoTmicroagent | A failed local login attempt to the device was detected. | Make sure no unauthorized party has physical access to the device. | IoT_FailedLocalLogin |


| Name | Severity | Data Source | Description | Suggested remediation steps | Alert type |
|---|---|---|---|---|---|
| Detected file download from a malicious source | Medium | DefenderIoTmicroagent | Download of a file from a known malware source detected. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_PossibleMalware |
| htaccess file access detected | Medium | DefenderIoTmicroagent | Analysis of host data detected possible manipulation of an htaccess file. htaccess is a powerful configuration file that allows you to make multiple changes to a web server running Apache web software, including basic redirect functionality and more advanced functions such as basic password protection. Malicious actors often modify htaccess files on compromised machines to gain persistence. | Confirm this is legitimate, expected activity on the host. If not, escalate the alert to your information security team. | IoT_AccessingHtaccessFile |


| Name | Severity | Data Source | Description | Suggested remediation steps | Alert type |
|---|---|---|---|---|---|
| Known attack tool | Medium | DefenderIoTmicroagent | A tool often associated with malicious users attacking other machines in some way was detected. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_KnownAttackTools |
| Local host reconnaissance detected | Medium | DefenderIoTmicroagent | Execution of a command normally associated with common Linux bot reconnaissance detected. | Review the suspicious command line to confirm that it was executed by a legitimate user. If not, escalate the alert to your information security team. | IoT_LinuxReconnaissance |
| Mismatch between script interpreter and file extension | Medium | DefenderIoTmicroagent | Mismatch between the script interpreter and the extension of the script file provided as input detected. This type of mismatch is commonly associated with attacker script executions. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_ScriptInterpreterMismatch |


| Name | Severity | Data Source | Description | Suggested remediation steps | Alert type |
|---|---|---|---|---|---|
| Possible backdoor detected | Medium | DefenderIoTmicroagent | A suspicious file was downloaded and then run on a host in your subscription. This type of activity is commonly associated with the installation of a backdoor. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_LinuxBackdoor |
| Possible loss of data detected | Medium | DefenderIoTmicroagent | Possible data egress condition detected using analysis of host data. Malicious actors often egress data from compromised machines. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_EgressData |
| Privileged container detected | Medium | DefenderIoTmicroagent | Machine logs indicate that a privileged Docker container is running. A privileged container has full access to host resources. If compromised, a malicious actor can use the privileged container to gain access to the host machine. | If the container doesn't need to run in privileged mode, remove the privileges from the container. | IoT_PrivilegedContainer |


| Name | Severity | Data Source | Description | Suggested remediation steps | Alert type |
|---|---|---|---|---|---|
| Removal of system log files detected | Medium | DefenderIoTmicroagent | Suspicious removal of log files on the host detected. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_RemovelOfSystemLogs |
| Space after filename | Medium | DefenderIoTmicroagent | Execution of a process with a suspicious extension detected using analysis of host data. Suspicious extensions may trick users into thinking files are safe to open and can indicate the presence of malware on the system. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_ExecuteFileWithTrailingSpace |
| Tools commonly used for malicious credentials access detected | Medium | DefenderIoTmicroagent | Usage of a tool commonly associated with malicious attempts to access credentials detected. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_CredentialAccessTools |


| Name | Severity | Data Source | Description | Suggested remediation steps | Alert type |
|---|---|---|---|---|---|
| Suspicious compilation detected | Medium | DefenderIoTmicroagent | Suspicious compilation detected. Malicious actors often compile exploits on a compromised machine to escalate privileges. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_SuspiciousCompilation |
| Suspicious file download followed by file run activity | Medium | DefenderIoTmicroagent | Analysis of host data detected a file that was downloaded and run in the same command. This technique is commonly used by malicious actors to get infected files onto victim machines. | Review with the user that ran the command whether this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_DownloadFileThenRun |
| Suspicious IP address communication | Medium | DefenderIoTmicroagent | Communication with a suspicious IP address detected. | Verify whether the connection is legitimate. Consider blocking communication with the suspicious IP. | IoT_TiConnection |
| Malicious Domain Name Request | Medium | DefenderIoTmicroagent | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Disconnect the source from the network. Perform incident response. | IoT_MaliciousNameQueriesDetection |
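Several of the medium-severity alerts above describe conditions that are visible in a single process command line, which makes them useful for triage: when an alert fires, the analyst can check the command line the agent reported against the same property the alert name describes. The script below is an added example, not the micro agent's detection logic. It implements simplified, readable approximations of six of the alerts (exposed Docker daemon, privileged container, suspicious nohup, interpreter/extension mismatch, trailing space in a filename, and Bash history cleared from the low-severity table) and runs them over constructed command lines. The alert-type names are the ones listed in the tables; the command lines, the interpreter/extension map and the temporary-directory list are assumptions for the demonstration, and the product's real rules are not claimed to match these.

```python
"""Heuristics illustrating several of the medium- and low-severity alerts above.

Added example, not the micro agent's detection logic: simplified
approximations of what each alert describes, run over constructed process
command lines. The alert-type names are those listed in the tables; the
interpreter/extension map, the temporary-directory list and the sample
command lines are assumptions for the demonstration.
"""
import os
import shlex

INTERPRETER_EXT = {"python": ".py", "python3": ".py", "perl": ".pl",
                   "ruby": ".rb", "bash": ".sh", "sh": ".sh"}
SCRIPT_EXTS = set(INTERPRETER_EXT.values())
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def _argv(cmdline):
    try:
        return shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        return cmdline.split()


def _first_operand(args):
    return next((a for a in args if not a.startswith("-")), None)


def detect(cmdline):
    """Return the alert types a single command line would raise (possibly none)."""
    argv = _argv(cmdline)
    if not argv:
        return []
    exe, args = os.path.basename(argv[0]), argv[1:]
    hits = []

    # IoT_ExposedDocker: dockerd bound to a TCP socket without TLS client auth.
    if exe == "dockerd" and any("tcp://" in a for a in args) and "--tlsverify" not in args:
        hits.append("IoT_ExposedDocker")

    # IoT_PrivilegedContainer: a container started with full host access.
    if exe == "docker" and "--privileged" in args:
        hits.append("IoT_PrivilegedContainer")

    # IoT_SuspiciousNohup: nohup applied to something under a temporary directory.
    if exe == "nohup" and any(a.startswith(TEMP_DIRS) for a in args):
        hits.append("IoT_SuspiciousNohup")

    # IoT_ScriptInterpreterMismatch: e.g. python3 running a file named *.sh.
    if exe in INTERPRETER_EXT:
        script = _first_operand(args)
        ext = os.path.splitext(script)[1].lower() if script else ""
        if ext in SCRIPT_EXTS and ext != INTERPRETER_EXT[exe]:
            hits.append("IoT_ScriptInterpreterMismatch")

    # IoT_ExecuteFileWithTrailingSpace: "invoice.pdf " passed off as a document.
    if any(a.endswith(" ") for a in argv):
        hits.append("IoT_ExecuteFileWithTrailingSpace")

    # IoT_ClearHistoryFile: shell history removed or truncated.
    if (exe in ("rm", "shred", "truncate", "unlink")
            and any(".bash_history" in a for a in args)) or cmdline.strip() == "history -c":
        hits.append("IoT_ClearHistoryFile")

    return hits


# Constructed sample command lines, not captured from a real device.
SAMPLE_COMMAND_LINES = [
    "dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock",
    "dockerd -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem",
    "docker run --privileged -d sensor-gateway:1.4",
    "nohup /tmp/.cache/kworker -o pool.example:3333 &",
    "python3 /var/tmp/update.sh",
    "python3 /opt/app/main.py --port 8080",
    '"./invoice.pdf " --open',
    "rm -f /home/pi/.bash_history",
]


def scan(lines):
    """Map each command line that raises something to its alert types."""
    findings = {}
    for line in lines:
        hits = detect(line)
        if hits:
            findings[line] = hits
    return findings


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_COMMAND_LINES).items():
        print(f"{', '.join(hits):36s} {line}")
```

The second dockerd line shows the property that separates a finding from noise: a TCP socket guarded by `--tlsverify` is exactly the configuration the "Exposed Docker daemon" remediation asks for, so it raises nothing, while the plain `tcp://0.0.0.0:2375` listener does. The same shape of check (is the risky property actually present in the command line the agent reported?) is the first thing to apply when triaging any of these alerts.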


Low severity

| Name | Severity | Data Source | Description | Suggested remediation steps | Alert type |
|---|---|---|---|---|---|
| Bash history cleared | Low | DefenderIoTmicroagent | Bash history log cleared. Malicious actors commonly erase bash history to hide their own commands from appearing in the logs. | Review the activity in this alert with the user that ran the command to see if you recognize it as legitimate administrative activity. If not, escalate the alert to the information security team. | IoT_ClearHistoryFile |

Next steps

Defender for IoT service overview


Defender for IoT Hub security alerts

Article • 01/10/2023

Defender for IoT continuously analyzes your IoT solution using advanced analytics and threat intelligence to alert you to malicious activity. In addition, you can create custom alerts based on your knowledge of expected device behavior. An alert acts as an indicator of potential compromise, and should be investigated and remediated.

In this article, you will find a list of built-in alerts which can be triggered on your IoT Hub. In addition to built-in alerts, Defender for IoT allows you to define custom alerts based on expected IoT Hub and/or device behavior. For more information, see customizable alerts.

Built-in alerts for IoT Hub

Medium severity

| Name | Severity | Data Source | Description | Suggested remediation | AlertType |
|---|---|---|---|---|---|
| New certificate added to an IoT Hub | Medium | IoT Hub | A certificate was added to an IoT Hub. If this action was made by an unauthorized party, it may indicate malicious activity. | 1. Make sure the certificate was added by an authorized party. 2. If it was not added by an authorized party, remove the certificate and escalate the alert to the organizational security team. | IoT_CertificateSuccessfullyAddedToHub |


| Name | Severity | Data Source | Description | Suggested remediation | AlertType |
|---|---|---|---|---|---|
| Certificate deleted from an IoT Hub | Medium | IoT Hub | A certificate was deleted from an IoT Hub. If this action was made by an unauthorized party, it may indicate malicious activity. | 1. Make sure the certificate was removed by an authorized party. 2. If the certificate was not removed by an authorized party, add the certificate back, and escalate the alert to the organizational security team. | IoT_CertificateSuccessfullyDeletedFromHub |
| Unsuccessful attempt detected to add a certificate to an IoT Hub | Medium | IoT Hub | There was an unsuccessful attempt to add a certificate to an IoT Hub. If this action was made by an unauthorized party, it may indicate malicious activity. | Make sure permissions to change certificates are only granted to authorized parties. | Hub_CertificateFailedToBeAddedToHub |
| Unsuccessful attempt detected to delete a certificate from an IoT Hub | Medium | IoT Hub | There was an unsuccessful attempt to delete a certificate from an IoT Hub. If this action was made by an unauthorized party, it may indicate malicious activity. | Make sure permissions to change certificates are only granted to an authorized party. | IoT.Hub_CertificateFailedToBeDeletedFromHub |


| Name | Severity | Data Source | Description | Suggested remediation | AlertType |
|---|---|---|---|---|---|
| x.509 device certificate thumbprint mismatch | Medium | IoT Hub | x.509 device certificate thumbprint did not match configuration. | Review alerts on the devices. No further action required. | IoT_Cert_Print_Mismatch |
| x.509 certificate expired | Medium | IoT Hub | X.509 device certificate has expired. | This could be a legitimate device with an expired certificate or an attempt to impersonate a legitimate device. If the legitimate device is currently communicating correctly, this is likely an impersonation attempt. | IoT_Cert_Expired |

Low severity


| Name | Severity | Data Source | Description | Suggested remediation | AlertType |
|---|---|---|---|---|---|
| Attempt to add or edit a diagnostic setting of an IoT Hub detected | Low | IoT Hub | Attempt to add or edit the diagnostic settings of an IoT Hub has been detected. Diagnostic settings enable you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. If this action was not made by an authorized party, it may indicate malicious activity. | 1. Make sure the certificate was removed by an authorized party. 2. If the certificate was not removed by an authorized party, add the certificate back and escalate the alert to your information security team. | IoT_DiagnosticSettingAddedOrEditedOnHub |


| Name | Severity | Data Source | Description | Suggested remediation | AlertType |
|---|---|---|---|---|---|
| Attempt to delete a diagnostic setting from an IoT Hub detected | Low | IoT Hub | Attempt to add or edit the diagnostic settings of an IoT Hub has been detected. Diagnostic settings enable you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. If this action was not made by an authorized party, it may indicate malicious activity. | Make sure permissions to change diagnostics settings are granted only to an authorized party. | IoT_DiagnosticSettingDeletedFromHub |
| Expired SAS Token | Low | IoT Hub | Expired SAS token used by a device. | May be a legitimate device with an expired token, or an attempt to impersonate a legitimate device. If the legitimate device is currently communicating correctly, this is likely an impersonation attempt. | IoT_Expired_SAS_Token |


| Name | Severity | Data Source | Description | Suggested remediation | AlertType |
|---|---|---|---|---|---|
| Invalid SAS token signature | Low | IoT Hub | A SAS token used by a device has an invalid signature. The signature does not match either the primary or secondary key. | Review the alerts on the devices. No further action required. | IoT_Invalid_SAS_Token |

Next steps

Defender for IoT service Overview


Defender for IoT Hub custom security alerts

Article • 01/10/2023

Defender for IoT continuously analyzes your IoT solution using advanced analytics and threat intelligence to alert you to malicious activity. Create custom alerts based on your knowledge of each expected device's behavior. These alerts act as the most efficient indicators of any potential changes to your organizational deployment, or landscape.

The following lists of Defender for IoT alerts are definable by you based on your expected IoT Hub behavior. For more information about how to customize each alert, see create custom alerts.

Built-in custom alerts in the IoT Hub

Low severity

| Alert name | Severity | Data source | Description | Alert Type |
|---|---|---|---|---|
| Custom alert - The number of cloud to device messages in AMQP protocol is outside the allowed range | Low | IoT Hub | The number of cloud to device messages (AMQP protocol) within a specific time window is outside the currently configured and allowable range. | IoT_CA_AmqpC2DMessagesNotInAllowedRange |


| Alert name | Severity | Data source | Description | Alert Type |
|---|---|---|---|---|
| Custom alert - The number of rejected cloud to device messages in AMQP protocol is outside the allowed range | Low | IoT Hub | The number of cloud to device messages (AMQP protocol) rejected by the device within a specific time window is outside the currently configured and allowable range. | IoT_CA_AmqpC2DRejectedMessagesNotInAllowedRange |
| Custom alert - The number of device to cloud messages in AMQP protocol is outside the allowed range | Low | IoT Hub | The amount of device to cloud messages (AMQP protocol) within a specific time window is outside the currently configured and allowable range. | IoT_CA_AmqpD2CMessagesNotInAllowedRange |
| Custom alert - The number of direct method invokes are outside the allowed range | Low | IoT Hub | The amount of direct method invokes within a specific time window is outside the currently configured and allowable range. | IoT_CA_DirectMethodInvokesNotInAllowedRange |


| Alert name | Severity | Data source | Description | Alert Type |
|---|---|---|---|---|
| Custom alert - The number of file uploads is outside the allowed range | Low | IoT Hub | The amount of file uploads within a specific time window is outside the currently configured and allowable range. | IoT_CA_FileUploadsNotInAllowedRange |
| Custom alert - The number of cloud to device messages in HTTP protocol is outside the allowed range | Low | IoT Hub | The amount of cloud to device messages (HTTP protocol) in a time window isn't in the configured allowed range. | IoT_CA_HttpC2DMessagesNotInAllowedRange |
| Custom alert - The number of rejected cloud to device messages in HTTP protocol isn't in the allowed range | Low | IoT Hub | The amount of cloud to device messages (HTTP protocol) within a specific time window is outside the currently configured and allowable range. | IoT_CA_HttpC2DRejectedMessagesNotInAllowedRange |


| Alert name | Severity | Data source | Description | Alert Type |
|---|---|---|---|---|
| Custom alert - The number of device to cloud messages in HTTP protocol is outside the allowed range | Low | IoT Hub | The amount of device to cloud messages (HTTP protocol) within a specific time window is outside the currently configured and allowable range. | IoT_CA_HttpD2CMessagesNotInAllowedRange |
| Custom alert - The number of cloud to device messages in MQTT protocol is outside the allowed range | Low | IoT Hub | The amount of cloud to device messages (MQTT protocol) within a specific time window is outside the currently configured and allowable range. | IoT_CA_MqttC2DMessagesNotInAllowedRange |


| Alert name | Severity | Data source | Description | Alert Type |
|---|---|---|---|---|
| Custom alert - The number of rejected cloud to device messages in MQTT protocol is outside the allowed range | Low | IoT Hub | The amount of cloud to device messages (MQTT protocol) rejected by the device within a specific time window is outside the currently configured and allowable range. | IoT_CA_MqttC2DRejectedMessagesNotInAllowedRange |
| Custom alert - The number of device to cloud messages in MQTT protocol is outside the allowed range | Low | IoT Hub | The amount of device to cloud messages (MQTT protocol) within a specific time window is outside the currently configured and allowable range. | IoT_CA_MqttD2CMessagesNotInAllowedRange |
| Custom alert - The number of command queue purges that are outside of the allowed range | Low | IoT Hub | The amount of command queue purges within a specific time window is outside the currently configured and allowable range. | IoT_CA_QueuePurgesNotInAllowedRange |


| Alert name | Severity | Data source | Description | Alert Type |
|---|---|---|---|---|
| Custom alert - The number of module twin updates is outside the allowed range | Low | IoT Hub | The number of module twin updates within a specific time window is outside the currently configured and allowable range. | IoT_CA_TwinUpdatesNotInAllowedRange |
| Custom alert - The number of unauthorized operations is outside the allowed range | Low | IoT Hub | The number of unauthorized operations within a specific time window is outside the currently configured and allowable range. | IoT_CA_UnauthorizedOperationsNotInAllowedRange |

Next steps

Learn how to customize an alert

Defender for IoT service Overview


Security recommendations for IoT Hub

Article • 01/10/2023

Note: The Microsoft Defender for IoT legacy experience under IoT Hub has been replaced by our new Defender for IoT standalone experience, in the Defender for IoT area of the Azure portal. The legacy experience under IoT Hub will not be supported after March 31, 2023.

Defender for IoT scans your Azure resources and IoT devices and provides security recommendations to reduce your attack surface. Security recommendations are actionable and aim to aid customers in complying with security best practices.

In this article, you will find a list of recommendations, which can be triggered on your IoT Hub. Recommendation alerts provide insight and suggestions for actions to improve the security posture of your environment.

Built in recommendations in IoT Hub

High severity

| Severity | Name | Data Source | Description | RecommendationType |
|---|---|---|---|---|
| High | Same authentication credentials used by multiple devices | IoT Hub | IoT Hub authentication credentials are used by multiple devices. This could indicate an illegitimate device is impersonating a legitimate device and also exposes the risk of device impersonation by a malicious actor. | IoT_SharedCredentials |


| Severity | Name | Data Source | Description | RecommendationType |
|---|---|---|---|---|
| High | High level permissions configured in IoT Edge model twin for IoT Edge module | IoT Hub | IoT Edge module is configured to run in privileged mode, with extensive Linux capabilities or with host-level network access (send/receive data to host machine). | IoT_PrivilegedDockerOptions |

Medium severity

| Severity | Name | Data Source | Description | RecommendationType |
|---|---|---|---|---|
| Medium | Service principal not used with ACR repository | IoT Hub | Authentication schema used to pull an IoT Edge module from an ACR repository does not use Service Principal Authentication. | IoT_ACRAuthentication |
| Medium | TLS cipher suite upgrade needed | IoT Hub | Unsecured TLS configurations detected. Immediate TLS cipher suite upgrade recommended. | IoT_VulnerableTLSCipherSuite |
| Medium | Default IP filter policy should be deny | IoT Hub | By default, IP filter configuration needs rules defined for allowed traffic and should deny all other traffic. | IoT_IPFilter_DenyAll |


| Severity | Name | Data Source | Description | RecommendationType |
|---|---|---|---|---|
| Medium | IP filter rule includes a large IP range | IoT Hub | An IP filter rule source allowable IP range is too large. Overly permissive rules can expose your IoT Hub to malicious actors. | IoT_IPFilter_PermissiveRule |
| Medium | Recommended Rules for ip filter | IoT Hub | We recommend that you change your IP filter to the following rules, which were derived from your IoT Hub's behavior. | IoT_RecommendedIpRulesByBaseLine |
| Medium | SecurityGroup has inconsistent module settings | IoT Hub | Within this device security group, an anomaly device has inconsistent IoT Edge module settings when compared with the rest of the security group. | IoT_InconsistentModuleSettings |

Low severity

| Severity | Name | Data Source | Description | RecommendationType |
|---|---|---|---|---|
| Low | IoT Edge Hub memory can be optimized | IoT Hub | Optimize your IoT Edge Hub memory usage by turning off protocol heads for any protocols not used by Edge modules in your solution. | IoT_EdgeHubMemOptimize |
| Low | No logging configured for IoT Edge module | IoT Hub | Logging is disabled for this IoT Edge module. | IoT_EdgeLoggingOptions |

Next steps


Learn more about the Legacy Defender for IoT devices security alerts


Firmware analysis for device builders

Article • 07/18/2023

Note: The Defender for IoT Firmware analysis page is in PREVIEW. The Azure Preview Supplemental Terms include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Just like computers have operating systems, IoT devices have firmware, and it's the firmware that runs and controls IoT devices. For IoT device builders, security is a near-universal concern as IoT devices have traditionally lacked basic security measures. For example, IoT attack vectors typically use easily exploitable, but easily correctable, weaknesses such as hardcoded user accounts, outdated and vulnerable open-source packages, or a manufacturer's private cryptographic signing key.

Use Microsoft Defender for IoT's firmware analysis to identify embedded security threats, vulnerabilities, and common weaknesses that may be otherwise undetectable.

How to be sure your firmware is secure

Defender for IoT can analyze your firmware for common weaknesses and vulnerabilities, and provide insight into your firmware security. This analysis is useful whether you build the firmware in-house or receive firmware from your supply chain.

- Software bill of materials (SBOM): Receive a detailed listing of open-source packages used during the firmware's build process. See the package version and what license governs the use of the open-source package.
- CVE analysis: See which firmware components have publicly known security vulnerabilities and exposures.
- Binary hardening analysis: Identify binaries that haven't enabled specific security flags during compilation, such as buffer overflow protection, position independent executables, and other common hardening techniques.
- SSL certificate analysis: Reveal expired and revoked TLS/SSL certificates.
- Public and private key analysis: Verify that the public and private cryptographic keys discovered in the firmware are necessary and not accidental.


- Password hash extraction: Ensure that user account password hashes use secure cryptographic algorithms.

Next steps

Analyze a firmware image


Install Defender for IoT micro agent for Edge

Article • 12/14/2022

This article explains how to install and authenticate the Defender micro agent for Edge.

Prerequisites

1. Navigate to your IoT Hub or create a new IoT hub.

2. Register an IoT Edge device in IoT Hub and retrieve connection strings.

3. Add the appropriate Microsoft package repository.

   a. Download the repository configuration that matches your device operating system.

   For Ubuntu 18.04

   Bash

       curl https://packages.microsoft.com/config/ubuntu/18.04/multiarch/prod.list > ./microsoft-prod.list

   For Ubuntu 20.04

   Bash

       curl https://packages.microsoft.com/config/ubuntu/20.04/prod.list > ./microsoft-prod.list

   For Debian 9 (both AMD64 and ARM64)

   Bash

       curl https://packages.microsoft.com/config/debian/stretch/multiarch/prod.list > ./microsoft-prod.list

   b. Copy the repository configuration to the sources.list.d directory.


   Bash

       sudo cp ./microsoft-prod.list /etc/apt/sources.list.d/

   c. Update the list of packages from the repository that you added with the following command:

   Bash

       sudo apt-get update

4. Install and configure Edge runtime version 1.2.

Installation

1. Install the Defender micro agent package on Debian and Ubuntu based Linux distributions, using the following command:

   Bash

       sudo apt-get install defender-iot-micro-agent-edge

2. Validate your installation.

   a. Ensure the micro agent is running properly with the following command:

   Bash

       systemctl status defender-iot-micro-agent.service

   b. Ensure that the service is stable by making sure it's active and that the uptime of the process is appropriate.

3. Test the system end-to-end by creating a trigger file on the device. The trigger file will cause a baseline scan in the agent, which will detect the file as a baseline violation. Create a file on the file system with the following command:


   Bash

       sudo touch /tmp/DefenderForIoTOSBaselineTrigger.txt

   A baseline validation failure recommendation will occur in the hub, with a CceId of CIS-debian-9-DEFENDER_FOR_IOT_TEST_CHECKS-0.0. Allow up to one hour for the recommendation to appear in the hub.

4. To install a specific version of the Defender IoT micro agent, use the following command:

   Bash

       sudo apt-get install defender-iot-micro-agent-edge=<version>

Next steps

Configure Microsoft Defender for IoT agent-based solution
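The installation steps above, scripted end to end, as an added example that is not part of the Defender for IoT documentation: it selects the repository configuration from /etc/os-release (step 3a), installs the package, checks the service the way step 2b describes (active, and up for a minimum time) by parsing `systemctl show` output, and drops the baseline trigger file. The 60-second stability threshold and the function names are assumptions, not values from the article.

```shell
#!/bin/sh
# Added example, not the Defender for IoT project's own script. Assumes a
# Debian/Ubuntu host with apt and systemd; the 60 s threshold is an assumption.

# Print the prod.list URL from step 3a for an os-release ID/VERSION_ID pair;
# return 1 for any OS the article does not list.
repo_config_url() {
  case "$1:$2" in
    ubuntu:18.04) echo "https://packages.microsoft.com/config/ubuntu/18.04/multiarch/prod.list" ;;
    ubuntu:20.04) echo "https://packages.microsoft.com/config/ubuntu/20.04/prod.list" ;;
    debian:9)     echo "https://packages.microsoft.com/config/debian/stretch/multiarch/prod.list" ;;
    *) return 1 ;;
  esac
}

# Read one KEY=value field (quotes stripped) from an os-release style file.
os_release_field() {
  sed -n "s/^$1=//p" "$2" | tr -d '"'
}

# Step 2b as a check. $1 is the output of
#   systemctl show -p ActiveState -p ActiveEnterTimestampMonotonic <unit>
# $2 is host uptime in whole seconds (/proc/uptime), $3 the minimum uptime.
# Returns 0 only when the unit is active and has been so for at least $3 s.
service_is_stable() {
  show_out="$1"; host_uptime="$2"; min_uptime="$3"
  state=$(printf '%s\n' "$show_out" | sed -n 's/^ActiveState=//p')
  enter_us=$(printf '%s\n' "$show_out" | sed -n 's/^ActiveEnterTimestampMonotonic=//p')
  [ "$state" = "active" ] || return 1
  [ -n "$enter_us" ] || return 1
  # The monotonic timestamp is microseconds since boot.
  svc_uptime=$(( host_uptime - enter_us / 1000000 ))
  [ "$svc_uptime" -ge "$min_uptime" ]
}

install_micro_agent_edge() {
  os_id=$(os_release_field ID /etc/os-release)
  os_ver=$(os_release_field VERSION_ID /etc/os-release)
  url=$(repo_config_url "$os_id" "$os_ver") || { echo "unsupported OS: $os_id $os_ver" >&2; return 1; }
  curl -fsSL "$url" > ./microsoft-prod.list                     # step 3a
  sudo cp ./microsoft-prod.list /etc/apt/sources.list.d/         # step 3b
  sudo apt-get update                                            # step 3c
  sudo apt-get install -y defender-iot-micro-agent-edge          # Installation 1
  sleep 60                                                       # let the service settle
  show=$(systemctl show -p ActiveState -p ActiveEnterTimestampMonotonic defender-iot-micro-agent.service)
  host_up=$(cut -d' ' -f1 /proc/uptime); host_up=${host_up%.*}
  service_is_stable "$show" "$host_up" 60 || { echo "micro agent is not running stably" >&2; return 1; }
  sudo touch /tmp/DefenderForIoTOSBaselineTrigger.txt            # Installation 3
  echo "installed; expect a CIS-debian-9-DEFENDER_FOR_IOT_TEST_CHECKS-0.0 recommendation within an hour"
}

# The real installation only runs when invoked as: sh install-agent.sh --run
if [ "${1:-}" = "--run" ]; then install_micro_agent_edge; fi
```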


Upgrade the Microsoft Defender for IoT micro agent

Article • 12/28/2022

This article describes how to upgrade a Microsoft Defender for IoT micro agent to the latest software version. For more information, see our release notes for device builders.

Upgrade a micro agent from version 4.2.* to 4.6.2

When upgrading the micro agent from version 4.2.* to 4.6.2, you must first remove the package and then reinstall it.

Standalone micro agent:

1. Remove the current package. Run:

   Bash

       sudo apt-get remove defender-iot-micro-agent

2. Ensure that you've updated apt. Run:

   Bash

       sudo apt-get update

3. Install the Defender for IoT micro agent on Debian or Ubuntu-based Linux distributions. Run:

   Bash

       sudo apt-get install defender-iot-micro-agent

Micro agent for Edge:

1. Remove the current package. Run:

   Bash

       sudo apt-get remove defender-iot-micro-agent-edge

2. Ensure that you've updated apt. Run:

   Bash

       sudo apt-get update

3. Install the Defender for IoT micro agent on Debian or Ubuntu-based Linux distributions. Run:

   Bash

       sudo apt-get install defender-iot-micro-agent-edge

Upgrade a standalone micro agent

1. Ensure that you've updated apt. Run:

   Bash

       sudo apt-get update

2. Install the Defender for IoT micro agent on Debian or Ubuntu-based Linux distributions. Run:

   Bash

       sudo apt-get install defender-iot-micro-agent

Upgrade a micro agent for Edge

1. Ensure that you've updated apt. Run:

   Bash

       sudo apt-get update

2. Install the Defender for IoT micro agent on Debian or Ubuntu-based Linux distributions for Edge. Run:

