
Contents

Azure Security Center for IoT documentation


Overview
Solution architecture
Security solution for Azure RTOS
Security agents
Edge security module
Service prerequisites
Get started with Azure Security Center for IoT
IoT Hub
Security agents
Quickstarts
Onboard Azure Security Center for IoT in IoT Hub
Configure your solution
Create an Azure Security Center for IoT module twin
Create custom security alerts
Concepts
Security agent authentication
Security module
Security alerts
Customizable security alerts
Security recommendations
Baseline
Event aggregation
Pricing and associated costs
How-to guides
Which agent should I deploy?
Select an agent to deploy
Deploy a C#-based security agent on a Windows device
Deploy a C#-based security agent on a Linux device
Deploy a C-based security agent on a Linux device
Troubleshoot a security agent
Troubleshoot Azure Security Center for IoT Linux security agent
Local configuration C
Local configuration C#
Deploy Edge security module
Configure security agents
Send your own security messages
Access raw security data
Investigate a device
Connect to Azure Sentinel
Customize your solution
Resources
Frequently asked questions
Azure Roadmap
Azure Security, Privacy, & Compliance blog
Regional availability
Introducing Azure Security Center for IoT
4/14/2020 • 2 minutes to read

Unify security management and enable end-to-end threat detection and analysis across hybrid cloud workloads
and your Azure IoT solution.

Secure your entire IoT solution from IoT devices to Azure cloud
Choose the seamless agentless solution or the more comprehensive agent-based option. Either way, Azure
Security Center for IoT provides threat prevention and analysis for every device, IoT Edge and IoT Hub across
your IoT assets.
As billions of new devices are connected to the internet and integrated into our daily lives and our businesses,
your security operations teams must ensure their security strategies evolve quickly enough to cover each new
attack surface. Like any other system, an IoT solution needs protection at every stage of implementation to be
comprehensively secured.
Azure Security Center for IoT simplifies hybrid workload protection by delivering unified visibility and control,
adaptive threat prevention, and intelligent threat detection and response across workloads running on edge, on-
premises, in Azure, and in other clouds.

Unified visibility and control


Get a unified view of security across all of your on-premises and cloud workloads, including your Azure IoT
solution. Onboard new devices, and apply security policies across your workloads (leaf devices, IoT Edge
devices, IoT Hub) to ensure compliance with security standards and an improved security posture.
Adaptive threat prevention
Use Azure Security Center for IoT to continuously monitor the security of machines, networks, and Azure services.
Choose from hundreds of built-in security assessments or create your own in the central Azure Security Center
for IoT Hub dashboard. Optimize your security settings and improve your security score with actionable
recommendations across virtual machines, networks, apps, and data. With newly added IoT capabilities, you can
now reduce the attack surface for your Azure IoT solution and remediate issues before they can be exploited.
Intelligent threat detection and response
Use advanced analytics and the Microsoft Intelligent Security Graph to get an edge over evolving cyber-attacks.
Built-in behavioral analytics and machine learning identify attacks and zero-day exploits. Monitor your IoT
solution for incoming attacks and post-breach activity. Streamline device investigation and remediation with
interactive tools and contextual threat intelligence.

Next steps
In this overview, you learned about the features and services of Azure Security Center for IoT. To learn more about
Azure Security Center for IoT architecture, prerequisites, and learn how to get started, see the following articles:
Architecture
Service prerequisites
Getting started
Define your solution
Azure Security Center for IoT FAQ
Azure Security Center for IoT alerts
Azure Security Center for IoT architecture
4/14/2020 • 2 minutes to read

This article explains the functional system architecture of the Azure Security Center for IoT solution.

Azure Security Center for IoT components


Azure Security Center for IoT is composed of the following components:
IoT Hub integration
Device agents (optional)
Send security message SDK
Analytics pipeline
Azure Security Center for IoT workflows
Azure Security Center for IoT works in one of two feature workflows: Built-in and Enhanced
Built-in
In Built-in mode, Azure Security Center for IoT is enabled when you turn on the Security option in your
IoT Hub. Built-in mode offers real-time monitoring, recommendations and alerts, with single-step device
visibility. It does not require installing an agent on any device; instead it applies advanced analytics to the
activity IoT Hub already logs (device identity operations, device-to-cloud and cloud-to-device communication
patterns) to analyze and protect your field devices.
Enhanced
In Enhanced mode, after turning on the Security option in your IoT Hub and installing Azure Security Center for
IoT device agents on your devices, the agents collect, aggregate and analyze raw security events from your
devices. Raw security events can include IP connections, process creation, user logins, and other security-relevant
information. Azure Security Center for IoT device agents also handle event aggregation to help avoid high
network throughput. The agents are highly customizable, allowing you to use them for specific tasks, such as
sending only important information at the fastest SLA, or for aggregating extensive security information and
context into larger segments, avoiding higher service costs.

Device agents, and other applications, use the Azure send security message SDK to send security information
into Azure IoT Hub. IoT Hub picks up this information and forwards it to the Azure Security Center for IoT service.
Once the Azure Security Center for IoT service is enabled, in addition to the forwarded data, IoT Hub also sends
all of its internal data for analysis by Azure Security Center for IoT. This data includes device-cloud operation
logs, device identities, and Hub configuration. All of this information feeds the Azure Security Center for IoT
analytics pipeline.
The analytics pipeline also receives additional threat intelligence streams from various sources within Microsoft
and Microsoft partners. The entire pipeline takes into account every customer configuration made on the service
(such as custom alerts and use of the send security message SDK).
Using the analytics pipeline, Azure Security Center for IoT combines all of the streams of information to generate
actionable recommendations and alerts. The pipeline contains both custom rules created by security researchers
and experts as well as machine learning models searching for deviation from standard device behavior and risk
analysis.
Azure Security Center for IoT recommendations and alerts (the analytics pipeline output) are written to the Log
Analytics workspace of each customer. If you also choose to store raw events in the workspace alongside the alerts
and recommendations, you can run deep-dive investigations and queries using the exact details of the suspicious
activities detected.

Next steps
In this article, you learned about the basic architecture and workflow of Azure Security Center for IoT solution. To
learn more about prerequisites, how to get started and enable your security solution in IoT Hub, see the following
articles:
Service prerequisites
Getting started
Configure your solution
Enable security in IoT Hub
Azure Security Center for IoT FAQ
Azure Security Center for IoT security alerts
Azure Security Center for IoT Security Solution for
Azure RTOS
8/6/2020 • 2 minutes to read

The Azure Security Center for IoT security module provides a comprehensive security solution for Azure RTOS
devices. Azure RTOS ships with a built-in security module that covers common threats on real-time operating
system devices.

Azure Security Center for IoT security module with Azure RTOS support offers the following features:
Malicious network activity detection
Custom alert based, device behavior baselining
Improve device security hygiene
Detection of malicious network activities
Inbound and outbound network activity of each device is monitored (supported protocols: TCP, UDP, ICMP on IPv4
and IPv6). Azure Security Center for IoT inspects each of these network activities against the Microsoft Threat
Intelligence feed. The feed gets updated in real-time with millions of unique threat indicators collected worldwide.
Device behavior baselining based on custom alerts
Baselining allows for clustering of devices into security groups and defining the expected behavior of each group.
As IoT devices are typically designed to operate in well-defined and limited scenarios, it is easy to create a baseline
that defines their expected behavior using a set of parameters. Any deviation from the baseline triggers an alert.
Improve your device security hygiene
Using the recommendations Azure Security Center for IoT provides, gain knowledge and insights about issues in
your environment that damage the security posture of your devices. Poor IoT device security posture can allow
attacks to succeed if left unaddressed, as security is only as strong as the weakest link within any organization.

Get started protecting Azure RTOS devices


Azure Security Center for IoT security module for Azure RTOS is provided as a free download for your devices.
The Azure Security Center for IoT cloud service is available with a 30-day trial per Azure subscription. Download
the Azure Security Center for IoT security module for Azure RTOS to get started.

Next steps
In this article, you learned about Azure Security Center for IoT Azure RTOS support. To learn how to get started and
enable your security solution in IoT Hub, see the following articles:
Service prerequisites
Getting started
Configure your solution
Enable security in IoT Hub
Azure Security Center for IoT FAQ
Azure Security Center for IoT security alerts
Security agent reference architecture
4/14/2020 • 2 minutes to read

Azure Security Center for IoT provides a reference architecture for security agents that log, process, aggregate, and
send security data through IoT Hub.
Security agents are designed to work in a constrained IoT environment, and the trade-off between the security
value they provide and the resources they consume is highly customizable.
Security agents support the following features:
Collect raw security events from the underlying Operating System (Linux, Windows). To learn more about
available security data collectors, see Azure Security Center for IoT agent configuration.
Aggregate raw security events into messages sent through IoT Hub.
Authenticate with existing device identity, or a dedicated module identity. See Security agent authentication
methods to learn more.
Configure remotely through use of the azureiotsecurity module twin. To learn more, see Configure an
Azure Security Center for IoT agent.
Azure Security Center for IoT Security agents are developed as open-source projects, and are available from
GitHub:
Azure Security Center for IoT C-based agent
Azure Security Center for IoT C#-based agent

Agent supported platforms


Azure Security Center for IoT offers different installer agents for 32bit and 64bit Windows, and the same for 32bit
and 64bit Linux. Make sure you have the correct agent installer for each of your devices according to the following
table:

ARCHITECTURE   LINUX     WINDOWS   DETAILS
32bit          C         C#
64bit          C# or C   C#        We recommend using the C agent for devices with more restricted or minimal device resources.

Next steps
In this article, you learned about Azure Security Center for IoT security agent architecture, and the available
installers.
To continue getting started with Azure Security Center for IoT deployment, use the following articles:
Understand security agent authentication methods
Select and deploy a security agent
Review the Azure Security Center for IoT service prerequisites
Learn how to enable Azure Security Center for IoT service in your IoT Hub
Learn more about the service from the Azure Security Center for IoT FAQ
Azure IoT Edge security module
4/14/2020 • 2 minutes to read

Azure IoT Edge provides powerful capabilities to manage and perform business workflows at the edge. The key
part that IoT Edge plays in IoT environments makes it particularly attractive to malicious actors.
Azure Security Center for IoT security module provides a comprehensive security solution for your IoT Edge
devices. Azure Security Center for IoT module collects, aggregates and analyzes raw security data from your
Operating System and container system into actionable security recommendations and alerts.
Similar to Azure Security Center for IoT security agents for IoT devices, the Azure Security Center for IoT Edge
module is highly customizable through its module twin. See Configure your agent to learn more.
Azure Security Center for IoT security module for IoT Edge offers the following features:
Collects raw security events from the underlying Operating System (Linux), and the IoT Edge container
system. See Azure Security Center for IoT agent configuration to learn more about available security data
collectors.
Analysis of IoT Edge deployment manifests.
Aggregates raw security events into messages sent through IoT Edge Hub.
Remote configuration through use of the security module twin. See Configure an Azure Security Center for IoT
agent to learn more.
Azure Security Center for IoT security module for IoT Edge runs in a privileged mode under IoT Edge. Privileged
mode is required to allow the module to monitor the Operating System, and other IoT Edge modules.

Module supported platforms


Azure Security Center for IoT security module for IoT Edge is currently only available for Linux.

Next steps
In this article, you learned about the architecture and capabilities of Azure Security Center for IoT security module
for IoT Edge.
To continue getting started with Azure Security Center for IoT deployment, use the following articles:
Deploy security module for IoT Edge
Learn how to configure your security module
Review the Azure Security Center for IoT Service prerequisites
Learn how to Enable Azure Security Center for IoT service in your IoT Hub
Learn more about the service from the Azure Security Center for IoT FAQ
Azure Security Center for IoT prerequisites
8/6/2020 • 2 minutes to read

This article provides an explanation of the different components of the Azure Security Center for IoT service, what
you need to begin, and explains the basic concepts to help understand the service.

Minimum requirements
IoT Hub Standard tier
Azure role Owner level privileges
Log Analytics Workspace
Azure Security Center (recommended)
Use of Azure Security Center is a recommendation, and not a requirement. Without Azure Security
Center, you'll be unable to view your other Azure resources within IoT Hub.

Working with Azure Security Center for IoT service


Azure Security Center for IoT insights and reporting are available using Azure IoT Hub and Azure Security Center.
To enable Azure Security Center for IoT on your Azure IoT Hub, an account with Owner level privileges is
required. After enabling ASC for IoT in your IoT Hub, Azure Security Center for IoT insights are displayed as the
Security feature in Azure IoT Hub and as IoT in Azure Security Center.

Supported service regions


Azure Security Center for IoT is currently supported for IoT Hubs in the following Azure regions:
Central US
East US
East US 2
West Central US
West US
West US 2
South Central US
North Central US
Canada Central
Canada East
North Europe
Brazil South
France Central
UK West
UK South
West Europe
Japan West
Japan East
Australia Southeast
Australia East
East Asia
Southeast Asia
Korea Central
Korea South
Central India
South India
Azure Security Center for IoT routes all traffic from all European regions to the West Europe regional data center
and all remaining regions to the Central US regional data center.

Where's my IoT Hub?


Check your IoT Hub location to verify service availability before you begin.
1. Open your IoT Hub.
2. Click Overview.
3. Verify the location listed matches one of the supported service regions.

Supported platforms for agents


Azure Security Center for IoT agents support a growing list of devices and platforms. See the supported platform
list to check your existing or planned device library.

Next steps
Read the Azure IoT Security Overview
Learn how to Enable the service
Read the Azure Security Center for IoT FAQ
Explore how to Understand Azure Security Center for IoT alerts
Get started with Azure Security Center for IoT
4/14/2020 • 2 minutes to read

This article provides an explanation of the different components of the Azure Security Center for IoT service and
explains how to get started with the service using two possible deployment options.

Deployment options
Choose the service scenario that best meets your IoT device and environment requirements.
Built-in deployment
Using the seamless, built-in deployment option, Azure Security Center for IoT can be quickly integrated into your
IoT Hub and provide security analysis of the IoT hub configuration, device identity and management, and hub-
device communication patterns.
Start a Built-in deployment featuring IoT Hub monitoring and recommendations.
Enhanced deployment
For enhanced security capabilities, deploying Azure Security Center for IoT agents in addition to enabling IoT Hub
security provides agent-based event collection, analysis and threat detection of key security data from your IoT
devices as well as comprehensive security posture management capabilities.
Start an Enhanced deployment featuring an agent-based comprehensive threat protection and security posture
management solution.

Next steps
Enable Azure Security Center for IoT
Configure your solution
Create security modules
Configure custom alerts
Deploy a security agent
Get started with Built-in IoT Hub integration
4/14/2020 • 2 minutes to read

This option enables you to use the service without using Azure Security Center for IoT security agents.

Enable Built-in IoT Hub integration


To enable monitoring of your device identity management, device-to-cloud, and cloud-to-device communication
patterns, do the following to start the service:
1. Open your IoT Hub.
2. Select the Security overview menu.
3. Click Secure your IoT solution and complete the onboarding form.
Congratulations! You've completed enabling the Azure Security Center for IoT service on your IoT Hub.

Next steps
Configure your solution
Create security modules
Configure custom alerts
Get started with Azure Security Center for IoT device
security agents
4/14/2020 • 2 minutes to read

Azure Security Center for IoT security agents offer enhanced security capabilities, such as monitoring remote
connections, active applications, login events, and operating system configuration best practices. Take control of
your device field threat protection and security posture with a single service.
Reference architectures for Linux and Windows security agents, in both C# and C, are provided.
The Azure Security Center for IoT security agents handle raw event collection from the device operating system,
event aggregation to reduce cost, and configuration through a device module twin. Security messages are sent
through your IoT Hub, into Azure Security Center for IoT analytics services.
Use the following workflow to deploy and test your Azure Security Center for IoT security agents:
1. Enable the Azure Security Center for IoT service on your IoT Hub.
2. If your IoT Hub has no registered devices, register a new device.
3. Create an azureiotsecurity security module for your devices.
4. To install the agent on a simulated device instead of an actual device, spin up a new Azure Virtual Machine
(VM) in an available zone.
5. Deploy an Azure Security Center for IoT security agent on your IoT device, or on the new VM.
6. Follow the instructions for trigger_events to run a harmless simulation of an attack.
7. Verify that Azure Security Center for IoT raises alerts in response to the simulated attack. Begin verification
five minutes after running the script.
8. Explore alerts and recommendations in IoT Hub, and deep dive using Log Analytics.

Next steps
Configure your solution
Create security modules
Configure custom alerts
Deploy a security agent
Quickstart: Onboard Azure Security Center for IoT
service in IoT Hub
4/14/2020 • 2 minutes to read

This article provides an explanation of how to enable the Azure Security Center for IoT service on your existing
IoT Hub. If you don't currently have an IoT Hub, see Create an IoT Hub using the Azure portal to get started.

NOTE
Azure Security Center for IoT currently only supports standard tier IoT Hubs.

Prerequisites for enabling the service


Log Analytics workspace
Two types of information are stored by default in your Log Analytics workspace by Azure Security
Center for IoT: security alerts and recommendations.
You can choose to add storage of an additional information type, raw events. Note that storing raw
events in Log Analytics carries additional storage costs.
IoT Hub (standard tier)
Meet all service prerequisites

Enable Azure Security Center for IoT on your IoT Hub


To enable security on your IoT Hub:
1. Open your IoT Hub in Azure portal.
2. Under the Security menu, click Secure your IoT solution .
Congratulations! You've completed enabling Azure Security Center for IoT on your IoT Hub.
Geolocation and IP address handling
To secure your IoT solution, IP addresses of incoming and outgoing connections to and from your IoT devices,
IoT Edge, and IoT Hub(s) are collected and stored by default. This information is essential to detect abnormal
connectivity from suspicious IP sources, for example when attempts are made to establish connections from an
IP source of a known botnet or from an IP source outside your geolocation. Azure Security Center for IoT lets you
enable and disable collection of IP address data at any time; note that while collection is disabled, the detections
that depend on this data cannot fire.
To enable or disable collection of IP address data:
1. Open your IoT Hub and then select Overview from the Security menu.
2. Choose the Settings screen and modify the geolocation and/or IP handling settings as you wish.
Log Analytics creation
When Azure Security Center for IoT is turned on, a default Azure Log Analytics workspace is created to store raw
security events, alerts, and recommendations for your IoT devices, IoT Edge, and IoT Hub. Each month, the first
five (5) GB of data ingested per customer to the Azure Log Analytics service is free. Every GB of data ingested
into your Azure Log Analytics workspace is retained at no charge for the first 31 days. Learn more about Log
Analytics pricing.
To change the workspace configuration of Log Analytics:
1. Open your IoT Hub and then select Overview from the Security menu.
2. Choose the Settings screen and modify the Log Analytics workspace configuration as you wish.
Customize your IoT security solution
By default, turning on the Azure Security Center for IoT solution automatically secures all IoT Hubs under your
Azure subscription.
To turn Azure Security Center for IoT service on a specific IoT Hub on or off:
1. Open your IoT Hub and then select Overview from the Security menu.
2. Choose the Settings screen and modify the security settings of any IoT hub in your Azure subscription as
you wish.

Next steps
Advance to the next article to configure your solution...
Configure your solution
Quickstart: Configure your IoT solution
4/14/2020 • 2 minutes to read

This article provides an explanation of how to perform initial configuration of your IoT security solution using
Azure Security Center for IoT.

Azure Security Center for IoT


Azure Security Center for IoT provides comprehensive end-to-end security for Azure-based IoT solutions.
With Azure Security Center for IoT, you can monitor your entire IoT solution in one dashboard, surfacing all of
your IoT devices, IoT platforms and back-end resources in Azure.
Once enabled on your IoT Hub, Azure Security Center for IoT automatically identifies other Azure services that are
connected to your IoT Hub and related to your IoT solution.
In addition to automatic relationship detection, you can also pick and choose which other Azure resource groups
to tag as part of your IoT solution.
Your selections allow you to add entire subscriptions, resource groups, or single resources.
After defining all of the resource relationships, Azure Security Center for IoT leverages Azure Security Center to
provide you security recommendations and alerts for these resources.

Add Azure resources to your IoT solution


To add a new resource to your IoT solution, do the following:
1. Open your IoT Hub in Azure portal.
2. Select and open Resources from under Security in the left menu.
3. Select Edit and choose the resource groups that belong to your IoT solution.
4. Click Add.
Congratulations! You've added a new resource group to your IoT solution.
Azure Security Center for IoT now monitors your newly added resource groups, and surfaces relevant security
recommendations and alerts as part of your IoT solution.

Next steps
Advance to the next article to learn how to create security modules...
Create security modules
Quickstart: Create an azureiotsecurity module twin
4/14/2020 • 2 minutes to read

This quickstart explains how to create individual azureiotsecurity module twins for new devices, or batch create
module twins for all devices in an IoT Hub.

Understanding azureiotsecurity module twins


For IoT solutions built in Azure, device twins play a key role in both device management and process automation.
Azure Security Center for IoT offers full integration with your existing IoT device management platform, enabling
you to manage your device security status as well as make use of existing device control capabilities. Azure
Security Center for IoT integration is achieved by making use of the IoT Hub twin mechanism.
See IoT Hub module twins to learn more about the general concept of module twins in Azure IoT Hub.
Azure Security Center for IoT makes use of the module twin mechanism and maintains a security module twin
named azureiotsecurity for each of your devices.
The security module twin holds all the information relevant to device security for each of your devices.
To make full use of Azure Security Center for IoT features, you'll need to create, configure and use these security
module twins for every device in the service.

Create azureiotsecurity module twin


azureiotsecurity module twins can be created in two ways:
1. Module batch script - automatically creates module twin for new devices or devices without a module twin
using the default configuration.
2. Manually editing each module twin individually with specific configurations for each device.

NOTE
Using the batch method will not overwrite existing azureiotsecurity module twins. Using the batch method ONLY creates
new module twins for devices that do not already have a security module twin.

See agent configuration to learn how to modify or change the configuration of an existing module twin.
To manually create a new azureiotsecurity module twin for a device use the following instructions:
1. In your IoT Hub, locate and select the device you wish to create a security module twin for.
2. Click on your device, and then on Add module identity .
3. In the Module Identity Name field, enter azureiotsecurity .
4. Click Save .

Verify creation of a module twin


To verify if a security module twin exists for a specific device:
1. In your Azure IoT Hub, select IoT devices from the Explorers menu.
2. Enter the device ID, or select an option in the Query device field and click Query devices.
3. Select the device or double click it to open the Device details page.
4. Select the Module identities menu, and confirm existence of the azureiotsecurity module in the list of
module identities associated with the device.

To learn more about customizing properties of Azure Security Center for IoT module twins, see Agent
configuration.

Next steps
Advance to the next article to learn how to configure custom alerts...
Configure custom alerts
Quickstart: Create custom alerts
4/14/2020 • 2 minutes to read

Custom security groups and alerts let you take full advantage of end-to-end security information and
categorical device knowledge to ensure better security across your IoT solution.

Why use custom alerts?


You know your IoT devices best.
For customers who fully understand their expected device behavior, Azure Security Center for IoT allows you to
translate this understanding into a device behavior policy and alert on any deviation from expected, normal
behavior.

Security groups
Security groups enable you to define logical groups of devices, and manage their security state in a centralized
way.
These groups can represent devices with specific hardware, devices deployed in a certain location, or any other
group suitable to your specific needs.
Security groups are defined by a device twin tag property named SecurityGroup . By default, each IoT solution
on IoT Hub has one security group named default . Change the value of the SecurityGroup property to change
the security group of a device.
For example:

{
  "deviceId": "VM-Contoso12",
  "etag": "AAAAAAAAAAM=",
  "deviceEtag": "ODA1BzA5QjM2",
  "status": "enabled",
  "statusUpdateTime": "0001-01-01T00:00:00",
  "connectionState": "Disconnected",
  "lastActivityTime": "0001-01-01T00:00:00",
  "cloudToDeviceMessageCount": 0,
  "authenticationType": "sas",
  "x509Thumbprint": {
    "primaryThumbprint": null,
    "secondaryThumbprint": null
  },
  "version": 4,
  "tags": {
    "SecurityGroup": "default"
  },

Use security groups to group your devices into logical categories. After creating the groups, assign them to the
custom alerts of your choice, for the most effective end-to-end IoT security solution.
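The two twin operations described in this quickstart and the previous one, batch-creating azureiotsecurity module identities without overwriting existing ones and moving a device to another security group by patching its SecurityGroup tag, as one added Python example. This is not the quickstart's batch script nor any code from the service: the in-memory registry, device IDs, keys and group name are constructed so the script runs offline, and the AzureIotHubRegistry adapter at the bottom assumes the azure-iot-hub package's IoTHubRegistryManager methods named in its body.

```python
import base64
import secrets

SECURITY_MODULE_ID = "azureiotsecurity"


class InMemoryRegistry:
    """Constructed stand-in for the IoT Hub identity registry (not the real SDK) so the
    batch logic below can run offline. Same five operations the adapter maps to the hub."""

    def __init__(self, device_ids):
        self._devices = {
            d: {"modules": {}, "twin": {"etag": "AAAAAAAAAAE=", "tags": {"SecurityGroup": "default"}}}
            for d in device_ids
        }

    def list_device_ids(self):
        return list(self._devices)

    def list_module_ids(self, device_id):
        return list(self._devices[device_id]["modules"])

    def create_module_with_sas(self, device_id, module_id, primary_key, secondary_key):
        modules = self._devices[device_id]["modules"]
        if module_id in modules:  # the hub rejects a duplicate identity rather than replacing it
            raise ValueError("ModuleAlreadyExistsInIotHub")
        modules[module_id] = {"primaryKey": primary_key, "secondaryKey": secondary_key}

    def get_module_keys(self, device_id, module_id):
        return self._devices[device_id]["modules"][module_id]

    def get_twin(self, device_id):
        return self._devices[device_id]["twin"]

    def update_twin_tags(self, device_id, tags, etag):
        twin = self._devices[device_id]["twin"]
        if twin["etag"] != etag:  # optimistic concurrency, like the hub's If-Match check
            raise ValueError("PreconditionFailed")
        twin["tags"].update(tags)
        twin["etag"] = base64.b64encode(secrets.token_bytes(6)).decode()
        return twin


def new_symmetric_key():
    """32 random bytes, base64-encoded: the format IoT Hub uses for SAS keys."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def ensure_security_module(registry, device_id):
    """Create the azureiotsecurity module identity for one device.
    Returns True if created, False if the device already had one (left untouched)."""
    if SECURITY_MODULE_ID in registry.list_module_ids(device_id):
        return False
    registry.create_module_with_sas(device_id, SECURITY_MODULE_ID, new_symmetric_key(), new_symmetric_key())
    return True


def batch_create_security_modules(registry):
    """Batch path from the quickstart: every device without a security module gets one;
    existing azureiotsecurity modules (and their keys) are never overwritten."""
    return [d for d in registry.list_device_ids() if ensure_security_module(registry, d)]


def set_security_group(registry, device_id, group):
    """Move a device to a security group by patching tags.SecurityGroup on its device twin,
    sending the twin's current etag so a concurrent edit fails instead of being clobbered."""
    twin = registry.get_twin(device_id)
    updated = registry.update_twin_tags(device_id, {"SecurityGroup": group}, twin["etag"])
    return updated["tags"]["SecurityGroup"]


class AzureIotHubRegistry:
    """Assumed adapter around the azure-iot-hub package (pip install azure-iot-hub); method
    names and argument order are this example's assumption, and it is never used offline."""

    def __init__(self, connection_string):
        from azure.iot.hub import IoTHubRegistryManager
        from azure.iot.hub.models import Twin
        self._twin_cls = Twin
        self._mgr = IoTHubRegistryManager.from_connection_string(connection_string)

    def list_device_ids(self):
        return [d.device_id for d in self._mgr.get_devices()]

    def list_module_ids(self, device_id):
        return [m.module_id for m in self._mgr.get_modules(device_id)]

    def create_module_with_sas(self, device_id, module_id, primary_key, secondary_key):
        self._mgr.create_module_with_sas(device_id, module_id, None, primary_key, secondary_key)

    def get_twin(self, device_id):
        twin = self._mgr.get_twin(device_id)
        return {"etag": twin.etag, "tags": twin.tags or {}}

    def update_twin_tags(self, device_id, tags, etag):
        twin = self._mgr.update_twin(device_id, self._twin_cls(tags=tags), etag)
        return {"etag": twin.etag, "tags": twin.tags}


if __name__ == "__main__":
    reg = InMemoryRegistry(["cam-01", "cam-02"])  # constructed device IDs
    print("created modules for:", batch_create_security_modules(reg))
    print("cam-01 now in group:", set_security_group(reg, "cam-01", "lobby-cameras"))
```

Swap `InMemoryRegistry` for `AzureIotHubRegistry(connection_string)` to run against a hub; the reconciliation functions do not change. Keep the generated module keys out of logs, and prefer a registry-write policy that is not the iothubowner policy when you run this in automation.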

Customize an alert
1. Open your IoT Hub.
2. Click Custom alerts in the Security section.
3. Choose a security group you wish to apply the customization to.
4. Click Add a custom alert.
5. Select a custom alert from the dropdown list.
6. Edit the required properties, then click OK.
7. Make sure to click SAVE. Without saving, the new alert is discarded the next time you close IoT Hub.

Alerts available for customization


Azure Security Center for IoT offers a large number of alerts which can be customized according to your specific
needs. Review the customizable alert table for alert severity, data source, description and our suggested
remediation steps if and when each alert is received.

Next steps
Advance to the next article to learn how to deploy a security agent...
Deploy a security agent
Security agent authentication methods
4/14/2020 • 2 minutes to read

This article explains the different authentication methods you can use with the AzureIoTSecurity agent to
authenticate with the IoT Hub.
For each device onboarded to Azure Security Center for IoT in the IoT Hub, a security module is required. To
authenticate the device, Azure Security Center for IoT can use one of two methods. Choose the method that works
best for your existing IoT solution.
SecurityModule option
Device option

Authentication methods
The two methods for the AzureIoTSecurity agent to perform authentication:
SecurityModule authentication mode
The agent is authenticated using the security module identity independently of the device identity. Use this
authentication type if you would like the security agent to use a dedicated authentication method through
security module (symmetric key only).
Device authentication mode
In this method, the security agent first authenticates with the device identity. After that initial
authentication, the Azure Security Center for IoT agent calls the IoT Hub REST API with the device's
authentication data and requests the security module's authentication method and credentials from the IoT
Hub. In the final step, the agent authenticates against the Azure Security Center for IoT module with the
credentials it received.
Use this authentication type if you would like the security agent to reuse an existing device authentication method
(self-signed certificate or symmetric key).
See Security agent installation parameters to learn how to configure.

Authentication methods known limitations


SecurityModule authentication mode only supports symmetric key authentication.
CA-Signed certificate is not supported by Device authentication mode.

Security agent installation parameters


When deploying a security agent, authentication details must be provided as arguments. These arguments are
documented in the following table.

Each parameter is listed as Linux parameter name (Windows parameter name; shorthand), followed by its description and allowed values.

authentication-identity (AuthenticationIdentity; aui)
Authentication identity. Options: SecurityModule or Device.

authentication-method (AuthenticationMethod; aum)
Authentication method. Options: SymmetricKey or SelfSignedCertificate.

file-path (FilePath; f)
Absolute full path for the file containing the certificate or the symmetric key.

host-name (HostName; hn)
FQDN of the IoT Hub. Example: ContosoIotHub.azure-devices.net

device-id (DeviceId; di)
Device ID. Example: MyDevice1

certificate-location-kind (CertificateLocationKind; cl)
Certificate storage location. Options: LocalFile or Store.
When you use the install security agent script, these values are written to the agent configuration file
automatically. To change the security agent authentication settings by hand, edit the configuration file.

Change authentication method after deployment


When deploying a security agent with an installation script, a configuration file is automatically created.
To change authentication methods after deployment, manual editing of the configuration file is required.
C#-based security agent
Edit Authentication.config with the following parameters:

<Authentication>
<add key="deviceId" value=""/>
<add key="gatewayHostname" value=""/>
<add key="filePath" value=""/>
<add key="type" value=""/>
<add key="identity" value=""/>
<add key="certificateLocationKind" value="" />
</Authentication>

C-based security agent
Edit LocalConfiguration.json with the following parameters:

"Authentication" : {
"Identity" : "",
"AuthenticationMethod" : "",
"FilePath" : "",
"DeviceId" : "",
"HostName" : ""
}
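The two configuration shapes above can be checked offline against the rules this article states. The following validator is an added example, not part of the Azure Security Center for IoT agent: it parses Authentication.config (C# agent) and LocalConfiguration.json (C agent) into one record and enforces the documented options and the known limitation that SecurityModule mode accepts a symmetric key only. The sample configs, file paths and the hub/device names in them are constructed for this example.

```python
"""Validate the agent authentication settings described above.

Added example; it is not part of the Azure Security Center for IoT agent. It
parses the two configuration shapes shown on this page (Authentication.config
for the C# agent, LocalConfiguration.json for the C agent) into one record and
enforces the documented rules: the identity is SecurityModule or Device, the
method is SymmetricKey or SelfSignedCertificate, SecurityModule mode accepts a
symmetric key only, CertificateLocationKind is LocalFile or Store, and a key or
certificate kept as a local file needs an absolute path. The sample configs,
paths and ids below are constructed for this example.
"""
import json
import ntpath
import posixpath
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

IDENTITIES = {"SecurityModule", "Device"}
METHODS = {"SymmetricKey", "SelfSignedCertificate"}
CERT_LOCATIONS = {"LocalFile", "Store"}


@dataclass
class AgentAuth:
    identity: str
    method: str
    file_path: str
    device_id: str
    host_name: str
    cert_location: Optional[str] = None  # only the C# config on this page carries it


def parse_csharp_config(xml_text: str) -> AgentAuth:
    """Authentication.config: <Authentication><add key="..." value="..."/>...</Authentication>."""
    root = ET.fromstring(xml_text)
    kv = {add.get("key"): add.get("value", "") for add in root.iter("add")}
    return AgentAuth(
        identity=kv.get("identity", ""),
        method=kv.get("type", ""),
        file_path=kv.get("filePath", ""),
        device_id=kv.get("deviceId", ""),
        host_name=kv.get("gatewayHostname", ""),
        cert_location=kv.get("certificateLocationKind") or None,
    )


def parse_c_config(json_text: str) -> AgentAuth:
    """LocalConfiguration.json: {"Authentication": {"Identity": ..., ...}}."""
    auth = json.loads(json_text)["Authentication"]
    return AgentAuth(
        identity=auth.get("Identity", ""),
        method=auth.get("AuthenticationMethod", ""),
        file_path=auth.get("FilePath", ""),
        device_id=auth.get("DeviceId", ""),
        host_name=auth.get("HostName", ""),
    )


def validate(cfg: AgentAuth) -> List[str]:
    """Return the list of problems found; an empty list means the config is acceptable."""
    problems = []
    if cfg.identity not in IDENTITIES:
        problems.append(f"identity must be SecurityModule or Device, got {cfg.identity!r}")
    if cfg.method not in METHODS:
        problems.append(f"method must be SymmetricKey or SelfSignedCertificate, got {cfg.method!r}")
    # Known limitation from this page: SecurityModule mode supports symmetric keys only.
    if cfg.identity == "SecurityModule" and cfg.method == "SelfSignedCertificate":
        problems.append("SecurityModule identity supports SymmetricKey only")
    if not cfg.device_id:
        problems.append("DeviceId is required")
    if "://" in cfg.host_name or "." not in cfg.host_name:
        problems.append("HostName must be the IoT Hub FQDN, without a scheme")
    if cfg.cert_location is not None and cfg.cert_location not in CERT_LOCATIONS:
        problems.append(f"certificateLocationKind must be LocalFile or Store, got {cfg.cert_location!r}")
    # A symmetric key is always read from a file; a certificate is too, unless it lives in a store.
    needs_file = cfg.method == "SymmetricKey" or cfg.cert_location != "Store"
    if needs_file and not (posixpath.isabs(cfg.file_path) or ntpath.isabs(cfg.file_path)):
        problems.append("FilePath must be an absolute path to the key or certificate file")
    return problems


# Constructed sample configs; the file paths are hypothetical.
SAMPLE_CSHARP_CONFIG = """<Authentication>
  <add key="deviceId" value="MyDevice1"/>
  <add key="gatewayHostname" value="ContosoIotHub.azure-devices.net"/>
  <add key="filePath" value="C:\\asc\\device.key"/>
  <add key="type" value="SymmetricKey"/>
  <add key="identity" value="SecurityModule"/>
  <add key="certificateLocationKind" value="LocalFile" />
</Authentication>"""

SAMPLE_C_CONFIG_BAD = json.dumps({"Authentication": {
    "Identity": "SecurityModule",          # not allowed together with a certificate
    "AuthenticationMethod": "SelfSignedCertificate",
    "FilePath": "certs/device.pem",        # relative path, also rejected
    "DeviceId": "MyDevice1",
    "HostName": "ContosoIotHub.azure-devices.net",
}})

if __name__ == "__main__":
    print(validate(parse_csharp_config(SAMPLE_CSHARP_CONFIG)))   # []
    for problem in validate(parse_c_config(SAMPLE_C_CONFIG_BAD)):
        print("-", problem)
```

Run the check before restarting the agent after a manual edit: the second sample fails twice (SecurityModule with a certificate, and a relative key path), which is exactly the kind of mistake that otherwise only surfaces as an authentication failure in the agent log.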

See also
Security agents overview
Deploy security agent
Access raw security data
Security module
4/14/2020 • 2 minutes to read • Edit Online

This article explains how Azure Security Center for IoT uses device twins and modules.

Device twins
For IoT solutions built in Azure, device twins play a key role in both device management and process automation.
Azure Security Center for IoT offers full integration with your existing IoT device management platform, enabling
you to manage your device security status as well as make use of existing device control capabilities. Integration is
achieved by making use of the IoT Hub twin mechanism.
Learn more about the concept of device twins in Azure IoT Hub.

Security module twins


Azure Security Center for IoT maintains a security module twin for each device in the service. The security module
twin holds all the information relevant to device security for each specific device in your solution. Device security
properties are kept in a dedicated security module twin, separate from the device twin, for safer communication and
to allow updates and maintenance that require fewer resources.
See Create security module twin and Configure security agents to learn how to create, customize, and configure the
twin. See Understanding module twins to learn more about the concept of module twins in IoT Hub.

See also
Azure Security Center for IoT overview
Deploy security agents
Security agent authentication methods
Azure Security Center for IoT security alerts
4/14/2020 • 14 minutes to read • Edit Online

Azure Security Center for IoT continuously analyzes your IoT solution using advanced analytics and threat
intelligence to alert you to malicious activity. In addition, you can create custom alerts based on your knowledge
of expected device behavior. An alert acts as an indicator of potential compromise, and should be investigated
and remediated.
In this article, you will find a list of built-in alerts which can be triggered on your IoT Hub and/or IoT devices. In
addition to built-in alerts, Azure Security Center for IoT allows you to define custom alerts based on expected IoT
Hub and/or device behavior. For more details, see customizable alerts.

Built-in alerts for IoT devices

Each alert is listed with its severity and data source, followed by its description and the suggested remediation steps.

High severity

Binary Command Line (High, Agent)
Description: A Linux binary being called/executed from the command line was detected. This process may be legitimate activity, or an indication that your device is compromised.
Suggested remediation: Review the command with the user that ran it and check if this is something legitimately expected to run on the device. If not, escalate the alert to your information security team.

Disable firewall (High, Agent)
Description: Possible manipulation of the on-host firewall detected. Malicious actors often disable the on-host firewall in an attempt to exfiltrate data.
Suggested remediation: Review with the user that ran the command to confirm if this was legitimate expected activity on the device. If not, escalate the alert to your information security team.

Port forwarding detection (High, Agent)
Description: Initiation of port forwarding to an external IP address detected.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Possible attempt to disable Auditd logging detected (High, Agent)
Description: The Linux Auditd system provides a way to track security-relevant information on the system. The system records as much information about the events that are happening on your system as possible. This information is crucial for mission-critical environments to determine who violated the security policy and the actions they performed. Disabling Auditd logging may prevent your ability to discover violations of security policies used on the system.
Suggested remediation: Check with the device owner if this was legitimate activity with business reasons. If not, this event may be hiding activity by malicious actors. Immediately escalate the incident to your information security team.

Reverse shells (High, Agent)
Description: Analysis of host data on a device detected a potential reverse shell. Reverse shells are often used to get a compromised machine to call back into a machine controlled by a malicious actor.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Successful Bruteforce attempt (High, Agent)
Description: Multiple unsuccessful login attempts were identified, followed by a successful login. An attempted Bruteforce attack may have succeeded on the device.
Suggested remediation: Review the SSH Bruteforce alert and the activity on the devices. If the activity was malicious: roll out a password reset for compromised accounts; investigate the devices for malware and remediate if found.

Successful local login (High, Agent)
Description: Successful local sign-in to the device detected.
Suggested remediation: Make sure the signed-in user is an authorized party.

Web shell (High, Agent)
Description: Possible web shell detected. Malicious actors commonly upload a web shell to a compromised machine to gain persistence or for further exploitation.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Medium severity

Behavior similar to common Linux bots detected (Medium, Agent)
Description: Execution of a process normally associated with common Linux botnets detected.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Behavior similar to Fairware ransomware detected (Medium, Agent)
Description: Execution of rm -rf commands applied to suspicious locations detected using analysis of host data. Because rm -rf recursively deletes files, it is normally only used on discrete folders. In this case, it is being used in a location that could remove a large amount of data. Fairware ransomware is known to execute rm -rf commands in this folder.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Behavior similar to ransomware detected (Medium, Agent)
Description: Execution of files similar to known ransomware that may prevent users from accessing their system or personal files, and may demand ransom payment to regain access.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Crypto coin miner container image detected (Medium, Agent)
Description: A container running a known digital currency mining image was detected.
Suggested remediation: 1. If this behavior is not intended, delete the relevant container image. 2. Make sure that the Docker daemon is not accessible via an unsafe TCP socket. 3. Escalate the alert to the information security team.

Crypto coin miner image (Medium, Agent)
Description: Execution of a process normally associated with digital currency mining detected.
Suggested remediation: Verify with the user that ran the command if this was legitimate activity on the device. If not, escalate the alert to the information security team.

Detected suspicious use of the nohup command (Medium, Agent)
Description: Suspicious use of the nohup command on the host detected. Malicious actors commonly run the nohup command from a temporary directory, effectively allowing their executables to run in the background. Seeing this command run on files located in a temporary directory is not expected or usual behavior.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Detected suspicious use of the useradd command (Medium, Agent)
Description: Suspicious use of the useradd command detected on the device.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Exposed Docker daemon by TCP socket (Medium, Agent)
Description: Machine logs indicate that your Docker daemon (dockerd) exposes a TCP socket. By default, the Docker configuration does not use encryption or authentication when a TCP socket is enabled, so the default configuration gives full access to the Docker daemon to anyone with access to the relevant port.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Failed local login (Medium, Agent)
Description: A failed local login attempt to the device was detected.
Suggested remediation: Make sure no unauthorized party has physical access to the device.

File downloads from a known malicious source detected (Medium, Agent)
Description: Download of a file from a known malware source detected.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

htaccess file access detected (Medium, Agent)
Description: Analysis of host data detected possible manipulation of an htaccess file. Htaccess is a powerful configuration file that allows you to make multiple changes to a web server running Apache Web software, including basic redirect functionality and more advanced functions such as basic password protection. Malicious actors often modify htaccess files on compromised machines to gain persistence.
Suggested remediation: Confirm this is legitimate expected activity on the host. If not, escalate the alert to your information security team.

Known attack tool (Medium, Agent)
Description: A tool often associated with malicious users attacking other machines in some way was detected.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

IoT agent attempted and failed to parse the module twin configuration (Medium, Agent)
Description: The Azure Security Center for IoT security agent failed to parse the module twin configuration due to type mismatches in the configuration object.
Suggested remediation: Validate your module twin configuration against the IoT agent configuration schema and fix all mismatches.

Local host reconnaissance detected (Medium, Agent)
Description: Execution of a command normally associated with common Linux bot reconnaissance detected.
Suggested remediation: Review the suspicious command line to confirm that it was executed by a legitimate user. If not, escalate the alert to your information security team.

Mismatch between script interpreter and file extension (Medium, Agent)
Description: A mismatch between the script interpreter and the extension of the script file provided as input was detected. This type of mismatch is commonly associated with attacker script executions.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Possible backdoor detected (Medium, Agent)
Description: A suspicious file was downloaded and then run on a host in your subscription. This type of activity is commonly associated with the installation of a backdoor.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Potential loss of data detected (Medium, Agent)
Description: Possible data egress condition detected using analysis of host data. Malicious actors often egress data from compromised machines.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Potential overriding of common files (Medium, Agent)
Description: A common executable was overwritten on the device. Malicious actors are known to overwrite common files as a way to hide their actions or as a way to gain persistence.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Privileged container detected (Medium, Agent)
Description: Machine logs indicate that a privileged Docker container is running. A privileged container has full access to host resources. If compromised, a malicious actor can use the privileged container to gain access to the host machine.
Suggested remediation: If the container doesn't need to run in privileged mode, remove the privileges from the container.

Removal of system log files detected (Medium, Agent)
Description: Suspicious removal of log files on the host detected.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Space after filename (Medium, Agent)
Description: Execution of a process with a suspicious extension detected using analysis of host data. Suspicious extensions may trick users into thinking files are safe to be opened and can indicate the presence of malware on the system.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Suspected malicious credentials access tools detected (Medium, Agent)
Description: Usage of a tool commonly associated with malicious attempts to access credentials was detected.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Suspicious compilation detected (Medium, Agent)
Description: Suspicious compilation detected. Malicious actors often compile exploits on a compromised machine to escalate privileges.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Suspicious file download followed by file run activity (Medium, Agent)
Description: Analysis of host data detected a file that was downloaded and run in the same command. This technique is commonly used by malicious actors to get infected files onto victim machines.
Suggested remediation: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Suspicious IP address communication (Medium, Agent)
Description: Communication with a suspicious IP address detected.
Suggested remediation: Verify if the connection is legitimate. Consider blocking communication with the suspicious IP.

Low severity

Bash history cleared (Low, Agent)
Description: The bash history log was cleared. Malicious actors commonly erase bash history to hide their own commands from appearing in the logs.
Suggested remediation: Review the activity in this alert with the user that ran the command to see if you recognize it as legitimate administrative activity. If not, escalate the alert to the information security team.

Device silent (Low, Agent)
Description: The device has not sent any telemetry data in the last 72 hours.
Suggested remediation: Make sure the device is online and sending data. Check that the Azure Security Agent is running on the device.

Failed Bruteforce attempt (Low, Agent)
Description: Multiple unsuccessful login attempts identified. A potential Bruteforce attack attempt failed on the device.
Suggested remediation: Review the SSH Bruteforce alerts and the activity on the device. No further action required.

Local user added to one or more groups (Low, Agent)
Description: A new local user was added to a group on this device. Changes to user groups are uncommon, and can indicate a malicious actor may be collecting additional permissions.
Suggested remediation: Verify if the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your Information Security team.

Local user deleted from one or more groups (Low, Agent)
Description: A local user was deleted from one or more groups. Malicious actors are known to use this method in an attempt to deny access to legitimate users or to delete the history of their actions.
Suggested remediation: Verify if the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your Information Security team.

Local user deletion detected (Low, Agent)
Description: Deletion of a local user detected. Local user deletion is uncommon; a malicious actor may be trying to deny access to legitimate users or to delete the history of their actions.
Suggested remediation: Verify if the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your Information Security team.
Built-in alerts for IoT Hub

Each alert is listed with its severity, followed by its description (the '%{...}' fields are placeholders the service fills in) and the suggested remediation.

Medium severity

New certificate added to an IoT Hub (Medium)
Description: A certificate named '%{DescCertificateName}' was added to IoT Hub '%{DescIoTHubName}'. If this action was made by an unauthorized party, it may indicate malicious activity.
Suggested remediation: 1. Make sure the certificate was added by an authorized party. 2. If it was not added by an authorized party, remove the certificate and escalate the alert to the organizational security team.

Certificate deleted from an IoT Hub (Medium)
Description: A certificate named '%{DescCertificateName}' was deleted from IoT Hub '%{DescIoTHubName}'. If this action was made by an unauthorized party, it may indicate malicious activity.
Suggested remediation: 1. Make sure the certificate was removed by an authorized party. 2. If the certificate was not removed by an authorized party, add the certificate back and escalate the alert to the organizational security team.

Unsuccessful attempt detected to add a certificate to an IoT Hub (Medium)
Description: There was an unsuccessful attempt to add certificate '%{DescCertificateName}' to IoT Hub '%{DescIoTHubName}'. If this action was made by an unauthorized party, it may indicate malicious activity.
Suggested remediation: Make sure permissions to change certificates are only granted to authorized parties.

Unsuccessful attempt detected to delete a certificate from an IoT Hub (Medium)
Description: There was an unsuccessful attempt to delete certificate '%{DescCertificateName}' from IoT Hub '%{DescIoTHubName}'. If this action was made by an unauthorized party, it may indicate malicious activity.
Suggested remediation: Make sure permissions to change certificates are only granted to authorized parties.

x.509 device certificate thumbprint mismatch (Medium)
Description: The x.509 device certificate thumbprint did not match the configuration.
Suggested remediation: Review the alerts on the devices. No further action required.

x.509 certificate expired (Medium)
Description: The X.509 device certificate has expired.
Suggested remediation: This could be a legitimate device with an expired certificate or an attempt to impersonate a legitimate device. If the legitimate device is currently communicating correctly, this is likely an impersonation attempt.

Low severity

Attempt to add or edit a diagnostic setting of an IoT Hub detected (Low)
Description: An attempt to add or edit the diagnostic settings of an IoT Hub has been detected. Diagnostic settings enable you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. If this action was not made by an authorized party, it may indicate malicious activity.
Suggested remediation: 1. Make sure the diagnostic setting was added or edited by an authorized party. 2. If it was not, restore the previous diagnostic settings and escalate the alert to your information security team.

Attempt to delete a diagnostic setting from an IoT Hub detected (Low)
Description: There was a '%{DescAttemptStatusMessage}' attempt to delete diagnostic setting '%{DescDiagnosticSettingName}' of IoT Hub '%{DescIoTHubName}'. Diagnostic settings enable you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. If this action was not made by an authorized party, it may indicate malicious activity.
Suggested remediation: Make sure permissions to change diagnostic settings are granted only to authorized parties.

Expired SAS token (Low)
Description: An expired SAS token was used by a device.
Suggested remediation: May be a legitimate device with an expired token, or an attempt to impersonate a legitimate device. If the legitimate device is currently communicating correctly, this is likely an impersonation attempt.

Invalid SAS token signature (Low)
Description: A SAS token used by a device has an invalid signature. The signature does not match either the primary or secondary key.
Suggested remediation: Review the alerts on the devices. No further action required.
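The last two alerts, and the SecurityModule versus Device authentication modes described in the security agent authentication article above, come down to how IoT Hub SAS tokens are minted and checked. The following is an added example, not the agent's or the service's code. It uses IoT Hub's documented token format (sr = URL-encoded resource URI, sig = base64 HMAC-SHA256 over "encoded URI, newline, expiry" with the base64-decoded key, se = expiry in epoch seconds), mints tokens for a device identity and for a module identity, and verifies them the way the hub does: against the primary or secondary key, then against the expiry. The hub name and device id are this page's examples; the module id, the keys and the timestamps are constructed for the example.

```python
"""Mint and verify IoT Hub SAS tokens for a device identity and a module identity.

Added example, not the agent's or the service's code. It uses IoT Hub's
documented token format: "SharedAccessSignature sr=<URL-encoded resource URI>
&sig=<URL-encoded base64 HMAC-SHA256>&se=<expiry, epoch seconds>", where the
HMAC key is the base64-decoded device/module key and the signed string is
"<encoded URI>\n<expiry>". Device authentication mode signs for
{hub}/devices/{deviceId}; SecurityModule mode signs for
{hub}/devices/{deviceId}/modules/{moduleId}. verify_token() reproduces the two
hub-side checks behind the "Invalid SAS token signature" and "Expired SAS
token" alerts. Hub name and device id are the page's examples; the module id,
the keys and the timestamps are constructed for this example.
"""
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional
from urllib.parse import quote, unquote

HUB = "ContosoIotHub.azure-devices.net"
DEVICE_ID = "MyDevice1"
MODULE_ID = "azureiotsecurity"  # assumption: the module id your security module twin was created with

# Constructed keys, base64 encoded like the keys IoT Hub issues. Never paste real keys into examples.
PRIMARY_KEY = base64.b64encode(b"primary key bytes, constructed for this example").decode()
SECONDARY_KEY = base64.b64encode(b"secondary key bytes, constructed for this example").decode()


def device_uri(hub: str, device_id: str) -> str:
    return f"{hub}/devices/{device_id}"


def module_uri(hub: str, device_id: str, module_id: str) -> str:
    # The module is a sub-resource of the device, so a device token never covers it.
    return f"{hub}/devices/{device_id}/modules/{module_id}"


def _signature(key_b64: str, encoded_uri: str, expiry: int) -> str:
    to_sign = f"{encoded_uri}\n{expiry}".encode()
    digest = hmac.new(base64.b64decode(key_b64), to_sign, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def mint_token(key_b64: str, resource_uri: str, expiry: int) -> str:
    encoded_uri = quote(resource_uri, safe="")
    sig = _signature(key_b64, encoded_uri, expiry)
    return f"SharedAccessSignature sr={encoded_uri}&sig={quote(sig, safe='')}&se={expiry}"


def parse_token(token: str) -> Dict[str, str]:
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SAS token")
    return dict(field.split("=", 1) for field in token[len(prefix):].split("&"))


def verify_token(token: str, keys: Dict[str, str], expected_uri: str,
                 now: Optional[int] = None) -> str:
    """Return 'ok', 'wrong_resource', 'invalid_signature' or 'expired'."""
    now = int(time.time()) if now is None else now
    fields = parse_token(token)
    encoded_uri, sig, expiry = fields["sr"], unquote(fields["sig"]), int(fields["se"])
    if unquote(encoded_uri) != expected_uri:
        return "wrong_resource"
    # "Invalid SAS token signature": neither the primary nor the secondary key reproduces the signature.
    if not any(hmac.compare_digest(_signature(k, encoded_uri, expiry), sig) for k in keys.values()):
        return "invalid_signature"
    # "Expired SAS token": the signature is genuine, but the token's lifetime is over.
    if expiry <= now:
        return "expired"
    return "ok"


def demo(now: int = 1_700_000_000) -> Dict[str, str]:
    """Run the scenarios the page's alerts describe and return each verdict."""
    keys = {"primary": PRIMARY_KEY, "secondary": SECONDARY_KEY}
    dev_uri = device_uri(HUB, DEVICE_ID)
    mod_uri = module_uri(HUB, DEVICE_ID, MODULE_ID)
    device_token = mint_token(PRIMARY_KEY, dev_uri, now + 3600)
    module_token = mint_token(SECONDARY_KEY, mod_uri, now + 3600)  # the secondary key also validates
    return {
        "device_mode": verify_token(device_token, keys, dev_uri, now),
        "securitymodule_mode": verify_token(module_token, keys, mod_uri, now),
        "device_token_for_module": verify_token(device_token, keys, mod_uri, now),
        "expired": verify_token(mint_token(PRIMARY_KEY, dev_uri, now - 1), keys, dev_uri, now),
        "after_key_rotation": verify_token(
            device_token, {"primary": base64.b64encode(b"rotated").decode()}, dev_uri, now),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:25s} {verdict}")
```

Two points worth noticing: a token minted for the device URI does not authenticate the module (the resource URI is part of the signed string), which is why Device authentication mode has to fetch separate module credentials before the final step; and a key rotation that drops the old key from both slots turns every token still in flight into an "Invalid SAS token signature" alert, so rotate through the secondary slot.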

Next steps
Azure Security Center for IoT service Overview
Learn how to Access your security data
Learn more about Investigating a device
Azure Security Center for IoT customizable security alerts
8/6/2020 • 5 minutes to read • Edit Online

Azure Security Center for IoT continuously analyzes your IoT solution using advanced analytics and threat
intelligence to alert you to malicious activity.
We encourage you to create custom alerts based on your knowledge of expected device behavior to ensure alerts
act as the most efficient indicators of potential compromise in your unique organizational deployment and
landscape.
The following Azure Security Center for IoT alerts can be defined by you based on your expected IoT Hub and/or
device behavior. For details about how to customize each alert, see create custom alerts.

IoT Hub alerts available for customization

All of these alerts have Low severity and IoT Hub as their data source. No suggested remediation is listed for them.

Custom alert - number of cloud to device messages in AMQP protocol is outside the allowed range
Description: The number of cloud to device messages (AMQP protocol) within a specific time window is outside the currently configured and allowable range.

Custom alert - number of rejected cloud to device messages in AMQP protocol is outside the allowed range
Description: The number of cloud to device messages (AMQP protocol) rejected by the device within a specific time window is outside the currently configured and allowable range.

Custom alert - number of device to cloud messages in AMQP protocol is outside the allowed range
Description: The number of device to cloud messages (AMQP protocol) within a specific time window is outside the currently configured and allowable range.

Custom alert - number of direct method invokes is outside the allowed range
Description: The number of direct method invokes within a specific time window is outside the currently configured and allowable range.

Custom alert - number of file uploads is outside the allowed range
Description: The number of file uploads within a specific time window is outside the currently configured and allowable range.

Custom alert - number of cloud to device messages in HTTP protocol is outside the allowed range
Description: The number of cloud to device messages (HTTP protocol) within a specific time window is outside the currently configured and allowable range.

Custom alert - number of rejected cloud to device messages in HTTP protocol is not in the allowed range
Description: The number of cloud to device messages (HTTP protocol) rejected by the device within a specific time window is outside the currently configured and allowable range.

Custom alert - number of device to cloud messages in HTTP protocol is outside the allowed range
Description: The number of device to cloud messages (HTTP protocol) within a specific time window is outside the currently configured and allowable range.

Custom alert - number of cloud to device messages in MQTT protocol is outside the allowed range
Description: The number of cloud to device messages (MQTT protocol) within a specific time window is outside the currently configured and allowable range.

Custom alert - number of rejected cloud to device messages in MQTT protocol is outside the allowed range
Description: The number of cloud to device messages (MQTT protocol) rejected by the device within a specific time window is outside the currently configured and allowable range.

Custom alert - number of device to cloud messages in MQTT protocol is outside the allowed range
Description: The number of device to cloud messages (MQTT protocol) within a specific time window is outside the currently configured and allowable range.

Custom alert - number of command queue purges is outside the allowed range
Description: The number of command queue purges within a specific time window is outside the currently configured and allowable range.

Custom alert - number of module twin updates is outside the allowed range
Description: The number of module twin updates within a specific time window is outside the currently configured and allowable range.

Custom alert - number of unauthorized operations is outside the allowed range
Description: The number of unauthorized operations within a specific time window is outside the currently configured and allowable range.

Agent alerts available for customization

All of these alerts have Low severity and Agent as their data source.

Custom alert - number of active connections is outside the allowed range
Description: The number of active connections within a specific time window is outside the currently configured and allowable range.
Suggested remediation: Investigate the device logs. Learn where the connection originated and determine if it is benign or malicious. If malicious, remove possible malware and understand the source. If benign, add the source to the allowed connection list.

Custom alert - outbound connection created to an IP that isn't allowed
Description: An outbound connection was created to an IP that is outside your allowed IP list.
Suggested remediation: Investigate the device logs. Learn where the connection originated and determine if it is benign or malicious. If malicious, remove possible malware and understand the source. If benign, add the source to the allowed IP list.

Custom alert - number of failed local logins is outside the allowed range
Description: The number of failed local logins within a specific time window is outside the currently configured and allowable range.
Suggested remediation: None listed.

Custom alert - login of a user that is not on the allowed user list
Description: A local user outside your allowed user list logged in to the device.
Suggested remediation: If you are saving raw data, navigate to your Log Analytics workspace and use the data to investigate the device, identify the source and then fix the allow/block list for those settings. If you are not currently saving raw data, go to the device and fix the allow/block list for those settings.

Custom alert - a process was executed that is not allowed
Description: A process that is not allowed was executed on the device.
Suggested remediation: If you are saving raw data, navigate to your Log Analytics workspace and use the data to investigate the device, identify the source and then fix the allow/block list for those settings. If you are not currently saving raw data, go to the device and fix the allow/block list for those settings.
Next steps
Learn how to customize an alert
Azure Security Center for IoT service Overview
Learn how to Access your security data
Learn more about Investigating a device
Security recommendations
4/14/2020 • 2 minutes to read • Edit Online

Azure Security Center for IoT scans your Azure resources and IoT devices and provides security recommendations
to reduce your attack surface. Security recommendations are actionable and aim to help customers comply with
security best practices.
In this article, you will find a list of recommendations which can be triggered on your IoT Hub and/or IoT devices.

Recommendations for IoT devices

Device recommendations provide insights and suggestions to improve device security posture.

SEVERITY | NAME | DATA SOURCE | DESCRIPTION
Medium | Open Ports on device | Agent | A listening endpoint was found on the device.
Medium | Permissive firewall policy found in one of the chains. | Agent | Allowed firewall policy found (INPUT/OUTPUT). Firewall policy should deny all traffic by default, and define rules to allow necessary communication to/from the device.
Medium | Permissive firewall rule in the input chain was found | Agent | A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports.
Medium | Permissive firewall rule in the output chain was found | Agent | A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports.
Medium | Operating system baseline validation has failed | Agent | Device doesn't comply with CIS Linux benchmarks.
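The three firewall recommendations above reduce to a check a defender can run against a device's own rule set. The following Python is an added example, not the agent's code or code from the page: it parses a constructed `iptables -S` listing, flags an INPUT or OUTPUT chain whose default policy is ACCEPT (the permissive policy recommendation), and flags ACCEPT rules that match a wide address range or a wide port range (the permissive rule recommendations). The address and port thresholds, the sample rules and the function names are assumptions of the example; the page does not state the service's own cut-offs.

```python
import ipaddress
import shlex

# Constructed sample of `iptables -S` output for a device (not taken from the page).
SAMPLE_RULES = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 8883 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1024:65535 -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -j ACCEPT
"""

# Thresholds are assumptions for this example; the service's own cut-offs are not documented on the page.
MAX_ADDRESSES = 256   # a /24 or smaller counts as a specific peer range
MAX_PORT_SPAN = 32    # more than 32 ports in one rule counts as a wide port range


def parse_rule(line):
    """Turn one `iptables -S` line into a small dict holding only the options this check needs."""
    tokens = shlex.split(line)
    rule = {"kind": tokens[0], "chain": tokens[1], "src": None, "dst": None,
            "ports": None, "target": None}
    if rule["kind"] == "-P":                      # chain default policy: -P CHAIN TARGET
        rule["target"] = tokens[2]
        return rule
    i = 2
    while i < len(tokens):
        opt = tokens[i]
        if opt in ("-s", "-d", "--dport", "--sport", "-j") and i + 1 < len(tokens):
            val = tokens[i + 1]
            if opt == "-s":
                rule["src"] = val
            elif opt == "-d":
                rule["dst"] = val
            elif opt == "-j":
                rule["target"] = val
            else:
                rule["ports"] = val
            i += 2
        else:
            i += 1
    return rule


def address_count(cidr):
    """Number of addresses a -s/-d match covers; no address match at all means every address."""
    return ipaddress.ip_network(cidr or "0.0.0.0/0", strict=False).num_addresses


def port_span(ports):
    """Number of ports a --dport/--sport match covers; no port match means all 65536."""
    if ports is None:
        return 65536
    if ":" in ports:
        low, high = ports.split(":")
        return int(high) - int(low) + 1
    return 1


def evaluate(rules_text):
    """Return (recommendation name, chain, offending line) for every permissive policy or rule."""
    findings = []
    for line in rules_text.splitlines():
        if not line.strip():
            continue
        rule = parse_rule(line)
        if rule["chain"] not in ("INPUT", "OUTPUT"):
            continue
        if rule["kind"] == "-P":
            # The default policy should deny; ACCEPT here is the "Permissive firewall policy" case.
            if rule["target"] == "ACCEPT":
                findings.append(("Permissive firewall policy", rule["chain"], line))
            continue
        if rule["target"] != "ACCEPT":
            continue
        # INPUT rules are judged by who may talk to the device, OUTPUT rules by whom it may talk to.
        peer = rule["src"] if rule["chain"] == "INPUT" else rule["dst"]
        if address_count(peer) > MAX_ADDRESSES or port_span(rule["ports"]) > MAX_PORT_SPAN:
            name = f"Permissive firewall rule in the {rule['chain'].lower()} chain"
            findings.append((name, rule["chain"], line))
    return findings


if __name__ == "__main__":
    for name, chain, line in evaluate(SAMPLE_RULES):
        print(f"{name:45} {chain:6} {line}")
```

On the sample, the INPUT default policy, the /8 allow rule, the rule with no source address, and the unrestricted OUTPUT accept are reported; the /24 rule limited to port 8883 and the single-host HTTPS rule are not. To use it against a real device, feed the output of `iptables -S` to `evaluate` instead of the constructed sample.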

Operational recommendations for IoT devices

Operational recommendations provide insights and suggestions to improve security agent configuration.

SEVERITY | NAME | DATA SOURCE | DESCRIPTION
Low | Agent sends unutilized messages | Agent | 10% or more of security messages were smaller than 4 KB during the last 24 hours.
Low | Security twin configuration not optimal | Agent | Security twin configuration is not optimal.
Low | Security twin configuration conflict | Agent | Conflicts were identified in the security twin configuration.

Recommendations for IoT Hub

Recommendation alerts provide insight and suggestions for actions to improve the security posture of your
environment.

SEVERITY | NAME | DATA SOURCE | DESCRIPTION
High | Identical authentication credentials used by multiple devices | IoT Hub | IoT Hub authentication credentials are used by multiple devices. This may indicate an illegitimate device impersonating a legitimate device. Duplicate credential use increases the risk of device impersonation by a malicious actor.
Medium | Default IP filter policy should be deny | IoT Hub | IP filter configuration should have rules defined for allowed traffic, and should deny all other traffic by default.
Medium | IP filter rule includes large IP range | IoT Hub | An allow IP filter rule source IP range is too large. Overly permissive rules can expose your IoT hub to malicious actors.
Low | Enable diagnostics logs in IoT Hub | IoT Hub | Enable logs and retain them for up to a year. Retaining logs enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
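Three of these hub recommendations can be checked offline from an export of the hub's configuration. The following Python is an added example, not code from the page or from the service: it evaluates a constructed IP filter rule list in order (first match wins) to decide whether an unlisted address is still accepted, flags Accept rules that cover more than a /24, and finds devices sharing the same key by comparing SHA-256 fingerprints so that device ids rather than keys appear in the report. The rule field names follow the ipFilterRules shape (filterName, action, ipMask) of the IoT Hub resource; the first-match ordering, the accept-by-default fallback, the /24 threshold, both hub snapshots and every key are assumptions or constructed data of the example.

```python
import hashlib
import ipaddress

# Constructed IoT Hub snapshots (not from the page). Rule fields follow the ipFilterRules shape of the
# Microsoft.Devices/IotHubs resource (filterName / action / ipMask); device keys are made-up samples.
WEAK_HUB = {
    "ipFilterRules": [
        {"filterName": "allow-plant-gateway", "action": "Accept", "ipMask": "198.51.100.0/28"},
        {"filterName": "allow-partner-network", "action": "Accept", "ipMask": "203.0.0.0/16"},
    ],
    "devices": [
        {"deviceId": "pump-01", "primaryKey": "c2FtcGxlLWtleS1vbmU="},
        {"deviceId": "pump-02", "primaryKey": "c2FtcGxlLWtleS1vbmU="},   # same key as pump-01
        {"deviceId": "valve-07", "primaryKey": "c2FtcGxlLWtleS10d28="},
    ],
}
HARDENED_HUB = {
    "ipFilterRules": [
        {"filterName": "allow-plant-gateway", "action": "Accept", "ipMask": "198.51.100.0/28"},
        {"filterName": "allow-partner-network", "action": "Accept", "ipMask": "203.0.113.0/24"},
        {"filterName": "deny-everything-else", "action": "Reject", "ipMask": "0.0.0.0/0"},
    ],
    "devices": [
        {"deviceId": "pump-01", "primaryKey": "c2FtcGxlLWtleS1vbmU="},
        {"deviceId": "pump-02", "primaryKey": "c2FtcGxlLWtleS10aHJlZQ=="},
        {"deviceId": "valve-07", "primaryKey": "c2FtcGxlLWtleS10d28="},
    ],
}

# Assumptions of this example: rules are matched in order, first match wins, and an address matching
# no rule is accepted. The page gives no numeric cut-off for "large", so anything above a /24 is flagged.
DEFAULT_ACTION = "Accept"
MAX_ALLOWED_ADDRESSES = 256


def effective_action(rules, client_ip):
    """What the filter does with one client address under the ordering assumption above."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule["ipMask"], strict=False):
            return rule["action"]
    return DEFAULT_ACTION


def default_is_deny(rules):
    """True when the first catch-all (/0) rule rejects, so unlisted addresses never reach DEFAULT_ACTION."""
    for rule in rules:
        if ipaddress.ip_network(rule["ipMask"], strict=False).prefixlen == 0:
            return rule["action"] == "Reject"
    return DEFAULT_ACTION == "Reject"


def assess_ip_filter(rules):
    findings = []
    if not default_is_deny(rules):
        findings.append(("Default IP filter policy should be deny", "ipFilterRules"))
    for rule in rules:
        net = ipaddress.ip_network(rule["ipMask"], strict=False)
        if rule["action"] == "Accept" and net.num_addresses > MAX_ALLOWED_ADDRESSES:
            findings.append(("IP filter rule includes large IP range", rule["filterName"]))
    return findings


def shared_credentials(devices):
    """Group devices by a SHA-256 fingerprint of their key, so the report names devices, not keys."""
    by_fingerprint = {}
    for device in devices:
        fp = hashlib.sha256(device["primaryKey"].encode()).hexdigest()[:16]
        by_fingerprint.setdefault(fp, []).append(device["deviceId"])
    return [ids for ids in by_fingerprint.values() if len(ids) > 1]


def assess_hub(hub):
    """Findings named as in the recommendation table, with the rule or devices they apply to."""
    findings = assess_ip_filter(hub["ipFilterRules"])
    for ids in shared_credentials(hub["devices"]):
        findings.append(("Identical authentication credentials used by multiple devices", ", ".join(ids)))
    return findings


if __name__ == "__main__":
    for label, hub in (("weak", WEAK_HUB), ("hardened", HARDENED_HUB)):
        print(label, assess_hub(hub) or "no findings")
        print("  unlisted 192.0.2.77 ->", effective_action(hub["ipFilterRules"], "192.0.2.77"))
```

The hardened snapshot differs from the weak one only by narrowing the partner range to a /24, appending a Reject rule for 0.0.0.0/0 so the default becomes deny, and giving pump-02 its own key, which is exactly the remediation each of the three recommendations asks for.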

Next steps
Azure Security Center for IoT service Overview
Learn how to Access your security data
Learn more about Investigating a device
Azure Security Center for IoT baseline and custom
checks
4/14/2020 • 2 minutes to read • Edit Online

This article explains the Azure Security Center for IoT baseline, and summarizes all associated properties of
baseline custom checks.

Baseline
A baseline establishes standard behavior for each device and makes it easier to establish unusual behavior or
deviation from expected norms.

Baseline custom checks


Baseline custom checks establish a custom list of checks for each device baseline using the Module identity twin
of the device.

Setting baseline properties


1. In your IoT Hub, locate and select the device you wish to change.
2. Click on the device, and then click the azureiotsecurity module.
3. Click Module Identity Twin.
4. Upload the baseline custom checks file to the device.
5. Add baseline properties to the security module and click Save.
Baseline custom check file example
To configure baseline custom checks:

"desired": {
    "ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration": {
        "baselineCustomChecksEnabled": {
            "value": true
        },
        "baselineCustomChecksFilePath": {
            "value": "/home/user/full_path.xml"
        },
        "baselineCustomChecksFileHash": {
            "value": "#hashexample!"
        }
    }
},

Baseline custom check properties

NAME | STATUS | VALID VALUES | DEFAULT VALUES | DESCRIPTION
baselineCustomChecksEnabled | Required: true | Valid values: Boolean | Default value: false | Max time interval before high priority messages is sent.
baselineCustomChecksFilePath | Required: true | Valid values: String, null | Default value: null | Full path of the baseline xml configuration
baselineCustomChecksFileHash | Required: true | Valid values: String, null | Default value: null | sha256sum of the xml configuration file. Use the sha256sum reference for additional information.

To review additional baseline examples, see custom baseline example -1 and custom baseline example -2.
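Because baselineCustomChecksFileHash is the sha256sum of the XML file, the twin patch can be generated rather than typed by hand. The following Python is an added example, not from the page or the agent: it hashes a constructed stand-in for the XML file the same way `sha256sum` does, builds the desired-properties fragment shown above inside the properties/desired envelope a module twin update uses, and then shows that the pinned hash no longer matches once the file is modified, which is what makes a drifted or tampered baseline file detectable. The device path, the XML content and the function names are assumptions of the example.

```python
import hashlib
import json
import os
import tempfile

# Constructed stand-in for a baseline custom checks XML file (the real check schema is not on the page).
SAMPLE_BASELINE_XML = b"""<?xml version="1.0"?>
<checks>
  <check id="constructed-example-1">ensure sshd PermitRootLogin is no</check>
</checks>
"""

AGENT_CONFIG_KEY = "ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration"


def sha256sum(path):
    """Same digest `sha256sum <file>` prints; read in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline_patch(device_path, local_copy):
    """Build the desired-properties patch from the page, hashing the local copy of the file
    that will be placed at device_path on the device."""
    return {
        "properties": {
            "desired": {
                AGENT_CONFIG_KEY: {
                    "baselineCustomChecksEnabled": {"value": True},
                    "baselineCustomChecksFilePath": {"value": device_path},
                    "baselineCustomChecksFileHash": {"value": sha256sum(local_copy)},
                }
            }
        }
    }


def file_matches_twin(local_path, patch):
    """Recompute the digest of the file on disk and compare it with the hash pinned in the twin."""
    pinned = patch["properties"]["desired"][AGENT_CONFIG_KEY]["baselineCustomChecksFileHash"]["value"]
    return sha256sum(local_path) == pinned


def demo():
    """Write the sample file, build the patch, then modify the file to show the mismatch."""
    with tempfile.TemporaryDirectory() as workdir:
        local = os.path.join(workdir, "baseline.xml")
        with open(local, "wb") as f:
            f.write(SAMPLE_BASELINE_XML)
        patch = build_baseline_patch("/home/user/baseline.xml", local)
        ok_before = file_matches_twin(local, patch)
        with open(local, "ab") as f:          # simulate an edit on the device after the twin was set
            f.write(b"<!-- changed -->\n")
        ok_after = file_matches_twin(local, patch)
        return patch, ok_before, ok_after


if __name__ == "__main__":
    patch, before, after = demo()
    print(json.dumps(patch, indent=2))
    print("matches before edit:", before, "| matches after edit:", after)
```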

Next steps
Access your raw security data
Investigate a device
Understand and explore security recommendations
Understand and explore security alerts
Azure Security Center for IoT event aggregation
4/14/2020 • 3 minutes to read • Edit Online

Azure Security Center for IoT security agents collect data and system events from your local device and send this
data to the Azure cloud for processing and analytics. The security agent collects many types of device events,
including new process and new connection events. Both new process and new connection events may legitimately
occur frequently on a device within a second, and while important for robust and comprehensive security, the
number of messages security agents are forced to send may quickly reach or exceed your IoT Hub quota and cost
limits. However, these events contain highly valuable security information that is crucial to protecting your device.
To reduce the additional quota and costs while keeping your devices protected, Azure Security Center for IoT agents
aggregate these types of events.
Event aggregation is On by default, and although not recommended, can be manually turned Off at any time.
Aggregation is currently available for the following types of events:
ProcessCreate
ConnectionCreate
ProcessTerminate (Windows only)

How does event aggregation work?


When event aggregation is left On, Azure Security Center for IoT agents aggregate events for the interval period or
time window. Once the interval period has passed, the agent sends the aggregated events to the Azure cloud for
further analysis. The aggregated events are stored in memory until they are sent to the Azure cloud.
To reduce the memory footprint of the agent, whenever the agent collects an event identical to one that is already
being kept in memory, the agent increases the hit count of this specific event. When the aggregation time window
passes, the agent sends the hit count of each specific type of event that occurred. Event aggregation is simply the
aggregation of the hit counts of each collected type of event.
Events are considered identical only when the following conditions are met:
ProcessCreate events - when commandLine, executable, username, and userid are identical
ConnectionCreate events - when commandLine, userId, direction, local address, remote address, protocol, and destination port are identical
ProcessTerminate events - when executable and exit status are identical

Working with aggregated events
During aggregation, event properties that are not aggregated are discarded, and appear in log analytics with a
value of 0.
ProcessCreate events - processId and parentProcessId are set to 0
ConnectionCreate events - processId and source port are set to 0
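The identity rules and the zeroed fields above are enough to implement the aggregation step itself. The following Python is an added example, not the agent's code: it keys events on exactly the fields the page lists for each event type, counts hits per key, zeroes processId/parentProcessId and processId/sourcePort as described, and on window close emits each bucket with start time, end time and hit count in an ExtraDetails field. It also parses the PT..H..M..S timespan form used by the aggregationInterval settings. The field spellings (localAddress, sourcePort, exitStatus and so on), the class name, the pass-through of unsupported event types and the window arithmetic are assumptions of the example.

```python
import re

# Identity fields from the page: two events are the same only when all of these match.
IDENTITY_FIELDS = {
    "ProcessCreate": ("commandLine", "executable", "username", "userId"),
    "ConnectionCreate": ("commandLine", "userId", "direction", "localAddress",
                         "remoteAddress", "protocol", "destinationPort"),
    "ProcessTerminate": ("executable", "exitStatus"),
}
# Fields the page says are discarded during aggregation and show up as 0.
ZEROED_FIELDS = {
    "ProcessCreate": ("processId", "parentProcessId"),
    "ConnectionCreate": ("processId", "sourcePort"),
    "ProcessTerminate": (),
}


def parse_iso8601_duration(text):
    """Seconds for the PT..H..M..S timespan form used by the twin settings (e.g. "PT1H" -> 3600)."""
    match = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?", text)
    if not match or not any(match.groups()):
        raise ValueError(f"unsupported timespan: {text!r}")
    hours, minutes, seconds = (float(g) if g else 0.0 for g in match.groups())
    return hours * 3600 + minutes * 60 + seconds


class EventAggregator:
    """Keeps one entry per distinct event and counts hits until the window closes."""

    def __init__(self, interval, window_start):
        # interval may be the twin's ISO8601 string or a number of seconds
        self.interval = parse_iso8601_duration(interval) if isinstance(interval, str) else interval
        self.window_start = window_start
        self.buckets = {}          # identity key -> aggregated event

    def add(self, event, now):
        """Record an event; returns the events flushed if this event closed the window."""
        flushed = []
        if now - self.window_start >= self.interval:
            flushed = self.flush(now)
        etype = event["type"]
        if etype not in IDENTITY_FIELDS:      # not an aggregated type: emit it as-is right away
            flushed.append(dict(event))
            return flushed
        key = (etype,) + tuple(event.get(field) for field in IDENTITY_FIELDS[etype])
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = dict(event, hitCount=0)
            for field in ZEROED_FIELDS[etype]:    # per-instance fields are dropped, reported as 0
                bucket[field] = 0
            self.buckets[key] = bucket
        bucket["hitCount"] += 1
        return flushed

    def flush(self, now):
        """Close the window: emit every bucket with its hit count and the window bounds in ExtraDetails."""
        out = []
        for bucket in self.buckets.values():
            bucket["ExtraDetails"] = {"aggregationStart": self.window_start,
                                      "aggregationEnd": now, "hitCount": bucket["hitCount"]}
            out.append(bucket)
        self.buckets = {}
        self.window_start = now
        return out


if __name__ == "__main__":
    # Constructed events: the same curl invocation twice with different pids, then one connection.
    agg = EventAggregator("PT1H", window_start=0)
    proc = {"type": "ProcessCreate", "commandLine": "curl http://example.invalid",
            "executable": "/usr/bin/curl", "username": "pi", "userId": 1000}
    agg.add(dict(proc, processId=101, parentProcessId=1), now=1)
    agg.add(dict(proc, processId=102, parentProcessId=1), now=2)
    agg.add({"type": "ConnectionCreate", "commandLine": "curl", "userId": 1000, "direction": "Out",
             "localAddress": "10.0.0.5", "remoteAddress": "192.0.2.9", "protocol": "tcp",
             "destinationPort": 80, "processId": 101, "sourcePort": 40001}, now=3)
    for sent in agg.flush(now=3600):
        print(sent["type"], "hitCount =", sent["hitCount"], "ExtraDetails =", sent["ExtraDetails"])
```

With a one-hour window, the two curl launches collapse into one ProcessCreate message with hitCount 2 and processId 0, which is the trade the page describes: the per-instance pids are lost, the count and the command line are kept.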

Event aggregation based alerts


After analysis, Azure Security Center for IoT creates security alerts for suspicious aggregated events. Alerts created
from aggregated events appear only once for each aggregated event.
Aggregation start time, end time, and hit count for each event are logged in the event ExtraDetails field within Log
Analytics for use during investigations.
Each aggregated event represents a 24-hour period of collected alerts. Using the event options menu on the upper
left of each event, you can dismiss each individual aggregated event.

Event aggregation twin configuration


Make changes to the configuration of Azure Security Center for IoT event aggregation inside the agent
configuration object of the module twin identity of the azureiotsecurity module.

CONFIGURATION NAME | POSSIBLE VALUES | DETAILS | REMARKS
aggregationEnabledProcessCreate | boolean | Enable / disable event aggregation for process create events |
aggregationIntervalProcessCreate | ISO8601 Timespan string | Aggregation interval for process create events |
aggregationEnabledConnectionCreate | boolean | Enable / disable event aggregation for connection create events |
aggregationIntervalConnectionCreate | ISO8601 Timespan string | Aggregation interval for connection create events |
aggregationEnabledProcessTerminate | boolean | Enable / disable event aggregation for process terminate events | Windows only
aggregationIntervalProcessTerminate | ISO8601 Timespan string | Aggregation interval for process terminate events | Windows only

Default configuration settings

CONFIGURATION NAME | DEFAULT VALUES
aggregationEnabledProcessCreate | true
aggregationIntervalProcessCreate | "PT1H"
aggregationEnabledConnectionCreate | true
aggregationIntervalConnectionCreate | "PT1H"
aggregationEnabledProcessTerminate | true
aggregationIntervalProcessTerminate | "PT1H"

Next steps
In this article, you learned about Azure Security Center for IoT security agent aggregation, and the available event
configuration options.
To continue getting started with Azure Security Center for IoT deployment, use the following articles:
Understand Security agent authentication methods
Select and deploy a security agent
Review Azure Security Center for IoT service prerequisites
Learn how to Enable Azure Security Center for IoT service in your IoT Hub
Learn more about the service from the Azure Security Center for IoT FAQ
Pricing and associated costs
8/6/2020 • 2 minutes to read • Edit Online

This article explains the Azure Security Center for IoT pricing model, summarizes all associated costs, and explains
how to manage them.

Pricing
The Azure Security Center for IoT pricing model consists of two parts, and is billed once an IoT Hub is enabled
in Azure Security Center for IoT:
Cost by device - built-in security capabilities based on analysis of IoT Hub logs.
Cost by message - enhanced security capabilities based on security messages from IoT Edge or leaf devices.
For more information, see Security Center pricing.

Associated costs
Azure Security Center for IoT has associated costs, which are not part of the direct pricing:
Log Analytics storage costs
You can reduce associated costs by opting out of certain solution features. Opt out by changing your settings.
To change your settings:
1. Open IoT Hub.
2. Under Security, click Overview.
3. Click Settings.
The following table provides a summary of associated costs and implications of each option.

OPTION | USAGE | COMMENT
Log Analytics storage | |
Device recommendation and alerts | Security recommendation and alerts generated by the service | Not optional
Raw security data | Raw security data from IoT devices, collected by security agents | Disable store raw device security events

IMPORTANT
Opting out has severe implications to Azure Security Center for IoT security feature availability.

OPT OUT | IMPLICATIONS
Twin metadata collection | Disable custom alerts. Disable IoT Edge manifest recommendations. Disable device identity-based recommendations and alerts.
Store raw device security events | Details on device OS baseline recommendations are not available. Details on alert and recommendation investigations are not available.

See also
Access your raw security data
Investigate a device
Understand and explore security recommendations
Understand and explore security alerts
Select and deploy a security agent on your IoT
device
8/6/2020 • 2 minutes to read • Edit Online

Azure Security Center for IoT provides reference architectures for security agents that monitor and collect data
from IoT devices. To learn more, see Security agent reference architecture.
Agents are developed as open-source projects, and are available in two flavors: C and C#.
In this article, you learn how to:
Compare security agent flavors
Discover supported agent platforms
Choose the right agent flavor for your solution

Understand security agent options


Every Azure Security Center for IoT security agent flavor offers the same set of features, and supports similar
configuration options.
The C-based security agent has a lower memory footprint, and is the ideal choice for devices with fewer
available resources.

 | C-BASED SECURITY AGENT | C#-BASED SECURITY AGENT
Open-source | Available under MIT license in GitHub | Available under MIT license in GitHub
Development language | C | C#
Supported Windows platforms? | No | Yes
Windows prerequisites | --- | WMI
Supported Linux platforms? | Yes, x64 and x86 | Yes, x64 only
Linux prerequisites | libunwind8, libcurl3, uuid-runtime, auditd, audispd-plugins | libunwind8, libcurl3, uuid-runtime, auditd, audispd-plugins, sudo, netstat, iptables
Disk footprint | 10.5 MB | 90 MB
Memory footprint (on average) | 5.5 MB | 33 MB
Authentication to IoT Hub | Yes | Yes
Security data collection | Yes | Yes
Event aggregation | Yes | Yes
Remote configuration through security module twin | Yes | Yes

Security agent installation guidelines


For Windows: The InstallSecurityAgent.ps1 script must be executed from an Administrator PowerShell window.
For Linux: The InstallSecurityAgent.sh script must be run as superuser. We recommend prefixing the installation
command with "sudo".

Choose an agent flavor


Answer the following questions about your IoT devices to select the correct agent:
Are you using Windows Server or Windows IoT Core?
Deploy a C#-based security agent for Windows.
Are you using a Linux distribution with x86 architecture?
Deploy a C-based security agent for Linux.
Are you using a Linux distribution with x64 architecture?
Both agent flavors can be used.
Deploy a C-based security agent for Linux and/or Deploy a C#-based security agent for Linux.
Both agent flavors offer the same set of features and support similar configuration options. See Security agent
comparison to learn more.

Supported platforms
The following list includes all currently supported platforms.

AZURE SECURITY CENTER FOR IOT AGENT | OPERATING SYSTEM | ARCHITECTURE
C | Ubuntu 16.04 | x64
C | Ubuntu 18.04 | x64, ARMv7
C | Debian 9 | x64, x86
C# | Ubuntu 16.04 | x64
C# | Ubuntu 18.04 | x64, ARMv7
C# | Debian 9 | x64
C# | Windows Server 2016 | x64
C# | Windows 10 IoT Core, build 17763 | x64


Next steps
To learn more about configuration options, continue to the how-to guide for agent configuration.
Agent configuration how to guide
Deploy an Azure Security Center for IoT C#-based
security agent for Windows
4/16/2020 • 2 minutes to read • Edit Online

This guide explains how to install the Azure Security Center for IoT C#-based security agent on Windows.
In this guide, you learn how to:
Install
Verify deployment
Uninstall the agent
Troubleshoot

Prerequisites
For other platforms and agent flavors, see Choose the right security agent.
1. Local admin rights on the machine you wish to install on.
2. Create a security module for the device.

Installation
To install the security agent, use the following workflow:
1. Install the Azure Security Center for IoT Windows C# agent on the device. Download the most recent version
to your machine from the Azure Security Center for IoT GitHub repository.
2. Extract the contents of the package, and navigate to the /Install folder.
3. Open Windows PowerShell as Administrator.
4. Add running permissions to the InstallSecurityAgent script by running:

Unblock-File .\InstallSecurityAgent.ps1

then run:

.\InstallSecurityAgent.ps1 -Install -aui <authentication identity> -aum <authentication method> -f <file path> -hn <host name> -di <device id> -cl <certificate location kind>

For example:

.\InstallSecurityAgent.ps1 -Install -aui Device -aum SymmetricKey -f c:\Temp\Key.txt -hn MyIotHub.azure-devices.net -di Mydevice1 -cl store

For more information about authentication parameters, see How to configure authentication.
This script does the following actions:
Installs prerequisites.
Adds a service user (with interactive sign in disabled).
Installs the agent as a System Service.
Configures the agent with the provided authentication parameters.
For additional help, use the Get-Help command in PowerShell.
Get-Help example: Get-Help .\InstallSecurityAgent.ps1

Verify deployment status


Check the agent deployment status by running:
sc.exe query "ASC IoT Agent"

Uninstall the agent


To uninstall the agent:
1. Run the following PowerShell script with the -mode parameter set to Uninstall.

.\InstallSecurityAgent.ps1 -Uninstall

Troubleshooting
If the agent fails to start, turn on logging (logging is off by default) to get more information.
To turn on logging:
1. Open the configuration file (General.config) for editing using a standard file editor.
2. Edit the following values:

<add key="logLevel" value="Debug" />
<add key="fileLogLevel" value="Debug"/>
<add key="diagnosticVerbosityLevel" value="Some" />
<add key="logFilePath" value="IoTAgentLog.log" />

NOTE
We recommend turning logging off after troubleshooting is complete. Leaving logging on increases log file size and
data usage.

3. Restart the agent by running the following PowerShell or command line:

PowerShell

Restart-Service "ASC IoT Agent"

or

CMD

sc.exe stop "ASC IoT Agent"
sc.exe start "ASC IoT Agent"

4. Review the log file for more information about the failure. The log file is written to the working
directory from which the script was run.
Log file location: .\IoTAgentLog.log

Next steps
Read the Azure Security Center for IoT service Overview
Learn more about Azure Security Center for IoT Architecture
Enable the service
Read the FAQ
Understand alerts
Deploy Azure Security Center for IoT C# based
security agent for Linux
4/14/2020 • 2 minutes to read • Edit Online

This guide explains how to install and deploy the Azure Security Center for IoT C#-based security agent on Linux.
In this guide, you learn how to:
Install
Verify deployment
Uninstall the agent
Troubleshoot

Prerequisites
For other platforms and agent flavors, see Choose the right security agent.
1. To deploy the security agent, local admin rights are required on the machine you wish to install on.
2. Create a security module for the device.

Installation
To deploy the security agent, use the following steps:
1. Download the most recent version to your machine from GitHub.
2. Extract the contents of the package and navigate to the /Install folder.
3. Add running permissions to the InstallSecurityAgent script by running:
chmod +x InstallSecurityAgent.sh

4. Next, run the following command with root privileges:

./InstallSecurityAgent.sh -i -aui <authentication identity> -aum <authentication method> -f <file path> -hn <host name> -di <device id> -cl <certificate location kind>

For more information about authentication parameters, see How to configure authentication.
This script performs the following actions:
Installs prerequisites.
Adds a service user (with interactive sign in disabled).
Installs the agent as a Daemon - assumes the device uses systemd for classic deployment model.
Configures sudoers to allow the agent to do certain tasks as root.
Configures the agent with the provided authentication parameters.
For additional help, run the script with the --help parameter: ./InstallSecurityAgent.sh --help

Uninstall the agent


To uninstall the agent, run the script with the -u parameter: ./InstallSecurityAgent.sh -u

NOTE
Uninstall does not remove any missing prerequisites that were installed during installation.

Troubleshooting
1. Check the deployment status by running:
systemctl status ASCIoTAgent.service

2. Enable logging. If the agent fails to start, turn on logging to get more information.
Turn on the logging by:
a. Open the configuration file for editing in any Linux editor:
vi /var/ASCIoTAgent/General.config

b. Edit the following values:

<add key="logLevel" value="Debug"/>
<add key="fileLogLevel" value="Debug"/>
<add key="diagnosticVerbosityLevel" value="Some" />
<add key="logFilePath" value="IotAgentLog.log"/>

The logFilePath value is configurable.

NOTE
We recommend turning logging off after troubleshooting is complete. Leaving logging on increases log file
size and data usage.

c. Restart the agent by running:


systemctl restart ASCIoTAgent.service

d. View the log file for more information about the failure.
Log file location is: /var/ASCIoTAgent/IotAgentLog.log

Change the file location path according to the name you chose for the logFilePath in step 2.

Next steps
Read the Azure Security Center for IoT service Overview
Learn more about Azure Security Center for IoT Architecture
Enable the service
Read the FAQ
Understand alerts
Deploy Azure Security Center for IoT C based
security agent for Linux
4/14/2020 • 2 minutes to read • Edit Online

This guide explains how to install and deploy the Azure Security Center for IoT C-based security agent on Linux.
In this guide, you learn how to:
Install
Verify deployment
Uninstall the agent
Troubleshoot

Prerequisites
For other platforms and agent flavors, see Choose the right security agent.
1. To deploy the security agent, local admin rights are required on the machine you wish to install on (sudo).
2. Create a security module for the device.

Installation
To install and deploy the security agent, use the following workflow:
1. Download the most recent version to your machine from GitHub.
2. Extract the contents of the package and navigate to the /src/installation folder.
3. Add running permissions to the InstallSecurityAgent script by running the following command:

chmod +x InstallSecurityAgent.sh

4. Next, run:

./InstallSecurityAgent.sh -aui <authentication identity> -aum <authentication method> -f <file path> -hn <host name> -di <device id> -i

See How to configure authentication for more information about authentication parameters.
This script performs the following function:
1. Installs prerequisites.
2. Adds a service user (with interactive sign in disabled).
3. Installs the agent as a Daemon - assumes the device uses systemd for service management.
4. Configures the agent with the authentication parameters provided.
For additional help, run the script with the --help parameter:
./InstallSecurityAgent.sh --help

Uninstall the agent
To uninstall the agent, run the script with the --uninstall parameter:
./InstallSecurityAgent.sh --uninstall

Troubleshooting
Check the deployment status by running:
systemctl status ASCIoTAgent.service

Next steps
Read the Azure Security Center for IoT service Overview
Learn more about Azure Security Center for IoT Architecture
Enable the service
Read the FAQ
Understand security alerts
Security agent troubleshoot guide (Linux)
4/14/2020 • 4 minutes to read • Edit Online

This article explains how to solve potential problems in the security agent start-up process.
Azure Security Center for IoT agent self-starts immediately after installation. The agent start up process includes
reading local configuration, connecting to Azure IoT Hub, and retrieving the remote twin configuration. Failure in
any one of these steps may cause the security agent to fail.
In this troubleshooting guide you'll learn how to:
Validate if the security agent is running
Get security agent errors
Understand and remediate security agent errors

Validate if the security agent is running


1. To validate that the security agent is running, wait a few minutes after installing the agent and run the
following command.
C agent

grep "ASC for IoT Agent initialized" /var/log/syslog

C# agent

grep "Agent is initialized!" /var/log/syslog

2. If the command returns an empty line, the security agent was unable to start successfully.

Force stop the security agent


In cases where the security agent is unable to start, stop the agent with the following command, then continue to
the error table below:

systemctl stop ASCIoTAgent.service

Get security agent errors


1. Retrieve security agent error(s) by running the following command:

grep ASCIoTAgent /var/log/syslog

2. The get security agent error command retrieves all logs created by the Azure Security Center for IoT agent.
Use the following table to understand the errors and take the correct steps for remediation.
NOTE
Error logs are shown in chronological order. Make sure to note the timestamp of each error to help your remediation.

Restart the agent


1. After locating and fixing a security agent error, try to restart the agent by running the following command.

systemctl restart ASCIoTAgent.service

2. If the agent continues to fail the startup process, repeat the previous steps to stop the agent and retrieve
the errors.

Understand security agent errors


Most security agent errors are displayed in the following format:

Azure Security Center for IoT agent encountered an error! Error in: {Error Code}, reason: {Error sub code}, extra details: {error specific details}

ERROR CODE | ERROR SUB CODE | ERROR DETAILS | REMEDIATE C | REMEDIATE C#
Local Configuration | Missing Configuration | A configuration is missing in the local configuration file. The error message should state which key is missing. | Add the missing key to the /var/LocalConfiguration.json file, see the cs-localconfig-reference for details. | Add the missing key to the General.config file, see the c#-localconfig-reference for details.
Local Configuration | Cant Parse Configuration | A configuration value can't be parsed. The error message should state which key can't be parsed. A configuration value cannot be parsed either because the value is not of the expected type, or because the value is out of range. | Fix the value of the key in the /var/LocalConfiguration.json file so that it matches the LocalConfiguration schema, see the c#-localconfig-reference for details. | Fix the value of the key in the General.config file so that it matches the schema, see the cs-localconfig-reference for details.
Local Configuration | File Format | Failed to parse configuration file. | The configuration file is corrupted, download the agent and re-install. |
Remote Configuration | Timeout | The agent could not fetch the azureiotsecurity module twin within the timeout period. | Make sure authentication configuration is correct and try again. | Make sure authentication configuration is correct and try again.
Authentication | File Not Exist | The file in the given path does not exist. | Make sure the file exists in the given path or go to the LocalConfiguration.json file and change the FilePath configuration. | Make sure the file exists in the given path or go to the Authentication.config file and change the filePath configuration.
Authentication | File Permission | The agent does not have sufficient permissions to open the file. | Give the asciotagent user read permissions on the file in the given path. | Make sure the file is accessible.
Authentication | File Format | The given file is not in the correct format. | Make sure the file is in the correct format. The supported file types are .pfx and .pem. | Make sure the file is a valid certificate file.
Authentication | Unauthorized | The agent was not able to authenticate against IoT Hub with the given credentials. | Validate the authentication configuration in the LocalConfiguration file: go through the authentication configuration and make sure all the details are correct, and validate that the secret in the file matches the authenticated identity. | Validate the authentication configuration in Authentication.config: go through the authentication configuration and make sure all the details are correct, then validate that the secret in the file matches the authenticated identity.
Authentication | Not Found | The device / module was not found. | Validate authentication configuration - make sure the hostname is correct, the device exists in IoT Hub and has an azureiotsecurity twin module. | Validate authentication configuration - make sure the hostname is correct, the device exists in IoT Hub and has an azureiotsecurity twin module.
Authentication | Missing Configuration | A configuration is missing in the Authentication.config file. The error message should state which key is missing. | Add the missing key to the LocalConfiguration.json file. | Add the missing key to the Authentication.config file, see the c#-localconfig-reference for details.
Authentication | Cant Parse Configuration | A configuration value can't be parsed. The error message should state which key can't be parsed. A configuration value cannot be parsed because either the value is not of the expected type, or the value is out of range. | Fix the value of the key in the LocalConfiguration.json file. | Fix the value of the key in the Authentication.config file to match the schema, see the cs-localconfig-reference for details.
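Since every agent error shares the `Error in: ..., reason: ..., extra details: ...` format shown above, the grep steps in this guide can be turned into a small triage script. The following Python is an added example, not code from the page: it scans a constructed /var/log/syslog excerpt, reports whether the `ASC for IoT Agent initialized` line appeared, extracts each error's code, sub code and details in chronological order, and attaches the C-agent remediation from the table above (abbreviated). The log lines, host name and process ids are constructed, and the remediation map covers only rows that exist in the table.

```python
import re

# Constructed /var/log/syslog excerpt for a device running the C agent (not from the page).
SAMPLE_SYSLOG = """\
Mar  3 10:14:58 edge-dev-01 ASCIoTAgent[1432]: Azure Security Center for IoT agent encountered an error! Error in: Local Configuration, reason: Cant Parse Configuration, extra details: TriggerdEventsInterval
Mar  3 10:15:02 edge-dev-01 systemd[1]: ASCIoTAgent.service: Main process exited, code=exited, status=1/FAILURE
Mar  3 10:21:40 edge-dev-01 ASCIoTAgent[1501]: Azure Security Center for IoT agent encountered an error! Error in: Authentication, reason: File Permission, extra details: /var/ASCIoTAgent/SymmetricKey
Mar  3 10:30:07 edge-dev-01 ASCIoTAgent[1588]: ASC for IoT Agent initialized
"""

# Only lines written by the agent process are of interest; the systemd line above is skipped.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ASCIoTAgent(?:\[\d+\])?: (?P<msg>.*)$")
ERROR_RE = re.compile(r"Error in: (?P<code>.+?), reason: (?P<sub>.+?), extra details: (?P<details>.*)$")
INITIALIZED = "ASC for IoT Agent initialized"

# Abbreviated excerpt of the page's remediation table for the C agent, keyed by (error code, error sub code).
REMEDIATE_C = {
    ("Local Configuration", "Missing Configuration"): "Add the missing key to the LocalConfiguration.json file.",
    ("Local Configuration", "Cant Parse Configuration"): "Fix the value of the key in LocalConfiguration.json so that it matches the LocalConfiguration schema.",
    ("Local Configuration", "File Format"): "The configuration file is corrupted: download the agent and re-install.",
    ("Remote Configuration", "Timeout"): "Make sure authentication configuration is correct and try again.",
    ("Authentication", "File Not Exist"): "Make sure the file exists in the given path or change the FilePath configuration.",
    ("Authentication", "File Permission"): "Give the asciotagent user read permissions on the file in the given path.",
    ("Authentication", "File Format"): "Make sure the file is in the correct format (.pfx or .pem).",
    ("Authentication", "Unauthorized"): "Validate the authentication configuration and that the secret in the file matches the authenticated identity.",
    ("Authentication", "Not Found"): "Make sure the hostname is correct and the device exists in IoT Hub with an azureiotsecurity module twin.",
}


def triage(syslog_text):
    """Return (initialized, errors): whether the agent reported start-up, and its errors in log order."""
    initialized = False
    errors = []
    for line in syslog_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        msg = match.group("msg")
        if INITIALIZED in msg:
            initialized = True
            continue
        err = ERROR_RE.search(msg)
        if err:
            code, sub = err.group("code"), err.group("sub")
            errors.append({
                "timestamp": match.group("ts"),
                "code": code,
                "sub_code": sub,
                "details": err.group("details"),
                "remediation": REMEDIATE_C.get((code, sub), "Not in the table; check the error details."),
            })
    return initialized, errors


if __name__ == "__main__":
    ok, errs = triage(SAMPLE_SYSLOG)
    print("agent initialized:", ok)
    for err in errs:
        print(f"{err['timestamp']}  {err['code']} / {err['sub_code']} ({err['details']})")
        print(f"    -> {err['remediation']}")
```

The timestamps matter here for the reason the guide's note gives: the sample shows two failed starts, each fixed in turn, before the initialized line finally appears, so the most recent error is the one still worth acting on.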

Restart the agent


1. After locating and fixing a security agent error, restart the agent by running the following command:

systemctl restart ASCIoTAgent.service

2. If required, repeat the previous processes to force stop the agent and retrieve the errors if the agent
continues to fail the startup process.

Next steps
Read the Azure Security Center for IoT service Overview
Learn more about Azure Security Center for IoT Architecture
Enable the Azure Security Center for IoT service
Read the Azure Security Center for IoT service FAQ
Learn how to access raw security data
Understand recommendations
Understand security alerts
Understanding the LocalConfiguration.json file - C
agent
8/6/2020 • 2 minutes to read • Edit Online

The Azure Security Center for IoT security agent uses configurations from a local configuration file. The security
agent reads the configuration once, at agent start-up. The configuration found in the local configuration file
contains authentication configuration and other agent related configurations. The file contains configurations as
"Key-Value" pairs in JSON notation, and the configurations are populated when the agent is installed.
By default, the file is located at: /var/ASCIoTAgent/LocalConfiguration.json
Changes to the configuration file take effect when the agent is restarted.

Security agent configurations for C


CONFIGURATION NAME | POSSIBLE VALUES | DETAILS
AgentId | GUID | The agent unique identifier
TriggerdEventsInterval | ISO8601 string | Scheduler interval for triggered events collection
ConnectionTimeout | ISO8601 string | Time period before the connection to IoT Hub gets timed out
Authentication | JsonObject | Authentication configuration. This object contains all the information needed for authentication against IoT Hub
Identity | "DPS", "SecurityModule", "Device" | Authentication identity - DPS if authentication is made through DPS, SecurityModule if authentication is made via security module credentials, or Device if authentication is made with device credentials
AuthenticationMethod | "SasToken", "SelfSignedCertificate" | The user secret for authentication - choose SasToken if the user secret is a symmetric key, choose SelfSignedCertificate if the secret is a self-signed certificate
FilePath | Path to file (string) | Path to the file that contains the authentication secret
HostName | string | The host name of the Azure IoT hub. Usually .azure-devices.net
DeviceId | string | The ID of the device (as registered in Azure IoT Hub)
DPS | JsonObject | DPS related configurations
IDScope | string | ID scope of DPS
RegistrationId | string | DPS device registration ID
Logging | JsonObject | Agent logger related configurations
SystemLoggerMinimumSeverity | 0 <= number <= 4 | Log messages equal to and above this severity will be logged to /var/log/syslog (0 is the lowest severity)
DiagnosticEventMinimumSeverity | 0 <= number <= 4 | Log messages equal to and above this severity will be sent as diagnostic events (0 is the lowest severity)

Security agent configurations code example

{
    "Configuration" : {
        "AgentId" : "b97faf0a-0f57-471f-9dab-46a8e1764946",
        "TriggerdEventsInterval" : "PT2M",
        "ConnectionTimeout" : "PT30S",
        "Authentication" : {
            "Identity" : "Device",
            "AuthenticationMethod" : "SasToken",
            "FilePath" : "/path/to/my/SymmetricKey",
            "DeviceId" : "my-device",
            "HostName" : "my-iothub.azure-devices.net",
            "DPS" : {
                "IDScope" : "",
                "RegistrationId" : ""
            }
        },
        "Logging": {
            "SystemLoggerMinimumSeverity": 0,
            "DiagnosticEventMinimumSeverity": 2
        }
    }
}
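Because the agent reads this file only once at start-up and refuses to run on a malformed one, it is worth checking the file before restarting the agent. The following is an added example (not the agent's own validator) that applies the value rules from the table above to a configuration document such as the one just shown. The rule that DPS fields are required only when Identity is DPS, and DeviceId otherwise, is an assumption made here, not something the page states.

```python
"""Consistency checks for the C agent's local configuration (added example)."""
import json
import re
import uuid

# ISO 8601 duration, e.g. PT30S, PT2M, P1DT12H (fractions allowed only on seconds)
ISO8601_DURATION = re.compile(
    r"^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+(\.\d+)?S)?)?$"
)
IDENTITIES = {"DPS", "SecurityModule", "Device"}
AUTH_METHODS = {"SasToken", "SelfSignedCertificate"}
SEVERITY_KEYS = ("SystemLoggerMinimumSeverity", "DiagnosticEventMinimumSeverity")

# Constructed sample mirroring the code example above (not a real device or hub).
SAMPLE_CONFIG = """{
  "Configuration": {
    "AgentId": "b97faf0a-0f57-471f-9dab-46a8e1764946",
    "TriggerdEventsInterval": "PT2M",
    "ConnectionTimeout": "PT30S",
    "Authentication": {
      "Identity": "Device",
      "AuthenticationMethod": "SasToken",
      "FilePath": "/path/to/my/SymmetricKey",
      "DeviceId": "my-device",
      "HostName": "my-iothub.azure-devices.net",
      "DPS": {"IDScope": "", "RegistrationId": ""}
    },
    "Logging": {"SystemLoggerMinimumSeverity": 0, "DiagnosticEventMinimumSeverity": 2}
  }
}"""


def load_sample():
    """Parse the constructed sample document."""
    return json.loads(SAMPLE_CONFIG)


def _is_guid(value):
    try:
        uuid.UUID(str(value))
    except ValueError:
        return False
    return True


def _is_severity(value):
    return isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= 4


def validate_local_configuration(doc):
    """Return a list of problems; an empty list means every rule from the table holds."""
    problems = []
    cfg = doc.get("Configuration")
    if not isinstance(cfg, dict):
        return ["missing top-level 'Configuration' object"]

    if not _is_guid(cfg.get("AgentId")):
        problems.append("AgentId must be a GUID")
    for key in ("TriggerdEventsInterval", "ConnectionTimeout"):
        value = cfg.get(key)
        if not isinstance(value, str) or not ISO8601_DURATION.match(value):
            problems.append(f"{key} must be an ISO 8601 duration string such as PT30S")

    auth = cfg.get("Authentication")
    if not isinstance(auth, dict):
        problems.append("Authentication object is missing")
    else:
        identity = auth.get("Identity")
        if identity not in IDENTITIES:
            problems.append(f"Authentication.Identity must be one of {sorted(IDENTITIES)}")
        if auth.get("AuthenticationMethod") not in AUTH_METHODS:
            problems.append(f"Authentication.AuthenticationMethod must be one of {sorted(AUTH_METHODS)}")
        if not auth.get("FilePath"):
            problems.append("Authentication.FilePath must name the file holding the secret")
        if not str(auth.get("HostName", "")).endswith(".azure-devices.net"):
            problems.append("Authentication.HostName should be the IoT Hub host name (*.azure-devices.net)")
        # Assumption (not stated on the page): DPS fields are needed only when
        # Identity is DPS, and DeviceId is needed for the other two identities.
        if identity == "DPS":
            dps = auth.get("DPS") or {}
            for key in ("IDScope", "RegistrationId"):
                if not dps.get(key):
                    problems.append(f"Authentication.DPS.{key} is required when Identity is DPS")
        elif not auth.get("DeviceId"):
            problems.append("Authentication.DeviceId is required when Identity is not DPS")

    logging_cfg = cfg.get("Logging") or {}
    for key in SEVERITY_KEYS:
        if not _is_severity(logging_cfg.get(key)):
            problems.append(f"Logging.{key} must be an integer from 0 to 4")
    return problems


def validate_file(path):
    """Load a configuration file from disk and validate it."""
    with open(path, encoding="utf-8") as handle:
        return validate_local_configuration(json.load(handle))


if __name__ == "__main__":
    print(validate_local_configuration(load_sample()) or "configuration OK")
```

Run `validate_file("/var/ASCIoTAgent/LocalConfiguration.json")` (the path is an assumption; use wherever your agent keeps the file) from a restart script and abort the restart when the returned list is non-empty.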

Next steps
Read the Azure Security Center for IoT service Overview
Learn more about Azure Security Center for IoT Architecture
Enable the Azure Security Center for IoT service
Read the Azure Security Center for IoT service FAQ
Learn how to access raw security data
Understand recommendations
Understand security alerts
Understanding the local configuration file (C# agent)
8/6/2020 • 3 minutes to read • Edit Online

The Azure Security Center for IoT security agent uses configurations from a local configuration file.
The security agent reads the configuration file once when the agent starts up. The configurations found in the local
configuration file contain both authentication configuration and other agent-related configurations.
The C# security agent uses multiple configuration files:
General.config - Agent related configurations.
Authentication.config - Authentication related configuration (including authentication details).
SecurityIotInterface.config - IoT related configurations.
The configuration files contain the default configuration. Authentication configuration is populated during agent
installation, and changes to the configuration file take effect when the agent is restarted.

Configuration file location

For Linux:
Operating system configuration files are located in /var/ASCIoTAgent.
For Windows:
Operating system configuration files are located within the directory of the security agent.
General.config configurations

| Configuration name | Possible values | Details |
|---|---|---|
| agentId | GUID | Agent unique identifier |
| readRemoteConfigurationTimeout | TimeSpan | Time period for fetching remote configuration from IoT Hub. If the agent can't fetch the configuration within the specified time, the operation times out. |
| schedulerInterval | TimeSpan | Internal scheduler interval. |
| producerInterval | TimeSpan | Event producer worker interval. |
| consumerInterval | TimeSpan | Event consumer worker interval. |
| highPriorityQueueSizePercentage | 0 < number < 1 | The portion of the total cache dedicated to high priority messages. |
| logLevel | "Off", "Fatal", "Error", "Warning", "Information", "Debug" | Log messages at or above this severity are logged to the debug console (Syslog in Linux). |
| fileLogLevel | "Off", "Fatal", "Error", "Warning", "Information", "Debug" | Log messages at or above this severity are logged to file (Syslog in Linux). |
| diagnosticVerbosityLevel | "None", "Some", "All" | Verbosity level of diagnostic events. None: diagnostic events are not sent; Some: only diagnostic events with high importance are sent; All: all logs are also sent as diagnostic events. |
| logFilePath | Path to file | If fileLogLevel > Off, logs are written to this file. |
| defaultEventPriority | "High", "Low", "Off" | Default event priority. |

General.config example

<?xml version="1.0" encoding="utf-8"?>
<General>
    <add key="agentId" value="da00006c-dae9-4273-9abc-bcb7b7b4a987" />
    <add key="readRemoteConfigurationTimeout" value="00:00:30" />
    <add key="schedulerInterval" value="00:00:01" />
    <add key="producerInterval" value="00:02:00" />
    <add key="consumerInterval" value="00:02:00" />
    <add key="highPriorityQueueSizePercentage" value="0.5" />
    <add key="logLevel" value="Information" />
    <add key="fileLogLevel" value="Off"/>
    <add key="diagnosticVerbosityLevel" value="Some" />
    <add key="logFilePath" value="IotAgentLog.log" />
    <add key="defaultEventPriority" value="Low"/>
</General>

Authentication.config

| Configuration name | Possible values | Details |
|---|---|---|
| moduleName | string | Name of the security module identity. This name must correspond to the module identity name in the device. |
| deviceId | string | ID of the device (as registered in Azure IoT Hub). |
| gatewayHostname | string | Host name of the Azure IoT Hub. Usually of the form *.azure-devices.net |
| filePath | string - path to file | Path to the file that contains the authentication secret. |
| type | "SymmetricKey", "SelfSignedCertificate" | The user secret for authentication. Choose SymmetricKey if the user secret is a symmetric key, choose SelfSignedCertificate if the secret is a self-signed certificate. |
| identity | "DPS", "Module", "Device" | Authentication identity: DPS if authentication is made through DPS, Module if authentication is made using module credentials, or Device if authentication is made using device credentials. |
| certificateLocationKind | "LocalFile", "Store" | LocalFile if the certificate is stored in a file, Store if the certificate is located in a certificate store. |
| idScope | string | ID scope of DPS |
| registrationId | string | DPS device registration ID. |
Authentication.config example

<?xml version="1.0" encoding="utf-8"?>
<Authentication>
    <add key="moduleName" value="azureiotsecurity"/>
    <add key="deviceId" value="d1"/>
    <add key="gatewayHostname" value=""/>
    <add key="filePath" value="c:\p-dps-d1.pfx"/>
    <add key="type" value="SelfSignedCertificate" /> <!-- SymmetricKey, SelfSignedCertificate -->
    <add key="identity" value="DPS" /> <!-- Device, Module, DPS -->
    <add key="certificateLocationKind" value="LocalFile" /> <!-- LocalFile, Store -->
    <add key="idScope" value="0ne0005335B"/>
    <add key="registrationId" value="d1"/>
</Authentication>

SecurityIotInterface.config

| Configuration name | Possible values | Details |
|---|---|---|
| transportType | "Amqp", "Mqtt" | IoT Hub transport type. |

SecurityIotInterface.config example

<ExternalInterface>
    <add key="facadeType" value="Microsoft.Azure.Security.IoT.Agent.Common.SecurityIoTHubInterface, Security.Common" />
    <add key="transportType" value="Amqp"/>
</ExternalInterface>

Next steps
Read the Azure Security Center for IoT service Overview
Learn more about Azure Security Center for IoT Architecture
Enable the Azure Security Center for IoT service
Read the Azure Security Center for IoT service FAQ
Learn how to access raw security data
Understand recommendations
Understand security alerts
Deploy a security module on your IoT Edge device
4/14/2020 • 3 minutes to read • Edit Online

Azure Security Center for IoT module provides a comprehensive security solution for your IoT Edge devices.
The security module collects, aggregates, and analyzes raw security data from your Operating System and
Container system into actionable security recommendations and alerts. To learn more, see Security module for IoT
Edge.
In this article, you'll learn how to deploy a security module on your IoT Edge device.

Deploy security module


Use the following steps to deploy an Azure Security Center for IoT security module for IoT Edge.
Prerequisites
1. In your IoT Hub, make sure your device is registered as an IoT Edge device.
2. The Azure Security Center for IoT Edge module requires that the AuditD framework be installed on the IoT Edge
device.
Install the framework by running the following command on your IoT Edge device:
sudo apt-get install auditd audispd-plugins

Verify AuditD is active by running the following command:
sudo systemctl status auditd

Expected response is: active (running)

Deployment using Azure portal


1. From the Azure portal, open Marketplace .
2. Select Internet of Things , then search for Azure Security Center for IoT and select it.

3. Click Create to configure the deployment.


4. Choose the Azure Subscription of your IoT Hub, then select your IoT Hub .
Select Deploy to a device to target a single device or select Deploy at Scale to target multiple devices,
and click Create . For more information about deploying at scale, see How to deploy.
NOTE
If you selected Deploy at Scale , add the device name and details before continuing to the Add Modules tab in the
following instructions.

Complete each step to complete your IoT Edge deployment for Azure Security Center for IoT.
Step 1: Modules
1. Select the AzureSecurityCenterforIoT module.
2. On the Module Settings tab, change the name to azureiotsecurity .
3. On the Environment Variables tab, add a variable if needed (for example, debug level).
4. On the Container Create Options tab, add the following configuration:

{
    "NetworkingConfig": {
        "EndpointsConfig": {
            "host": {}
        }
    },
    "HostConfig": {
        "Privileged": true,
        "NetworkMode": "host",
        "PidMode": "host",
        "Binds": [
            "/:/host"
        ]
    }
}

5. On the Module Twin Settings tab, add the following configuration:

"ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration"

6. Select Update .
Step 2: Runtime settings
1. Select Runtime Settings .
2. Under Edge Hub , change the Image to mcr.microsoft.com/azureiotedge-hub:1.0.8.3 .
3. Verify Create Options is set to the following configuration:
{
    "HostConfig": {
        "PortBindings": {
            "8883/tcp": [
                {
                    "HostPort": "8883"
                }
            ],
            "443/tcp": [
                {
                    "HostPort": "443"
                }
            ],
            "5671/tcp": [
                {
                    "HostPort": "5671"
                }
            ]
        }
    }
}

4. Select Save .
5. Select Next .
Step 3: Specify routes
1. On the Specify Routes tab, make sure you have a route (explicit or implicit) that will forward messages
from the azureiotsecurity module to $upstream according to the following examples. Only when the
route is in place, select Next .
Example routes:

"route": "FROM /messages/* INTO $upstream"

"ASCForIoTRoute": "FROM /messages/modules/azureiotsecurity/* INTO $upstream"

2. Select Next .
Step 4: Review deployment
On the Review Deployment tab, review your deployment information, then select Create to complete the
deployment.
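The settings in Steps 1 to 3 give the azureiotsecurity container a privileged process with the host's network and PID namespaces and the whole host filesystem bound at /host, which is exactly what lets it audit the device and also why the deployment manifest deserves a review before it goes out at scale. The following is an added example, not Microsoft tooling, that reads a deployment manifest and confirms the module's container create options, the Edge Hub image named in Step 2 and the $upstream route from Step 3 are all present. The manifest below is constructed for the example; in a real manifest createOptions is stored as a JSON-encoded string, which the code handles (a plain object is accepted too).

```python
"""Review an IoT Edge deployment manifest for the azureiotsecurity settings (added example)."""
import json
import re

MODULE_NAME = "azureiotsecurity"
EDGE_HUB_IMAGE = "mcr.microsoft.com/azureiotedge-hub:1.0.8.3"   # version named in Step 2
# Route grammar used by IoT Edge: FROM <source> [WHERE <condition>] INTO <sink>
ROUTE_RE = re.compile(r"^\s*FROM\s+(\S+)(?:\s+WHERE\s+.+?)?\s+INTO\s+(\S+)\s*$", re.IGNORECASE)

# Constructed manifest carrying the settings from Steps 1 to 3 (not a real deployment).
SAMPLE_MANIFEST = json.dumps({
    "modulesContent": {
        "$edgeAgent": {"properties.desired": {
            "systemModules": {
                "edgeAgent": {"settings": {"image": "mcr.microsoft.com/azureiotedge-agent:1.0.1"}},
                "edgeHub": {"settings": {"image": EDGE_HUB_IMAGE}},
            },
            "modules": {
                MODULE_NAME: {
                    "type": "docker",
                    "settings": {
                        "image": "mcr.microsoft.com/ascforiot/azureiotsecurity:1.0.2",
                        # createOptions travels as a JSON string inside the manifest
                        "createOptions": json.dumps({
                            "NetworkingConfig": {"EndpointsConfig": {"host": {}}},
                            "HostConfig": {"Privileged": True, "NetworkMode": "host",
                                           "PidMode": "host", "Binds": ["/:/host"]},
                        }),
                    },
                }
            },
        }},
        "$edgeHub": {"properties.desired": {
            "routes": {"ASCForIoTRoute": f"FROM /messages/modules/{MODULE_NAME}/* INTO $upstream"}
        }},
    }
})


def load_sample():
    return json.loads(SAMPLE_MANIFEST)


def _create_options(module):
    opts = module.get("settings", {}).get("createOptions", {})
    return json.loads(opts) if isinstance(opts, str) else opts


def route_forwards_security_messages(route):
    """True if the route sends the security module's output (or all messages) to $upstream."""
    text = route.get("route") if isinstance(route, dict) else route
    match = ROUTE_RE.match(text or "")
    if not match:
        return False
    source, sink = match.groups()
    covers_module = source == "/messages/*" or source.startswith(f"/messages/modules/{MODULE_NAME}/")
    return covers_module and sink == "$upstream"


def check_deployment(manifest):
    """Return the list of deviations from the settings this article asks for."""
    problems = []
    content = manifest.get("modulesContent", {})
    agent = content.get("$edgeAgent", {}).get("properties.desired", {})
    hub = content.get("$edgeHub", {}).get("properties.desired", {})
    module = agent.get("modules", {}).get(MODULE_NAME)
    if module is None:
        return [f"module '{MODULE_NAME}' is not part of the deployment"]

    options = _create_options(module)
    host = options.get("HostConfig", {})
    if host.get("Privileged") is not True:
        problems.append("HostConfig.Privileged must be true")
    if host.get("NetworkMode") != "host":
        problems.append("HostConfig.NetworkMode must be 'host'")
    if host.get("PidMode") != "host":
        problems.append("HostConfig.PidMode must be 'host'")
    if "/:/host" not in host.get("Binds", []):
        problems.append("HostConfig.Binds must include '/:/host'")
    if "host" not in options.get("NetworkingConfig", {}).get("EndpointsConfig", {}):
        problems.append("NetworkingConfig.EndpointsConfig must contain 'host'")

    hub_image = agent.get("systemModules", {}).get("edgeHub", {}).get("settings", {}).get("image")
    if hub_image != EDGE_HUB_IMAGE:
        problems.append(f"edgeHub image must be {EDGE_HUB_IMAGE}, found {hub_image!r}")

    if not any(route_forwards_security_messages(r) for r in hub.get("routes", {}).values()):
        problems.append(f"no route forwards /messages/modules/{MODULE_NAME}/* to $upstream")
    return problems


if __name__ == "__main__":
    print(check_deployment(load_sample()) or "deployment matches the required settings")
```

The same check is useful in reverse: because these create options grant host-level access, any other module in the manifest that carries them should be treated as a finding, so extend the loop over `agent["modules"]` if you run this as a deployment gate.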

Diagnostic steps
If you encounter an issue, container logs are the best way to learn about the state of an IoT Edge security module
device. Use the commands and tools in this section to gather information.
Verify the required containers are installed and functioning as expected
1. Run the following command on your IoT Edge device:
sudo docker ps

2. Verify that the following containers are running:

| Name | Image |
|---|---|
| azureiotsecurity | mcr.microsoft.com/ascforiot/azureiotsecurity:1.0.2 |
| edgeHub | mcr.microsoft.com/azureiotedge-hub:1.0.8.3 |
| edgeAgent | mcr.microsoft.com/azureiotedge-agent:1.0.1 |

If the minimum required containers are not present, check if your IoT Edge deployment manifest is aligned
with the recommended settings. For more information, see Deploy IoT Edge module.
Inspect the module logs for errors
1. Run the following command on your IoT Edge device:
sudo docker logs azureiotsecurity

2. For more verbose logs, add the following environment variable to the azureiotsecurity module
deployment: logLevel=Debug .

Next steps
To learn more about configuration options, continue to the how-to guide for module configuration.
Module configuration how-to guide
Tutorial: Configure security agents
4/14/2020 • 4 minutes to read • Edit Online

This article explains Azure Security Center for IoT security agents, and details how to change and configure
them.
Configure security agents
Change agent behavior by editing twin properties
Discover default configuration

Agents
Azure Security Center for IoT security agents collect data from IoT devices and perform security actions to
mitigate the detected vulnerabilities. Security agent configuration is controllable using a set of module twin
properties you can customize. In general, secondary updates to these properties are infrequent.
Azure Security Center for IoT's security agent twin configuration object is a JSON format object. The
configuration object is a set of controllable properties that you can define to control the behavior of the agent.
These configurations help you customize the agent for each scenario required. For example, automatically
excluding some events, or keeping power consumption to a minimal level are possible by configuring these
properties.
Use the Azure Security Center for IoT security agent configuration schema to make changes.

Configuration objects
Properties related to every Azure Security Center for IoT security agent are located in the agent configuration
object, within the desired properties section, of the azureiotsecurity module.
To modify the configuration, create and modify this object inside the azureiotsecurity module twin identity.
If the agent configuration object does not exist in the azureiotsecurity module twin, all security agent property
values are set to default.

"desired": {
    "ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration": {
    }
}

Configuration schema and validation


Make sure to validate your agent configuration against this schema. An agent will not launch if the
configuration object does not match the schema.
If, while the agent is running, the configuration object is changed to a non-valid configuration (the configuration
does not match the schema), the agent will ignore the invalid configuration and will continue using the current
configuration.
Configuration validation
The Azure Security Center for IoT security agent reports its current configuration inside the reported properties
section of the azureiotsecurity module twin identity. The agent reports all the available properties; if a
property was not set by the user, the agent reports the default configuration.
To validate your configuration, compare the values set in the desired section with the values reported in the
reported section.
If there is a mismatch between the desired and the reported properties, the agent was not able to parse the
configuration.
Validate your desired properties against the schema, fix the errors, and set your desired properties again.

NOTE
The agent fires a configuration error alert if it was not able to parse the desired configuration. Compare the
reported and desired sections to understand whether the alert still applies.

Editing a property
All custom properties must be set inside the agent configuration object within the azureiotsecurity module
twin. To use a default property value, remove the property from the configuration object.
Setting a property
1. In your IoT Hub, locate and select the device you wish to change.
2. Click on your device, and then on azureiotsecurity module.
3. Click on Module Identity Twin .
4. Edit the properties you wish to change in the security module.
For example, to configure connection events as high priority and collect high priority events every 7
minutes, use the following configuration.

"desired": {
    "ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration": {
        "highPriorityMessageFrequency": {
            "value": "PT7M"
        },
        "eventPriorityConnectionCreate": {
            "value": "High"
        }
    }
}

5. Click Save .
Using a default value
To use a default property value, remove the property from the configuration object.

Default properties
The following table contains the controllable properties of Azure Security Center for IoT security agents.
Default values are available in the proper schema in GitHub.

| Name | Status | Valid values | Default value | Description |
|---|---|---|---|---|
| highPriorityMessageFrequency | Required: false | Duration in ISO 8601 format | PT7M | Max time interval before high priority messages are sent. |
| lowPriorityMessageFrequency | Required: false | Duration in ISO 8601 format | PT5H | Max time before low-priority messages are sent. |
| snapshotFrequency | Required: false | Duration in ISO 8601 format | PT13H | Time interval for the creation of device status snapshots. |
| maxLocalCacheSizeInBytes | Required: false | A number larger than 8192 | 2560000 | Maximum storage (in bytes) allowed for the message cache of an agent: the maximum amount of space allowed to store messages on the device before messages are sent. |
| maxMessageSizeInBytes | Required: false | A positive number larger than 8192 and less than 262144 | 204800 | Maximum allowed size of an agent-to-cloud message. This setting controls the maximum amount of data sent in each message. |
| eventPriority${EventName} | Required: false | High, Low, Off | Per event (see Supported security events) | Priority of every agent-generated event |

Supported security events

| Event name | Property name | Default value | Snapshot event | Details |
|---|---|---|---|---|
| Diagnostic event | eventPriorityDiagnostic | Off | False | Agent related diagnostic events. Use this event for verbose logging. |
| Configuration error | eventPriorityConfigurationError | Low | False | Agent failed to parse the configuration. Verify the configuration against the schema. |
| Dropped events statistics | eventPriorityDroppedEventsStatistics | Low | True | Agent related event statistics. |
| Connected hardware | eventPriorityConnectedHardware | Low | True | Snapshot of all hardware connected to the device. |
| Listening ports | eventPriorityListeningPorts | High | True | Snapshot of all open listening ports on the device. |
| Process create | eventPriorityProcessCreate | Low | False | Audits process creation on the device. |
| Process terminate | eventPriorityProcessTerminate | Low | False | Audits process termination on the device. |
| System information | eventPrioritySystemInformation | Low | True | A snapshot of system information (for example: OS or CPU). |
| Local users | eventPriorityLocalUsers | High | True | A snapshot of the registered local users within the system. |
| Login | eventPriorityLogin | High | False | Audits the login events to the device (local and remote logins). |
| Connection create | eventPriorityConnectionCreate | Low | False | Audits TCP connections created to and from the device. |
| Firewall configuration | eventPriorityFirewallConfiguration | Low | True | Snapshot of device firewall configuration (firewall rules). |
| OS baseline | eventPriorityOSBaseline | Low | True | Snapshot of device OS baseline check. |
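Since an agent will not launch on a configuration that misses the schema, and a running agent silently keeps its old configuration when the desired section becomes invalid, the two checks in the Configuration validation section above are worth automating: validate the desired values before writing the twin, and diff desired against reported afterwards. The following is an added example, not the agent's own schema checker: it encodes the valid values from the two tables above and compares the two twin sections. The reported section shown is constructed; that reported properties use the same `{"value": ...}` wrapper as the desired section is an assumption, and bare values are accepted as well.

```python
"""Validate desired twin configuration and diff it against reported (added example)."""
import re

CONFIG_KEY = "ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration"
DURATION_RE = re.compile(r"^P(?!$)(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$")   # e.g. PT7M, PT5H
PRIORITIES = {"High", "Low", "Off"}
# Event names from the Supported security events table
EVENT_NAMES = {
    "Diagnostic", "ConfigurationError", "DroppedEventsStatistics", "ConnectedHardware",
    "ListeningPorts", "ProcessCreate", "ProcessTerminate", "SystemInformation",
    "LocalUsers", "Login", "ConnectionCreate", "FirewallConfiguration", "OSBaseline",
}


def _is_int(value):
    return isinstance(value, int) and not isinstance(value, bool)


def _is_duration(value):
    return isinstance(value, str) and bool(DURATION_RE.match(value))


# Valid values from the Default properties table
RULES = {
    "highPriorityMessageFrequency": _is_duration,
    "lowPriorityMessageFrequency": _is_duration,
    "snapshotFrequency": _is_duration,
    "maxLocalCacheSizeInBytes": lambda v: _is_int(v) and v > 8192,
    "maxMessageSizeInBytes": lambda v: _is_int(v) and 8192 < v < 262144,
}

# Desired section from the 'Setting a property' example above
DESIRED = {CONFIG_KEY: {
    "highPriorityMessageFrequency": {"value": "PT7M"},
    "eventPriorityConnectionCreate": {"value": "High"},
}}
# Constructed reported section: the agent kept its default for the event priority
REPORTED = {CONFIG_KEY: {
    "highPriorityMessageFrequency": {"value": "PT7M"},
    "lowPriorityMessageFrequency": {"value": "PT5H"},
    "eventPriorityConnectionCreate": {"value": "Low"},
}}


def _unwrap(prop):
    """Twin properties on this page are written as {"value": ...}; bare values are accepted too."""
    return prop["value"] if isinstance(prop, dict) and "value" in prop else prop


def validate_desired(desired):
    """Problems in the desired section; an empty list means the values fit the tables."""
    problems = []
    for name, prop in desired.get(CONFIG_KEY, {}).items():
        value = _unwrap(prop)
        if name.startswith("eventPriority"):
            if name[len("eventPriority"):] not in EVENT_NAMES:
                problems.append(f"{name}: not a supported security event")
            elif value not in PRIORITIES:
                problems.append(f"{name}: {value!r} is not High, Low or Off")
        elif name in RULES:
            if not RULES[name](value):
                problems.append(f"{name}: {value!r} is outside the valid values")
        else:
            problems.append(f"{name}: unknown property, the agent will not start with it")
    return problems


def config_mismatches(desired, reported):
    """Desired properties the agent did not report back with the same value."""
    wanted = {k: _unwrap(v) for k, v in desired.get(CONFIG_KEY, {}).items()}
    seen = {k: _unwrap(v) for k, v in reported.get(CONFIG_KEY, {}).items()}
    return sorted(k for k, v in wanted.items() if seen.get(k) != v)


if __name__ == "__main__":
    print("desired problems:", validate_desired(DESIRED))
    print("not applied by agent:", config_mismatches(DESIRED, REPORTED))
```

A non-empty result from `config_mismatches` after the agent has had time to reconnect is the condition under which the configuration error alert described in the note above still applies.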

Next steps
Understand Azure Security Center for IoT recommendations
Explore Azure Security Center for IoT alerts
Access raw security data
Send security messages SDK
8/6/2020 • 4 minutes to read • Edit Online

This how-to guide explains the Azure Security Center for IoT service capabilities when you choose to collect and
send your device security messages without using an Azure Security Center for IoT agent, and explains how to do
so.
In this guide, you learn how to:
Send security messages using the Azure IoT C SDK
Send security messages using the Azure IoT C# SDK
Send security messages using the Azure IoT Python SDK
Send security messages using the Azure IoT Node.js SDK
Send security messages using the Azure IoT Java SDK

Azure Security Center for IoT capabilities


Azure Security Center for IoT can process and analyze any kind of security message data as long as the data sent
conforms to the Azure Security Center for IoT schema and the message is set as a security message.

Security message
Azure Security Center for IoT defines a security message using the following criteria:
If the message was sent with Azure IoT SDK
If the message conforms to the security message schema
If the message was set as a security message prior to sending
Each security message includes the metadata of the sender such as AgentId , AgentVersion , MessageSchemaVersion
and a list of security events. The schema defines the valid and required properties of the security message including
the types of events.

NOTE
Messages sent that do not comply with the schema are ignored. Make sure to verify the schema before initiating sending
data as ignored messages are not currently stored.

NOTE
Messages sent that were not set as a security message using the Azure IoT SDK will not be routed to the Azure Security
Center for IoT pipeline.

Valid message example


The example below shows a valid security message object. The example contains the message metadata and one
ProcessCreate security event.

Once set as a security message and sent, this message will be processed by Azure Security Center for IoT.
{
    "AgentVersion": "0.0.1",
    "AgentId": "e89dc5f5-feac-4c3e-87e2-93c16f010c25",
    "MessageSchemaVersion": "1.0",
    "Events": [
        {
            "EventType": "Security",
            "Category": "Triggered",
            "Name": "ProcessCreate",
            "IsEmpty": false,
            "PayloadSchemaVersion": "1.0",
            "Id": "21a2db0b-44fe-42e9-9cff-bbb2d8fdf874",
            "TimestampLocal": "2019-01-27 15:48:52Z",
            "TimestampUTC": "2019-01-27 13:48:52Z",
            "Payload":
            [
                {
                    "Executable": "/usr/bin/myApp",
                    "ProcessId": 11750,
                    "ParentProcessId": 1593,
                    "UserName": "aUser",
                    "CommandLine": "myApp -a -b"
                }
            ]
        }
    ]
}
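Because a message that does not fit the schema is ignored and not stored, a sender that builds its own security messages should check them before handing them to the SDK. The following is an added example, not Microsoft's schema validator: it assembles a ProcessCreate message with the shape of the valid example above and checks the required fields shown there (only the ProcessCreate payload is known from this page, so other event payloads are not checked). The SDK step itself, wrapping the JSON in a Message and calling set_as_security_message(), is the one shown in the Python API section below and is left out here so the example runs offline.

```python
"""Build and check a security message against the shape shown above (added example)."""
import json
import uuid
from datetime import datetime, timezone

REQUIRED_METADATA = ("AgentVersion", "AgentId", "MessageSchemaVersion", "Events")
REQUIRED_EVENT_FIELDS = ("EventType", "Category", "Name", "IsEmpty", "PayloadSchemaVersion",
                         "Id", "TimestampLocal", "TimestampUTC", "Payload")
# Per-event payload fields; only ProcessCreate is shown on this page
PAYLOAD_FIELDS = {
    "ProcessCreate": ("Executable", "ProcessId", "ParentProcessId", "UserName", "CommandLine"),
}
TIMESTAMP = "%Y-%m-%d %H:%M:%SZ"   # format used by the example ("2019-01-27 13:48:52Z")


def build_process_create_message(agent_id, executable, pid, ppid, user, command_line, now=None):
    """Assemble one ProcessCreate security event wrapped in the message metadata."""
    now = now or datetime.now(timezone.utc)
    return {
        "AgentVersion": "0.0.1",
        "AgentId": agent_id,
        "MessageSchemaVersion": "1.0",
        "Events": [{
            "EventType": "Security",
            "Category": "Triggered",
            "Name": "ProcessCreate",
            "IsEmpty": False,
            "PayloadSchemaVersion": "1.0",
            "Id": str(uuid.uuid4()),
            "TimestampLocal": now.astimezone().strftime(TIMESTAMP),
            "TimestampUTC": now.astimezone(timezone.utc).strftime(TIMESTAMP),
            "Payload": [{
                "Executable": executable,
                "ProcessId": pid,
                "ParentProcessId": ppid,
                "UserName": user,
                "CommandLine": command_line,
            }],
        }],
    }


def validate_security_message(message):
    """Return the problems found; a message with problems would be ignored by the service."""
    problems = [f"missing metadata field {f}" for f in REQUIRED_METADATA if f not in message]
    for i, event in enumerate(message.get("Events", [])):
        problems += [f"event {i}: missing {f}" for f in REQUIRED_EVENT_FIELDS if f not in event]
        if event.get("IsEmpty") is False and not event.get("Payload"):
            problems.append(f"event {i}: IsEmpty is false but Payload is empty")
        expected = PAYLOAD_FIELDS.get(event.get("Name"), ())
        for j, entry in enumerate(event.get("Payload") or []):
            problems += [f"event {i} payload {j}: missing {f}" for f in expected if f not in entry]
    return problems


def to_payload(message):
    """Serialize for Message(...) in the SDK, refusing anything the service would ignore."""
    problems = validate_security_message(message)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps(message)


if __name__ == "__main__":
    # Constructed values mirroring the example above, not a real process
    msg = build_process_create_message("e89dc5f5-feac-4c3e-87e2-93c16f010c25",
                                       "/usr/bin/myApp", 11750, 1593, "aUser", "myApp -a -b")
    print(to_payload(msg))
```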

Send security messages


Send security messages without using the Azure Security Center for IoT agent, by using the Azure IoT C device SDK,
Azure IoT C# device SDK, Azure IoT Node.js SDK, Azure IoT Python SDK, or Azure IoT Java SDK.
To send the device data from your devices for processing by Azure Security Center for IoT, use one of the following
APIs to mark messages for correct routing to the Azure Security Center for IoT processing pipeline.
All data that is sent, even if marked with the correct header, must also comply with the Azure Security Center for IoT
message schema.
Send security message API
The Send security messages API is currently available in C, C#, Python, Node.js, and Java.
C API

#include <stdbool.h>
#include <stddef.h>
#include "iothub_message.h"
#include "iothub_module_client.h"

/* IoTHubAdapter is not defined on this page; assumed here to be the caller's
   wrapper that holds the module client handle. */
typedef struct {
    IOTHUB_MODULE_CLIENT_HANDLE moduleHandle;
} IoTHubAdapter;

static void SendConfirmCallback(IOTHUB_CLIENT_CONFIRMATION_RESULT result, void* userContextCallback);

bool SendMessageAsync(IoTHubAdapter* iotHubAdapter, const void* data, size_t dataSize) {
    bool success = true;
    IOTHUB_MESSAGE_HANDLE messageHandle = NULL;

    /* Wrap the serialized security message in an IoT Hub message */
    messageHandle = IoTHubMessage_CreateFromByteArray(data, dataSize);
    if (messageHandle == NULL) {
        success = false;
        goto cleanup;
    }

    /* Flag the message so IoT Hub routes it to the Azure Security Center for IoT pipeline */
    if (IoTHubMessage_SetAsSecurityMessage(messageHandle) != IOTHUB_MESSAGE_OK) {
        success = false;
        goto cleanup;
    }

    if (IoTHubModuleClient_SendEventAsync(iotHubAdapter->moduleHandle, messageHandle,
                                          SendConfirmCallback, iotHubAdapter) != IOTHUB_CLIENT_OK) {
        success = false;
        goto cleanup;
    }

cleanup:
    /* Release the local handle on every path */
    if (messageHandle != NULL) {
        IoTHubMessage_Destroy(messageHandle);
    }

    return success;
}

static void SendConfirmCallback(IOTHUB_CLIENT_CONFIRMATION_RESULT result, void* userContextCallback) {
    if (userContextCallback == NULL) {
        //error handling
        return;
    }

    if (result != IOTHUB_CLIENT_CONFIRMATION_OK) {
        //error handling
    }
}

C# API

using System.Text;
using System.Threading.Tasks;
using Microsoft.Azure.Devices.Client;

private static async Task SendSecurityMessageAsync(string messageContent)
{
    // Replace <connection_string> with the module's connection string
    ModuleClient client = ModuleClient.CreateFromConnectionString("<connection_string>");
    Message securityMessage = new Message(Encoding.UTF8.GetBytes(messageContent));
    // Flag the message so IoT Hub routes it to the Azure Security Center for IoT pipeline
    securityMessage.SetAsSecurityMessage();
    await client.SendEventAsync(securityMessage);
}

Node.js API

var Protocol = require('azure-iot-device-mqtt').Mqtt;
var Client = require('azure-iot-device').Client;
var Message = require('azure-iot-device').Message;
// The page does not say where the connection string comes from; an environment variable is assumed here
var connectionString = process.env.DEVICE_CONNECTION_STRING;

function SendSecurityMessage(messageContent)
{
    var client = Client.fromConnectionString(connectionString, Protocol);

    var connectCallback = function (err) {
        if (err) {
            console.error('Could not connect: ' + err.message);
        } else {
            var message = new Message(messageContent);
            // Flag the message so IoT Hub routes it to the Azure Security Center for IoT pipeline
            message.setAsSecurityMessage();
            client.sendEvent(message);

            client.on('error', function (err) {
                console.error(err.message);
            });

            client.on('disconnect', function () {
                client.removeAllListeners();
                client.open(connectCallback);
            });
        }
    };

    client.open(connectCallback);
}

Python API
To use the Python API you need to install the package azure-iot-device.
When using the Python API, you can either send the security message through the module or through the device
using the unique device or module connection string. When using the following Python script example, with a
device, use IoTHubDeviceClient , and with a module, use IoTHubModuleClient .

import os
from azure.iot.device.aio import IoTHubDeviceClient, IoTHubModuleClient
from azure.iot.device import Message

async def send_security_message_async(message_content):
    # Read the device (or module) connection string from the environment variable named here
    conn_str = os.getenv("<connection_string>")
    device_client = IoTHubDeviceClient.create_from_connection_string(conn_str)
    await device_client.connect()
    security_message = Message(message_content)
    # Flag the message so IoT Hub routes it to the Azure Security Center for IoT pipeline
    security_message.set_as_security_message()
    await device_client.send_message(security_message)
    await device_client.disconnect()

Java API

import com.microsoft.azure.sdk.iot.device.*;

// EventCallback is not defined on this page; assumed to be the caller's IotHubEventCallback implementation
class EventCallback implements IotHubEventCallback
{
    public void execute(IotHubStatusCode status, Object context) { System.out.println("Send status: " + status.name()); }
}

public void SendSecurityMessage(String message) throws Exception
{
    ModuleClient client = new ModuleClient("<connection_string>", IotHubClientProtocol.MQTT);
    Message msg = new Message(message);
    // Flag the message so IoT Hub routes it to the Azure Security Center for IoT pipeline
    msg.setAsSecurityMessage();
    EventCallback callback = new EventCallback();
    String context = "<user_context>";
    client.sendEventAsync(msg, callback, context);
}

Next steps
Read the Azure Security Center for IoT service Overview
Learn more about Azure Security Center for IoT Architecture
Enable the service
Read the FAQ
Learn how to access raw security data
Understand recommendations
Understand alerts
Access your security data
4/14/2020 • 3 minutes to read • Edit Online

Azure Security Center for IoT stores security alerts, recommendations, and raw security data (if you choose to
save it) in your Log Analytics workspace.

Log Analytics
To configure which Log Analytics workspace is used:
1. Open your IoT hub.
2. Click the Overview blade under the Security section.
3. Click Settings, and change your Log Analytics workspace configuration.
To access your alerts and recommendations in your Log Analytics workspace after configuration:
1. Choose an alert or recommendation in Azure Security Center for IoT.
2. Click Further investigation, then click To see which devices have this alert click here and view the
DeviceId column.
For details on querying data from Log Analytics, see Get started with queries in Log Analytics.

Security alerts
Security alerts are stored in the AzureSecurityOfThings.SecurityAlert table in the Log Analytics workspace
configured for the Azure Security Center for IoT solution.
We've provided a number of useful queries to help you get started exploring security alerts.
Sample records
Select a few random records

// Select a few random records
//
SecurityAlert
| project
    TimeGenerated,
    IoTHubId=ResourceId,
    DeviceId=tostring(parse_json(ExtendedProperties)["DeviceId"]),
    AlertSeverity,
    DisplayName,
    Description,
    ExtendedProperties
| take 3

| TimeGenerated | IoTHubId | DeviceId | AlertSeverity | DisplayName | Description | ExtendedProperties |
|---|---|---|---|---|---|---|
| 2018-11-18T18:10:29.000 | /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | High | Brute force attack succeeded | A Brute force attack on the device was Successful | { "Full Source Address": "["10.165.12.18:"]", "User Names": "[""]", "DeviceId": "IoT-Device-Linux" } |
| 2018-11-19T12:40:31.000 | /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | High | Successful local login on device | A successful local login to the device was detected | { "Remote Address": "?", "Remote Port": "", "Local Port": "", "Login Shell": "/bin/su", "Login Process Id": "28207", "User Name": "attacker", "DeviceId": "IoT-Device-Linux" } |
| 2018-11-19T12:40:31.000 | /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | High | Failed local login attempt on device | A failed local login attempt to the device was detected | { "Remote Address": "?", "Remote Port": "", "Local Port": "", "Login Shell": "/bin/su", "Login Process Id": "22644", "User Name": "attacker", "DeviceId": "IoT-Device-Linux" } |

Device summary
Get the number of distinct security alerts detected in the last week, grouped by IoT Hub, device, alert severity,
alert type.

// Get the number of distinct security alerts detected in the last week, grouped by
// IoT hub, device, alert severity, alert type
//
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize Cnt=dcount(SystemAlertId) by
IoTHubId=ResourceId,
DeviceId=tostring(parse_json(ExtendedProperties)["DeviceId"]),
AlertSeverity,
DisplayName

| IoTHubId | DeviceId | AlertSeverity | DisplayName | Count |
|---|---|---|---|---|
| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | High | Brute force attack succeeded | 9 |
| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | Medium | Failed local login attempt on device | 242 |
| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | High | Successful local login on device | 31 |
| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | Medium | Crypto Coin Miner | 4 |

IoT hub summary


Select a number of distinct devices that had alerts in the last week, by IoT Hub, alert severity, alert type

// Select number of distinct devices which had alerts in the last week, by
// IoT hub, alert severity, alert type
//
SecurityAlert
| where TimeGenerated > ago(7d)
| extend DeviceId=tostring(parse_json(ExtendedProperties)["DeviceId"])
| summarize CntDevices=dcount(DeviceId) by
IoTHubId=ResourceId,
AlertSeverity,
DisplayName

| IoTHubId | AlertSeverity | DisplayName | CntDevices |
|---|---|---|---|
| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | High | Brute force attack succeeded | 1 |
| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | Medium | Failed local login attempt on device | 1 |
| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | High | Successful local login on device | 1 |
| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | Medium | Crypto Coin Miner | 1 |

Security recommendations
Security recommendations are stored in the AzureSecurityOfThings.SecurityRecommendation table in the Log
Analytics workspace configured for the Azure Security Center for IoT solution.
We've provided a number of useful queries to help you get started exploring security recommendations.
Sample records
Select a few random records

// Select a few random records
//
SecurityRecommendation
| project
    TimeGenerated,
    IoTHubId=AssessedResourceId,
    DeviceId,
    RecommendationSeverity,
    RecommendationState,
    RecommendationDisplayName,
    Description,
    RecommendationAdditionalData
| take 2

| TimeGenerated | IoTHubId | DeviceId | RecommendationSeverity | RecommendationState | RecommendationDisplayName | Description | RecommendationAdditionalData |
|---|---|---|---|---|---|---|---|
| 2019-03-22T10:21:06.060 | /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | Medium | Active | Permissive firewall rule in the input chain was found | A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports | {"Rules":"[{"SourceAddress":"","SourcePort":"","DestinationAddress":"","DestinationPort":"1337"}]"} |
| 2019-03-22T10:50:27.237 | /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | Medium | Active | Permissive firewall rule in the input chain was found | A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports | {"Rules":"[{"SourceAddress":"","SourcePort":"","DestinationAddress":"","DestinationPort":"1337"}]"} |

Device summary
Get the number of distinct active security recommendations, grouped by IoT Hub, device, recommendation
severity, and type.

// Get the number of distinct active security recommendations, grouped by
// IoT hub, device, recommendation severity and type
//
SecurityRecommendation
| extend IoTHubId=AssessedResourceId
| summarize CurrentState=arg_max(RecommendationState, DiscoveredTimeUTC) by IoTHubId, DeviceId,
    RecommendationSeverity, RecommendationDisplayName
| where CurrentState == "Active"
| summarize Cnt=count() by IoTHubId, DeviceId, RecommendationSeverity

| IoTHubId | DeviceId | RecommendationSeverity | Count |
|---|---|---|---|
| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | High | 2 |
| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | Medium | 1 |
| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | High | 1 |
| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | Medium | 4 |
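The device summary query above only counts a recommendation if its most recently discovered state is Active. The following added example (not from the Azure docs) reproduces that two-step summarize on constructed SecurityRecommendation rows, so you can check offline why the arg_max step matters; the hub id and the "Open Ports on device" title are placeholders.

```python
"""Offline check of the 'Device summary' query (added example, not from the
Azure docs). Keeps only the most recently discovered state of each
(hub, device, severity, recommendation) and counts the ones still Active.
"""
from collections import Counter
from datetime import datetime

# Constructed sample rows; the hub id is the same placeholder the docs use.
HUB = ("/subscriptions/<subscription_id>/resourceGroups/<resource_group>"
       "/providers/Microsoft.Devices/IotHubs/<iot_hub>")
FIREWALL = "Permissive firewall rule in the input chain was found"
PORTS = "Open Ports on device"  # constructed title, not a real recommendation name


def rec(device, severity, name, state, discovered):
    """One constructed SecurityRecommendation row."""
    return {"AssessedResourceId": HUB, "DeviceId": device,
            "RecommendationSeverity": severity, "RecommendationDisplayName": name,
            "RecommendationState": state, "DiscoveredTimeUTC": discovered}


SAMPLE_RECOMMENDATIONS = [
    rec("device-a", "Medium", FIREWALL, "Active", "2019-03-22T10:21:06Z"),
    rec("device-a", "Medium", FIREWALL, "Inactive", "2019-03-22T10:50:27Z"),  # later row: no longer Active (constructed state)
    rec("device-a", "High", PORTS, "Active", "2019-03-22T10:21:06Z"),
    rec("device-b", "High", PORTS, "Active", "2019-03-22T09:00:00Z"),
    rec("device-b", "High", FIREWALL, "Active", "2019-03-22T09:00:00Z"),
    rec("device-b", "High", FIREWALL, "Active", "2019-03-22T11:00:00Z"),  # same recommendation re-reported
]


def latest_state(rows):
    """First summarize: the state carried by the latest DiscoveredTimeUTC per recommendation key."""
    latest = {}
    for r in rows:
        key = (r["AssessedResourceId"], r["DeviceId"],
               r["RecommendationSeverity"], r["RecommendationDisplayName"])
        ts = datetime.fromisoformat(r["DiscoveredTimeUTC"].replace("Z", "+00:00"))
        if key not in latest or ts > latest[key][0]:
            latest[key] = (ts, r["RecommendationState"])
    return {key: state for key, (_ts, state) in latest.items()}


def active_recommendation_counts(rows):
    """Second summarize: distinct Active recommendations by hub, device and severity."""
    counts = Counter()
    for (hub, device, severity, _name), state in latest_state(rows).items():
        if state == "Active":
            counts[(hub, device, severity)] += 1
    return dict(counts)


def naive_counts(rows):
    """What you get without the arg_max step: resolved and duplicated rows are counted too."""
    return dict(Counter((r["AssessedResourceId"], r["DeviceId"], r["RecommendationSeverity"])
                        for r in rows if r["RecommendationState"] == "Active"))
```

With the sample rows, the naive count reports three High findings for device-b and a Medium one for device-a, while the deduplicated count reports two and none.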

Next steps
Read the Azure Security Center for IoT Overview
Learn about Azure Security Center for IoT Architecture
Understand and explore Azure Security Center for IoT alerts
Understand and explore Azure Security Center for IoT recommendation
Investigate a suspicious IoT device
4/14/2020 • 3 minutes to read

Azure Security Center for IoT service alerts provide clear indications when IoT devices are suspected of
involvement in suspicious activities or when indications exist that a device is compromised.
In this guide, use the investigation suggestions provided to help determine the potential risks to your
organization, decide how to remediate, and discover the best ways to prevent similar attacks in the future.
Find your device data
Investigate using KQL queries

How can I access my data?


By default, Azure Security Center for IoT stores your security alerts and recommendations in your Log Analytics
workspace. You can also choose to store your raw security data.
To locate your Log Analytics workspace for data storage:
1. Open your IoT hub.
2. Under Security, click Overview, and then select Settings.
3. Change your Log Analytics workspace configuration details.
4. Click Save.
Following configuration, do the following to access data stored in your Log Analytics workspace:
1. Select and click on an Azure Security Center for IoT alert in your IoT Hub.
2. Click Further investigation.
3. Select To see which devices have this alert click here and view the DeviceId column.

Investigation steps for suspicious IoT devices


To view insights and raw data about your IoT devices, go to your Log Analytics workspace to access your data.
See the sample KQL queries below to get started with investigating alerts and activities on your device.
Related alerts
To find out if other alerts were triggered around the same time, use the following KQL query:

let device = "YOUR_DEVICE_ID";
let hub = "YOUR_HUB_NAME";
SecurityAlert
| where ExtendedProperties contains device and ResourceId contains tolower(hub)
| project TimeGenerated, AlertName, AlertSeverity, Description, ExtendedProperties

Users with access


To find out which users have access to this device, use the following KQL query:
let device = "YOUR_DEVICE_ID";
let hub = "YOUR_HUB_NAME";
SecurityIoTRawEvent
| where
DeviceId == device and AssociatedResourceId contains tolower(hub)
and RawEventName == "LocalUsers"
| project
TimestampLocal=extractjson("$.TimestampLocal", EventDetails, typeof(datetime)),
GroupNames=extractjson("$.GroupNames", EventDetails, typeof(string)),
UserName=extractjson("$.UserName", EventDetails, typeof(string))
| summarize FirstObserved=min(TimestampLocal) by GroupNames, UserName

Use this data to discover:


Which users have access to the device?
Do the users with access have the expected permission levels?
Open ports
To find out which ports on the device are currently in use or were used, use the following KQL query:

let device = "YOUR_DEVICE_ID";
let hub = "YOUR_HUB_NAME";
SecurityIoTRawEvent
| where
    DeviceId == device and AssociatedResourceId contains tolower(hub)
    and RawEventName == "ListeningPorts"
    and extractjson("$.LocalPort", EventDetails, typeof(int)) <= 1024 // avoid short-lived (ephemeral) TCP ports
| project
    TimestampLocal=extractjson("$.TimestampLocal", EventDetails, typeof(datetime)),
    Protocol=extractjson("$.Protocol", EventDetails, typeof(string)),
    LocalAddress=extractjson("$.LocalAddress", EventDetails, typeof(string)),
    LocalPort=extractjson("$.LocalPort", EventDetails, typeof(int)),
    RemoteAddress=extractjson("$.RemoteAddress", EventDetails, typeof(string)),
    RemotePort=extractjson("$.RemotePort", EventDetails, typeof(string))
| summarize MinObservedTime=min(TimestampLocal), MaxObservedTime=max(TimestampLocal),
    AllowedRemoteIPAddress=makeset(RemoteAddress), AllowedRemotePort=makeset(RemotePort) by Protocol, LocalPort

Use this data to discover:


Which listening sockets are currently active on the device?
Should the listening sockets that are currently active be allowed?
Are there any suspicious remote addresses connected to the device?
User logins
To find users that logged into the device, use the following KQL query:
let device = "YOUR_DEVICE_ID";
let hub = "YOUR_HUB_NAME";
SecurityIoTRawEvent
| where
DeviceId == device and AssociatedResourceId contains tolower(hub)
and RawEventName == "Login"
// filter out local, invalid and failed logins
and EventDetails contains "RemoteAddress"
and EventDetails !contains '"RemoteAddress":"127.0.0.1"'
and EventDetails !contains '"UserName":"(invalid user)"'
and EventDetails !contains '"UserName":"(unknown user)"'
//and EventDetails !contains '"Result":"Fail"'
| project
TimestampLocal=extractjson("$.TimestampLocal", EventDetails, typeof(datetime)),
UserName=extractjson("$.UserName", EventDetails, typeof(string)),
LoginHandler=extractjson("$.Executable", EventDetails, typeof(string)),
RemoteAddress=extractjson("$.RemoteAddress", EventDetails, typeof(string)),
Result=extractjson("$.Result", EventDetails, typeof(string))
| summarize CntLoginAttempts=count(), MinObservedTime=min(TimestampLocal),
MaxObservedTime=max(TimestampLocal), CntIPAddress=dcount(RemoteAddress), IPAddress=makeset(RemoteAddress) by
UserName, Result, LoginHandler

Use the query results to discover:


Which users logged in to the device?
Are the users that logged in supposed to log in?
Did the users that logged in connect from expected or unexpected IP addresses?
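The Open ports and User logins queries above share one pattern: filter SecurityIoTRawEvent to a device, hub and RawEventName, pull fields out of the EventDetails JSON, then summarize. The following added example (not from the Azure docs) applies the same steps to constructed raw events, so the exclusions (ephemeral ports, local and invalid logins) can be checked offline; the device id, hub name and event data are placeholders.

```python
"""Offline equivalent of the 'Open ports' and 'User logins' queries (added
example, not from the Azure docs). SecurityIoTRawEvent rows are modelled as
dicts whose EventDetails holds the agent's JSON string.
"""
import json
from collections import defaultdict

DEVICE = "YOUR_DEVICE_ID"   # placeholders, as in the queries above
HUB = "YOUR_HUB_NAME"
RESOURCE_ID = ("/subscriptions/<subscription_id>/resourcegroups/<resource_group>"
               "/providers/microsoft.devices/iothubs/" + HUB.lower())

def raw_event(name, details, device=DEVICE):
    """One constructed SecurityIoTRawEvent row."""
    return {"DeviceId": device, "AssociatedResourceId": RESOURCE_ID,
            "RawEventName": name, "EventDetails": json.dumps(details)}

def port(ts, local_port, remote, remote_port):
    return {"TimestampLocal": ts, "Protocol": "tcp", "LocalAddress": "0.0.0.0",
            "LocalPort": local_port, "RemoteAddress": remote, "RemotePort": remote_port}

def login(ts, user, remote, result):
    return {"TimestampLocal": ts, "UserName": user, "Executable": "sshd",
            "RemoteAddress": remote, "Result": result}

SAMPLE_EVENTS = [  # constructed; addresses come from the documentation ranges
    raw_event("ListeningPorts", port("2019-03-22T10:21:06", 22, "203.0.113.7", "51522")),
    raw_event("ListeningPorts", port("2019-03-22T10:50:27", 22, "198.51.100.4", "40022")),
    raw_event("ListeningPorts", port("2019-03-22T10:50:27", 41234, "203.0.113.7", "443")),  # ephemeral
    raw_event("Login", login("2019-03-22T10:21:10", "pi", "203.0.113.7", "Success")),
    raw_event("Login", login("2019-03-22T10:52:00", "pi", "198.51.100.4", "Fail")),
    raw_event("Login", login("2019-03-22T10:53:00", "root", "127.0.0.1", "Success")),  # local
    raw_event("Login", login("2019-03-22T10:54:00", "(invalid user)", "192.0.2.9", "Fail")),
    raw_event("Login", login("2019-03-22T10:55:00", "pi", "192.0.2.9", "Success"), device="other-device"),
]

def device_events(events, raw_event_name, device=DEVICE, hub=HUB):
    """The shared 'where' clause of the queries, with EventDetails parsed."""
    for e in events:
        if (e["DeviceId"] == device and hub.lower() in e["AssociatedResourceId"]
                and e["RawEventName"] == raw_event_name):
            yield json.loads(e["EventDetails"])

def listening_ports(events, max_port=1024):
    """Open ports summary: well-known ports only, peers collected per (Protocol, LocalPort)."""
    rows = defaultdict(lambda: {"Times": [], "AllowedRemoteIPAddress": set(), "AllowedRemotePort": set()})
    for d in device_events(events, "ListeningPorts"):
        if int(d["LocalPort"]) > max_port:  # skip ephemeral client ports, as the query does
            continue
        row = rows[(d["Protocol"], int(d["LocalPort"]))]
        row["Times"].append(d["TimestampLocal"])
        row["AllowedRemoteIPAddress"].add(d["RemoteAddress"])
        row["AllowedRemotePort"].add(str(d["RemotePort"]))
    return {k: {"MinObservedTime": min(v["Times"]), "MaxObservedTime": max(v["Times"]),
                "AllowedRemoteIPAddress": v["AllowedRemoteIPAddress"],
                "AllowedRemotePort": v["AllowedRemotePort"]} for k, v in rows.items()}

def user_logins(events):
    """User logins summary with the query's exclusions: local, invalid and unknown users."""
    skipped = {"(invalid user)", "(unknown user)"}
    rows = defaultdict(lambda: {"CntLoginAttempts": 0, "IPAddress": set()})
    for d in device_events(events, "Login"):
        if "RemoteAddress" not in d or d["RemoteAddress"] == "127.0.0.1" or d["UserName"] in skipped:
            continue
        row = rows[(d["UserName"], d["Result"], d["Executable"])]
        row["CntLoginAttempts"] += 1
        row["IPAddress"].add(d["RemoteAddress"])
    return {k: dict(v, CntIPAddress=len(v["IPAddress"])) for k, v in rows.items()}
```

Swap SAMPLE_EVENTS for rows exported from your workspace (same column names) to run the same checks on real data.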
Process list
To find out if the process list is as expected, use the following KQL query:

let device = "YOUR_DEVICE_ID";
let hub = "YOUR_HUB_NAME";
SecurityIoTRawEvent
| where
DeviceId == device and AssociatedResourceId contains tolower(hub)
and RawEventName == "ProcessCreate"
| project
TimestampLocal=extractjson("$.TimestampLocal", EventDetails, typeof(datetime)),
Executable=extractjson("$.Executable", EventDetails, typeof(string)),
UserId=extractjson("$.UserId", EventDetails, typeof(string)),
CommandLine=extractjson("$.CommandLine", EventDetails, typeof(string))
| join kind=leftouter (
    // look up the UserName for each UserId
SecurityIoTRawEvent
| where
DeviceId == device and AssociatedResourceId contains tolower(hub)
and RawEventName == "LocalUsers"
| project
UserId=extractjson("$.UserId", EventDetails, typeof(string)),
UserName=extractjson("$.UserName", EventDetails, typeof(string))
| distinct UserId, UserName
) on UserId
| extend UserIdName = strcat("Id:", UserId, ", Name:", UserName)
| summarize CntExecutions=count(), MinObservedTime=min(TimestampLocal), MaxObservedTime=max(TimestampLocal),
ExecutingUsers=makeset(UserIdName), ExecutionCommandLines=makeset(CommandLine) by Executable

Use the query results to discover:


Were there any suspicious processes running on the device?
Were processes executed by appropriate users?
Did any command line executions contain the correct and expected arguments?
Next steps
After investigating a device, and gaining a better understanding of your risks, you may want to consider
Configuring custom alerts to improve your IoT solution security posture. If you don't already have a device agent,
consider Deploying a security agent or changing the configuration of an existing device agent to improve your
results.
Connect your data from Azure Security Center for IoT to Azure Sentinel (preview)
4/14/2020 • 2 minutes to read

IMPORTANT
The Azure Security Center for IoT data connector in Azure Sentinel is currently in public preview. This feature is provided
without a service level agreement, and it's not recommended for production workloads. Certain features might not be
supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure
Previews.

In this guide, learn how to connect your Azure Security Center for IoT data to Azure Sentinel.
Prerequisites
Connection settings
Log Analytics alert view
Connect alerts from Azure Security Center for IoT and stream them directly into Azure Sentinel.

Prerequisites
You must have Workspace read and write permissions.
Azure Security Center for IoT must be enabled on your relevant IoT Hub(s).
You must have both read and write permissions on the Azure IoT Hub you wish to connect.
You must also have read and write permissions on the Azure IoT Hub resource group.

NOTE
You must have the Azure Security Center Standard tier licensing running on your subscription to send general Azure resource
alerts. With the free tier licensing required for Azure Security Center for IoT, only Azure Security Center for IoT related alerts
will be forwarded to Azure Sentinel.

Connect to Azure Security Center for IoT


1. In Azure Sentinel, select Data connectors and then click the Azure Security Center for IoT tile.
2. From the bottom of the right pane, click Open connector page.
3. Click Connect, next to each IoT Hub subscription whose alerts and device alerts you want to stream into Azure
Sentinel.
If Azure Security Center for IoT isn't enabled on that Hub, you'll see an Enable warning message. Click the
Enable link to start and enable the service.
4. You can decide whether you want the alerts from Azure Security Center for IoT to automatically generate
incidents in Azure Sentinel. Under Create incidents, select Enable to enable the rule to automatically create
incidents from the generated alerts. This rule can be changed or edited under Analytics > Active rules.
NOTE
It can take 10 seconds or more to refresh the hub list after making connection changes.

Log Analytics alert display


To use the relevant schema in Log Analytics to display the Azure Security Center for IoT alerts:
1. Open Logs > SecurityInsights > SecurityAlert, or search for SecurityAlert.
2. Filter to see only Azure Security Center for IoT generated alerts using the following KQL filter:

SecurityAlert | where ProductName == "Azure Security Center for IoT"

Service notes
After connecting an IoT Hub, the hub data is available in Azure Sentinel approximately 15 minutes later.

Next steps
In this document, you learned how to connect Azure Security Center for IoT to Azure Sentinel. To learn more about
threat detection and security data access, see the following articles:
Learn how to use Azure Sentinel to get visibility into your data, and potential threats.
Learn how to Access your IoT security data
Customize your Azure Security Center for IoT solution
4/14/2020 • 2 minutes to read

In this guide, learn how to customize different settings in Azure Security Center for IoT.
Configure solution recommendations
Change settings

Change settings
Manage your Azure Security Center for IoT settings from the Settings section of the security Overview blade of your
IoT Hub. To configure your Azure Security Center for IoT settings, do the following:
1. Open your IoT Hub in Azure portal.
2. From the left menu under Security, select and open Overview.
3. Under Settings, select the solution setting you'd like to change.
4. Remember to always click Save at the top of any setting screen to save your setting changes.

Configure solution recommendations


To configure your Azure Security Center for IoT solution recommendations, do the following:
1. Open your IoT Hub in Azure portal.
2. Select and open Overview under Security in the left menu.
3. Under Settings, select Recommended Configuration from the left menu.
4. Disable/enable the solution recommendations relevant for your organization and workflows.
5. Select Save at the top of the screen to save your selections.

Next steps
Azure Security Center for IoT service Overview
Learn how to Access your security data
Learn more about Investigating a device
Azure Security Center for IoT frequently asked questions
5/3/2020 • 6 minutes to read

This article provides a list of frequently asked questions and answers about Azure Security Center for IoT.

Does Azure provide support for IoT security?


Azure provides an integrated view for monitoring and managing your IoT security as part of your overall
security solution through Azure Security Center. If you are an application developer, you can use IoT Hub view to
manage your IoT application security.

What is Azure's unique value proposition for IoT security?


Azure Security Center for IoT enables enterprises to extend their existing cyber security view to their entire IoT
solution. Azure provides an end-to-end view of your business solution, enabling you to take business-related
actions and decisions based on your enterprise security posture and collected data. Combined security using
Azure IoT, Azure IoT Edge, and Azure Security Center enables you to create the solution you want with the
security you need.

Who is Azure Security Center for IoT made for?


Azure Security Center for IoT is integrated within Azure IoT Hub Security and provides management for the day
to day business solution security operations. Azure Security Center for IoT is also integrated into Azure Security
Center capabilities and provides an integrated view for monitoring and managing your IoT security as part of
your overall security solution.

How does Azure Security Center for IoT compare to the competition?
While other solutions provide a set of capabilities that allow customers to create their own solutions, Azure
Security Center for IoT provides a unique end-to-end IoT security solution that provides a wide view across the
security of all of your related Azure resources. Azure enables fast deployment and full integration with IoT Hub
module twins for easy integration with existing device management tools.

Do I have to be an Azure Security Center customer to use this service?
No, but it is recommended. Without Azure Security Center, Azure Security Center for IoT receives limited
connected resource data and provides a limited analysis of your potential attack surface, threats, and potential
attacks.

Do I have to be an Azure IoT customer?


Yes. Azure Security Center for IoT relies on Azure IoT connectivity and infrastructure.

Do I have to install an agent?


Agent installation on your IoT devices isn't mandatory in order to enable the Microsoft Azure Security Center
for IoT. You can choose between the following three options, gaining different levels of security monitoring and
management capabilities according to your selection:
1. Install the Azure Security Center for IoT security agent with or without modifications. This option
provides the highest level of enhanced security insights into device behavior and access.
2. Create your own agent and implement Microsoft Azure Security Center for IoT security message schema.
This option enables usage of Microsoft Azure Security Center for IoT analysis tools on top of your device
security agent.
3. No security agent installation on your IoT devices. This option enables IoT Hub communication
monitoring, with reduced security monitoring and management capabilities.

What does the Azure Security Center for IoT agent do?
Azure Security Center for IoT agent provides device level threat coverage for device configuration, behavior, and
access (by scanning the configuration), process & connectivity. The Azure Security Center for IoT security agent
does not scan business-related data or activity.

Where can I get the Azure Security Center for IoT security agent?
The Azure Security Center for IoT security agent is open source and available on GitHub in 32-bit and 64-bit
Windows and Linux versions: https://github.com/Azure/Azure-IoT-Security.

Where does the Azure Security Center for IoT agent get installed?
Detailed installation and agent deployment information can be found in GitHub:
https://github.com/Azure/Azure-IoT-Security.

What are the dependencies and prerequisites of the agent?


Azure Security Center for IoT supports a wide variety of platforms. See Supported Device platforms to verify
support for your specific devices.

Which data is collected by the agent?


Connectivity, access, firewall configuration, process list & OS baseline are collected by the agent.

How much data will the agent generate?


Agent data generation is driven by device, application, connectivity type, and customer agent configuration. Due
to the high variability between devices and IoT solutions, we recommend first deploying the agent in a lab or
test setting to observe, learn, and set the specific configuration that fits your needs, while measuring the
amount of generated data. After starting the service, the Azure Security Center for IoT agent provides
operational recommendations for optimizing agent throughput to help you with the configuration and
customization process.

How can I control my billing?


Azure Security Center for IoT provides configurable agent scans, data buffers, and the ability to create custom
alerts that increase or reduce the amount of data generated by the agent.

Do agent messages use up quota from IoT Hub?


Yes. Agent transmitted data is counted in your IoT Hub quota.
What next? I've installed an agent and don't see any activities or logs...
1. Check that the agent type fits the designated OS platform of your device.
2. Confirm the agent is running on the device.
3. Check that the service was enabled successfully under Security in your IoT Hub.
4. Check that the device is configured in IoT Hub with the Azure Security Center for IoT module.
If the activities or logs are still unavailable, contact your Azure Security Center for IoT partner for additional
help.

What happens when the internet connection stops working?


The agent continues to run and store data as long as the device is running. Data is stored in the security
message cache according to size configuration. When the device regains connectivity, security messages
resume sending.

If the device is restarted, will the security agent self-recover?


The security agent is designed to rerun automatically with each device restart.

Can the agent affect the performance of the device or other installed software?
The agent consumes machine resources as any other application/process and should not disrupt normal device
activity. Resource consumption on the device the agent runs on is coupled with its setup and configuration. We
recommend testing your agent configuration in a contained environment, along with interoperability with your
other IoT applications and functionality, before attempting to deploy in a production environment.

I'm doing some maintenance on the device. Can I turn off the agent?
The agent cannot be turned off.

Is there a way to test if the agent is working correctly?


If the agent stops communicating or fails to send security messages, a Device is silent alert is generated.

Can I create my own alerts?


Yes. You can set a customized alert on a pre-determined set of behaviors such as IP address and open ports. See
Create custom alerts to learn more about custom alerts and how to make them.

Where can I see logs? Can I customize logs?


View alerts and recommendations using your connected Log Analytics workspace. Configure storage
size and duration in the workspace.
Raw data from your security agent can also be stored in your Log Analytics account. Consider size,
duration, storage requirements, and associated costs before changing the configuration of this option.
Why should I add Azure Security Center for IoT to the module identity? What is it used for?
The Azure Security Center for IoT module is used for agent configuration and management.

Next steps
To learn more about how to get started with Azure Security Center for IoT, see the following articles:
Read the Azure Security Center for IoT overview
Verify the Service prerequisites
Learn more about how to Get started
Understand Azure Security Center for IoT security alerts
