Unify security management and enable end-to-end threat detection and analysis across hybrid cloud workloads
and your Azure IoT solution.
Secure your entire IoT solution from IoT devices to Azure cloud
Choose from our seamless agentless solution or take advantage of agent-based comprehensive security. Azure
Security Center for IoT provides threat prevention and analysis for every device, IoT Edge, and IoT Hub across
your IoT assets.
As billions of new devices are connected to the internet and integrated into our daily lives and our businesses,
your security operations teams must ensure their security strategies evolve quickly enough to cover each new
attack surface. Like any other system, an IoT solution needs protection at every stage of implementation to be
secured comprehensively.
Azure Security Center for IoT simplifies hybrid workload protection by delivering unified visibility and control,
adaptive threat prevention, and intelligent threat detection and response across workloads running on edge,
on-premises, in Azure, and in other clouds.
Next steps
In this overview, you learned about the features and services of Azure Security Center for IoT. To learn more about
Azure Security Center for IoT architecture and prerequisites, and to learn how to get started, see the following articles:
Architecture
Service prerequisites
Getting started
Define your solution
Azure Security Center for IoT FAQ
Azure Security Center for IoT alerts
Azure Security Center for IoT architecture
4/14/2020 • 2 minutes to read
This article explains the functional system architecture of the Azure Security Center for IoT solution.
Device agents and other applications use the Azure send security message SDK to send security information
into Azure IoT Hub. IoT Hub picks up this information and forwards it to the Azure Security Center for IoT service.
Once the Azure Security Center for IoT service is enabled, in addition to the forwarded data, IoT Hub also sends
out all of its internal data for analysis by Azure Security Center for IoT. This data includes device-cloud operation
logs, device identities, and Hub configuration. All of this information helps to create the Azure Security Center for
IoT analytics pipeline.
The Azure Security Center for IoT analytics pipeline also receives additional threat intelligence streams from various
sources within Microsoft and Microsoft partners. The entire Azure Security Center for IoT analytics pipeline works
with every customer configuration made on the service (such as custom alerts and use of the send security
message SDK).
Using the analytics pipeline, Azure Security Center for IoT combines all of the streams of information to generate
actionable recommendations and alerts. The pipeline contains both custom rules created by security researchers
and experts as well as machine learning models searching for deviation from standard device behavior and risk
analysis.
Azure Security Center for IoT recommendations and alerts (the analytics pipeline output) are written to the Log
Analytics workspace of each customer. Including the raw events in the workspace, alongside the alerts and
recommendations, enables deep-dive investigations and queries using the exact details of the suspicious activities
detected.
Next steps
In this article, you learned about the basic architecture and workflow of the Azure Security Center for IoT solution. To
learn more about prerequisites, how to get started, and how to enable your security solution in IoT Hub, see the following
articles:
Service prerequisites
Getting started
Configure your solution
Enable security in IoT Hub
Azure Security Center for IoT FAQ
Azure Security Center for IoT security alerts
Azure Security Center for IoT Security Solution for Azure RTOS
8/6/2020 • 2 minutes to read
The Azure Security Center for IoT security module provides a comprehensive security solution for Azure RTOS
devices. Azure RTOS ships with a built-in security module that covers common threats on real-time operating
system devices.
Azure Security Center for IoT security module with Azure RTOS support offers the following features:
Malicious network activity detection
Custom alert-based device behavior baselining
Improved device security hygiene
Detection of malicious network activities
Inbound and outbound network activity of each device is monitored (supported protocols: TCP, UDP, ICMP on IPv4
and IPv6). Azure Security Center for IoT inspects each of these network activities against the Microsoft Threat
Intelligence feed. The feed gets updated in real-time with millions of unique threat indicators collected worldwide.
Device behavior baselining based on custom alerts
Baselining allows for clustering of devices into security groups and defining the expected behavior of each group.
As IoT devices are typically designed to operate in well-defined and limited scenarios, it is easy to create a baseline
that defines their expected behavior using a set of parameters. Any deviation from the baseline triggers an alert.
Improve your device security hygiene
By leveraging the recommended infrastructure that Azure Security Center for IoT provides, you gain knowledge and insights
about issues in your environment that weaken the security posture of your devices. Poor IoT device
security posture, if left unchanged, can allow potential attacks to succeed, as security is always measured by the
weakest link within any organization.
Next steps
In this article, you learned about Azure Security Center for IoT Azure RTOS support. To learn how to get started and
enable your security solution in IoT Hub, see the following articles:
Service prerequisites
Getting started
Configure your solution
Enable security in IoT Hub
Azure Security Center for IoT FAQ
Azure Security Center for IoT security alerts
Security agent reference architecture
4/14/2020 • 2 minutes to read
Azure Security Center for IoT provides a reference architecture for security agents that log, process, aggregate, and
send security data through IoT Hub.
Security agents are designed to work in a constrained IoT environment and are highly customizable, letting you
balance the value they provide against the resources they consume.
Security agents support the following features:
Collect raw security events from the underlying Operating System (Linux, Windows). To learn more about
available security data collectors, see Azure Security Center for IoT agent configuration.
Aggregate raw security events into messages sent through IoT Hub.
Authenticate with existing device identity, or a dedicated module identity. See Security agent authentication
methods to learn more.
Configure remotely through use of the azureiotsecurity module twin. To learn more, see Configure an
Azure Security Center for IoT agent.
Azure Security Center for IoT Security agents are developed as open-source projects, and are available from
GitHub:
Azure Security Center for IoT C-based agent
Azure Security Center for IoT C#-based agent
Architecture: 32bit; Linux agent: C; Windows agent: C#
Next steps
In this article, you learned about Azure Security Center for IoT security agent architecture, and the available
installers.
To continue getting started with Azure Security Center for IoT deployment, use the following articles:
Understand security agent authentication methods
Select and deploy a security agent
Review the Azure Security Center for IoT service prerequisites
Learn how to enable Azure Security Center for IoT service in your IoT Hub
Learn more about the service from the Azure Security Center for IoT FAQ
Azure IoT Edge security module
4/14/2020 • 2 minutes to read
Azure IoT Edge provides powerful capabilities to manage and perform business workflows at the edge. The key
part that IoT Edge plays in IoT environments makes it particularly attractive for malicious actors.
Azure Security Center for IoT security module provides a comprehensive security solution for your IoT Edge
devices. Azure Security Center for IoT module collects, aggregates and analyzes raw security data from your
Operating System and container system into actionable security recommendations and alerts.
Similar to Azure Security Center for IoT security agents for IoT devices, the Azure Security Center for IoT Edge
module is highly customizable through its module twin. See Configure your agent to learn more.
Azure Security Center for IoT security module for IoT Edge offers the following features:
Collects raw security events from the underlying Operating System (Linux), and the IoT Edge Container
systems.
See Azure Security Center for IoT agent configuration to learn more about available security data collectors.
Analysis of IoT Edge deployment manifests.
Aggregates raw security events into messages sent through IoT Edge Hub.
Remote configuration through use of the security module twin.
See Configure an Azure Security Center for IoT agent to learn more.
Azure Security Center for IoT security module for IoT Edge runs in a privileged mode under IoT Edge. Privileged
mode is required to allow the module to monitor the Operating System, and other IoT Edge modules.
Next steps
In this article, you learned about the architecture and capabilities of Azure Security Center for IoT security module
for IoT Edge.
To continue getting started with Azure Security Center for IoT deployment, use the following articles:
Deploy security module for IoT Edge
Learn how to configure your security module
Review the Azure Security Center for IoT Service prerequisites
Learn how to enable the Azure Security Center for IoT service in your IoT Hub
Learn more about the service from the Azure Security Center for IoT FAQ
Azure Security Center for IoT prerequisites
8/6/2020 • 2 minutes to read
This article explains the different components of the Azure Security Center for IoT service, what you need to
begin, and the basic concepts that help you understand the service.
Minimum requirements
IoT Hub Standard tier
Azure role Owner level privileges
Log Analytics Workspace
Azure Security Center (recommended)
Use of Azure Security Center is a recommendation, and not a requirement. Without Azure Security
Center, you'll be unable to view your other Azure resources within IoT Hub.
Next steps
Read the Azure IoT Security Overview
Learn how to enable the service
Read the Azure Security Center for IoT FAQ
Explore how to Understand Azure Security Center for IoT alerts
Get started with Azure Security Center for IoT
4/14/2020 • 2 minutes to read
This article provides an explanation of the different components of the Azure Security Center for IoT service and
explains how to get started with the service using two possible deployment options.
Deployment options
Choose the service scenario that best meets your IoT device and environment requirements.
Built-in deployment
Using the seamless, built-in deployment option, Azure Security Center for IoT can be quickly integrated into your
IoT Hub and provide security analysis of the IoT hub configuration, device identity and management, and
hub-device communication patterns.
Start a Built-in deployment featuring IoT Hub monitoring and recommendations.
Enhanced deployment
For enhanced security capabilities, deploying Azure Security Center for IoT agents in addition to enabling IoT Hub
security provides agent-based event collection, analysis and threat detection of key security data from your IoT
devices as well as comprehensive security posture management capabilities.
Start an Enhanced deployment featuring an agent-based comprehensive threat protection and security posture
management solution.
Next steps
Enable Azure Security Center for IoT
Configure your solution
Create security modules
Configure custom alerts
Deploy a security agent
Get started with Built-in IoT Hub integration
4/14/2020 • 2 minutes to read
This option enables you to use the service without using Azure Security Center for IoT security agents.
Next steps
Configure your solution
Create security modules
Configure custom alerts
Get started with Azure Security Center for IoT device
security agents
4/14/2020 • 2 minutes to read
Azure Security Center for IoT security agents offer enhanced security capabilities, such as monitoring remote
connections, active applications, login events, and operating system configuration best practices. Take control of
your device field threat protection and security posture with a single service.
Reference architectures for Linux and Windows security agents, in both C# and C, are provided.
The Azure Security Center for IoT security agents handle raw event collection from the device operating system,
event aggregation to reduce cost, and configuration through a device module twin. Security messages are sent
through your IoT Hub, into Azure Security Center for IoT analytics services.
Use the following workflow to deploy and test your Azure Security Center for IoT security agents:
1. Enable the Azure Security Center for IoT service on your IoT Hub.
2. If your IoT Hub has no registered devices, register a new device.
3. Create an azureiotsecurity security module for your devices.
4. To install the agent on an Azure simulated device instead of installing on an actual device, spin up a new Azure
Virtual Machine (VM) in an available zone.
5. Deploy an Azure Security Center for IoT security agent on your IoT device, or on the new VM.
6. Follow the instructions for trigger_events to run a harmless simulation of an attack.
7. Verify Azure Security Center for IoT alerts in response to the simulated attack in the previous step. Begin
verification five minutes after running the script.
8. Explore alerts and recommendations, and deep dive with Log Analytics from IoT Hub.
Next steps
Configure your solution
Create security modules
Configure custom alerts
Deploy a security agent
Quickstart: Onboard Azure Security Center for IoT
service in IoT Hub
4/14/2020 • 2 minutes to read
This article provides an explanation of how to enable the Azure Security Center for IoT service on your existing
IoT Hub. If you don't currently have an IoT Hub, see Create an IoT Hub using the Azure portal to get started.
NOTE
Azure Security Center for IoT currently only supports standard tier IoT Hubs.
Next steps
Advance to the next article to configure your solution...
Configure your solution
Quickstart: Configure your IoT solution
4/14/2020 • 2 minutes to read
This article provides an explanation of how to perform initial configuration of your IoT security solution using
Azure Security Center for IoT.
Next steps
Advance to the next article to learn how to create security modules...
Create security modules
Quickstart: Create an azureiotsecurity module twin
4/14/2020 • 2 minutes to read
This quickstart explains how to create individual azureiotsecurity module twins for new devices, or batch create
module twins for all devices in an IoT Hub.
NOTE
Using the batch method will not overwrite existing azureiotsecurity module twins. Using the batch method ONLY creates
new module twins for devices that do not already have a security module twin.
See agent configuration to learn how to modify or change the configuration of an existing module twin.
To manually create a new azureiotsecurity module twin for a device, use the following instructions:
1. In your IoT Hub, locate and select the device you wish to create a security module twin for.
2. Click on your device, and then on Add module identity.
3. In the Module Identity Name field, enter azureiotsecurity.
4. Click Save.
5. Select the device or double click it to open the Device details page.
6. Select the Module identities menu, and confirm existence of the azureiotsecurity module in the list of
module identities associated with the device.
To learn more about customizing properties of Azure Security Center for IoT module twins, see Agent
configuration.
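The manual steps above create one azureiotsecurity module identity through the portal, and the batch method creates identities only for devices that do not already have one. The following Python script (standard library only) is an added example and is not part of the Azure documentation or of the agent projects: it plans that batch over a constructed registry snapshot, builds the IoT Hub registry SAS token, and prepares the PUT request that registers the module identity. The hub host, the shared access policy name and key, the api-version value and the request body shape are assumptions supplied for illustration, not values taken from the page.

```python
"""Plan and prepare azureiotsecurity module identity creation via the IoT Hub REST API.

Added example, not from the Azure documentation or the agent projects.
Assumptions (not on the page): the registry endpoint
PUT /devices/{deviceId}/modules/{moduleId}, the api-version value, the policy
name, and that the hub generates SAS keys when the body omits them.
"""
import base64
import hashlib
import hmac
import json
import time
import urllib.parse
import urllib.request

SECURITY_MODULE_ID = "azureiotsecurity"          # module name required by the page
PLACEHOLDER_KEY_B64 = "cGxhY2Vob2xkZXIta2V5"     # base64 of "placeholder-key", not a real key


def build_sas_token(resource_uri: str, policy_name: str, policy_key_b64: str,
                    expiry_epoch: int) -> str:
    """IoT Hub SAS token: HMAC-SHA256 over '<url-encoded resource>\\n<expiry>'.

    policy_key_b64 is the base64 key of a shared access policy that has registry
    write permission; the token is only valid until expiry_epoch (Unix seconds).
    """
    encoded_uri = urllib.parse.quote(resource_uri, safe="")
    string_to_sign = f"{encoded_uri}\n{expiry_epoch}".encode("utf-8")
    key = base64.b64decode(policy_key_b64)
    signature = base64.b64encode(
        hmac.new(key, string_to_sign, hashlib.sha256).digest()).decode()
    return (f"SharedAccessSignature sr={encoded_uri}"
            f"&sig={urllib.parse.quote(signature, safe='')}"
            f"&se={expiry_epoch}&skn={policy_name}")


def module_identity_request(hub_host: str, device_id: str, sas_token: str,
                            api_version: str = "2018-06-30") -> dict:
    """Describe the PUT that registers the azureiotsecurity module identity.

    Returned as a dict (method, url, headers, body) so it can be inspected before
    it is sent. The api-version default is an assumption.
    """
    url = (f"https://{hub_host}/devices/{urllib.parse.quote(device_id, safe='')}"
           f"/modules/{SECURITY_MODULE_ID}?api-version={api_version}")
    body = {"deviceId": device_id, "moduleId": SECURITY_MODULE_ID}
    return {"method": "PUT", "url": url,
            "headers": {"Authorization": sas_token,
                        "Content-Type": "application/json"},
            "body": json.dumps(body)}


def plan_batch_creation(registry_modules: dict) -> list:
    """Batch semantics from the page: only devices with no existing
    azureiotsecurity module get a new one; existing module twins are untouched.

    registry_modules maps deviceId -> list of module ids already registered.
    """
    return sorted(dev for dev, mods in registry_modules.items()
                  if SECURITY_MODULE_ID not in mods)


def send(request: dict) -> int:
    """Send a request built by module_identity_request; returns the HTTP status."""
    req = urllib.request.Request(request["url"], data=request["body"].encode(),
                                 headers=request["headers"], method=request["method"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed registry snapshot: one device already has the module.
    registry = {"dev-001": ["$edgeAgent"], "dev-002": [SECURITY_MODULE_ID], "dev-003": []}
    hub = "contoso-hub.azure-devices.net"      # placeholder hub host
    token = build_sas_token(hub, "registryReadWrite", PLACEHOLDER_KEY_B64,
                            int(time.time()) + 3600)
    for device in plan_batch_creation(registry):
        print(module_identity_request(hub, device, token)["url"])
```

Keeping the token lifetime short (an hour here) limits how long a leaked registry token stays usable, and reviewing the planned device list before calling send keeps the batch idempotent with respect to existing module twins.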
Next steps
Advance to the next article to learn how to configure custom alerts...
Configure custom alerts
Quickstart: Create custom alerts
4/14/2020 • 2 minutes to read
Using custom security groups and alerts takes full advantage of the end-to-end security information and
categorical device knowledge to ensure better security across your IoT solution.
Security groups
Security groups enable you to define logical groups of devices, and manage their security state in a centralized
way.
These groups can represent devices with specific hardware, devices deployed in a certain location, or any other
group suitable to your specific needs.
Security groups are defined by a device twin tag property named SecurityGroup. By default, each IoT solution
on IoT Hub has one security group named default. Change the value of the SecurityGroup property to change
the security group of a device.
For example:
{
  "deviceId": "VM-Contoso12",
  "etag": "AAAAAAAAAAM=",
  "deviceEtag": "ODA1BzA5QjM2",
  "status": "enabled",
  "statusUpdateTime": "0001-01-01T00:00:00",
  "connectionState": "Disconnected",
  "lastActivityTime": "0001-01-01T00:00:00",
  "cloudToDeviceMessageCount": 0,
  "authenticationType": "sas",
  "x509Thumbprint": {
    "primaryThumbprint": null,
    "secondaryThumbprint": null
  },
  "version": 4,
  "tags": {
    "SecurityGroup": "default"
  }
}
Use security groups to group your devices into logical categories. After creating the groups, assign them to the
custom alerts of your choice, for the most effective end-to-end IoT security solution.
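To show what the SecurityGroup tag means operationally, here is an added Python example (not from the Azure documentation): it groups a set of constructed device twins, shaped like the one above, by their SecurityGroup tag, builds a tags-only twin patch to move a device to another group, and models the etag check that IoT Hub applies to twin updates so that a stale read does not overwrite someone else's change. The device ids and group names other than default are constructed for illustration.

```python
"""Group devices by the SecurityGroup twin tag and build a safe reassignment patch.

Added example, not from the Azure documentation. The twins are constructed in
the shape the page shows; the tag name SecurityGroup and the group name
"default" come from the page. The etag check models IoT Hub's If-Match
semantics for twin updates.
"""
import json
from collections import defaultdict

TAG_NAME = "SecurityGroup"
DEFAULT_GROUP = "default"

# Constructed sample twins, trimmed to the fields relevant here.
SAMPLE_TWINS = [
    {"deviceId": "VM-Contoso12", "etag": "AAAAAAAAAAM=", "tags": {"SecurityGroup": "default"}},
    {"deviceId": "pump-01", "etag": "AAAAAAAAAAE=", "tags": {"SecurityGroup": "plant-floor"}},
    {"deviceId": "pump-02", "etag": "AAAAAAAAAAI=", "tags": {}},   # no tag -> default group
    {"deviceId": "gw-01", "etag": "AAAAAAAAAAQ=", "tags": {"SecurityGroup": "gateways"}},
]


def security_group_of(twin: dict) -> str:
    """A device with no SecurityGroup tag belongs to the default group."""
    return twin.get("tags", {}).get(TAG_NAME, DEFAULT_GROUP)


def group_devices(twins) -> dict:
    """Map security group -> sorted device ids, the population a custom alert is scoped to."""
    groups = defaultdict(list)
    for twin in twins:
        groups[security_group_of(twin)].append(twin["deviceId"])
    return {group: sorted(ids) for group, ids in groups.items()}


def reassignment_patch(group: str) -> str:
    """Twin patch body that touches only the SecurityGroup tag.

    Restricting the patch to tags keeps desired properties, including the
    azureiotsecurity agent configuration held in the twin, out of the change.
    """
    if not group or not group.strip():
        raise ValueError("security group name must be non-empty")
    return json.dumps({"tags": {TAG_NAME: group}})


def apply_patch(twin: dict, patch_json: str, expected_etag: str) -> dict:
    """Local model of a twin update guarded by an If-Match etag.

    If the twin changed since it was read (etag differs), the update is
    rejected instead of silently overwriting the newer version.
    """
    if twin["etag"] != expected_etag:
        raise RuntimeError(f"etag mismatch for {twin['deviceId']}: twin was modified")
    patch = json.loads(patch_json)
    updated = dict(twin)
    updated["tags"] = {**twin.get("tags", {}), **patch["tags"]}
    return updated


if __name__ == "__main__":
    print(json.dumps(group_devices(SAMPLE_TWINS), indent=2))
    moved = apply_patch(SAMPLE_TWINS[2], reassignment_patch("plant-floor"), "AAAAAAAAAAI=")
    print(security_group_of(moved))
```

The grouping function is what you would run over an export of all twins to confirm that every device sits in the group whose custom alerts you intended to apply to it; devices that were never tagged silently fall into default, which is usually the least specific baseline.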
Customize an alert
1. Open your IoT Hub.
2. Click Custom alerts in the Security section.
3. Choose a security group you wish to apply the customization to.
4. Click Add a custom alert.
5. Select a custom alert from the dropdown list.
6. Edit the required properties, then click OK.
7. Make sure to click SAVE. Without saving the new alert, the alert is deleted the next time you close IoT Hub.
Next steps
Advance to the next article to learn how to deploy a security agent...
Deploy a security agent
Security agent authentication methods
4/14/2020 • 2 minutes to read
This article explains the different authentication methods you can use with the AzureIoTSecurity agent to
authenticate with the IoT Hub.
For each device onboarded to Azure Security Center for IoT in the IoT Hub, a security module is required. To
authenticate the device, Azure Security Center for IoT can use one of two methods. Choose the method that works
best for your existing IoT solution.
SecurityModule option
Device option
Authentication methods
The two methods for the AzureIoTSecurity agent to perform authentication:
SecurityModule authentication mode
The agent is authenticated using the security module identity independently of the device identity. Use this
authentication type if you would like the security agent to use a dedicated authentication method through the
security module (symmetric key only).
Device authentication mode
In this method, the security agent first authenticates with the device identity. After the initial authentication,
the Azure Security Center for IoT agent performs a REST call to the IoT Hub using the REST API with the
authentication data of the device. The Azure Security Center for IoT agent then requests the security
module authentication method and data from the IoT Hub. In the final step, the Azure Security Center for
IoT agent performs an authentication against the Azure Security Center for IoT module.
Use this authentication type if you would like the security agent to reuse an existing device authentication method
(self-signed certificate or symmetric key).
See Security agent installation parameters to learn how to configure.
Installation parameters table (columns: Linux parameter name, Windows parameter name, Shorthand parameter, Description, Options)
When using the install security agent script, the following configuration is performed automatically. To edit the
security agent authentication manually, edit the config file.
<Authentication>
<add key="deviceId" value=""/>
<add key="gatewayHostname" value=""/>
<add key="filePath" value=""/>
<add key="type" value=""/>
<add key="identity" value=""/>
<add key="certificateLocationKind" value="" />
</Authentication>
"Authentication" : {
"Identity" : "",
"AuthenticationMethod" : "",
"FilePath" : "",
"DeviceId" : "",
"HostName" : ""
}
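Because the two identity options accept different authentication methods (SecurityModule: symmetric key only; Device: self-signed certificate or symmetric key), a misconfigured file fails only at agent start-up. The following Python script is an added example, not from the Azure documentation or the agent projects: it parses both config shapes shown above (the XML Authentication section and the JSON Authentication object) into one structure and checks the identity/method combination and that no required value was left empty. The sample values, and the vocabulary SecurityModule/Device for the identity and SymmetricKey/SelfSignedCertificate for the method, are assumptions used for illustration.

```python
"""Validate the security agent's authentication settings in both file shapes.

Added example, not from the Azure documentation or the agent projects. The
keys are the ones shown on the page. The value vocabulary (Identity =
"SecurityModule" or "Device"; method = "SymmetricKey" or
"SelfSignedCertificate") is an assumption; the rules enforced come from the
page: SecurityModule identity supports symmetric key only, Device identity
supports self-signed certificate or symmetric key.
"""
import json
import xml.etree.ElementTree as ET

ALLOWED_METHODS = {
    "SecurityModule": {"SymmetricKey"},
    "Device": {"SymmetricKey", "SelfSignedCertificate"},
}

# Constructed sample configs (placeholder paths and hosts, no real credentials).
SAMPLE_XML = """<Authentication>
  <add key="deviceId" value="pump-01"/>
  <add key="gatewayHostname" value="contoso-hub.azure-devices.net"/>
  <add key="filePath" value="/etc/azureiotsecurity/module.key"/>
  <add key="type" value="SymmetricKey"/>
  <add key="identity" value="SecurityModule"/>
  <add key="certificateLocationKind" value=""/>
</Authentication>"""

# Deliberately inconsistent: SecurityModule identity with a certificate method.
SAMPLE_JSON = """{"Authentication": {
  "Identity": "SecurityModule",
  "AuthenticationMethod": "SelfSignedCertificate",
  "FilePath": "/etc/azureiotsecurity/device.pem",
  "DeviceId": "pump-02",
  "HostName": "contoso-hub.azure-devices.net"
}}"""


def parse_xml_auth(text: str) -> dict:
    """Normalise the <Authentication> section into a common dict."""
    root = ET.fromstring(text)
    if root.tag != "Authentication":
        raise ValueError("expected <Authentication> root element")
    values = {add.get("key"): add.get("value", "") for add in root.findall("add")}
    return {
        "identity": values.get("identity", ""),
        "method": values.get("type", ""),
        "file_path": values.get("filePath", ""),
        "device_id": values.get("deviceId", ""),
        "host": values.get("gatewayHostname", ""),
    }


def parse_json_auth(text: str) -> dict:
    """Normalise the JSON "Authentication" object into the same dict."""
    auth = json.loads(text)["Authentication"]
    return {
        "identity": auth.get("Identity", ""),
        "method": auth.get("AuthenticationMethod", ""),
        "file_path": auth.get("FilePath", ""),
        "device_id": auth.get("DeviceId", ""),
        "host": auth.get("HostName", ""),
    }


def validate_auth(cfg: dict) -> list:
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    for field in ("identity", "method", "file_path", "device_id", "host"):
        if not cfg.get(field):
            problems.append(f"{field} is empty")
    allowed = ALLOWED_METHODS.get(cfg.get("identity"))
    if allowed is None:
        problems.append(f"unknown identity {cfg.get('identity')!r}")
    elif cfg.get("method") not in allowed:
        problems.append(
            f"{cfg['identity']} identity does not support method {cfg.get('method')!r}"
            f" (allowed: {sorted(allowed)})")
    return problems


if __name__ == "__main__":
    print("xml :", validate_auth(parse_xml_auth(SAMPLE_XML)) or "ok")
    print("json:", validate_auth(parse_json_auth(SAMPLE_JSON)))
```

Run the check as part of the image build or provisioning step so the file that holds the path to the key or certificate is validated before the device ships, rather than discovered on the first failed connection to the hub.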
See also
Security agents overview
Deploy security agent
Access raw security data
Security module
4/14/2020 • 2 minutes to read
This article explains how Azure Security Center for IoT uses device twins and modules.
Device twins
For IoT solutions built in Azure, device twins play a key role in both device management and process automation.
Azure Security Center for IoT offers full integration with your existing IoT device management platform, enabling
you to manage your device security status as well as make use of existing device control capabilities. Integration is
achieved by making use of the IoT Hub twin mechanism.
Learn more about the concept of device twins in Azure IoT Hub.
See also
Azure Security Center for IoT overview
Deploy security agents
Security agent authentication methods
Azure Security Center for IoT security alerts
4/14/2020 • 14 minutes to read
Azure Security Center for IoT continuously analyzes your IoT solution using advanced analytics and threat
intelligence to alert you to malicious activity. In addition, you can create custom alerts based on your knowledge
of expected device behavior. An alert acts as an indicator of potential compromise, and should be investigated
and remediated.
In this article, you will find a list of built-in alerts which can be triggered on your IoT Hub and/or IoT devices. In
addition to built-in alerts, Azure Security Center for IoT allows you to define custom alerts based on expected IoT
Hub and/or device behavior. For more details, see customizable alerts.
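Since alerts and raw events land in the Log Analytics workspace, a first triage pass is usually done over an export of that data. The following Python script is an added example, not from the Azure documentation: it runs over a constructed set of alert records (their field names TimeGenerated, AlertName, AlertSeverity and DeviceId are an assumption about the export shape; the alert names and severities are the ones listed in the tables that follow), finds the highest severity per device, and flags devices for escalation when a High alert fires or when several distinct alerts cluster within a short window. The clustering heuristic is a constructed correlation rule, not one the page defines.

```python
"""Triage Azure Security Center for IoT alerts exported from the Log Analytics workspace.

Added example, not from the Azure documentation. The records are constructed
in a simplified export shape (field names are an assumption); the alert names
and severities are the ones listed on the page. Clustering distinct alerts on
one device within a window is a constructed heuristic.
"""
from datetime import datetime, timedelta

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}

# Constructed sample export: several alerts on three devices.
SAMPLE_ALERTS = [
    {"TimeGenerated": "2020-04-14T08:00:00Z", "AlertName": "Failed local login",
     "AlertSeverity": "Medium", "DeviceId": "pump-01"},
    {"TimeGenerated": "2020-04-14T08:05:00Z", "AlertName": "Successful local login",
     "AlertSeverity": "High", "DeviceId": "pump-01"},
    {"TimeGenerated": "2020-04-14T08:07:00Z", "AlertName": "Bash history cleared",
     "AlertSeverity": "Low", "DeviceId": "pump-01"},
    {"TimeGenerated": "2020-04-14T09:00:00Z", "AlertName": "Local user added to one or more groups",
     "AlertSeverity": "Low", "DeviceId": "gw-01"},
    {"TimeGenerated": "2020-04-14T10:30:00Z", "AlertName": "Device silent",
     "AlertSeverity": "Low", "DeviceId": "pump-02"},
]


def parse_time(value: str) -> datetime:
    """Export timestamps are UTC in ISO 8601 form with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def triage(alerts, window: timedelta = timedelta(hours=1)) -> dict:
    """Per device: highest severity, the alerts in time order, and an escalate flag.

    A device is flagged when any alert is High, or when two or more different
    alert kinds occur within `window` (a failed login followed by a successful
    login and a cleared history, for instance, reads as one incident).
    """
    by_device = {}
    for alert in sorted(alerts, key=lambda a: parse_time(a["TimeGenerated"])):
        entry = by_device.setdefault(
            alert["DeviceId"], {"max_severity": "Low", "alerts": [], "escalate": False})
        entry["alerts"].append(alert)
        if SEVERITY_RANK[alert["AlertSeverity"]] > SEVERITY_RANK[entry["max_severity"]]:
            entry["max_severity"] = alert["AlertSeverity"]
    for entry in by_device.values():
        names = {a["AlertName"] for a in entry["alerts"]}
        times = [parse_time(a["TimeGenerated"]) for a in entry["alerts"]]
        clustered = len(names) > 1 and (times[-1] - times[0]) <= window
        entry["escalate"] = entry["max_severity"] == "High" or clustered
    return by_device


def escalation_queue(alerts) -> list:
    """Device ids ordered for review: escalations first, then by severity and volume."""
    summary = triage(alerts)
    return sorted(summary, key=lambda dev: (
        not summary[dev]["escalate"],
        -SEVERITY_RANK[summary[dev]["max_severity"]],
        -len(summary[dev]["alerts"]),
        dev))


if __name__ == "__main__":
    for device in escalation_queue(SAMPLE_ALERTS):
        entry = triage(SAMPLE_ALERTS)[device]
        print(device, entry["max_severity"], len(entry["alerts"]), "escalate" if entry["escalate"] else "")
```

The per-alert remediation text in the tables below still applies to each line in the queue; what the grouping adds is the ordering, so that a device showing a chain of related alerts is reviewed before a device with one isolated Low alert.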
High severity

Disable firewall (severity: High; data source: Agent)
Description: Possible manipulation of on-host firewall detected. Malicious actors often disable the on-host firewall in an attempt to exfiltrate data.
Suggested remediation steps: Review with the user that ran the command to confirm if this was legitimate expected activity on the device. If not, escalate the alert to your information security team.

Port forwarding detection (severity: High; data source: Agent)
Description: Initiation of port forwarding to an external IP address detected.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Possible attempt to disable Auditd logging detected (severity: High; data source: Agent)
Description: Linux Auditd system provides a way to track security-relevant information on the system. The system records as much information about the events that are happening on your system as possible. This information is crucial for mission-critical environments to determine who violated the security policy and the actions they performed. Disabling Auditd logging may prevent your ability to discover violations of security policies used on the system.
Suggested remediation steps: Check with the device owner if this was legitimate activity with business reasons. If not, this event may be hiding activity by malicious actors. Immediately escalate the incident to your information security team.

Reverse shells (severity: High; data source: Agent)
Description: Analysis of host data on a device detected a potential reverse shell. Reverse shells are often used to get a compromised machine to call back into a machine controlled by a malicious actor.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Successful local login (severity: High; data source: Agent)
Description: Successful local sign in to the device detected.
Suggested remediation steps: Make sure the signed in user is an authorized party.

Web shell (severity: High; data source: Agent)
Description: Possible web shell detected. Malicious actors commonly upload a web shell to a compromised machine to gain persistence or for further exploitation.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.
Medium severity

Behavior similar to Fairware ransomware detected (severity: Medium; data source: Agent)
Description: Execution of rm -rf commands applied to suspicious locations detected using analysis of host data. Because rm -rf recursively deletes files, it is normally only used on discrete folders. In this case, it is being used in a location that could remove a large amount of data. Fairware ransomware is known to execute rm -rf commands in this folder.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Behavior similar to ransomware detected (severity: Medium; data source: Agent)
Description: Execution of files similar to known ransomware that may prevent users from accessing their system, or personal files, and may demand ransom payment to regain access.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Crypto coin miner image (severity: Medium; data source: Agent)
Description: Execution of a process normally associated with digital currency mining detected.
Suggested remediation steps: Verify with the user that ran the command if this was legitimate activity on the device. If not, escalate the alert to the information security team.

Detected suspicious use of the nohup command (severity: Medium; data source: Agent)
Description: Suspicious use of the nohup command on host detected. Malicious actors commonly run the nohup command from a temporary directory, effectively allowing their executables to run in the background. Seeing this command run on files located in a temporary directory is not expected or usual behavior.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Detected suspicious use of the useradd command (severity: Medium; data source: Agent)
Description: Suspicious use of the useradd command detected on the device.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Exposed Docker daemon by TCP socket (severity: Medium; data source: Agent)
Description: Machine logs indicate that your Docker daemon (dockerd) exposes a TCP socket. By default, Docker configuration does not use encryption or authentication when a TCP socket is enabled. Default Docker configuration enables full access to the Docker daemon by anyone with access to the relevant port.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Failed local login (severity: Medium; data source: Agent)
Description: A failed local login attempt to the device was detected.
Suggested remediation steps: Make sure no unauthorized party has physical access to the device.

File downloads from a known malicious source detected (severity: Medium; data source: Agent)
Description: Download of a file from a known malware source detected.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

htaccess file access detected (severity: Medium; data source: Agent)
Description: Analysis of host data detected possible manipulation of an htaccess file. Htaccess is a powerful configuration file that allows you to make multiple changes to a web server running Apache Web software, including basic redirect functionality, and more advanced functions, such as basic password protection. Malicious actors often modify htaccess files on compromised machines to gain persistence.
Suggested remediation steps: Confirm this is legitimate expected activity on the host. If not, escalate the alert to your information security team.

Known attack tool (severity: Medium; data source: Agent)
Description: A tool often associated with malicious users attacking other machines in some way was detected.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

IoT agent attempted and failed to parse the module twin configuration (severity: Medium; data source: Agent)
Description: The Azure Security Center for IoT security agent failed to parse the module twin configuration due to type mismatches in the configuration object.
Suggested remediation steps: Validate your module twin configuration against the IoT agent configuration schema, and fix all mismatches.

Mismatch between script interpreter and file extension (severity: Medium; data source: Agent)
Description: Mismatch between the script interpreter and the extension of the script file provided as input detected. This type of mismatch is commonly associated with attacker script executions.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Possible backdoor detected (severity: Medium; data source: Agent)
Description: A suspicious file was downloaded and then run on a host in your subscription. This type of activity is commonly associated with the installation of a backdoor.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Potential loss of data detected (severity: Medium; data source: Agent)
Description: Possible data egress condition detected using analysis of host data. Malicious actors often egress data from compromised machines.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Potential overriding of common files (severity: Medium; data source: Agent)
Description: Common executable overwritten on the device. Malicious actors are known to overwrite common files as a way to hide their actions or as a way to gain persistence.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Removal of system logs files detected (severity: Medium; data source: Agent)
Description: Suspicious removal of log files on the host detected.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Space after filename (severity: Medium; data source: Agent)
Description: Execution of a process with a suspicious extension detected using analysis of host data. Suspicious extensions may trick users into thinking files are safe to be opened and can indicate the presence of malware on the system.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Suspected malicious credentials access tools detected (severity: Medium; data source: Agent)
Description: Detected usage of a tool commonly associated with malicious attempts to access credentials.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.

Suspicious file download followed by file run activity (severity: Medium; data source: Agent)
Description: Analysis of host data detected a file that was downloaded and run in the same command. This technique is commonly used by malicious actors to get infected files onto victim machines.
Suggested remediation steps: Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team.
Low severity

Bash history cleared (severity: Low; data source: Agent)
Description: Bash history log cleared. Malicious actors commonly erase bash history to hide their own commands from appearing in the logs.
Suggested remediation steps: Review the activity in this alert with the user that ran the command to see if you recognize this as legitimate administrative activity. If not, escalate the alert to the information security team.

Device silent (severity: Low; data source: Agent)
Description: Device has not sent any telemetry data in the last 72 hours.
Suggested remediation steps: Make sure the device is online and sending data. Check that the Azure Security Agent is running on the device.

Local user added to one or more groups (severity: Low; data source: Agent)
Description: New local user added to a group on this device. Changes to user groups are uncommon, and can indicate a malicious actor may be collecting additional permissions.
Suggested remediation steps: Verify if the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your Information Security team.

Local user deleted from one or more groups (severity: Low; data source: Agent)
Description: A local user was deleted from one or more groups. Malicious actors are known to use this method in an attempt to deny access to legitimate users or to delete the history of their actions.
Suggested remediation steps: Verify if the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your Information Security team.

Local user deletion detected (severity: Low; data source: Agent)
Description: Deletion of a local user detected. Local user deletion is uncommon; a malicious actor may be trying to deny access to legitimate users or to delete the history of their actions.
Suggested remediation steps: Verify if the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your Information Security team.
Medium severity
New certificate added to an IoT Hub (Medium)
  Description: A certificate named '%{DescCertificateName}' was added to IoT Hub '%{DescIoTHubName}'. If this action was made by an unauthorized party, it may indicate malicious activity.
  Remediation: 1. Make sure the certificate was added by an authorized party. 2. If it was not added by an authorized party, remove the certificate and escalate the alert to the organizational security team.
Certificate deleted from an IoT Hub (Medium)
  Description: A certificate named '%{DescCertificateName}' was deleted from IoT Hub '%{DescIoTHubName}'. If this action was made by an unauthorized party, it may indicate malicious activity.
  Remediation: 1. Make sure the certificate was removed by an authorized party. 2. If the certificate was not removed by an authorized party, add the certificate back and escalate the alert to the organizational security team.
x.509 device certificate thumbprint mismatch (Medium)
  Description: The x.509 device certificate thumbprint did not match the configuration.
  Remediation: Review alerts on the devices. No further action required.
x.509 certificate expired (Medium)
  Description: The X.509 device certificate has expired.
  Remediation: This could be a legitimate device with an expired certificate or an attempt to impersonate a legitimate device. If the legitimate device is currently communicating correctly, this is likely an impersonation attempt.
Low severity
Attempt to add or edit a diagnostic setting of an IoT Hub detected (Low)
  Description: An attempt to add or edit the diagnostic settings of an IoT Hub has been detected. Diagnostic settings enable you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. If this action was not made by an authorized party, it may indicate malicious activity.
  Remediation: 1. Make sure the diagnostic settings were changed by an authorized party. 2. If they were not, restore the previous diagnostic settings and escalate the alert to your information security team.
Expired SAS Token (Low)
  Description: An expired SAS token was used by a device.
  Remediation: May be a legitimate device with an expired token, or an attempt to impersonate a legitimate device. If the legitimate device is currently communicating correctly, this is likely an impersonation attempt.
Invalid SAS token signature (Low)
  Description: A SAS token used by a device has an invalid signature. The signature does not match either the primary or secondary key.
  Remediation: Review the alerts on the devices. No further action required.
Next steps
Azure Security Center for IoT service Overview
Learn how to Access your security data
Learn more about Investigating a device
Azure Security Center for IoT customizable security alerts
8/6/2020
Azure Security Center for IoT continuously analyzes your IoT solution using advanced analytics and threat
intelligence to alert you to malicious activity.
We encourage you to create custom alerts based on your knowledge of expected device behavior to ensure alerts
act as the most efficient indicators of potential compromise in your unique organizational deployment and
landscape.
The following list of Azure Security Center for IoT alerts is definable by you, based on your expected IoT Hub
and/or device behavior. For more details about how to customize each alert, see create custom alerts.
The remediation for both custom alerts is the same: if you are saving raw data, navigate to your Log Analytics workspace and use the data to investigate the device, identify the source, and then fix the allow/block list for those settings. If you are not currently saving raw data, go to the device and fix the allow/block list for those settings.
Custom alert - login of a user that is not on the allowed user list (Low; data source: Agent)
  Description: A local user outside your allowed user list logged in to the device.
Custom alert - a process was executed that is not allowed (Low; data source: Agent)
  Description: A process that is not allowed was executed on the device.
Next steps
Learn how to customize an alert
Azure Security Center for IoT service Overview
Learn how to Access your security data
Learn more about Investigating a device
Security recommendations
4/14/2020
Azure Security Center for IoT scans your Azure resources and IoT devices and provides security recommendations
to reduce your attack surface. Security recommendations are actionable and aim to help customers comply with
security best practices.
In this article, you will find a list of recommendations which can be triggered on your IoT Hub and/or IoT devices.
Permissive firewall rule in the input chain was found (Medium; data source: Agent)
  Description: A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports.
Permissive firewall rule in the output chain was found (Medium; data source: Agent)
  Description: A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports.
Default IP filter policy should be deny (Medium; data source: IoT Hub)
  Description: The IP filter configuration should have rules defined for allowed traffic, and should deny all other traffic by default.
IP filter rule includes large IP range (Medium; data source: IoT Hub)
  Description: The source IP range of an allow IP filter rule is too large. Overly permissive rules can expose your IoT hub to malicious actors.
Enable diagnostics logs in IoT Hub (Low; data source: IoT Hub)
  Description: Enable logs and retain them for up to a year. Retaining logs enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised.
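The four Medium recommendations above are all "wide range" checks on allow rules, on the device (iptables INPUT/OUTPUT chains) and on the hub (IP filter rules). The following added example, not code from the article or from the security agent, runs such checks over a constructed `iptables -S` dump and a constructed IoT Hub IP filter rule list. The thresholds (`MIN_PREFIX_LEN`, `MAX_PORT_SPAN`) are assumptions; the service's own thresholds are not documented on this page.

```python
import ipaddress
import shlex

# Constructed sample of `iptables -S` output from a Linux IoT device.
SAMPLE_IPTABLES = """\
-P INPUT DROP
-P OUTPUT ACCEPT
-A INPUT -s 10.20.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8883 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m multiport --dports 1024:65535 -j ACCEPT
-A OUTPUT -d 203.0.113.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A OUTPUT -j ACCEPT
"""

# Constructed IoT Hub IP filter rules in the order the hub evaluates them.
# Traffic that matches no rule is accepted, hence the need for a final Reject 0.0.0.0/0.
SAMPLE_IP_FILTER = [
    {"filterName": "field-gateway", "action": "Accept", "ipMask": "198.51.100.0/24"},
    {"filterName": "partner-range", "action": "Accept", "ipMask": "10.0.0.0/8"},
    {"filterName": "default-deny", "action": "Reject", "ipMask": "0.0.0.0/0"},
]

MIN_PREFIX_LEN = 16  # assumption: anything broader than a /16 is "a wide range of IP addresses"
MAX_PORT_SPAN = 100  # assumption: an allowed span wider than this is "a wide range of ports"


def prefix_len(cidr: str) -> int:
    """Prefix length of an address or CIDR; a bare address counts as a single host."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen


def port_span(spec: str) -> int:
    """Ports covered by --dport/--dports specs such as "22", "1024:65535" or "80,443"."""
    total = 0
    for part in spec.split(","):
        low, _, high = part.partition(":")
        total += (int(high) if high else int(low)) - int(low) + 1
    return total


def permissive_iptables_rules(dump: str) -> list:
    """ACCEPT rules in INPUT/OUTPUT whose source (INPUT) or destination (OUTPUT) or port set is wide."""
    findings = []
    for line in dump.splitlines():
        argv = shlex.split(line)
        if len(argv) < 2 or argv[0] != "-A" or "-j" not in argv or argv[argv.index("-j") + 1] != "ACCEPT":
            continue
        chain = argv[1]
        if chain not in ("INPUT", "OUTPUT"):
            continue
        # flag -> value pairs; every iptables flag used here takes exactly one argument
        opts = {argv[i]: argv[i + 1] for i in range(2, len(argv) - 1) if argv[i].startswith("-")}
        addr_flag = "-s" if chain == "INPUT" else "-d"
        reasons = []
        addr = opts.get(addr_flag)
        if addr is None or prefix_len(addr) < MIN_PREFIX_LEN:
            reasons.append(f"{addr_flag} {addr or 'any'} covers a wide IP range")
        ports = opts.get("--dport") or opts.get("--dports")
        if ports is None or port_span(ports) > MAX_PORT_SPAN:
            reasons.append(f"ports {ports or 'any'} cover a wide port range")
        if reasons:
            findings.append({"chain": chain, "rule": line, "reasons": reasons})
    return findings


def ip_filter_findings(rules: list) -> list:
    """The two IoT Hub recommendations: a final default-deny rule, and no oversized Accept ranges."""
    findings = []
    last = rules[-1] if rules else None
    if not (last and last["action"] == "Reject" and prefix_len(last["ipMask"]) == 0):
        findings.append("default IP filter policy is not deny: add a final Reject rule for 0.0.0.0/0")
    for rule in rules:
        if rule["action"] == "Accept" and prefix_len(rule["ipMask"]) < MIN_PREFIX_LEN:
            findings.append(f"allow rule '{rule['filterName']}' covers a large IP range ({rule['ipMask']})")
    return findings


if __name__ == "__main__":
    for finding in permissive_iptables_rules(SAMPLE_IPTABLES):
        print(finding["chain"], finding["rule"], "->", "; ".join(finding["reasons"]))
    for finding in ip_filter_findings(SAMPLE_IP_FILTER):
        print(finding)
```

On a real device, feed the output of `sudo iptables -S` into `permissive_iptables_rules`; the `-A OUTPUT -j ACCEPT` style catch-all is the rule that most often triggers the output-chain recommendation.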
Next steps
Azure Security Center for IoT service Overview
Learn how to Access your security data
Learn more about Investigating a device
Azure Security Center for IoT baseline and custom checks
4/14/2020
This article explains Azure Security Center for IoT baseline, and summarizes all associated properties of baseline
custom checks.
Baseline
A baseline establishes standard behavior for each device and makes it easier to establish unusual behavior or
deviation from expected norms.
  "desired": {
    "ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration": {
      "baselineCustomChecksEnabled": {
        "value": true
      },
      "baselineCustomChecksFilePath": {
        "value": "/home/user/full_path.xml"
      },
      "baselineCustomChecksFileHash": {
        "value": "#hashexample!"
      }
    }
  },
baselineCustomChecksEnabled (Required: true; Valid values: Boolean; Default value: false)
  Description: Enables or disables the baseline custom checks.
baselineCustomChecksFilePath (Required: true; Valid values: String, null; Default value: null)
  Description: Full path of the baseline xml configuration file.
baselineCustomChecksFileHash (Required: true; Valid values: String, null; Default value: null)
  Description: sha256sum of the xml configuration file. Use the sha256sum reference for additional information.
To review additional baseline examples, see custom baseline example -1 and custom baseline example -2.
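The hash property exists so the agent can refuse a checks file that does not match what the twin says it should be. The following added example, which is not code from the article or from the agent, computes the `sha256sum` value for a baseline file, emits the desired-properties patch in the shape shown above, and performs the device-side check that the file on disk still matches the twin before it is trusted. The XML content is constructed for the demo and does not follow any documented checks schema; `build_baseline_patch` and `baseline_file_trusted` are hypothetical helpers.

```python
import hashlib
import hmac
import os
import tempfile

TWIN_KEY = "ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration"

# Constructed checks file; the real schema is in the custom baseline example articles.
SAMPLE_BASELINE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<checks>
  <check id="sshd-no-root-login" severity="High">PermitRootLogin no</check>
</checks>
"""


def sha256_hex(data: bytes) -> str:
    """Same hex digest that `sha256sum <file>` prints."""
    return hashlib.sha256(data).hexdigest()


def build_baseline_patch(xml_path: str) -> dict:
    """Desired-properties patch for the azureiotsecurity module twin, hash taken from the file on disk."""
    with open(xml_path, "rb") as f:
        digest = sha256_hex(f.read())
    return {
        "desired": {
            TWIN_KEY: {
                "baselineCustomChecksEnabled": {"value": True},
                "baselineCustomChecksFilePath": {"value": xml_path},
                "baselineCustomChecksFileHash": {"value": digest},
            }
        }
    }


def baseline_file_trusted(patch: dict) -> bool:
    """Device-side check: load the custom checks only if the file hashes to the twin's value."""
    cfg = patch.get("desired", {}).get(TWIN_KEY, {})
    if cfg.get("baselineCustomChecksEnabled", {}).get("value") is not True:
        return False
    path = cfg.get("baselineCustomChecksFilePath", {}).get("value")
    expected = cfg.get("baselineCustomChecksFileHash", {}).get("value")
    if not path or not expected or not os.path.isfile(path):
        return False
    with open(path, "rb") as f:
        actual = sha256_hex(f.read())
    # constant-time compare; the twin value may have been pasted in upper case
    return hmac.compare_digest(actual, expected.lower())


def demo() -> tuple:
    """Write the sample file, build the patch, then tamper with the file: (trusted_before, trusted_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "baseline.xml")
        with open(path, "wb") as f:
            f.write(SAMPLE_BASELINE_XML)
        patch = build_baseline_patch(path)
        trusted_before = baseline_file_trusted(patch)
        with open(path, "ab") as f:
            f.write(b"<!-- appended after the twin was pushed -->\n")
        trusted_after = baseline_file_trusted(patch)
    return trusted_before, trusted_after


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Recompute the hash and push a new patch every time the checks file changes; a stale hash simply disables the custom checks, which is the safe failure mode.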
Next steps
Access your raw security data
Investigate a device
Understand and explore security recommendations
Understand and explore security alerts
Azure Security Center for IoT event aggregation
4/14/2020
Azure Security Center for IoT security agents collect data and system events from your local device and send this
data to the Azure cloud for processing and analytics. The security agent collects many types of device events,
including new process and new connection events. Both may legitimately occur many times per second on a device,
and while they are important for robust and comprehensive security, the number of messages the security agents
are forced to send may quickly reach or exceed your IoT Hub quota and cost limits. However, these events contain
highly valuable security information that is crucial to protecting your device.
To reduce the additional quota and costs while keeping your devices protected, Azure Security Center for IoT agents
aggregate these types of events.
Event aggregation is On by default, and although not recommended, can be manually turned Off at any time.
Aggregation is currently available for the following types of events:
ProcessCreate
ConnectionCreate
ProcessTerminate (Windows only)
Aggregation is controlled by the following agent configuration properties (shown with their default values):
aggregationEnabledProcessCreate         true
aggregationIntervalProcessCreate        "PT1H"
aggregationEnabledConnectionCreate      true
aggregationIntervalConnectionCreate     "PT1H"
aggregationEnabledProcessTerminate      true
aggregationIntervalProcessTerminate     "PT1H"
Next steps
In this article, you learned about Azure Security Center for IoT security agent aggregation, and the available event
configuration options.
To continue getting started with Azure Security Center for IoT deployment, use the following articles:
Understand Security agent authentication methods
Select and deploy a security agent
Review Azure Security Center for IoT service prerequisites
Learn how to Enable Azure Security Center for IoT service in your IoT Hub
Learn more about the service from the Azure Security Center for IoT FAQ
Pricing and associated costs
8/6/2020
This article explains the Azure Security Center for IoT pricing model, summarizes all associated costs and explains
how to manage them.
Pricing
The Azure Security Center for IoT pricing model consists of two parts, and billing starts once an IoT Hub is enabled
in Azure Security Center for IoT:
Cost by device - built-in security capabilities based on analysis of IoT Hub logs.
Cost by message - enhanced security capabilities based on security messages from IoT Edge or leaf devices.
For more information, see Security Center pricing.
Associated costs
Azure Security Center for IoT has associated costs, which are not part of the direct pricing:
Log Analytics storage costs
You can reduce associated costs by opting out of certain solution features. Opt out by changing your settings.
To change your settings:
1. Open IoT Hub.
2. Under Security, click Overview.
3. Click Settings .
The following table provides a summary of associated costs and implications of each option.
OPTION                              USAGE                                                              COMMENT
Device recommendations and alerts   Security recommendations and alerts generated by the service       Not optional
Raw security data                   Raw security data from IoT devices, collected by security agents   Disable "Store raw device security events"
IMPORTANT
Opting out has severe implications to Azure Security Center for IoT security feature availability.
OPT OUT                             IMPLICATIONS
Store raw device security events    Details on device OS baseline recommendations are not available
See also
Access your raw security data
Investigate a device
Understand and explore security recommendations
Understand and explore security alerts
Select and deploy a security agent on your IoT device
8/6/2020
Azure Security Center for IoT provides reference architectures for security agents that monitor and collect data
from IoT devices. To learn more, see Security agent reference architecture.
Agents are developed as open-source projects, and are available in two flavors: C and C#.
In this article, you learn how to:
Compare security agent flavors
Discover supported agent platforms
Choose the right agent flavor for your solution
                             C agent                                  C# agent
Open-source                  Available under MIT license in GitHub    Available under MIT license in GitHub
Development language         C                                        C#
Supported Linux platforms?   Yes, x64 and x86                         Yes, x64 only
Supported platforms
The following list includes all currently supported platforms.
C# agent: Debian 9 x64
This guide explains how to install the Azure Security Center for IoT C#-based security agent on Windows.
In this guide, you learn how to:
Install
Verify deployment
Uninstall the agent
Troubleshoot
Prerequisites
For other platforms and agent flavors, see Choose the right security agent.
1. Local admin rights on the machine you wish to install on.
2. Create a security module for the device.
Installation
To install the security agent, use the following workflow:
1. Install the Azure Security Center for IoT Windows C# agent on the device. Download the most recent version
to your machine from the Azure Security Center for IoT GitHub repository.
2. Extract the contents of the package, and navigate to the /Install folder.
3. Open Windows PowerShell as Administrator.
4. Add running permissions to the InstallSecurityAgent script by running:
Unblock-File .\InstallSecurityAgent.ps1
then run:
For example:
For more information about authentication parameters, see How to configure authentication.
This script does the following actions:
Installs prerequisites.
Adds a service user (with interactive sign in disabled).
Installs the agent as a System Service.
Configures the agent with the provided authentication parameters.
For additional help, use the Get-Help command in PowerShell.
Get-Help example: Get-Help .\InstallSecurityAgent.ps1
To uninstall the agent, run the script with the -Uninstall parameter: .\InstallSecurityAgent.ps1 -Uninstall
Troubleshooting
If the agent fails to start, turn on logging (logging is off by default) to get more information.
To turn on logging:
1. Open the configuration file (General.config) for editing using a standard file editor.
2. Edit the following values:
NOTE
We recommend turning logging off after troubleshooting is complete. Leaving logging on increases log file size and
data usage.
4. Review the log file for more information about the failure. The log file is written to the working
directory from which the script was run.
Log file location: .\IoTAgentLog.log
Next steps
Read the Azure Security Center for IoT service Overview
Learn more about Azure Security Center for IoT Architecture
Enable the service
Read the FAQ
Understand alerts
Deploy Azure Security Center for IoT C# based security agent for Linux
4/14/2020
This guide explains how to install and deploy the Azure Security Center for IoT C#-based security agent on Linux.
In this guide, you learn how to:
Install
Verify deployment
Uninstall the agent
Troubleshoot
Prerequisites
For other platforms and agent flavors, see Choose the right security agent.
1. To deploy the security agent, local admin rights are required on the machine you wish to install on.
2. Create a security module for the device.
Installation
To deploy the security agent, use the following steps:
1. Download the most recent version to your machine from GitHub.
2. Extract the contents of the package and navigate to the /Install folder.
3. Add running permissions to the InstallSecurityAgent script by running:
chmod +x InstallSecurityAgent.sh
For more information about authentication parameters, see How to configure authentication.
This script performs the following actions:
Installs prerequisites.
Adds a service user (with interactive sign in disabled).
Installs the agent as a Daemon - assumes the device uses systemd for classic deployment model.
Configures sudoers to allow the agent to do certain tasks as root.
Configures the agent with the provided authentication parameters.
For additional help, run the script with the --help parameter: ./InstallSecurityAgent.sh --help
NOTE
Uninstall does not remove any missing prerequisites that were installed during installation.
Troubleshooting
1. Check the deployment status by running:
systemctl status ASCIoTAgent.service
2. Enable logging. If the agent fails to start, turn on logging to get more information.
Turn on the logging by:
a. Open the configuration file for editing in any Linux editor:
vi /var/ASCIoTAgent/General.config
NOTE
We recommend turning logging off after troubleshooting is complete. Leaving logging on increases log file
size and data usage.
d. View the log file for more information about the failure.
Log file location is: /var/ASCIoTAgent/IotAgentLog.log
Change the file location path according to the name you chose for the logFilePath in step 2.
Next steps
Read the Azure Security Center for IoT service Overview
Learn more about Azure Security Center for IoT Architecture
Enable the service
Read the FAQ
Understand alerts
Deploy Azure Security Center for IoT C based security agent for Linux
4/14/2020
This guide explains how to install and deploy the Azure Security Center for IoT C-based security agent on Linux.
In this guide, you learn how to:
Install
Verify deployment
Uninstall the agent
Troubleshoot
Prerequisites
For other platforms and agent flavors, see Choose the right security agent.
1. To deploy the security agent, local admin rights are required on the machine you wish to install on (sudo).
2. Create a security module for the device.
Installation
To install and deploy the security agent, use the following workflow:
1. Download the most recent version to your machine from GitHub.
2. Extract the contents of the package and navigate to the /src/installation folder.
3. Add running permissions to the InstallSecurityAgent script by running the following command:
chmod +x InstallSecurityAgent.sh
4. Next, run:
See How to configure authentication for more information about authentication parameters.
This script performs the following function:
1. Installs prerequisites.
2. Adds a service user (with interactive sign in disabled).
3. Installs the agent as a Daemon - assumes the device uses systemd for service management.
4. Configures the agent with the authentication parameters provided.
For additional help, run the script with the --help parameter:
./InstallSecurityAgent.sh --help
Uninstall the agent
To uninstall the agent, run the script with the --uninstall parameter:
./InstallSecurityAgent.sh --uninstall
Troubleshooting
Check the deployment status by running:
systemctl status ASCIoTAgent.service
Next steps
Read the Azure Security Center for IoT service Overview
Learn more about Azure Security Center for IoT Architecture
Enable the service
Read the FAQ
Understand security alerts
Security agent troubleshoot guide (Linux)
4/14/2020
This article explains how to solve potential problems in the security agent start-up process.
The Azure Security Center for IoT agent starts automatically immediately after installation. The agent start-up
process includes reading the local configuration, connecting to Azure IoT Hub, and retrieving the remote twin
configuration. Failure in any one of these steps may cause the security agent to fail.
In this troubleshooting guide you'll learn how to:
Validate if the security agent is running
Get security agent errors
Understand and remediate security agent errors
C# agent
2. If the command returns an empty line, the security agent was unable to start successfully.
2. The get security agent error command retrieves all logs created by the Azure Security Center for IoT agent.
Use the following table to understand the errors and take the correct steps for remediation.
NOTE
Error logs are shown in chronological order. Make sure to note the timestamp of each error to help your remediation.
2. Repeat the previous process to stop the agent and retrieve the errors if the agent continues to fail the startup
process.
Azure Security Center for IoT agent encountered an error! Error in: {Error Code}, reason: {Error sub code},
extra details: {error specific details}
Each entry below gives the error code and sub code, the error details, and the remediation for the C agent and for the C# agent.
Local Configuration / Cant Parse Configuration
  Details: A configuration value can't be parsed. The error message should state which key can't be parsed. A configuration value cannot be parsed either because the value is not of the expected type, or because the value is out of range.
  C agent: Fix the value of the key in the /var/LocalConfiguration.json file so that it matches the LocalConfiguration schema; see the C agent LocalConfiguration.json reference for details.
  C# agent: Fix the value of the key in the General.config file so that it matches the schema; see the C# agent local configuration reference for details.
Remote Configuration / Timeout
  Details: The agent could not fetch the azureiotsecurity module twin within the timeout period.
  C agent: Make sure the authentication configuration is correct and try again.
  C# agent: Make sure the authentication configuration is correct and try again.
Authentication / File Not Exist
  Details: The file in the given path does not exist.
  C agent: Make sure the file exists in the given path, or go to the LocalConfiguration.json file and change the FilePath configuration.
  C# agent: Make sure the file exists in the given path, or go to the Authentication.config file and change the filePath configuration.
Authentication / File Permission
  Details: The agent does not have sufficient permissions to open the file.
  C agent: Give the asciotagent user read permissions on the file in the given path.
  C# agent: Make sure the file is accessible.
Authentication / File Format
  Details: The given file is not in the correct format.
  C agent: Make sure the file is in the correct format. The supported file types are .pfx and .pem.
  C# agent: Make sure the file is a valid certificate file.
Authentication / Cant Parse Configuration
  Details: A configuration value can't be parsed. The error message should state which key can't be parsed. A configuration value cannot be parsed either because the value is not of the expected type, or because the value is out of range.
  C agent: Fix the value of the key in the LocalConfiguration.json file.
  C# agent: Fix the value of the key in the Authentication.config file to match the schema; see the C# agent local configuration reference for details.
2. If required, repeat the previous processes to force stop the agent and retrieve the errors if the agent
continues to fail the startup process.
Next steps
Read the Azure Security Center for IoT service Overview
Learn more about Azure Security Center for IoT Architecture
Enable the Azure Security Center for IoT service
Read the Azure Security Center for IoT service FAQ
Learn how to access raw security data
Understand recommendations
Understand security alerts
Understanding the LocalConfiguration.json file - C agent
8/6/2020
The Azure Security Center for IoT security agent uses configurations from a local configuration file. The security
agent reads the configuration once, at agent start-up. The configuration found in the local configuration file
contains authentication configuration and other agent related configurations. The file contains configurations in
"Key-Value" pairs in JSON notation and the configurations get populated when the agent is installed.
By default, the file is located at: /var/ASCIoTAgent/LocalConfiguration.json
Changes to the configuration file take effect when the agent is restarted.
FilePath (Possible values: path to a file, string)
  Details: Path to the file that contains the authentication secret.
SystemLoggerMinimumSeverity (Possible values: 0 <= number <= 4)
  Details: Log messages with a severity equal to or above this value are written to /var/log/syslog (0 is the lowest severity).
DiagnosticEventMinimumSeverity (Possible values: 0 <= number <= 4)
  Details: Log messages with a severity equal to or above this value are sent as diagnostic events (0 is the lowest severity).
Next steps
Read the Azure Security Center for IoT service Overview
Learn more about Azure Security Center for IoT Architecture
Enable the Azure Security Center for IoT service
Read the Azure Security Center for IoT service FAQ
Learn how to access raw security data
Understand recommendations
Understand security alerts
Understanding the local configuration file (C# agent)
8/6/2020
The Azure Security Center for IoT security agent uses configurations from a local configuration file.
The security agent reads the configuration files once, when the agent starts up. The configurations found in the
local configuration files contain both authentication configuration and other agent-related configurations.
The C# security agent uses multiple configuration files:
General.config - Agent related configurations.
Authentication.config - Authentication related configuration (including authentication details).
SecurityIotInterface.config - IoT related configurations.
The configuration files contain the default configuration. Authentication configuration is populated during agent
installation and changes to the configuration file are made when the agent is restarted.
highPriorityQueueSizePercentage (Possible values: 0 < number < 1)
  Details: The portion of the total cache dedicated to high-priority messages.
logLevel (Possible values: "Off", "Fatal", "Error", "Warning", "Information", "Debug")
  Details: Log messages with a severity equal to or above this level are written to the debug console (Syslog on Linux).
fileLogLevel (Possible values: "Off", "Fatal", "Error", "Warning", "Information", "Debug")
  Details: Log messages with a severity equal to or above this level are written to the log file (Syslog on Linux).
General.config example
Authentication.config
Authentication.config example
SecurityIotInterface.config
SecurityIotInterface.config example
  <ExternalInterface>
    <add key="facadeType" value="Microsoft.Azure.Security.IoT.Agent.Common.SecurityIoTHubInterface, Security.Common" />
    <add key="transportType" value="Amqp"/>
  </ExternalInterface>
Next steps
Read the Azure Security Center for IoT service Overview
Learn more about Azure Security Center for IoT Architecture
Enable the Azure Security Center for IoT service
Read the Azure Security Center for IoT service FAQ
Learn how to access raw security data
Understand recommendations
Understand security alerts
Deploy a security module on your IoT Edge device
4/14/2020
The Azure Security Center for IoT module provides a comprehensive security solution for your IoT Edge devices.
The security module collects, aggregates, and analyzes raw security data from your operating system and
container system into actionable security recommendations and alerts. To learn more, see Security module for IoT
Edge.
In this article, you'll learn how to deploy a security module on your IoT Edge device.
Complete each step to complete your IoT Edge deployment for Azure Security Center for IoT.
Step 1: Modules
1. Select the AzureSecurityCenterforIoT module.
2. On the Module Settings tab, change the name to azureiotsecurity .
3. On the Environment Variables tab, add a variable if needed (for example, debug level).
4. On the Container Create Options tab, add the following configuration:
   {
     "NetworkingConfig": {
       "EndpointsConfig": {
         "host": {}
       }
     },
     "HostConfig": {
       "Privileged": true,
       "NetworkMode": "host",
       "PidMode": "host",
       "Binds": [
         "/:/host"
       ]
     }
   }
"ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration"
6. Select Update .
Step 2: Runtime settings
1. Select Runtime Settings .
2. Under Edge Hub , change the Image to mcr.microsoft.com/azureiotedge-hub:1.0.8.3 .
3. Verify Create Options is set to the following configuration:
   {
     "HostConfig": {
       "PortBindings": {
         "8883/tcp": [
           {
             "HostPort": "8883"
           }
         ],
         "443/tcp": [
           {
             "HostPort": "443"
           }
         ],
         "5671/tcp": [
           {
             "HostPort": "5671"
           }
         ]
       }
     }
   }
4. Select Save .
5. Select Next .
Step 3: Specify routes
1. On the Specify Routes tab, make sure you have a route (explicit or implicit) that will forward messages
from the azureiotsecurity module to $upstream according to the following examples. Only when the
route is in place, select Next .
Example routes:
2. Select Next .
Step 4: Review deployment
On the Review Deployment tab, review your deployment information, then select Create to complete the
deployment.
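The module in Step 1 runs privileged, in the host network and PID namespaces, with the host root filesystem bound at /host, so a wrong module name or a missing route silently leaves the device unmonitored while a misplaced create option hands out more than the module needs. The following added example, which is not code from the article or from the IoT Edge tooling, assembles the values from Steps 1 to 3 into a deployment manifest fragment and checks a manifest against them. The manifest is constructed; the route string `FROM /messages/modules/azureiotsecurity/* INTO $upstream` is an assumption standing in for the example routes the article refers to, and `check_deployment` is a hypothetical helper.

```python
import copy
import json
import re

ROUTE_RE = re.compile(r"^\s*FROM\s+(\S+)(?:\s+WHERE\s+.+?)?\s+INTO\s+(\S+)\s*$", re.IGNORECASE)
SECURITY_MODULE_OUTPUTS = "/messages/modules/azureiotsecurity/outputs/"
REQUIRED_EDGEHUB_PORTS = ("8883/tcp", "443/tcp", "5671/tcp")
EDGEHUB_IMAGE = "mcr.microsoft.com/azureiotedge-hub:1.0.8.3"  # the version Step 2 names

# Constructed manifest fragment holding only what Steps 1 to 3 touch. createOptions is a JSON
# document stored as a string, which is how deployment manifests carry it.
SAMPLE_MANIFEST = {"modulesContent": {
    "$edgeAgent": {"properties.desired": {
        "systemModules": {"edgeHub": {"settings": {
            "image": EDGEHUB_IMAGE,
            "createOptions": json.dumps({"HostConfig": {"PortBindings": {
                "8883/tcp": [{"HostPort": "8883"}],
                "443/tcp": [{"HostPort": "443"}],
                "5671/tcp": [{"HostPort": "5671"}]}}})}}},
        "modules": {"azureiotsecurity": {"settings": {
            "image": "mcr.microsoft.com/ascforiot/azureiotsecurity:1.0.2",
            "createOptions": json.dumps({
                "NetworkingConfig": {"EndpointsConfig": {"host": {}}},
                "HostConfig": {"Privileged": True, "NetworkMode": "host",
                               "PidMode": "host", "Binds": ["/:/host"]}})}}}}},
    "$edgeHub": {"properties.desired": {"routes": {
        "securityToHub": "FROM /messages/modules/azureiotsecurity/* INTO $upstream"}}}}}


def _create_options(settings: dict) -> dict:
    raw = settings.get("createOptions", "{}")
    return json.loads(raw) if isinstance(raw, str) else raw


def route_covers_security_module(route: str) -> bool:
    """True if the route carries the azureiotsecurity module's output to $upstream.

    Implicit routes such as "FROM /messages/* INTO $upstream" count; a WHERE clause is accepted
    as written, so review filtered routes by hand.
    """
    m = ROUTE_RE.match(route)
    if not m:
        return False
    source, sink = m.group(1), m.group(2)
    prefix = source[:-1] if source.endswith("*") else source
    return sink == "$upstream" and SECURITY_MODULE_OUTPUTS.startswith(prefix)


def check_deployment(manifest: dict) -> list:
    """Problems relative to Steps 1 to 3; an empty list means the manifest matches the article."""
    problems = []
    agent = manifest["modulesContent"]["$edgeAgent"]["properties.desired"]
    module = agent.get("modules", {}).get("azureiotsecurity")
    if module is None:
        return ["no module named exactly 'azureiotsecurity' (Step 1)"]
    opts = _create_options(module["settings"])
    host = opts.get("HostConfig", {})
    if host.get("Privileged") is not True:
        problems.append("azureiotsecurity needs HostConfig.Privileged=true (Step 1)")
    for key in ("NetworkMode", "PidMode"):
        if host.get(key) != "host":
            problems.append(f"azureiotsecurity HostConfig.{key} must be 'host' (Step 1)")
    if "/:/host" not in host.get("Binds", []):
        problems.append("azureiotsecurity must bind the host root filesystem as /:/host (Step 1)")
    if "host" not in opts.get("NetworkingConfig", {}).get("EndpointsConfig", {}):
        problems.append("azureiotsecurity NetworkingConfig.EndpointsConfig must contain 'host' (Step 1)")
    hub = agent["systemModules"]["edgeHub"]["settings"]
    if hub.get("image") != EDGEHUB_IMAGE:
        problems.append(f"edgeHub image is not {EDGEHUB_IMAGE} (Step 2)")
    bindings = _create_options(hub).get("HostConfig", {}).get("PortBindings", {})
    for port in REQUIRED_EDGEHUB_PORTS:
        if port.split("/")[0] not in [b.get("HostPort") for b in bindings.get(port, [])]:
            problems.append(f"edgeHub must publish {port} on the same host port (Step 2)")
    routes = manifest["modulesContent"]["$edgeHub"]["properties.desired"].get("routes", {})
    # schema 1.1 writes routes as {"route": "...", "priority": ...}; 1.0 writes plain strings
    texts = [r if isinstance(r, str) else r.get("route", "") for r in routes.values()]
    if not any(route_covers_security_module(t) for t in texts):
        problems.append("no route forwards azureiotsecurity messages to $upstream (Step 3)")
    return problems


def demo_findings() -> dict:
    """The constructed manifest, plus two deliberately broken copies of it."""
    unprivileged = copy.deepcopy(SAMPLE_MANIFEST)
    settings = unprivileged["modulesContent"]["$edgeAgent"]["properties.desired"]["modules"]["azureiotsecurity"]["settings"]
    opts = json.loads(settings["createOptions"])
    opts["HostConfig"]["Privileged"] = False
    settings["createOptions"] = json.dumps(opts)
    no_route = copy.deepcopy(SAMPLE_MANIFEST)
    no_route["modulesContent"]["$edgeHub"]["properties.desired"]["routes"] = {
        "telemetry": "FROM /messages/modules/tempSensor/* INTO $upstream"}
    return {"good": check_deployment(SAMPLE_MANIFEST),
            "unprivileged": check_deployment(unprivileged),
            "no_route": check_deployment(no_route)}


if __name__ == "__main__":
    for name, problems in demo_findings().items():
        print(name, problems or "ok")
```

Run the check against the manifest you are about to deploy (the JSON you can download from the Review Deployment tab) rather than against the portal form, since the form shows one module at a time and the route lives on a different tab from the create options.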
Diagnostic steps
If you encounter an issue, container logs are the best way to learn about the state of the security module on an
IoT Edge device. Use the commands and tools in this section to gather information.
Verify the required containers are installed and functioning as expected
1. Run the following command on your IoT Edge device:
sudo docker ps
Expect at least the following containers to be listed:
CONTAINER          IMAGE
azureiotsecurity   mcr.microsoft.com/ascforiot/azureiotsecurity:1.0.2
edgeHub            mcr.microsoft.com/azureiotedge-hub:1.0.8.3
edgeAgent          mcr.microsoft.com/azureiotedge-agent:1.0.1
If the minimum required containers are not present, check if your IoT Edge deployment manifest is aligned
with the recommended settings. For more information, see Deploy IoT Edge module.
Inspect the module logs for errors
1. Run the following command on your IoT Edge device:
sudo docker logs azureiotsecurity
2. For more verbose logs, add the following environment variable to the azureiotsecurity module
deployment: logLevel=Debug .
Next steps
To learn more about configuration options, continue to the how-to guide for module configuration.
Module configuration how-to guide
Tutorial: Configure security agents
4/14/2020
This article explains Azure Security Center for IoT security agents, and details how to change and configure
them.
Configure security agents
Change agent behavior by editing twin properties
Discover default configuration
Agents
Azure Security Center for IoT security agents collect data from IoT devices and perform security actions to
mitigate the detected vulnerabilities. Security agent configuration is controlled by a set of module twin
properties that you can customize. In general, updates to these properties are infrequent.
Azure Security Center for IoT's security agent twin configuration object is a JSON format object. The
configuration object is a set of controllable properties that you can define to control the behavior of the agent.
These configurations help you customize the agent for each scenario required. For example, automatically
excluding some events, or keeping power consumption to a minimal level are possible by configuring these
properties.
Use the Azure Security Center for IoT security agent configuration schema to make changes.
Configuration objects
Properties related to every Azure Security Center for IoT security agent are located in the agent configuration
object, within the desired properties section, of the azureiotsecurity module.
To modify the configuration, create and modify this object inside the azureiotsecurity module twin identity.
If the agent configuration object does not exist in the azureiotsecurity module twin, all security agent property
values are set to default.
  "desired": {
    "ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration": {
    }
  }
NOTE
The agent fires a configuration error alert if it cannot parse the desired configuration. Compare the reported and
desired sections to understand whether the alert still applies.
Editing a property
All custom properties must be set inside the agent configuration object within the azureiotsecurity module
twin. To use a default property value, remove the property from the configuration object.
Setting a property
1. In your IoT Hub, locate and select the device you wish to change.
2. Click on your device, and then on the azureiotsecurity module.
3. Click Module Identity Twin.
4. Edit the properties you wish to change in the security module.
For example, to configure connection events as high priority and collect high priority events every 7
minutes, use the following configuration.
"desired": {
    "ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration": {
        "highPriorityMessageFrequency": {
            "value": "PT7M"
        },
        "eventPriorityConnectionCreate": {
            "value": "High"
        }
    }
}
5. Click Save.
Using a default value
To use a default property value, remove the property from the configuration object.
Default properties
The following table contains the controllable properties of Azure Security Center for IoT security agents.
Default values are available in the agent configuration schema on GitHub.
Property | Required | Valid values | Default value | Description
highPriorityMessageFrequency | false | Duration in ISO 8601 format | PT7M | Max time interval before high-priority messages are sent.
lowPriorityMessageFrequency | false | Duration in ISO 8601 format | PT5H | Max time before low-priority messages are sent.
snapshotFrequency | false | Duration in ISO 8601 format | PT13H | Time interval for the creation of device status snapshots.
maxLocalCacheSizeInBytes | false | Larger than 8192 | 2560000 | Maximum storage (in bytes) allowed for the message cache of an agent, that is, the maximum amount of space allowed to store messages on the device before messages are sent.
eventPriority${EventName} | false | High, Low, Off | See the schema on GitHub | Priority of every agent-generated event.
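A small check to run over the module twin's desired object before you save it, added here as an example (it is not the agent's own parser); it encodes only the rules in the table above, and its regular expression is a simplified ISO 8601 duration pattern:

```python
"""Check an azureiotsecurity module twin 'desired' object against the property
rules in the table above (added example, not the agent's own parser)."""
import re

CONFIG_KEY = "ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration"
# Minimal ISO 8601 duration check: PT7M, PT5H, P1DT2H30M, ...
ISO8601_DURATION = re.compile(
    r"^P(?!$)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+(\.\d+)?S)?)?$")
DURATION_PROPS = {"highPriorityMessageFrequency",
                  "lowPriorityMessageFrequency", "snapshotFrequency"}
PRIORITIES = {"High", "Low", "Off"}


def validate_agent_config(desired):
    """Return a list of problems (empty means the twin is acceptable).
    No configuration object at all is valid: every property keeps its default."""
    problems = []
    config = desired.get(CONFIG_KEY)
    if config is None:
        return problems
    if not isinstance(config, dict):
        return [f"{CONFIG_KEY} must be a JSON object"]
    for name, entry in config.items():
        # Every property is written as {"value": ...} inside the twin
        if not isinstance(entry, dict) or "value" not in entry:
            problems.append(f"{name}: expected an object with a 'value' field")
            continue
        value = entry["value"]
        if name in DURATION_PROPS:
            if not isinstance(value, str) or not ISO8601_DURATION.match(value):
                problems.append(f"{name}: {value!r} is not an ISO 8601 duration")
        elif name == "maxLocalCacheSizeInBytes":
            # Table: an integer larger than 8192 bytes
            if isinstance(value, bool) or not isinstance(value, int) or value <= 8192:
                problems.append(f"{name}: {value!r} must be an integer larger than 8192")
        elif name.startswith("eventPriority") and len(name) > len("eventPriority"):
            if value not in PRIORITIES:
                problems.append(f"{name}: {value!r} must be High, Low or Off")
        else:
            # Not in the table above; the agent has no rule for it
            problems.append(f"{name}: unknown agent configuration property")
    return problems
```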
Next steps
Understand Azure Security Center for IoT recommendations
Explore Azure Security Center for IoT alerts
Access raw security data
Send security messages SDK
8/6/2020 • 4 minutes to read
This how-to guide explains the Azure Security Center for IoT service capabilities when you choose to collect and
send your device security messages without using an Azure Security Center for IoT agent, and explains how to do
so.
In this guide, you learn how to:
Send security messages using the Azure IoT C SDK
Send security messages using the Azure IoT C# SDK
Send security messages using the Azure IoT Python SDK
Send security messages using the Azure IoT Node.js SDK
Send security messages using the Azure IoT Java SDK
Security message
Azure Security Center for IoT defines a security message using the following criteria:
If the message was sent with an Azure IoT SDK
If the message conforms to the security message schema
If the message was set as a security message prior to sending
Each security message includes the metadata of the sender, such as AgentId, AgentVersion, MessageSchemaVersion,
and a list of security events. The schema defines the valid and required properties of the security message, including
the types of events.
NOTE
Messages sent that do not comply with the schema are ignored. Verify your messages against the schema before you start
sending data, because ignored messages are not currently stored.
NOTE
Messages sent that were not set as a security message using the Azure IoT SDK will not be routed to the Azure Security
Center for IoT pipeline.
Once set as a security message and sent, this message will be processed by Azure Security Center for IoT.
{
    "AgentVersion": "0.0.1",
    "AgentId": "e89dc5f5-feac-4c3e-87e2-93c16f010c25",
    "MessageSchemaVersion": "1.0",
    "Events": [
        {
            "EventType": "Security",
            "Category": "Triggered",
            "Name": "ProcessCreate",
            "IsEmpty": false,
            "PayloadSchemaVersion": "1.0",
            "Id": "21a2db0b-44fe-42e9-9cff-bbb2d8fdf874",
            "TimestampLocal": "2019-01-27 15:48:52Z",
            "TimestampUTC": "2019-01-27 13:48:52Z",
            "Payload": [
                {
                    "Executable": "/usr/bin/myApp",
                    "ProcessId": 11750,
                    "ParentProcessId": 1593,
                    "UserName": "aUser",
                    "CommandLine": "myApp -a -b"
                }
            ]
        }
    ]
}
C API
#include <stdbool.h>
#include "iothub_device_client.h"
#include "iothub_message.h"
// Send confirmation callback: the send result is reported here, not by SendSecurityMessage
void sendCallback(IOTHUB_CLIENT_CONFIRMATION_RESULT result, void* userContextCallback) {
    if (result != IOTHUB_CLIENT_CONFIRMATION_OK) {
        //error handling
    }
}

// Build a message, mark it as a security message, and queue it for sending
bool SendSecurityMessage(IOTHUB_DEVICE_CLIENT_HANDLE iotHubClientHandle, const char* message) {
    bool success = true;
    IOTHUB_MESSAGE_HANDLE messageHandle = IoTHubMessage_CreateFromString(message);
    if (messageHandle == NULL) {
        success = false;
        goto cleanup;
    }
    // Without this flag IoT Hub does not route the message to Azure Security Center for IoT
    if (IoTHubMessage_SetAsSecurityMessage(messageHandle) != IOTHUB_MESSAGE_OK) {
        success = false;
        goto cleanup;
    }
    // The SDK clones the message, so the handle is destroyed below in every case
    if (IoTHubDeviceClient_SendEventAsync(iotHubClientHandle, messageHandle, sendCallback, NULL) != IOTHUB_CLIENT_OK) {
        success = false;
        goto cleanup;
    }
cleanup:
    if (messageHandle != NULL) {
        IoTHubMessage_Destroy(messageHandle);
    }
    return success;
}
C# API
Node.js API
var Protocol = require('azure-iot-device-mqtt').Mqtt;
var Client = require('azure-iot-device').Client;
var Message = require('azure-iot-device').Message;
// connectionString (device connection string) and sendInterval are assumed to be defined by the caller
function SendSecurityMessage(messageContent)
{
    var client = Client.fromConnectionString(connectionString, Protocol);
    var connectCallback = function (err) {
        if (err) {
            console.log('Could not connect: ' + err.message);
            return;
        }
        client.on('disconnect', function () {
            clearInterval(sendInterval);
            client.removeAllListeners();
            client.open(connectCallback);
        });
        var message = new Message(messageContent);
        message.setAsSecurityMessage();   // required, otherwise the hub does not route it to Azure Security Center for IoT
        client.sendEvent(message, function (err) {
            if (err) console.log('Send error: ' + err.toString());
        });
    };
    client.open(connectCallback);
}
Python API
To use the Python API, you need to install the package azure-iot-device.
When using the Python API, you can either send the security message through the module or through the device,
using the unique device or module connection string. When using the following Python script example with a
device, use IoTHubDeviceClient, and with a module, use IoTHubModuleClient.
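Putting the security message schema shown above together with the Python API described here, as an added example rather than the SDK's own sample: the builders and the check run without the SDK installed, while send_security_message assumes the azure-iot-device package and its Message.set_as_security_message() call; AgentId and AgentVersion are placeholders.

```python
"""Build and check a security message of the form shown above, then mark it as a
security message before sending (added example, not the SDK's sample).
Assumption: Message.set_as_security_message() from azure-iot-device."""
import json
import uuid
from datetime import datetime, timezone

AGENT_VERSION = "0.0.1"                               # placeholder agent version
AGENT_ID = "00000000-0000-0000-0000-000000000000"     # placeholder agent id
REQUIRED_TOP = ("AgentVersion", "AgentId", "MessageSchemaVersion", "Events")
REQUIRED_EVENT = ("EventType", "Category", "Name", "IsEmpty",
                  "PayloadSchemaVersion", "Id", "TimestampLocal",
                  "TimestampUTC", "Payload")


def process_create_event(executable, pid, ppid, user, cmdline, now=None):
    """One ProcessCreate event with the payload fields used in the sample above."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%d %H:%M:%SZ")  # local and UTC stamps kept equal here
    return {"EventType": "Security", "Category": "Triggered",
            "Name": "ProcessCreate", "IsEmpty": False,
            "PayloadSchemaVersion": "1.0", "Id": str(uuid.uuid4()),
            "TimestampLocal": stamp, "TimestampUTC": stamp,
            "Payload": [{"Executable": executable, "ProcessId": pid,
                         "ParentProcessId": ppid, "UserName": user,
                         "CommandLine": cmdline}]}


def build_security_message(events):
    """Wrap events in the sender metadata the schema requires."""
    return {"AgentVersion": AGENT_VERSION, "AgentId": AGENT_ID,
            "MessageSchemaVersion": "1.0", "Events": list(events)}


def check_security_message(message):
    """Return the names of missing required fields. A non-compliant message is
    ignored by the service and not stored, so check before sending."""
    missing = [k for k in REQUIRED_TOP if k not in message]
    for i, event in enumerate(message.get("Events", [])):
        missing += [f"Events[{i}].{k}" for k in REQUIRED_EVENT if k not in event]
    return missing


def send_security_message(client, message):
    """client is an IoTHubDeviceClient or IoTHubModuleClient. The SDK import is
    deferred so the builders above also work where the SDK is not installed."""
    from azure.iot.device import Message  # pip install azure-iot-device
    msg = Message(json.dumps(message))
    msg.set_as_security_message()  # without this the hub does not route it to ASC for IoT
    client.send_message(msg)
```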
Java API
Next steps
Read the Azure Security Center for IoT service Overview
Learn more about Azure Security Center for IoT Architecture
Enable the service
Read the FAQ
Learn how to access raw security data
Understand recommendations
Understand alerts
Access your security data
4/14/2020 • 3 minutes to read
Azure Security Center for IoT stores security alerts, recommendations, and raw security data (if you choose to
save it) in your Log Analytics workspace.
Log Analytics
To configure which Log Analytics workspace is used:
1. Open your IoT hub.
2. Click the Overview blade under the Security section.
3. Click Settings, and change your Log Analytics workspace configuration.
To access your alerts and recommendations in your Log Analytics workspace after configuration:
1. Choose an alert or recommendation in Azure Security Center for IoT.
2. Click Further investigation, then click To see which devices have this alert click here and view the
DeviceId column.
For details on querying data from Log Analytics, see Get started with queries in Log Analytics.
Security alerts
Security alerts are stored in the AzureSecurityOfThings.SecurityAlert table in the Log Analytics workspace
configured for the Azure Security Center for IoT solution.
We've provided a number of useful queries to help you get started exploring security alerts.
Sample records
Select a few random records
TimeGenerated | IoTHubId | DeviceId | AlertSeverity | DisplayName | Description | ExtendedProperties
2018-11-18T18:10:29.000 | /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | High | Brute force attack succeeded | A Brute force attack on the device was Successful | { "Full Source Address": "["10.165.12.18:"]", "User Names": "[""]", "DeviceId": "IoT-Device-Linux" }
Device summary
Get the number of distinct security alerts detected in the last week, grouped by IoT Hub, device, alert severity,
alert type.
// Get the number of distinct security alerts detected in the last week, grouped by
// IoT hub, device, alert severity, alert type
//
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize Cnt=dcount(SystemAlertId) by
IoTHubId=ResourceId,
DeviceId=tostring(parse_json(ExtendedProperties)["DeviceId"]),
AlertSeverity,
DisplayName
IoTHubId | DeviceId | AlertSeverity | DisplayName | Count
// Select number of distinct devices which had alerts in the last week, by
// IoT hub, alert severity, alert type
//
SecurityAlert
| where TimeGenerated > ago(7d)
| extend DeviceId=tostring(parse_json(ExtendedProperties)["DeviceId"])
| summarize CntDevices=dcount(DeviceId) by
IoTHubId=ResourceId,
AlertSeverity,
DisplayName
Security recommendations
Security recommendations are stored in the AzureSecurityOfThings.SecurityRecommendation table in the Log
Analytics workspace configured for the Azure Security Center for IoT solution.
We've provided a number of useful queries to help you get started exploring security recommendations.
Sample records
Select a few random records
TimeGenerated | IoTHubId | DeviceId | RecommendationSeverity | RecommendationState | RecommendationDisplayName | Description | RecommendationAdditionalData
Device summary
Get the number of distinct active security recommendations, grouped by IoT Hub, device, recommendation
severity, and type.
Next steps
Read the Azure Security Center for IoT Overview
Learn about Azure Security Center for IoT Architecture
Understand and explore Azure Security Center for IoT alerts
Understand and explore Azure Security Center for IoT recommendation
Investigate a suspicious IoT device
4/14/2020 • 3 minutes to read
Azure Security Center for IoT service alerts provide clear indications when IoT devices are suspected of
involvement in suspicious activities or when indications exist that a device is compromised.
In this guide, use the investigation suggestions provided to help determine the potential risks to your
organization, decide how to remediate, and discover the best ways to prevent similar attacks in the future.
Find your device data
Investigate using KQL queries
IMPORTANT
The Azure Security Center for IoT data connector in Azure Sentinel is currently in public preview. This feature is provided
without a service level agreement, and it's not recommended for production workloads. Certain features might not be
supported or might have constrained capabilities. For more information, see Supplemental Terms of Use for Microsoft Azure
Previews.
In this guide, learn how to connect your Azure Security Center for IoT data to Azure Sentinel.
Prerequisites
Connection settings
Log Analytics alert view
Connect alerts from Azure Security Center for IoT and stream them directly into Azure Sentinel.
Prerequisites
You must have Workspace read and write permissions.
Azure Security Center for IoT must be enabled on your relevant IoT Hub(s).
You must have both read and write permissions on the Azure IoT Hub you wish to connect.
You must also have read and write permissions on the Azure IoT Hub resource group.
NOTE
You must have the Azure Security Center Standard tier licensing running on your subscription to send general Azure resource
alerts. With the free tier licensing required for Azure Security Center for IoT, only Azure Security Center for IoT related alerts
will be forwarded to Azure Sentinel.
Service notes
After connecting an IoT Hub, the hub data is available in Azure Sentinel approximately 15 minutes later.
Next steps
In this document, you learned how to connect Azure Security Center for IoT to Azure Sentinel. To learn more about
threat detection and security data access, see the following articles:
Learn how to use Azure Sentinel to get visibility into your data, and potential threats.
Learn how to Access your IoT security data
Customize your Azure Security Center for IoT solution
4/14/2020 • 2 minutes to read
In this guide, learn how to customize different settings in Azure Security Center for IoT.
Configure solution recommendations
Change settings
Change settings
Manage your Azure Security Center for IoT settings from the security Overview blade of your IoT Hub (top left
corner, under Settings). To configure your Azure Security Center for IoT settings, do the following:
1. Open your IoT Hub in the Azure portal.
2. From the left menu under Security, select and open Overview.
3. Under Settings, select the solution setting you'd like to change.
4. Remember to always click Save at the top of any setting screen to save your setting changes.
Next steps
Azure Security Center for IoT service Overview
Learn how to Access your security data
Learn more about Investigating a device
Azure Security Center for IoT frequently asked questions
5/3/2020 • 6 minutes to read
This article provides a list of frequently asked questions and answers about Azure Security Center for IoT.
How does Azure Security Center for IoT compare to the competition?
While other solutions provide a set of capabilities that allow customers to create their own solutions, Azure
Security Center for IoT provides a unique end-to-end IoT security solution that provides a wide view across the
security of all of your related Azure resources. Azure enables fast deployment and full integration with IoT Hub
module twins for easy integration with existing device management tools.
What does the Azure Security Center for IoT agent do?
The Azure Security Center for IoT agent provides device-level threat coverage for device configuration, behavior, and
access (by scanning the configuration), processes, and connectivity. The Azure Security Center for IoT security agent
does not scan business-related data or activity.
Where can I get the Azure Security Center for IoT security agent?
The Azure Security Center for IoT security agent is open source and available on GitHub in 32-bit and 64-bit
Windows and Linux versions: https://github.com/Azure/Azure-IoT-Security.
Where does the Azure Security Center for IoT agent get installed?
Detailed installation and agent deployment information can be found in GitHub:
https://github.com/Azure/Azure-IoT-Security.
Can the agent affect the performance of the device or other installed
software?
The agent consumes machine resources as any other application/process and should not disrupt normal device
activity. Resource consumption on the device the agent runs on is coupled with its setup and configuration. We
recommend testing your agent configuration in a contained environment, along with interoperability with your
other IoT applications and functionality, before attempting to deploy in a production environment.
I'm performing maintenance on the device. Can I turn off the agent?
The agent cannot be turned off.
Next steps
To learn more about how to get started with Azure Security Center for IoT, see the following articles:
Read the Azure Security Center for IoT overview
Verify the Service prerequisites
Learn more about how to Get started
Understand Azure Security Center for IoT security alerts