Tutorial: Investigate security alerts
This tutorial helps you learn how to investigate and remediate the alerts issued by Defender for IoT. Remediating alerts is the best way to ensure compliance and protection across your IoT solution.
In this tutorial you'll learn how to:
- Investigate security alerts
- Investigate security alert details
- Investigate alerts in Log Analytics workspace
Note
Defender for IoT plans to retire the micro agent on August 1, 2025.
Prerequisites
An Azure account with an active subscription. Create an account for free.
An IoT hub.
You must have enabled Microsoft Defender for IoT on your Azure IoT Hub.
You must have added a resource group to your IoT solution.
You must have created a Defender for IoT micro agent module twin.
You must have installed the Defender for IoT micro agent.
You must have configured the Microsoft Defender for IoT agent-based solution.
You must have learned how to investigate security recommendations.
Investigate security alerts
The Defender for IoT security alert list displays all of the aggregated security alerts for your IoT Hub.
To investigate security alerts:
Sign in to the Azure portal.
Navigate to IoT Hub > Your hub > Defender for IoT > Security Alerts.
Select an alert from the list to open the alert's details.
Investigate security alert details
Opening an aggregated alert displays the detailed alert description, the remediation steps, and the device ID of each device that triggered the alert. The alert severity, and a direct investigation of the alert, are accessible using Log Analytics.
To investigate security alert details:
Sign in to the Azure portal.
Navigate to IoT Hub > Your hub > Defender for IoT > Security Alerts.
Select any security alert from the list to open it.
Review the alert description, severity, source of the detection, and device details of all devices that issued this alert in the aggregation period.
After reviewing the alert specifics, use the manual remediation step instructions to help remediate and resolve the issue that caused the alert.
Investigate alerts in your Log Analytics workspace
You can access your alerts and investigate them with the Log Analytics workspace.
To access your alerts in your Log Analytics workspace after configuration:
Sign in to the Azure portal.
Navigate to IoT Hub > Your hub > Defender for IoT > Security Alerts.
Select an alert.
Select Investigate alerts in Log Analytics workspace.
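Once the workspace opens, the same triage the portal steps above describe (severity, description, remediation steps, affected devices, aggregation period) can be done in one query. The following KQL is an added example, not part of the original tutorial; it assumes the alerts land in the standard SecurityAlert table, that the ProductName column identifies Defender for IoT alerts, and that the affected device ID surfaces in CompromisedEntity. Adjust those two assumptions to match your data.

```kusto
// Added example (not from the original tutorial): triage Defender for IoT
// alerts in the connected Log Analytics workspace for the last 7 days.
// Assumptions: alerts are in the SecurityAlert table, the ProductName
// column distinguishes the IoT alerts, and CompromisedEntity carries the
// device ID. Change the filter value and entity column to fit your workspace.
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProductName has "IoT"                 // assumption: product filter
// Rank severity explicitly; sorting the text column would put "High"
// before "Informational" only by accident of spelling.
| extend SeverityRank = case(AlertSeverity == "High",   1,
                             AlertSeverity == "Medium", 2,
                             AlertSeverity == "Low",    3,
                             4)
// One row per alert type: how often it fired, the aggregation window it
// covers, which devices raised it, and the remediation text to follow.
| summarize
    Occurrences = count(),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    Devices     = make_set(CompromisedEntity),   // assumption: device ID here
    take_any(Description, RemediationSteps)
    by AlertName, AlertSeverity, SeverityRank
| order by SeverityRank asc, Occurrences desc
| project-away SeverityRank
```

The FirstSeen/LastSeen pair shows the period an aggregated alert spans, and the Devices set lists every device that issued it, matching the details the portal shows for each aggregated alert.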