Defender for IoT Hub security alerts
Defender for IoT continuously analyzes your IoT solution using advanced analytics and threat intelligence to alert you to malicious activity. In addition, you can create custom alerts based on your knowledge of expected device behavior. An alert acts as an indicator of potential compromise, and should be investigated and remediated.
In this article, you will find a list of built-in alerts, which can be triggered on your IoT Hub. In addition to built-in alerts, Defender for IoT allows you to define custom alerts based on expected IoT Hub and/or device behavior. For more information, see customizable alerts.
Built-in alerts for IoT Hub
Medium severity
| Name | Severity | Data Source | Description | Suggested remediation | AlertType |
|---|---|---|---|---|---|
| New certificate added to an IoT Hub | Medium | IoT Hub | A certificate was added to an IoT Hub. If this action was made by an unauthorized party, it may indicate malicious activity. | 1. Make sure the certificate was added by an authorized party. 2. If it was not added by an authorized party, remove the certificate and escalate the alert to the organizational security team. |
IoT_CertificateSuccessfullyAddedToHub |
| Certificate deleted from an IoT Hub | Medium | IoT Hub | A certificate was deleted from an IoT Hub. If this action was made by an unauthorized party, it may indicate a malicious activity. | 1. Make sure the certificate was removed by an authorized party. 2. If the certificate was not removed by an authorized party, add the certificate back, and escalate the alert to the organizational security team. |
IoT_CertificateSuccessfullyDeletedFromHub |
| Unsuccessful attempt detected to add a certificate to an IoT Hub | Medium | IoT Hub | There was an unsuccessful attempt to add a certificate to an IoT Hub. If this action was made by an unauthorized party, it may indicate malicious activity. | Make sure permissions to change certificates are only granted to authorized parties. | Hub_CertificateFailedToBeAddedToHub |
| Unsuccessful attempt detected to delete a certificate from an IoT Hub | Medium | IoT Hub | There was an unsuccessful attempt to delete a certificate from an IoT Hub. If this action was made by an unauthorized party, it may indicate malicious activity. | Make sure permissions to change certificates are only granted to an authorized party. | IoT.Hub_CertificateFailedToBeDeletedFromHub |
| x.509 device certificate thumbprint mismatch | Medium | IoT Hub | x.509 device certificate thumbprint did not match configuration. | Review alerts on the devices. No further action required. | IoT_Cert_Print_Mismatch |
| x.509 certificate expired | Medium | IoT Hub | X.509 device certificate has expired. | This could be a legitimate device with an expired certificate or an attempt to impersonate a legitimate device. If the legitimate device is currently communicating correctly this is likely an impersonation attempt. | IoT_Cert_Expired |
Low severity
| Name | Severity | Data Source | Description | Suggested remediation | AlertType |
|---|---|---|---|---|---|
| Attempt to add or edit a diagnostic setting of an IoT Hub detected | Low | IoT Hub | Attempt to add or edit the diagnostic settings of an IoT Hub has been detected. Diagnostic settings enable you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. If this action was not made by an authorized party, it may indicate malicious activity. | 1. Make sure the certificate was removed by an authorized party. 2. If the certificate was not removed by an authorized party, add the certificate back and escalate the alert to your information security team. |
IoT_DiagnosticSettingAddedOrEditedOnHub |
| Attempt to delete a diagnostic setting from an IoT Hub detected | Low | IoT Hub | Attempt to add or edit the diagnostic settings of an IoT Hub has been detected. Diagnostic settings enable you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. If this action was not made by an authorized party, it may indicate malicious activity. | Make sure permissions to change diagnostics settings are granted only to an authorized party. | IoT_DiagnosticSettingDeletedFromHub |
| Expired SAS Token | Low | IoT Hub | Expired SAS token used by a device | May be a legitimate device with an expired token, or an attempt to impersonate a legitimate device. If the legitimate device is currently communicating correctly, this is likely an impersonation attempt. | IoT_Expired_SAS_Token |
| Invalid SAS token signature | Low | IoT Hub | A SAS token used by a device has an invalid signature. The signature does not match either the primary or secondary key. | Review the alerts on the devices. No further action required. | IoT_Invalid_SAS_Token |
Next steps
- Defender for IoT service Overview