Tutorial: Investigate security recommendations

This tutorial shows you how to explore the information available in each IoT security recommendation, and how to use the details of each recommendation and its related devices to reduce risk.

Timely analysis and mitigation of the recommendations that Defender for IoT provides is the best way to improve your security posture and reduce the attack surface across your IoT solution.

In this tutorial you'll learn how to:

  • Investigate new recommendations
  • Investigate security recommendation details
  • Investigate recommendations in a Log Analytics workspace

Note

The Microsoft Defender for IoT legacy experience under IoT Hub has been replaced by our new Defender for IoT standalone experience, in the Defender for IoT area of the Azure portal. The legacy experience under IoT Hub will not be supported after March 31, 2023.

Prerequisites

Investigate recommendations

The IoT Hub recommendations list displays all of the aggregated security recommendations for your IoT Hub.

  1. Sign in to the Azure portal.

  2. Navigate to IoT Hub > Your hub > Defender for IoT > Recommendations.

  3. Select a recommendation from the list to open the recommendation's details.

Investigate security recommendation details

Open each aggregated recommendation to display the detailed recommendation description, remediation steps, and device ID for each device that triggered a recommendation. The details view also shows the recommendation severity and gives direct access to investigation using Log Analytics.

  1. Sign in to the Azure portal.

  2. Navigate to IoT Hub > Your hub > Defender for IoT > Recommendations.

  3. Review the recommendation description, severity, and device details of all devices that issued this recommendation in the aggregation period.

  4. After reviewing recommendation specifics, use the manual remediation step instructions to help remediate and resolve the issue that caused the recommendation.

    Screenshot: Remediate security recommendations with Defender for IoT.

  5. Explore the recommendation details for a specific device by selecting the desired device in the drill-down page.

    Screenshot: Investigate specific security recommendations for a device with Defender for IoT.

Investigate recommendations in a Log Analytics workspace

To access your recommendations in a Log Analytics workspace:

  1. Sign in to the Azure portal.

  2. Navigate to IoT Hub > Your hub > Defender for IoT > Recommendations.

  3. Select a recommendation from the list.

  4. Select Investigate recommendations in Log Analytics workspace.

    Screenshot showing how to view a recommendation in the Log Analytics workspace.

For more information on querying data from Log Analytics, see Get started with log queries in Azure Monitor.
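
Once the workspace is open, a triage query such as the following ranks recommendations by severity and by the number of devices affected. This is an added example, not part of the original tutorial. It assumes that the workspace exposes a SecurityRecommendation table with the columns TimeGenerated, DeviceId, RecommendationDisplayName, RecommendationSeverity and RecommendationState, and that severities are reported as High, Medium and Low; confirm the names and values against your workspace schema before relying on it.

```kusto
// Added example: table name, column names and severity values are assumptions.
SecurityRecommendation
| where TimeGenerated > ago(7d)
// Keep only the most recent record for each device and recommendation pair,
// so a device that reports the same finding repeatedly is counted once.
| summarize arg_max(TimeGenerated, *) by DeviceId, RecommendationDisplayName
// Map the severity string to a number so the results can be ordered by it.
| extend SeverityRank = case(
    RecommendationSeverity =~ "High", 3,
    RecommendationSeverity =~ "Medium", 2,
    RecommendationSeverity =~ "Low", 1,
    0)
// Count affected devices per recommendation, split by severity and state.
| summarize AffectedDevices = dcount(DeviceId),
            SampleDevices = make_set(DeviceId, 10),
            LastSeen = max(TimeGenerated)
    by RecommendationDisplayName, RecommendationSeverity, SeverityRank, RecommendationState
// Highest severity first, then the recommendations touching the most devices.
| sort by SeverityRank desc, AffectedDevices desc
| project-away SeverityRank
```

The SampleDevices column lists up to ten device IDs per recommendation, which you can use to pick a device for the drill-down described earlier.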

Clean up resources

There are no resources to clean up.
