Tutorial: Investigate security alerts

This tutorial shows you how to investigate and remediate the alerts that Defender for IoT issues for your IoT Hub. Remediating alerts promptly is the most direct way to keep your IoT solution protected and compliant.

In this tutorial you'll learn how to:

  • Investigate security alerts
  • Investigate security alert details
  • Investigate alerts in Log Analytics workspace

Note

The Microsoft Defender for IoT legacy experience under IoT Hub has been replaced by our new Defender for IoT standalone experience, in the Defender for IoT area of the Azure portal. The legacy experience under IoT Hub will not be supported after March 31, 2023.

Prerequisites

Investigate security alerts

The Defender for IoT security alert list displays all of the aggregated security alerts for your IoT Hub.

To investigate security alerts:

  1. Sign in to the Azure portal.

  2. Navigate to IoT Hub > Your hub > Defender for IoT > Security Alerts.

  3. Select an alert from the list to open the alert's details.

Investigate security alert details

Opening an aggregated alert displays the detailed alert description, the recommended remediation steps, and the device ID of each device that triggered the alert during the aggregation period. The alert severity is shown there as well, and the alert can be investigated directly in Log Analytics.

To investigate security alert details:

  1. Sign in to the Azure portal.

  2. Navigate to IoT Hub > Your hub > Defender for IoT > Security Alerts.

  3. Select any security alert from the list to open it.

  4. Review the alert description, severity, source of the detection, and the device details for every device that issued this alert in the aggregation period.

    Screenshot that shows the details of each device in an aggregated alert.

  5. After reviewing the alert specifics, follow the manual remediation steps listed in the alert to resolve the issue that caused it.

    Screenshot that shows the manual remediation steps for a device security alert.

Investigate alerts in Log Analytics workspace

You can also access your alerts and investigate them in a Log Analytics workspace. Querying the workspace lets you correlate alerts across devices and over a longer time range than the portal alert list shows.

To access your alerts in your Log Analytics workspace after configuration:

  1. Sign in to the Azure portal.

  2. Navigate to IoT Hub > Your hub > Defender for IoT > Security Alerts.

  3. Select an alert.

  4. Select Investigate alerts in Log Analytics workspace.

    Screenshot that shows where to select to investigate in the log analytics workspace.
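Once you are in the workspace, a query is the fastest way to triage the exported alerts. The following KQL query is an added example, not a query from the original tutorial or from the Defender for IoT documentation. It assumes that the hub's alerts are exported to the standard SecurityAlert table, that the legacy IoT provider populates ProductName with "Azure Security Center for IoT", and that the device ID is carried in the ExtendedProperties JSON under a DeviceId key; check those values against one of your own alert rows before relying on the filters.

```kql
// Added example: triage Defender for IoT alerts exported to Log Analytics.
// Assumptions (verify against your own data): alerts land in SecurityAlert,
// ProductName is "Azure Security Center for IoT" for the legacy IoT Hub
// experience, and ExtendedProperties carries a DeviceId field.
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProductName == "Azure Security Center for IoT"
// ExtendedProperties is stored as a JSON string; parse it once so the
// per-device fields become queryable columns.
| extend Props = parse_json(ExtendedProperties)
| extend DeviceId = tostring(Props.DeviceId)
// Collapse repeated firings of the same alert into one row per alert type,
// keeping the set of affected devices and the first/last time it was seen.
| summarize
    Occurrences = count(),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated),
    Devices     = make_set(DeviceId, 50)
  by AlertName, AlertSeverity, Description, RemediationSteps
// AlertSeverity is text, so rank it explicitly instead of sorting alphabetically.
| extend SeverityRank = case(
    AlertSeverity == "High", 1,
    AlertSeverity == "Medium", 2,
    AlertSeverity == "Low", 3,
    4)
| order by SeverityRank asc, Occurrences desc, LastSeen desc
| project AlertName, AlertSeverity, Occurrences, FirstSeen, LastSeen, Devices, RemediationSteps
```

Start with the High rows and the largest Devices sets: an alert that fires on many devices at once usually points at a fleet-wide misconfiguration rather than a single compromised device. To drill into one device, replace the summarize stage with `| where DeviceId == "<device-id>"` and keep the raw rows so you can read each occurrence's Description and ExtendedProperties in full.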

Next steps