Examine the built-in security alerts

Microsoft Defender for IoT continuously analyzes your IoT solution using advanced analytics and threat intelligence to alert you to malicious activity. In addition to the built-in alerts, you can create custom alerts based on your knowledge of expected behaviors. An alert is an indicator of potential compromise and should be investigated and remediated.

The following built-in alerts can be triggered on your IoT Hub. The '%{...}' placeholders in the descriptions are filled in with the certificate, setting or hub name from the actual event.

Built-in alerts for IoT Hub

| Alert types | Description | Suggested remediation |
| --- | --- | --- |
| **Medium severity alerts** | | |
| New certificate added to an IoT Hub. | A certificate named '%{DescCertificateName}' was added to IoT Hub '%{DescIoTHubName}'. If this action was made by an unauthorized party, it may indicate malicious activity. | 1. Make sure the certificate was added by an authorized party. 2. If it was not added by an authorized party, remove the certificate and escalate the alert to the organizational security team. |
| Certificate deleted from an IoT Hub. | A certificate named '%{DescCertificateName}' was deleted from IoT Hub '%{DescIoTHubName}'. If this action was made by an unauthorized party, it may indicate malicious activity. | 1. Make sure the certificate was removed by an authorized party. 2. If the certificate was not removed by an authorized party, add the certificate back and escalate the alert to the organizational security team. |
| Unsuccessful attempt detected to add a certificate to an IoT Hub. | There was an unsuccessful attempt to add certificate '%{DescCertificateName}' to IoT Hub '%{DescIoTHubName}'. If this action was made by an unauthorized party, it may indicate malicious activity. | Make sure permissions to change certificates are only granted to authorized parties. |
| Unsuccessful attempt detected to delete a certificate from an IoT Hub. | There was an unsuccessful attempt to delete certificate '%{DescCertificateName}' from IoT Hub '%{DescIoTHubName}'. If this action was made by an unauthorized party, it may indicate malicious activity. | Make sure permissions to change certificates are only granted to authorized parties. |
| X.509 device certificate thumbprint mismatch. | The X.509 device certificate thumbprint did not match the configured thumbprint. | Review alerts on the devices. No further action required. |
| X.509 certificate expired. | The X.509 device certificate has expired. | This could be a legitimate device with an expired certificate or an attempt to impersonate a legitimate device. If the legitimate device is currently communicating correctly, this alert is likely an impersonation attempt. |
| **Low severity alerts** | | |
| Attempt to add or edit a diagnostic setting of an IoT Hub detected. | An attempt to add or edit the diagnostic settings of an IoT Hub has been detected. Diagnostic settings enable you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. If this action was not made by an authorized party, it may indicate malicious activity. | 1. Make sure the certificate was removed by an authorized party. 2. If the certificate was not removed by an authorized party, add the certificate back and escalate the alert to your information security team. |
| Attempt to delete a diagnostic setting from an IoT Hub detected. | There was '%{DescAttemptStatusMessage}' attempt to add or edit diagnostic setting '%{DescDiagnosticSettingName}' of IoT Hub '%{DescIoTHubName}'. Diagnostic settings enable you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. If this action was not made by an authorized party, it may indicate malicious activity. | Make sure permissions to change diagnostic settings are granted only to authorized parties. |
| Expired SAS token. | An expired SAS token was used by a device. | This may be a legitimate device with an expired token, or an attempt to impersonate a legitimate device. If the legitimate device is currently communicating correctly, this alert is likely an impersonation attempt. |
| Invalid SAS token signature. | A SAS token used by a device has an invalid signature. The signature does not match either the primary or secondary key. | Review the alerts on the devices. No further action required. |

Built-in custom alerts for IoT Hub

Microsoft Defender for IoT allows you to define custom alerts based on expected IoT Hub and/or device behavior.

| Severity | Custom alert | Description |
| --- | --- | --- |
| Low | Custom alert - The number of cloud-to-device messages in AMQP protocol is outside the allowed range. | The number of cloud-to-device messages (AMQP protocol) within a specific time window is outside the currently configured and allowable range. |
| Low | Custom alert - The number of rejected cloud-to-device messages in AMQP protocol is outside the allowed range. | The number of cloud-to-device messages (AMQP protocol) rejected by the device within a specific time window is outside the currently configured and allowable range. |
| Low | Custom alert - The number of device-to-cloud messages in AMQP protocol is outside the allowed range. | The number of device-to-cloud messages (AMQP protocol) within a specific time window is outside the currently configured and allowable range. |
| Low | Custom alert - The number of times that a direct method is invoked is outside the allowed range. | The number of times that a direct method is invoked within a specific time window is outside the currently configured and allowable range. |
| Low | Custom alert - The number of file uploads is outside the allowed range. | The number of file uploads within a specific time window is outside the currently configured and allowable range. |
| Low | Custom alert - The number of cloud-to-device messages in HTTP protocol is outside the allowed range. | The number of cloud-to-device messages (HTTP protocol) within a specific time window is outside the currently configured and allowable range. |
| Low | Custom alert - The number of rejected cloud-to-device messages in HTTP protocol is outside the allowed range. | The number of cloud-to-device messages (HTTP protocol) rejected by the device within a specific time window is outside the currently configured and allowable range. |
| Low | Custom alert - The number of device-to-cloud messages in HTTP protocol is outside the allowed range. | The number of device-to-cloud messages (HTTP protocol) within a specific time window is outside the currently configured and allowable range. |
| Low | Custom alert - The number of cloud-to-device messages in MQTT protocol is outside the allowed range. | The number of cloud-to-device messages (MQTT protocol) within a specific time window is outside the currently configured and allowable range. |
| Low | Custom alert - The number of rejected cloud-to-device messages in MQTT protocol is outside the allowed range. | The number of cloud-to-device messages (MQTT protocol) rejected by the device within a specific time window is outside the currently configured and allowable range. |
| Low | Custom alert - The number of device-to-cloud messages in MQTT protocol is outside the allowed range. | The number of device-to-cloud messages (MQTT protocol) within a specific time window is outside the currently configured and allowable range. |
| Low | Custom alert - The number of command-queue purges is outside the allowed range. | The number of command-queue purges within a specific time window is outside the currently configured and allowable range. |
| Low | Custom alert - The number of module twin updates is outside the allowed range. | The number of module twin updates within a specific time window is outside the currently configured and allowable range. |
| Low | Custom alert - The number of unauthorized operations is outside the allowed range. | The number of unauthorized operations within a specific time window is outside the currently configured and allowable range. |
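Every custom alert above is the same mechanism with different inputs: count one kind of operation (optionally per protocol) inside a time window and raise a Low severity alert when the count leaves the configured allowed range. The Python below is an added example that shows that mechanism end to end; it is not Defender for IoT's code or API. The event field names (`time`, `operation`, `protocol`, `device`), the rule names and the sample events are all constructed for this example. It uses tumbling windows aligned to the Unix epoch and inclusive bounds, and it visits empty windows between the first and last matching event so that a device that goes quiet (count below the minimum) is reported, not only a burst above the maximum.

```python
"""Threshold-per-time-window custom alert evaluation (added example, not Defender for IoT code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class CustomAlertRule:
    """One custom alert: allowed [min_count, max_count] of an operation per tumbling window."""
    name: str                 # rule name chosen for this example (assumption, not a product name)
    operation: str            # event kind this rule counts (assumed field value)
    protocol: Optional[str]   # restrict to one protocol, or None for any protocol
    window: timedelta         # length of the tumbling time window
    min_count: int            # inclusive lower bound of the allowed range
    max_count: int            # inclusive upper bound of the allowed range


def _ev(ts: str, operation: str, protocol: Optional[str] = None, device: str = "sensor-01") -> dict:
    return {"time": ts, "operation": operation, "protocol": protocol, "device": device}


# Constructed sample events; the field names are this example's own, not an IoT Hub schema.
SAMPLE_EVENTS = (
    [_ev(f"2024-01-01T00:00:{s:02d}Z", "device-to-cloud", "MQTT") for s in (5, 20, 40)]         # normal rate
    + [_ev(f"2024-01-01T00:01:{s:02d}Z", "device-to-cloud", "MQTT") for s in range(0, 60, 5)]  # burst: 12 messages
    + [_ev(f"2024-01-01T00:03:{s:02d}Z", "device-to-cloud", "MQTT") for s in (10, 40)]         # resumes after a silent minute
    + [_ev(ts, "direct-method") for ts in ("2024-01-01T00:02:10Z", "2024-01-01T00:02:30Z",
                                            "2024-01-01T00:03:00Z", "2024-01-01T00:04:00Z")]
    + [_ev("2024-01-01T00:03:30Z", "unauthorized-operation")]
)

# Constructed rules mirroring three of the custom alert kinds listed above.
RULES = [
    CustomAlertRule("d2c-mqtt-rate", "device-to-cloud", "MQTT", timedelta(minutes=1), 1, 10),
    CustomAlertRule("direct-method-rate", "direct-method", None, timedelta(minutes=5), 0, 2),
    CustomAlertRule("unauthorized-ops", "unauthorized-operation", None, timedelta(minutes=5), 0, 0),
]


def parse_time(ts: str) -> datetime:
    # Explicit format: fromisoformat() rejects the trailing 'Z' on Python < 3.11.
    return datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc)


def window_start(t: datetime, window: timedelta) -> datetime:
    """Floor t to the start of its tumbling window, aligned to the Unix epoch."""
    secs = int(window.total_seconds())
    epoch = int(t.timestamp())
    return datetime.fromtimestamp(epoch - epoch % secs, tz=timezone.utc)


def matches(rule: CustomAlertRule, event: dict) -> bool:
    if event["operation"] != rule.operation:
        return False
    return rule.protocol is None or event.get("protocol") == rule.protocol


def evaluate_rule(rule: CustomAlertRule, events: list) -> list:
    """One alert per window (between first and last matching event) whose count is out of range."""
    times = sorted(parse_time(e["time"]) for e in events if matches(rule, e))
    if not times:
        return []
    counts: dict = {}
    for t in times:
        ws = window_start(t, rule.window)
        counts[ws] = counts.get(ws, 0) + 1
    alerts = []
    ws, last = window_start(times[0], rule.window), window_start(times[-1], rule.window)
    while ws <= last:  # empty windows inside the span are visited, so drops below min_count surface
        n = counts.get(ws, 0)
        if n < rule.min_count or n > rule.max_count:
            alerts.append({
                "rule": rule.name,
                "severity": "Low",  # the page lists every custom alert as Low severity
                "window_start": ws.strftime(TIME_FMT),
                "count": n,
                "reason": "below minimum" if n < rule.min_count else "above maximum",
            })
        ws += rule.window
    return alerts


def evaluate(rules: list, events: list) -> list:
    return [a for r in rules for a in evaluate_rule(r, events)]


if __name__ == "__main__":
    for alert in evaluate(RULES, SAMPLE_EVENTS):
        print(alert)
```

Running it produces four alerts: the MQTT burst (12 messages in the 00:01 window), the silent 00:02 window (0 messages, below the minimum of 1), four direct-method invocations in a five-minute window allowed at most 2, and a single unauthorized operation against a rule that allows none. When tuning a real allowed range, this is the part worth checking: a range with a minimum of 0 never reports a device that stops talking, and a window aligned to the epoch can split one burst across two windows, so a burst just under the maximum in each half goes unreported.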