MicrosoftDocs
diff --git a/‎articles/asc-for-iot/TOC.yml
Lines changed: 2 additions & 0 deletions b/‎articles/asc-for-iot/TOC.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/asc-for-iot/concept-customizable-security-alerts.md
Lines changed: 61 additions & 0 deletions b/‎articles/asc-for-iot/concept-customizable-security-alerts.md
Lines changed: 61 additions & 0 deletions
diff --git a/‎articles/asc-for-iot/concept-security-alerts.md
Lines changed: 2 additions & 2 deletions b/‎articles/asc-for-iot/concept-security-alerts.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/asc-for-iot/overview.md
Lines changed: 1 addition & 1 deletion b/‎articles/asc-for-iot/overview.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/asc-for-iot/quickstart-create-custom-alerts.md
Lines changed: 2 additions & 25 deletions b/‎articles/asc-for-iot/quickstart-create-custom-alerts.md
Lines changed: 2 additions & 25 deletions
diff --git a/‎articles/iot-dps/about-iot-dps.md
Lines changed: 1 addition & 1 deletion b/‎articles/iot-dps/about-iot-dps.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/iot-hub/TOC.yml
Lines changed: 2 additions & 0 deletions b/‎articles/iot-hub/TOC.yml
Lines changed: 2 additions & 0 deletions
diff --git a/‎articles/load-balancer/load-balancer-custom-probe-overview.md
Lines changed: 1 addition & 1 deletion b/‎articles/load-balancer/load-balancer-custom-probe-overview.md
Lines changed: 1 addition & 1 deletion
@@ -37,6 +37,8 @@
     href: concept-security-module.md
   - name: Security alerts
     href: concept-security-alerts.md
+  - name: Customizable security alerts
+    href: concept-customizable-security-alerts.md
   - name: Security recommendations
     href: concept-recommendations.md
   - name: Baseline
 
@@ -0,0 +1,61 @@
+---
+title: Customizable security alert guide for Azure Security Center for IoT| Microsoft Docs
+description: Learn about customizable security alerts and recommended remediation using Azure Security Center for IoT features and service.
+services: asc-for-iot
+ms.service: asc-for-iot
+documentationcenter: na
+author: mlottner
+manager: rkarlin
+editor: ''
+
+ms.subservice: asc-for-iot
+ms.devlang: na
+ms.topic: conceptual
+ms.tgt_pltfrm: na
+ms.workload: na
+ms.date: 1/27/2020
+ms.author: mlottner
+
+---
+# Azure Security Center for IoT security alerts
+
+Azure Security Center for IoT continuously analyzes your IoT solution using advanced analytics and threat intelligence to alert you to malicious activity.
+
+We encourage you to create custom alerts based on your knowledge of expected device behavior to ensure alerts act as the most efficient indicators of potential compromise in your unique organizational deployment and landscape. 
+
+The following list of Azure Security Center for IoT alerts are definable by you based on your expected IoT Hub and/or device behavior. For more details about how to customize each alert, see [create custom alerts](quickstart-create-custom-alerts.md).
+
+## Azure Security Center for IoT alerts available for customization 
+
+
+
+| Severity | Alert name | Data source | Description | Suggested remediation|
+|---|---|---|---|---|
+| Low      | Custom alert - number of cloud to device messages in AMQP protocol is outside the allowed range          | IoT Hub     | Number of cloud to device messages (AMQP protocol) within a specific time window is outside the currently configured and allowable range.||
+| Low      | Custom alert - number of rejected cloud to device messages in AMQP protocol is outside the allowed range | IoT Hub     | Number of cloud to device messages (AMQP protocol) rejected by the device, within a specific time window is outside the currently configured and allowable range.||
+| Low      | Custom alert - number of device to cloud messages in AMQP protocol is outside the allowed range      | IoT Hub     | The amount of device to cloud messages (AMQP protocol) within a specific time window is outside the currently configured and allowable range.|   |
+| Low      | Custom alert - number of direct method invokes is outside the allowed range | IoT Hub     | The amount of direct method invokes within a specific time window is outside the currently configured and allowable range.||
+| Low      | Custom alert - number of file uploads is outside the allowed range | IoT Hub     | The amount of file uploads within a specific time window is outside the currently configured and allowable range.| |
+| Low      | Custom alert - number of cloud to device messages in HTTP protocol is outside the allowed range | IoT Hub     | The amount of cloud to device messages (HTTP protocol) in a time window is not in the configured allowed range                                  |
+| Low      | Custom alert - number of rejected cloud to device messages in HTTP protocol is not in the allowed range | IoT Hub     | The amount of cloud to device messages (HTTP protocol) within a specific time window is outside the currently configured and allowable range. |
+| Low      | Custom alert - number of device to cloud messages in HTTP protocol is outside the allowed range | IoT Hub| The amount of device to cloud messages (HTTP protocol)within a specific time window is outside the currently configured and allowable range.|    |
+| Low      | Custom alert - number of cloud to device messages in MQTT protocol is outside the allowed range | IoT Hub     | The amount of cloud to device messages (MQTT protocol) within a specific time window is outside the currently configured and allowable range.|   |
+| Low      | Custom alert - number of rejected cloud to device messages in MQTT protocol is outside the allowed range | IoT Hub     | The amount of cloud to device messages (MQTT protocol) rejected by the device within a specific time window is outside the currently configured and allowable range. |
+| Low      | Custom alert - number of device to cloud messages in MQTT protocol is outside the allowed range          | IoT Hub     | The amount of device to cloud messages (MQTT protocol) within a specific time window is outside the currently configured and allowable range.|
+| Low      | Custom alert - number of command queue purges is outside the allowed range                               | IoT Hub     | The amount of command queue purges within a specific time window is outside the currently configured and allowable range.||
+| Low      | Custom alert - number of module twin updates is outside the allowed range                                       | IoT Hub     | The amount of module twin updates within a specific time window is outside the currently configured and allowable range.|
+| Low      | Custom alert - number of unauthorized operations is outside the allowed range  | IoT Hub     | The amount of unauthorized operations within a specific time window is outside the currently configured and allowable range.|
+| Low      | Custom alert - number of active connections is outside the allowed range  | Agent       | Number of active connections within a specific time window is outside the currently configured and allowable range.|  Investigate the device logs. Learn where the connection originated and determine if it is benign or malicious. If malicious, remove possible malware and understand source. If benign, add the source to the allowed connection list.  |
+| Low      | Custom alert - outbound connection created to an IP that isn't allowed                             | Agent       | An outbound connection was created to an IP that is outside your allowed IP list. |Investigate the device logs. Learn where the connection originated and determine if it is benign or malicious. If malicious, remove possible malware and understand source. If benign, add the source to the allowed IP list.                        |
+| Low      | Custom alert - number of failed local logins is outside the allowed range                               | Agent       | The amount of failed local logins within a specific time window is outside the currently configured and allowable range. |   |
+| Low      | Custom alert - login of a user that is not on the allowed user list | Agent       | A local user outside your allowed user list, logged in to the device.|  If you are saving raw data, navigate to your log analytics account and use the data to investigate the device, identify the source and then fix the allow/block list for those settings. If you are not currently saving raw data, go to the device and fix the allow/block list for those settings.|
+| Low      | Custom alert - a process was executed that is not allowed | Agent       | A process that is not allowed was executed on the device. |If you are saving raw data, navigate to your log analytics account and use the data to investigate the device, identify the source and then fix the allow/block list for those settings. If you are not currently saving raw data, go to the device and fix the allow/block list for those settings.  |
+|
+
+
+## Next steps
+
+- Learn how to [customize an alert](quickstart-create-custom-alerts.md)
+- Azure Security Center for IoT service [Overview](overview.md)
+- Learn how to [Access your security data](how-to-security-data-access.md)
+- Learn more about [Investigating a device](how-to-investigate-device.md)
@@ -14,7 +14,7 @@ ms.devlang: na
 ms.topic: conceptual
 ms.tgt_pltfrm: na
 ms.workload: na
-ms.date: 10/16/2019
+ms.date: 1/27/2020
 ms.author: mlottner
 
 ---
@@ -26,7 +26,7 @@ An alert acts as an indicator of potential compromise, and should be investigate
 
 In this article, you will find a list of built-in alerts which can be triggered on your IoT Hub and/or IoT devices.
 In addition to built-in alerts, Azure Security Center for IoT allows you to define custom alerts based on expected IoT Hub and/or device behavior.
-For more details, see [Create custom alerts](quickstart-create-custom-alerts.md).
+For more details, see [customizable alerts](concept-customizable-security-alerts.md).
 
 ## Built-in alerts for IoT devices
 
 
@@ -1,6 +1,6 @@
 ---
 title: What is Azure Security Center for IoT | Microsoft Docs
-description: Learn more about Azure Security Center for IoT features and service, and understand how Azure Security Center for IoT provides comprehensive IoT security across all of your IoT assets.
+description: Learn more about Azure Security Center for IoT features and services, and understand how Azure Security Center for IoT provides comprehensive IoT security.
 services: asc-for-iot
 ms.service: asc-for-iot
 documentationcenter: na
 
@@ -15,7 +15,7 @@ ms.devlang: na
 ms.topic: quickstart
 ms.tgt_pltfrm: na
 ms.workload: na
-ms.date: 11/08/2019
+ms.date: 1/27/2020
 ms.author: mlottner
 
 ---
@@ -76,30 +76,7 @@ Use security groups to group your devices into logical categories. After creatin
 
 ## Alerts available for customization
 
-The following table provides a summary of alerts available for customization.
-
-
-| Severity | Name | Data Source | Description | Suggested remediation|
-|---|---|---|---|---|
-| Low      | Custom alert - number of cloud to device messages in AMQP protocol is outside the allowed range          | IoT Hub     | Number of cloud to device messages (AMQP protocol) within a specific time window is outside the currently configured and allowable range.||
-| Low      | Custom alert - number of rejected cloud to device messages in AMQP protocol is outside the allowed range | IoT Hub     | Number of cloud to device messages (AMQP protocol) rejected by the device, within a specific time window is outside the currently configured and allowable range.||
-| Low      | Custom alert - number of device to cloud messages in AMQP protocol is outside the allowed range      | IoT Hub     | The amount of device to cloud messages (AMQP protocol) within a specific time window is outside the currently configured and allowable range.|   |
-| Low      | Custom alert - number of direct method invokes is outside the allowed range | IoT Hub     | The amount of direct method invokes within a specific time window is outside the currently configured and allowable range.||
-| Low      | Custom alert - number of file uploads is outside the allowed range | IoT Hub     | The amount of file uploads within a specific time window is outside the currently configured and allowable range.| |
-| Low      | Custom alert - number of cloud to device messages in HTTP protocol is outside the allowed range | IoT Hub     | The amount of cloud to device messages (HTTP protocol) in a time window is not in the configured allowed range                                  |
-| Low      | Custom alert - number of rejected cloud to device messages in HTTP protocol is not in the allowed range | IoT Hub     | The amount of cloud to device messages (HTTP protocol) within a specific time window is outside the currently configured and allowable range. |
-| Low      | Custom alert - number of device to cloud messages in HTTP protocol is outside the allowed range | IoT Hub| The amount of device to cloud messages (HTTP protocol)within a specific time window is outside the currently configured and allowable range.|    |
-| Low      | Custom alert - number of cloud to device messages in MQTT protocol is outside the allowed range | IoT Hub     | The amount of cloud to device messages (MQTT protocol) within a specific time window is outside the currently configured and allowable range.|   |
-| Low      | Custom alert - number of rejected cloud to device messages in MQTT protocol is outside the allowed range | IoT Hub     | The amount of cloud to device messages (MQTT protocol) rejected by the device within a specific time window is outside the currently configured and allowable range. |
-| Low      | Custom alert - number of device to cloud messages in MQTT protocol is outside the allowed range          | IoT Hub     | The amount of device to cloud messages (MQTT protocol) within a specific time window is outside the currently configured and allowable range.|
-| Low      | Custom alert - number of command queue purges is outside the allowed range                               | IoT Hub     | The amount of command queue purges within a specific time window is outside the currently configured and allowable range.||
-| Low      | Custom alert - number of module twin updates is outside the allowed range                                       | IoT Hub     | The amount of module twin updates within a specific time window is outside the currently configured and allowable range.|
-| Low      | Custom alert - number of unauthorized operations is outside the allowed range  | IoT Hub     | The amount of unauthorized operations within a specific time window is outside the currently configured and allowable range.|
-| Low      | Custom alert - number of active connections is outside the allowed range  | Agent       | Number of active connections within a specific time window is outside the currently configured and allowable range.|  Investigate the device logs. Learn where the connection originated and determine if it is benign or malicious. If malicious, remove possible malware and understand source. If benign, add the source to the allowed connection list.  |
-| Low      | Custom alert - outbound connection created to an IP that isn't allowed                             | Agent       | An outbound connection was created to an IP that is outside your allowed IP list. |Investigate the device logs. Learn where the connection originated and determine if it is benign or malicious. If malicious, remove possible malware and understand source. If benign, add the source to the allowed IP list.                        |
-| Low      | Custom alert - number of failed local logins is outside the allowed range                               | Agent       | The amount of failed local logins within a specific time window is outside the currently configured and allowable range. |   |
-| Low      | Custom alert - login of a user that is not on the allowed user list | Agent       | A local user outside your allowed user list, logged in to the device.|  If you are saving raw data, navigate to your log analytics account and use the data to investigate the device, identify the source and then fix the allow/block list for those settings. If you are not currently saving raw data, go to the device and fix the allow/block list for those settings.|
-| Low      | Custom alert - a process was executed that is not allowed | Agent       | A process that is not allowed was executed on the device. |If you are saving raw data, navigate to your log analytics account and use the data to investigate the device, identify the source and then fix the allow/block list for those settings. If you are not currently saving raw data, go to the device and fix the allow/block list for those settings.  |
+Azure Security Center for IoT offers a large number of alerts which can be customized according to your specific needs. Review the [customizable alert table](concept-customizable-security-alerts.md) for alert severity, data source, description and our suggested remediation steps if and when each alert is received. 
 |
 
 
 
@@ -75,7 +75,7 @@ The Device Provisioning Service has many features, making it ideal for provision
 * **Enrollment list** containing the complete record of devices/groups of devices that may at some point register. The enrollment list contains information about the desired configuration of the device once it registers, and it can be updated at any time.
 * **Multiple allocation policies** to control how the Device Provisioning Service assigns devices to IoT hubs in support of your scenarios: Lowest latency, evenly weighted distribution (default), and static configuration via the enrollment list. Note that latency is determined using the same method as [Traffic Manager](https://docs.microsoft.com/azure/traffic-manager/traffic-manager-routing-methods#performance).
 * **Monitoring and diagnostics logging** to make sure everything is working properly.
-* **Multi-hub support** allows the Device Provisioning Service to assign devices to more than one IoT hub. The Device Provisioning Service can talk to hubs across multiple Azure subscriptions.
+* **Multi-hub support** allows the Device Provisioning Service to late-bind devices to an IoT hub at runtime. The Device Provisioning Service can talk to hubs across multiple Azure subscriptions.
 * **Cross-region support** allows the Device Provisioning Service to assign devices to IoT hubs in other regions.
 
 You can learn more about the concepts and features involved in device provisioning in [device concepts](concepts-device.md), [service concepts](concepts-service.md), and [security concepts](concepts-security.md).
 
@@ -378,6 +378,8 @@
   items:
     - name: Azure CLI
       href: /cli/azure/iot
+    - name: Azure PowerShell
+      href: /powershell/module/az.iothub#iot
     - name: .NET (Service)
       href: /dotnet/api/microsoft.azure.devices
     - name: .NET (Devices)
 
@@ -195,7 +195,7 @@ Load Balancer is a pass through service (does not terminate TCP connections) and
 
 UDP datagrams will be delivered to healthy backend endpoints.
 
-UDP is connectionless and there is no flow state tracked for UDP. If any backend endpoint's health probe fails, existing UDP flows may move to another healthy instance in the backend pool.
+UDP is connectionless and there is no flow state tracked for UDP. If any backend endpoint's health probe fails, existing UDP flows will move to another healthy instance in the backend pool.
 
 If all probes for all instances in a backend pool fail, existing UDP flows will terminate for Basic and Standard Load Balancers.