articles/defender-for-iot/device-builders/concept-security-alerts.md
6 additions & 6 deletions
@@ -2,7 +2,7 @@
2
2
title: Built-in & custom alerts list
3
3
description: Learn about security alerts and recommended remediation using Defender for IoT Hub's features and service.
4
4
ms.topic: conceptual
5
-
ms.date: 10/18/2021
5
+
ms.date: 10/19/2021
6
6
---
7
7
8
8
# Defender for IoT Hub security alerts
@@ -21,10 +21,10 @@ For more information, see [customizable alerts](concept-customizable-security-al
21
21
22
22
| Name | Severity | Data Source | Description | Suggested remediation | AlertType |
23
23
|--|--|--|--|--|--|
24
-
| New certificate added to an IoT Hub | Medium | IoT Hub | A certificate named '%{DescCertificateName}' was added to IoT Hub '%{DescIoTHubName}'. If this action was made by an unauthorized party, it may indicate malicious activity. | 1. Make sure the certificate was added by an authorized party. <br> 2. If it was not added by an authorized party, remove the certificate and escalate the alert to the organizational security team. | IoT_CertificateSuccessfullyAddedToHub |
25
-
| Certificate deleted from an IoT Hub | Medium | IoT Hub | A certificate named '%{DescCertificateName}' was deleted from IoT Hub '%{DescIoTHubName}'. If this action was made by an unauthorized party, it may indicate a malicious activity. | 1. Make sure the certificate was removed by an authorized party. <br> 2. If the certificate was not removed by an authorized party, add the certificate back, and escalate the alert to the organizational security team. | IoT_CertificateSuccessfullyDeletedFromHub |
26
-
| Unsuccessful attempt detected to add a certificate to an IoT Hub | Medium | IoT Hub | There was an unsuccessful attempt to add certificate '%{DescCertificateName}' to IoT Hub '%{DescIoTHubName}'. If this action was made by an unauthorized party, it may indicate malicious activity. | Make sure permissions to change certificates are only granted to authorized parties. | Hub_CertificateFailedToBeAddedToHub |
27
-
| Unsuccessful attempt detected to delete a certificate from an IoT Hub | Medium | IoT Hub | There was an unsuccessful attempt to delete certificate '%{DescCertificateName}' from IoT Hub '%{DescIoTHubName}'. If this action was made by an unauthorized party, it may indicate malicious activity. | Make sure permissions to change certificates are only granted to an authorized party. | IoT.Hub_CertificateFailedToBeDeletedFromHub |
24
+
| New certificate added to an IoT Hub | Medium | IoT Hub | A certificate was added to an IoT Hub. If this action was made by an unauthorized party, it may indicate malicious activity. | 1. Make sure the certificate was added by an authorized party. <br> 2. If it was not added by an authorized party, remove the certificate and escalate the alert to the organizational security team. | IoT_CertificateSuccessfullyAddedToHub |
25
+
| Certificate deleted from an IoT Hub | Medium | IoT Hub | A certificate was deleted from an IoT Hub. If this action was made by an unauthorized party, it may indicate a malicious activity. | 1. Make sure the certificate was removed by an authorized party. <br> 2. If the certificate was not removed by an authorized party, add the certificate back, and escalate the alert to the organizational security team. | IoT_CertificateSuccessfullyDeletedFromHub |
26
+
| Unsuccessful attempt detected to add a certificate to an IoT Hub | Medium | IoT Hub | There was an unsuccessful attempt to add a certificate to an IoT Hub. If this action was made by an unauthorized party, it may indicate malicious activity. | Make sure permissions to change certificates are only granted to authorized parties. | Hub_CertificateFailedToBeAddedToHub |
27
+
| Unsuccessful attempt detected to delete a certificate from an IoT Hub | Medium | IoT Hub | There was an unsuccessful attempt to delete a certificate from an IoT Hub. If this action was made by an unauthorized party, it may indicate malicious activity. | Make sure permissions to change certificates are only granted to an authorized party. | IoT.Hub_CertificateFailedToBeDeletedFromHub |
28
28
| x.509 device certificate thumbprint mismatch | Medium | IoT Hub | x.509 device certificate thumbprint did not match configuration. | Review alerts on the devices. No further action required. | IoT_Cert_Print_Mismatch |
29
29
| x.509 certificate expired | Medium | IoT Hub | X.509 device certificate has expired. | This could be a legitimate device with an expired certificate or an attempt to impersonate a legitimate device. If the legitimate device is currently communicating correctly this is likely an impersonation attempt. | IoT_Cert_Expired |
30
30
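Review bot: The AlertType values on the added rows 26 and 27 are `Hub_CertificateFailedToBeAddedToHub` and `IoT.Hub_CertificateFailedToBeDeletedFromHub`, while rows 24 and 25 use the `IoT_` prefix. These rows are being rewritten anyway, so please confirm that the three different prefixes are the strings the service actually emits, because alert routing and detection rules match on this column verbatim. Two smaller points on the same rows: dropping `%{DescCertificateName}` and `%{DescIoTHubName}` is fine for documentation, but the description no longer tells the reader that the alert names the certificate and hub, which remediation step 1 depends on, so a short phrase saying the alert identifies both would help. Row 25 also still reads "a malicious activity" where the other rows read "malicious activity".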
@@ -33,7 +33,7 @@ For more information, see [customizable alerts](concept-customizable-security-al
33
33
| Name | Severity | Data Source | Description | Suggested remediation | AlertType |
34
34
|--|--|--|--|--|--|
35
35
| Attempt to add or edit a diagnostic setting of an IoT Hub detected | Low | IoT Hub | Attempt to add or edit the diagnostic settings of an IoT Hub has been detected. Diagnostic settings enable you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. If this action was not made by an authorized party, it may indicate malicious activity. | 1. Make sure the certificate was removed by an authorized party. <br> 2. If the certificate was not removed by an authorized party, add the certificate back and escalate the alert to your information security team. | IoT_DiagnosticSettingAddedOrEditedOnHub |
36
-
| Attempt to delete a diagnostic setting from an IoT Hub detected | Low | IoT Hub |There was %{DescAttemptStatusMessage}' attempt to add or edit diagnostic setting '%{DescDiagnosticSettingName}' of IoT Hub '%{DescIoTHubName}'. Diagnostic setting enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. If this action was not made by an authorized party, it may indicate a malicious activity. | Make sure permissions to change diagnostics settings are granted only to an authorized party. | IoT_DiagnosticSettingDeletedFromHub |
36
+
| Attempt to delete a diagnostic setting from an IoT Hub detected | Low | IoT Hub |Attempt to add or edit the diagnostic settings of an IoT Hub has been detected. Diagnostic settings enable you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. If this action was not made by an authorized party, it may indicate malicious activity. | Make sure permissions to change diagnostics settings are granted only to an authorized party. | IoT_DiagnosticSettingDeletedFromHub |
37
37
| Expired SAS Token | Low | IoT Hub | Expired SAS token used by a device | May be a legitimate device with an expired token, or an attempt to impersonate a legitimate device. If the legitimate device is currently communicating correctly, this is likely an impersonation attempt. | IoT_Expired_SAS_Token |
38
38
| Invalid SAS token signature | Low | IoT Hub | A SAS token used by a device has an invalid signature. The signature does not match either the primary or secondary key. | Review the alerts on the devices. No further action required. | IoT_Invalid_SAS_Token |
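Review bot: The added row 36 is the "Attempt to delete a diagnostic setting from an IoT Hub detected" alert, but its new description begins "Attempt to add or edit the diagnostic settings of an IoT Hub has been detected", which is the text of row 35 copied over. The removed line had the same add-or-edit wording, so this commit carries the mismatch forward rather than fixing it. Suggest changing the description to describe a deletion, for example "Attempt to delete a diagnostic setting of an IoT Hub has been detected." While in this table, the unchanged row 35 has a remediation that talks about a certificate being removed and added back, which does not fit a diagnostic-setting alert and looks like it was copied from the certificate table; it should be corrected in the same pass.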