MicrosoftDocs
diff --git a/‎articles/defender-for-iot/device-builders/concept-event-aggregation.md
Lines changed: 14 additions & 7 deletions b/‎articles/defender-for-iot/device-builders/concept-event-aggregation.md
Lines changed: 14 additions & 7 deletions
diff --git a/‎articles/defender-for-iot/device-builders/concept-micro-agent-configuration.md
Lines changed: 1 addition & 7 deletions b/‎articles/defender-for-iot/device-builders/concept-micro-agent-configuration.md
Lines changed: 1 addition & 7 deletions
diff --git a/‎articles/defender-for-iot/device-builders/how-to-investigate-cis-benchmark.md
Lines changed: 16 additions & 20 deletions b/‎articles/defender-for-iot/device-builders/how-to-investigate-cis-benchmark.md
Lines changed: 16 additions & 20 deletions
diff --git a/‎articles/defender-for-iot/device-builders/media/how-to-investigate-cis-benchmark/log-analytics.png
538 KB b/‎articles/defender-for-iot/device-builders/media/how-to-investigate-cis-benchmark/log-analytics.png
538 KB
diff --git a/‎articles/defender-for-iot/device-builders/overview.md
Lines changed: 2 additions & 2 deletions b/‎articles/defender-for-iot/device-builders/overview.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/defender-for-iot/device-builders/release-notes.md
Lines changed: 21 additions & 7 deletions b/‎articles/defender-for-iot/device-builders/release-notes.md
Lines changed: 21 additions & 7 deletions
@@ -1,13 +1,17 @@
 ---
 title: Micro agent event collection (Preview)
 description: Defender for IoT security agents collects data and system events from your local device, and sends the data to the Azure cloud for processing, and analytics.
-ms.date: 11/09/2021
+ms.date: 04/26/2022
 ms.topic: conceptual
 ---
 
 # Micro agent event collection (Preview)
 
-Defender for IoT security agents collects data, and system events from your local device, and sends the data to the Azure cloud for processing, and analytics. The Defender for IoT micro agent collects many types of device events including new processes, and all new connection events. Both the new process, and new connection events may occur frequently on a device. This capability is important for comprehensive security, however, the number of messages the security agents send may quickly meet, or exceed your IoT Hub quota, and cost limits. These messages, and events contain highly valuable security information that is crucial to protecting your device.
+Defender for IoT security agents collects data, and system events from your local device, and sends the data to the Azure cloud for processing.
+
+If you've configured and connected a Log Analytics workspace, you'll see these events in Log Analytics. For more information, see [Tutorial: Investigate security alerts](tutorial-investigate-security-alerts.md).
+
+The Defender for IoT micro agent collects many types of device events including new processes, and all new connection events. Both the new process, and new connection events may occur frequently on a device. This capability is important for comprehensive security, however, the number of messages the security agents send may quickly meet, or exceed your IoT Hub quota, and cost limits. These messages, and events contain highly valuable security information that is crucial to protecting your device.
 
 To reduce the number of messages, and costs while maintaining your device's security, Defender for IoT agents aggregate the following types of events:
 
@@ -78,7 +82,7 @@ The Login collector, collects user sign-ins, sign-outs, and failed sign-in attem
 
 The Login collector supports the following types of collection methods:
 
-- **Syslog**. If syslog is running on the device, the Login collector collects SSH sign-in events via the syslog file named **auth.log**.
+- **UTMP and SYSLOG**. UTMP catches SSH interactive events, telnet events, and terminal logins, as well as all failed login events from SSH, telnet, and terminal. If SYSLOG is enabled on the device, the Login collector also collects SSH sign-in events via the SYSLOG file named **auth.log**.
 
 - **Pluggable Authentication Modules (PAM)**. Collects SSH, telnet, and local sign-in events. For more information, see [Configure Pluggable Authentication Modules (PAM) to audit sign-in events](configure-pam-to-audit-sign-in-events.md).
 
@@ -91,9 +95,10 @@ The following data is collected:
 | **user_name** | The Linux user. |
 | **executable** | The terminal device. For example, `tty1..6` or `pts/n`. |
 | **remote_address** | The source of connection, either a remote IP address in IPv6 or IPv4 format, or `127.0.0.1/0.0.0.0` to indicate local connection. |
+| **Login_UsePAM** | Boolean: <br>- **True**: Only the PAM Login collector is used <br>- **False**: The UTMP Login collector is used, with SYSLOG if SYSLOG is enabled |
 
 
-## System information (trigger based collector))
+## System information (trigger based collector)
 
 The data collected for each event is:
 
@@ -118,7 +123,7 @@ The **nics** properties are composed of the following;
 
 ## Baseline (trigger based)
 
-The baseline collector performs CIS checks periodically. Only the failed results are sent to the cloud. The cloud aggregates the results, and provides recommendations.
+The baseline collector performs periodic CIS checks, and *failed*, *pass*, and *skip* check results are sent to the Defender for IoT cloud service. Defender for IoT aggregates the results and provides recommendations based on any failures.
 
 ### Data collection
 
@@ -127,7 +132,7 @@ The data collected for each event is:
 | Parameter | Description|
 |--|--|
 | **Check ID** | In CIS format. For example, `CIS-debian-9-Filesystem-1.1.2`. |
-| **Check result** | Can be `Error`, or `Fail`. For example, `Error` in a situation where the check can’t run. |
+| **Check result** | Can be `Fail`, `Pass`, `Skip`, or `Error`. For example, `Error` in a situation where the check can’t run. |
 | **Error** | The error's information, and description. |
 | **Description** | The description of the check from CIS. |
 | **Remediation** | The recommendation for remediation from CIS. |
@@ -144,9 +149,11 @@ The data collected on each package includes:
 |**Name**     |   The package name      |
 |**Version**     |  The package version       |
 |**Vendor**     |    The package's vendor, which is the **Maintainer** field in deb packages     |
-|     |         |
 
 
+> [!NOTE]
+> The SBoM collector currently only collects the first 500 packages ingested.
+
 ## Next steps
 
 Check your [Defender for IoT security alerts](concept-security-alerts.md).
@@ -1,7 +1,7 @@
 ---
 title: Micro agent configurations (Preview)
 description: The collector sends all current data immediately after any configuration change is made. The changes are then applied.
-ms.date: 12/22/2021
+ms.date: 05/03/2022
 ms.topic: conceptual
 ---
 
@@ -24,7 +24,6 @@ Default values are as follows:
 | **Low** | 1440 (24 hours) |
 | **Medium** | 120 (2 hours) |
 | **High** | 30 (.5 hours) |
-| | |
 
 To reduce the number of messages sent to cloud, each priority should be set as a multiple of the one below it. For example, High: 60 minutes, Medium: 120 minutes, Low: 480 minutes.
 
@@ -42,7 +41,6 @@ For example:
 |--|--|--|--|
 | **Baseline_GroupsDisabled** | A list of Baseline group names, separated by a comma. <br><br>For example: `Time Synchronization, Network Parameters Host` | Defines the full list of Baseline group names that should be disabled. | Null |
 | **Baseline_ChecksDisabled** |A list of Baseline check IDs, separated by a comma. <br><br>For example: `3.3.5,2.2.1.1` | Defines the full list of Baseline check IDs that should be disabled. | Null |
-| | | | |
 
 
 ## Event-based collector configurations
@@ -55,14 +53,12 @@ These configurations include process, and network activity collectors.
 | **Aggregation mode** | `True` <br>`False` | Determines whether to process event aggregation for an identical event.  | `True` |
 | **Cache size** | cycle FIFO | Defines the number of events collected in between the times that data is sent. | `256` |
 | **Disable collector** | `True` <br> `False` | Determines whether or not the collector is operational. | `False` |
-| | | | |
 
 ## IoT Hub Module-specific settings
 
 | Setting Name | Setting options | Description | Default |
 |--|--|--|--|
 | **IothubModule_MessageTimeout** | Positive integer, including limits | Defines the number of minutes to retain messages in the outbound queue to the IoT Hub, after which point the messages are dropped. | `2880` (=2 days) |
-| | | | |
 ## Network activity collector-specific settings
 
 | Setting Name | Setting options | Description | Default |
@@ -77,7 +73,6 @@ These configurations include process, and network activity collectors.
 |--|--|--|--|
 | **Process_Mode** | `1` = Auto <br>`2` = Netlink <br>`3`= Polling | Determines the process collector mode. In `Auto` mode, the agent first tries to enable the Netlink mode. <br><br>If that fails, it will automatically fall back / switch to the Polling mode.| `1` |
 |**Process_PollingInterval** |Integer |Defines the polling interval in microseconds. This value is used when the **Process_Mode** is in `Polling` mode. | `100000` (=0.1 second) |
-| | | | |
 
 ## Trigger-based collector configurations
 
@@ -87,7 +82,6 @@ These configurations include system information, and baseline collectors.
 |--|--|--|--|
 | **Interval** | `High` <br>`Medium`<br>`Low`  | The frequency in which data is sent. | `Low` |
 | **Disable collector** | `True` <br> `False` | Whether or not the collector is operational. | `False` |
-| | | | |
 
 
 ## Next steps
 
@@ -1,7 +1,7 @@
 ---
 title: Investigate CIS benchmark recommendation
 description: Perform basic and advanced investigations based on OS baseline recommendations.
-ms.date: 11/09/2021
+ms.date: 05/03/2022
 ms.topic: how-to
 ---
 
@@ -12,39 +12,35 @@ Perform basic and advanced investigations based on OS baseline recommendations.
 > [!NOTE]
 > The Microsoft Defender for IoT legacy experience under IoT Hub has been replaced by our new Defender for IoT standalone experience, in the Defender for IoT area of the Azure portal. The legacy experience under IoT Hub will not be supported after **March 31, 2023**.
 
-## Basic OS baseline security recommendation investigation  
+## Basic OS baseline security recommendation investigation
 
 You can investigate OS baseline recommendations by navigating to [Defender for IoT in the Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started). For more information, see how to [Investigate security recommendations](quickstart-investigate-security-recommendations.md).
 
-## Advanced OS baseline security recommendation investigation  
+## Advanced OS baseline security recommendation investigation
 
-This section describes how to better understand the OS baseline test results, and querying events in Azure Log Analytics.  
+This section describes how to better understand the OS baseline test results, and querying events in Azure Log Analytics.
 
-The advanced OS baseline security recommendation investigation is only supported by using log analytics. Connect Defender for IoT to a Log Analytics workspace before continuing. For more information on advanced OS baseline security recommendations, see how to [Configure Microsoft Defender for IoT agent-based solution](how-to-configure-agent-based-solution.md).
+**Prerequisites**:
 
-To query your IoT security events in Log Analytics for alerts:
+The advanced OS baseline security recommendation investigation is only supported by using Azure Log Analytics and you must connect Defender for IoT to a Log Analytics workspace before continuing.
 
-1. Navigate to the **Alerts** page.
+For more information, see [Configure Microsoft Defender for IoT agent-based solution](tutorial-configure-agent-based-solution.md).
 
-1. Select **Investigate recommendations in Log Analytics workspace**.
+**To query your IoT security events in Log Analytics for alerts**:
 
-To query your IoT security events in Log Analytics for recommendations:
+1. In your Log Analytics workspace, go to **Logs** > **AzureSecurityOfThings** > **SecurityAlert**.
 
-1. Navigate to the **Recommendations** page.
+1. In the query editor on the right, enter a KQL query to display the alerts you want to see. 
 
-1. Select **Investigate recommendations in Log Analytics workspace**.
+1. Select **Run** to display the alerts that match your query.
 
-1. Select **Show Operation system (OS) baseline rules details** from the **Recommendation details** quick view page to see the details of a specific device.
+For example:
 
-   :::image type="content" source="media/how-to-investigate-cis-benchmark/recommendation-details.png" alt-text="See the details of a specific device.":::
+:::image type="content" source="media/how-to-investigate-cis-benchmark/log-analytics.png" alt-text="Screenshot of the Log Analytics workspace with a Defender for I o T alert query." lightbox="media/how-to-investigate-cis-benchmark/log-analytics.png":::
 
-To query your IoT security events in Log Analytics workspace directly:
-
-1. Navigate to the **Logs** page.
-
-    :::image type="content" source="media/how-to-investigate-cis-benchmark/logs.png" alt-text="Select logs from the left side pane.":::
-
-1. Select **Investigate the alerts** or, select the **Investigate the alerts in Log Analytics** option from any security recommendation, or alert.
+> [!NOTE]
+> In addition to alerts, you can also use this same procedure to query for recommendations or raw event data.
+>
 
 ## Useful queries to investigate the OS baseline resources
 
 
@@ -34,8 +34,8 @@ The Defender for IoT micro agent enables you to quickly improve your organizatio
 The Defender for IoT micro agent provides deep security protection, and visibility into device behavior.
 
 - The micro agent collects, aggregates, and analyzes raw security events from your devices. Events can include IP connections, process creation, user logons, and other security-relevant information.
-- Defender for IoT device agents handles event aggregation, to help avoid high network throughput.
-- The micro agent has flexible deployment options. The micro agent includes source code, so you can incorporate it into firmware, or customize it to include only what you need. It's also available as a binary package, or integrated directly into other Azure IoT solutions. The micro agent is available for standard IoT operating systems, such as Linux and Azure RTOS.  
+- Defender for IoT device agents handle event aggregation, to help avoid high network throughput.
+- The micro agent has flexible deployment options. The micro agent includes source code, so you can incorporate it into firmware, or customize it to include only what you need. It's also available as a binary package, or integrated directly into other Azure IoT solutions. The micro agent is available for standard IoT operating systems, such as Linux and Azure RTOS.
 - The agents are highly customizable, allowing you to use them for specific tasks, such as sending only important information at the fastest SLA, or for aggregating extensive security information and context into larger segments, avoiding higher service costs.
 
 
 
@@ -2,7 +2,7 @@
 title: What's new in Microsoft Defender for IoT for device builders
 description: Learn about the latest updates for Defender for IoT device builders.
 ms.topic: conceptual
-ms.date: 02/20/2022
+ms.date: 04/26/2022
 ---
 
 # What's new
@@ -13,9 +13,23 @@ This article lists new features and feature enhancements in Microsoft Defender f
 
 Noted features are in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 
-## Versioning and support
+For more information, see [Upgrade the Microsoft Defender for IoT micro agent](upgrade-micro-agent.md).
 
-Listed below are the support, breaking change policies for Defender for IoT, and the versions of Defender for IoT that are currently available.
+## July 2022
+
+**Version 4.2.4**
+
+- **Proxy connection updates**: Now you can connect your micro-agent to an IoT Hub via a proxy. For more information, see [Connect via a proxy](tutorial-standalone-agent-binary-installation.md#connect-via-a-proxy).
+
+- **Support for TPM-backed certificates**: Now you can use OpenSSL certificates backed by TPM. For more information, see [Authenticate using a certificate](tutorial-standalone-agent-binary-installation.md#authenticate-using-a-certificate).
+
+- **AMQP support**: Now you can add AMQP support after installing your micro-agent. For more information, see [Add AMQP protocol support](tutorial-standalone-agent-binary-installation.md#add-amqp-protocol-support).
+
+- **Baseline collector updates**: The baseline collector now sends *pass* and *skip* checks to the cloud in addition to *failed* results. For more information, see [Micro agent event collection](concept-event-aggregation.md#baseline-trigger-based).
+
+- **Login collector via UTMP**: The login collector now supports UTMP to catch SSH interactive events, telnet events, and terminal logins, including failed login events. For more information, see [Login collector (event-based collector)](concept-event-aggregation.md#login-collector-event-based-collector).
+
+- **SBoM collector known issue**: The SBoM collector currently only collects the first 500 packages ingested. For more information, see [SBoM (trigger based)](concept-event-aggregation.md#sbom-trigger-based) collection.
 
 ## February 2022
 
@@ -41,8 +55,7 @@ Listed below are the support, breaking change policies for Defender for IoT, and
 
     For more information, see [Network Connection events (event-based collector)](concept-event-aggregation.md#network-connection-events-event-based-collector).
 
-- **Login Collector**: Now supporting login collector using: SYSLOG collecting SSH login events and PAM collecting SSH, telnet and local login events using the pluggable authentication modules stack. For more information, see [Micro agent event collection (Preview)](concept-event-aggregation.md).
-
+- **Login Collector**: Now supporting login collector using: SYSLOG collecting SSH login events and PAM collecting SSH, telnet and local login events using the pluggable authentication modules stack. For more information, see [Login collector (event-based collector)](concept-event-aggregation.md#login-collector-event-based-collector).
 
 ## November 2021
 
@@ -66,7 +79,7 @@ Listed below are the support, breaking change policies for Defender for IoT, and
 
 - **[Login collector](concept-event-aggregation.md#login-collector-event-based-collector)** - The login collectors gather user logins, logouts, and failed login attempts. Such as SSH & telnet.
 
-- **[System information collector](concept-event-aggregation.md#system-information-trigger-based-collector)** - The system information collector gatherers information related to the device’s operating system and hardware details.
+- **[System information collector](concept-event-aggregation.md#system-information-trigger-based-collector)** - The system information collector gathers information related to the device’s operating system and hardware details.
 
 - **[Event aggregation](concept-event-aggregation.md#how-does-event-aggregation-work)** - The Defender for IoT agent aggregates events such as process, login, network events that reduce the number of messages sent and costs, all while maintaining your device's security.  
 
@@ -94,4 +107,5 @@ This feature set is available with the current public preview cloud release.
 
 ## Next steps
 
-[Onboard to Defender for IoT](quickstart-onboard-iot-hub.md)
+- [Onboard to Defender for IoT](quickstart-onboard-iot-hub.md)
+- [Upgrade the Microsoft Defender for IoT micro agent](upgrade-micro-agent.md)