Investigate OS baseline (based on CIS benchmark) recommendation

Je li ova stranica od pomoći?

Imate dodatne povratne informacije?

Povratne informacije će biti poslane kompaniji Microsoft: pritiskom na dugme za slanje, vaše povratne informacije će se koristiti za unapređivanje proizvoda i usluga kompanije Microsoft. Pravila privatnosti.

Perform basic and advanced investigations based on OS baseline recommendations.

Note

The Microsoft Defender for IoT legacy experience under IoT Hub has been replaced by our new Defender for IoT standalone experience, in the Defender for IoT area of the Azure portal. The legacy experience under IoT Hub will not be supported after March 31, 2023.

Basic OS baseline security recommendation investigation

You can investigate OS baseline recommendations by navigating to Defender for IoT in the Azure portal. For more information, see how to Investigate security recommendations.

Advanced OS baseline security recommendation investigation

This section describes how to better understand the OS baseline test results, and querying events in Azure Log Analytics.

The advanced OS baseline security recommendation investigation is only supported by using log analytics. Connect Defender for IoT to a Log Analytics workspace before continuing. For more information on advanced OS baseline security recommendations, see how to Configure Microsoft Defender for IoT agent-based solution.

To query your IoT security events in Log Analytics for alerts:

1. Navigate to the Alerts page.

2. Select Investigate recommendations in Log Analytics workspace.

To query your IoT security events in Log Analytics for recommendations:

1. Navigate to the Recommendations page.

2. Select Investigate recommendations in Log Analytics workspace.

3. Select Show Operation system (OS) baseline rules details from the Recommendation details quick view page to see the details of a specific device.

   

To query your IoT security events in Log Analytics workspace directly:

1. Navigate to the Logs page.

   

2. Select Investigate the alerts or, select the Investigate the alerts in Log Analytics option from any security recommendation, or alert.

Useful queries to investigate the OS baseline resources

Note

Make sure to Replace <device-id> with the name(s) you gave your device in each of the following queries.

Retrieve the latest information

• Device fleet failure: Run the following query to retrieve the latest information about checks that failed across the device fleet:

  let lastDates = SecurityIoTRawEvent |
  where RawEventName == "Baseline" |
  summarize TimeStamp=max(TimeStamp) by DeviceId;
  lastDates | join kind=inner (SecurityIoTRawEvent) on TimeStamp, DeviceId |
  extend event = parse_json(EventDetails) |
  where event.BaselineCheckResult == "FAIL" |
  project DeviceId, event.BaselineCheckId, event.BaselineCheckDescription
  

• Specific device failure - Run the following query to retrieve the latest information about checks that failed on a specific device:

  let id = SecurityIoTRawEvent | 
  extend IoTRawEventId = extractjson("$.EventId", EventDetails, typeof(string)) |
  where TimeGenerated <= now() |
  where RawEventName == "Baseline" |
  where DeviceId == "<device-id>" |
  summarize arg_max(TimeGenerated, IoTRawEventId) |
  project IoTRawEventId;
  SecurityIoTRawEvent |
  extend IoTRawEventId = extractjson("$.EventId", EventDetails, typeof(string)), extraDetails = todynamic(EventDetails) |
  where IoTRawEventId == toscalar(id) |
  where extraDetails.BaselineCheckResult == "FAIL" |
  project DeviceId, CceId = extraDetails.BaselineCheckId, Description = extraDetails.BaselineCheckDescription
  

• Specific device error - Run this query to retrieve the latest information about checks that have an error on a specific device:

  let id = SecurityIoTRawEvent |
  extend IoTRawEventId = extractjson("$.EventId", EventDetails, typeof(string)) |
  where TimeGenerated <= now() |
  where RawEventName == "Baseline" |
  where DeviceId == "<device-id>" |
  summarize arg_max(TimeGenerated, IoTRawEventId) |
  project IoTRawEventId;
  SecurityIoTRawEvent |
  extend IoTRawEventId = extractjson("$.EventId", EventDetails, typeof(string)), extraDetails = todynamic(EventDetails) |
  where IoTRawEventId == toscalar(id) |
  where extraDetails.BaselineCheckResult == "ERROR" |
  project DeviceId, CceId = extraDetails.BaselineCheckId, Description = extraDetails.BaselineCheckDescription
  

• Update device list for device fleet that failed a specific check - Run this query to retrieve updated list of devices (across the device fleet) that failed a specific check: 

  let lastDates = SecurityIoTRawEvent |
  where RawEventName == "Baseline" |
  summarize TimeStamp=max(TimeStamp) by DeviceId;
  lastDates | join kind=inner (SecurityIoTRawEvent) on TimeStamp, DeviceId |
  extend event = parse_json(EventDetails) |
  where event.BaselineCheckResult == "FAIL" |
  where event.BaselineCheckId contains "6.2.8" |
  project DeviceId;
  

Next steps

Investigate security recommendations.