Microsoft Defender for IoT baseline and custom checks
This article explains the Defender for IoT baseline and summarizes the properties associated with baseline custom checks.
Baseline
A baseline establishes standard behavior for each device and makes it easier to identify unusual behavior or deviation from expected norms.
Baseline custom checks
Baseline custom checks establish a custom list of checks for each device baseline using the Module identity twin of the device.
Setting baseline properties
1. In your IoT Hub, locate and select the device you wish to change.
2. Click on the device, and then click the azureiotsecurity module.
3. Click Module Identity Twin.
4. Upload the baseline custom checks file to the device.
5. Add baseline properties to the Defender-IoT-micro-agent and click Save.
Baseline custom check file example
To configure baseline custom checks:
```json
"desired": {
  "ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration": {
    "baselineCustomChecksEnabled": {
      "value": true
    },
    "baselineCustomChecksFilePath": {
      "value": "/home/user/full_path.xml"
    },
    "baselineCustomChecksFileHash": {
      "value": "#hashexample!"
    }
  }
},
```
Baseline custom check properties
| Name | Status | Valid values | Default values | Description |
|---|---|---|---|---|
| baselineCustomChecksEnabled | Required: true | Boolean | false | Max time interval before high priority messages are sent. |
| baselineCustomChecksFilePath | Required: true | String, null | null | Full path of the baseline XML configuration file. |
| baselineCustomChecksFileHash | Required: true | String, null | null | sha256sum of the XML configuration file. Use the sha256sum reference for additional information. |
To review additional baseline examples, see custom baseline example -1 and custom baseline example -2.
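A consistency check to run before saving the twin, as an added example that is not part of the original article or of the agent's own code: it computes the SHA-256 of the local copy of the checks file, builds the three properties shown above, and reports any mismatch between a twin fragment and the file. The function names, the lowercase-hex hash format (as `sha256sum` prints it) and the reading of "full path" as an absolute POSIX path are assumptions.

```python
import hashlib
import json
import os
import tempfile

# Twin section name and property names as they appear in the example on this page.
SECTION = "ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration"

def sha256_of_file(path):
    """Hex SHA-256 of a file, streamed; the same digest `sha256sum <file>` prints."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_desired(local_copy, device_path):
    """Build the "desired" fragment for a checks file stored at device_path."""
    return {"desired": {SECTION: {
        "baselineCustomChecksEnabled": {"value": True},
        "baselineCustomChecksFilePath": {"value": device_path},
        "baselineCustomChecksFileHash": {"value": sha256_of_file(local_copy)},
    }}}

def validate(twin, local_copy):
    """Return a list of problems; an empty list means fragment and file agree."""
    problems = []
    section = twin.get("desired", {}).get(SECTION, {})
    values = {k: v.get("value") for k, v in section.items() if isinstance(v, dict)}
    if values.get("baselineCustomChecksEnabled") is not True:
        problems.append("baselineCustomChecksEnabled is not true")
    path = values.get("baselineCustomChecksFilePath")
    # Assumption: "full path" means an absolute POSIX path on the device.
    if not isinstance(path, str) or not path.startswith("/"):
        problems.append("baselineCustomChecksFilePath is not a full path")
    # Assumption: the hash is stored as lowercase hex, as sha256sum prints it.
    if values.get("baselineCustomChecksFileHash") != sha256_of_file(local_copy):
        problems.append("baselineCustomChecksFileHash does not match the file")
    return problems

if __name__ == "__main__":
    # Constructed placeholder content, not a real baseline checks file.
    with tempfile.NamedTemporaryFile("wb", suffix=".xml", delete=False) as tmp:
        tmp.write(b"<!-- constructed placeholder -->\n")
    twin = build_desired(tmp.name, "/home/user/full_path.xml")
    print(json.dumps(twin, indent=2))
    print("problems:", validate(twin, tmp.name))
    os.unlink(tmp.name)
```

Re-run `validate` whenever the checks file is edited, since a changed file no longer matches the hash stored in the twin.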
Next steps
- Access your raw security data
- Investigate a device
- Understand and explore security recommendations
- Understand and explore security alerts