Toegang tot uw beveiligings gegevensAccess your security data

Azure Security Center voor IoT worden beveiligings waarschuwingen, aanbevelingen en onbewerkte beveiligings gegevens opgeslagen (als u ervoor kiest om deze op te slaan) in uw Log Analytics-werk ruimte.Azure Security Center for IoT stores security alerts, recommendations, and raw security data (if you choose to save it) in your Log Analytics workspace.

Log AnalyticsLog Analytics

Configureren welke Log Analytics-werk ruimte wordt gebruikt:To configure which Log Analytics workspace is used:

  1. Open uw IoT-hub.Open your IoT hub.
  2. Klik op de Blade overzicht onder het gedeelte beveiligingClick the Overview blade under the Security section
  3. Klik op instellingenen wijzig de configuratie van uw log Analytics-werk ruimte.Click Settings, and change your Log Analytics workspace configuration.

Voor toegang tot uw waarschuwingen en aanbevelingen in uw Log Analytics-werk ruimte na de configuratie:To access your alerts and recommendations in your Log Analytics workspace after configuration:

  1. Kies een waarschuwing of aanbeveling in Azure Security Center voor IoT.Choose an alert or recommendation in Azure Security Center for IoT.
  2. Klik op nader onderzoeken klik vervolgens op de kolom DeviceID om te zien op welke apparaten deze waarschuwing wordt weer gegeven.Click further investigation, then click To see which devices have this alert click here and view the DeviceId column.

Zie aan de slag met query's in log Analyticsvoor meer informatie over het opvragen van gegevens uit log Analytics.For details on querying data from Log Analytics, see Get started with queries in Log Analytics.

BeveiligingswaarschuwingenSecurity alerts

Beveiligings waarschuwingen worden opgeslagen in de tabel AzureSecurityOfThings. SecurityAlert in de werk ruimte log Analytics die is geconfigureerd voor de Azure Security Center voor IOT-oplossing.Security alerts are stored in AzureSecurityOfThings.SecurityAlert table in the Log Analytics workspace configured for the Azure Security Center for IoT solution.

We hebben een aantal nuttige query's ontvangen waarmee u aan de slag kunt met het verkennen van beveiligings waarschuwingen.We've provided a number of useful queries to help you get started exploring security alerts.

Voorbeeld recordsSample records

Selecteer een paar wille keurige recordsSelect a few random records

// Select a few random records
//
SecurityAlert
| project 
    TimeGenerated, 
    IoTHubId=ResourceId, 
    DeviceId=tostring(parse_json(ExtendedProperties)["DeviceId"]),
    AlertSeverity, 
    DisplayName,
    Description,
    ExtendedProperties
| take 3
TimeGeneratedTimeGenerated IoTHubIdIoTHubId DeviceIdDeviceId AlertSeverityAlertSeverity DisplayNameDisplayName DescriptionDescription ExtendedPropertiesExtendedProperties
2018-11-18T18:10:29.0002018-11-18T18:10:29.000 /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub>/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> < device_name ><device_name> HoogHigh Beveiligings aanval geslaagdBrute force attack succeeded Er is een beveiligings aanval op het apparaat geslaagdA Brute force attack on the device was Successful {' Volledig bron adres ': ' ["10.165.12.18:"] ', ' gebruikers namen ': ' [""] ', ' DeviceID ': "IoT-Device-Linux"}{ "Full Source Address": "["10.165.12.18:"]", "User Names": "[""]", "DeviceId": "IoT-Device-Linux" }
2018-11-19T12:40:31.0002018-11-19T12:40:31.000 /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub>/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> < device_name ><device_name> HoogHigh Geslaagde lokale aanmelding op het apparaatSuccessful local login on device Er is een geslaagde lokale aanmelding voor het apparaat gedetecteerdA successful local login to the device was detected { "Remote Address": "?", "Remote Port": "", "Local Port": "", "Login Shell": "/bin/su", "Login Process Id": "28207", "gebruikers naam": "aanvaller", "DeviceId": "IoT-Device-Linux"}{ "Remote Address": "?", "Remote Port": "", "Local Port": "", "Login Shell": "/bin/su", "Login Process Id": "28207", "User Name": "attacker", "DeviceId": "IoT-Device-Linux" }
2018-11-19T12:40:31.0002018-11-19T12:40:31.000 /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub>/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> < device_name ><device_name> HoogHigh De lokale aanmeldings poging op het apparaat is misluktFailed local login attempt on device Er is een mislukte lokale aanmeldings poging op het apparaat gedetecteerdA failed local login attempt to the device was detected { "Remote Address": "?", "Remote Port": "", "Local Port": "", "Login Shell": "/bin/su", "Login Process Id": "22644", "gebruikers naam": "aanvaller", "DeviceId": "IoT-Device-Linux"}{ "Remote Address": "?", "Remote Port": "", "Local Port": "", "Login Shell": "/bin/su", "Login Process Id": "22644", "User Name": "attacker", "DeviceId": "IoT-Device-Linux" }

Overzicht van apparatenDevice summary

Het aantal afzonderlijke beveiligings waarschuwingen in de afgelopen week ontvangen, gegroepeerd op IoT Hub, apparaat, ernst van waarschuwing, waarschuwings type.Get the number of distinct security alerts detected in the last week, grouped by IoT Hub, device, alert severity, alert type.

// Get the number of distinct security alerts detected in the last week, grouped by 
//   IoT hub, device, alert severity, alert type
//
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize Cnt=dcount(SystemAlertId) by
    IoTHubId=ResourceId, 
    DeviceId=tostring(parse_json(ExtendedProperties)["DeviceId"]),
    AlertSeverity,
    DisplayName
IoTHubIdIoTHubId DeviceIdDeviceId AlertSeverityAlertSeverity DisplayNameDisplayName CountCount
/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub>/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> < device_name ><device_name> HoogHigh Beveiligings aanval geslaagdBrute force attack succeeded 99
/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub>/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> < device_name ><device_name> GemiddeldMedium De lokale aanmeldings poging op het apparaat is misluktFailed local login attempt on device 242242
/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub>/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> < device_name ><device_name> HoogHigh Geslaagde lokale aanmelding op het apparaatSuccessful local login on device 3131
/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub>/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> < device_name ><device_name> GemiddeldMedium Crypto-munten MinerCrypto Coin Miner 44

Overzicht van IoT hubIoT hub summary

Selecteer een aantal afzonderlijke apparaten met waarschuwingen in de afgelopen week, per IoT Hub, ernst van waarschuwing, waarschuwings typeSelect a number of distinct devices that had alerts in the last week, by IoT Hub, alert severity, alert type

// Select number of distinct devices which had alerts in the last week, by 
//   IoT hub, alert severity, alert type
//
SecurityAlert
| where TimeGenerated > ago(7d)
| extend DeviceId=tostring(parse_json(ExtendedProperties)["DeviceId"])
| summarize CntDevices=dcount(DeviceId) by
    IoTHubId=ResourceId, 
    AlertSeverity,
    DisplayName
IoTHubIdIoTHubId AlertSeverityAlertSeverity DisplayNameDisplayName CntDevicesCntDevices
/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub>/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> HoogHigh Beveiligings aanval geslaagdBrute force attack succeeded 11
/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub>/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> GemiddeldMedium De lokale aanmeldings poging op het apparaat is misluktFailed local login attempt on device 11
/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub>/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> HoogHigh Geslaagde lokale aanmelding op het apparaatSuccessful local login on device 11
/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub>/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> GemiddeldMedium Crypto-munten MinerCrypto Coin Miner 11

Aanbevelingen voor beveiligingSecurity recommendations

Beveiligings aanbevelingen worden opgeslagen in de tabel AzureSecurityOfThings. SecurityRecommendation in de werk ruimte log Analytics die is geconfigureerd voor de Azure Security Center voor IOT-oplossing.Security recommendations are stored in AzureSecurityOfThings.SecurityRecommendation table in the Log Analytics workspace configured for the Azure Security Center for IoT solution.

We hebben een aantal nuttige query's ontvangen waarmee u kunt beginnen met het verkennen van beveiligings aanbevelingen.We've provided a number of useful queries to help you get start exploring security recommendations.

Voorbeeld recordsSample records

Selecteer een paar wille keurige recordsSelect a few random records

// Select a few random records
//
SecurityRecommendation
| project 
    TimeGenerated, 
    IoTHubId=AssessedResourceId, 
    DeviceId,
    RecommendationSeverity,
    RecommendationState,
    RecommendationDisplayName,
    Description,
    RecommendationAdditionalData
| take 2
TimeGeneratedTimeGenerated IoTHubIdIoTHubId DeviceIdDeviceId RecommendationSeverityRecommendationSeverity RecommendationStateRecommendationState RecommendationDisplayNameRecommendationDisplayName DescriptionDescription RecommendationAdditionalDataRecommendationAdditionalData
2019-03-22T10:21:06.0602019-03-22T10:21:06.060 /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub>/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> < device_name ><device_name> GemiddeldMedium ActiefActive Er is een strikte firewall regel in de invoer keten gevondenPermissive firewall rule in the input chain was found Er is een regel in de firewall aangetroffen die een patroon met veel machtigingen voor een groot aantal IP-adressen of poorten bevat.A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports {"Regels": "[{"SourceAddress":"","SourcePort":",DestinationAddress":" """ ,"DestinationPort":"1337}]"}"{"Rules":"[{"SourceAddress":"","SourcePort":"","DestinationAddress":"","DestinationPort":"1337"}]"}
2019-03-22T10:50:27.2372019-03-22T10:50:27.237 /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub>/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> < device_name ><device_name> GemiddeldMedium ActiefActive Er is een strikte firewall regel in de invoer keten gevondenPermissive firewall rule in the input chain was found Er is een regel in de firewall aangetroffen die een patroon met veel machtigingen voor een groot aantal IP-adressen of poorten bevat.A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports {"Regels": "[{"SourceAddress":"","SourcePort":",DestinationAddress":" """ ,"DestinationPort":"1337}]"}"{"Rules":"[{"SourceAddress":"","SourcePort":"","DestinationAddress":"","DestinationPort":"1337"}]"}

Overzicht van apparatenDevice summary

Haal het aantal verschillende actieve beveiligings aanbevelingen op, gegroepeerd op IoT Hub, apparaat, urgentie ernst en type.Get the number of distinct active security recommendations, grouped by IoT Hub, device, recommendation severity, and type.

// Get the number of distinct active security recommendations, grouped by by 
//   IoT hub, device, recommendation severity and type
//
SecurityRecommendation
| extend IoTHubId=AssessedResourceId
| summarize CurrentState=arg_max(RecommendationState, DiscoveredTimeUTC) by IoTHubId, DeviceId, RecommendationSeverity, RecommendationDisplayName
| where CurrentState == "Active"
| summarize Cnt=count() by IoTHubId, DeviceId, RecommendationSeverity
IoTHubIdIoTHubId DeviceIdDeviceId RecommendationSeverityRecommendationSeverity CountCount
/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub>/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> < device_name ><device_name> HoogHigh 22
/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub>/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> < device_name ><device_name> GemiddeldMedium 11
/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub>/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> < device_name ><device_name> HoogHigh 11
/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub>/subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> < device_name ><device_name> GemiddeldMedium 44

Volgende stappenNext steps