Tutorial: Investigate security recommendations
This tutorial shows you how to explore the information available in each IoT security recommendation, and explains how to use the details of each recommendation and its related devices to reduce risk.
Timely analysis and mitigation of Defender for IoT recommendations is the best way to improve security posture and reduce attack surface across your IoT solution.
In this tutorial you'll learn how to:
- Investigate new recommendations
- Investigate security recommendation details
- Investigate recommendations in a Log Analytics workspace
Note
Defender for IoT plans to retire the micro agent on August 1, 2025.
Prerequisites
An Azure account with an active subscription. Create an account for free.
An IoT hub.
You must have enabled Microsoft Defender for IoT on your Azure IoT Hub.
You must have added a resource group to your IoT solution.
You must have created a Defender for IoT micro agent module twin.
You must have installed the Defender for IoT micro agent.
You must have configured the Microsoft Defender for IoT agent-based solution.
Investigate recommendations
The IoT Hub recommendations list displays all of the aggregated security recommendations for your IoT Hub.
Sign in to the Azure portal.
Navigate to IoT Hub > Your hub > Defender for IoT > Recommendations.
Select a recommendation from the list to open the recommendation's details.
Investigate security recommendation details
Open each aggregated recommendation to display the detailed recommendation description, remediation steps, and device ID for each device that triggered a recommendation. The details view also shows the recommendation severity and provides direct access to investigation in Log Analytics.
Sign in to the Azure portal.
Navigate to IoT Hub > Your hub > Defender for IoT > Recommendations.
Review the recommendation description, severity, and device details of all devices that issued this recommendation in the aggregation period.
After reviewing recommendation specifics, use the manual remediation step instructions to help remediate and resolve the issue that caused the recommendation.
Explore the recommendation details for a specific device by selecting the desired device in the drill-down page.
Investigate recommendations in a Log Analytics workspace
To access your recommendations in a Log Analytics workspace:
Sign in to the Azure portal.
Navigate to IoT Hub > Your hub > Defender for IoT > Recommendations.
Select a recommendation from the list.
Select Investigate recommendations in Log Analytics workspace.
For more information on querying data from Log Analytics, see Get started with log queries in Azure Monitor.
Clean up resources
There are no resources to clean up.