Updates from: 06/29/2021 03:23:48
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c Configure Authentication Sample Web App With Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/configure-authentication-sample-web-app-with-api.md
Previously updated : 06/25/2021 Last updated : 06/28/2021
Under the project root folder, open the `appsettings.json` file. This file conta
|AzureAdB2C|ClientId| The web application ID from [step 2.1](#21-register-the-web-api-app).| |AzureAdB2C | ClientSecret | The web application secret from [step 2.4](#24-create-a-web-app-client-secret). | |AzureAdB2C|SignUpSignInPolicyId|The user flows or custom policy you created in [step 1](#step-1-configure-your-user-flow).|
-| TodoList | TodoListScope | The scopes you from [step 2.5](#25-grant-the-web-app-permissions-for-the-web-api).|
+| TodoList | TodoListScope | The scopes you created in [step 2.5](#25-grant-the-web-app-permissions-for-the-web-api).|
| TodoList | TodoListBaseAddress | The base URI of your web API, for example `https://localhost:44332`| Your final configuration file should look like the following JSON:
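Review bot: the ClientSecret row in this table (context above the corrected TodoListScope row) has the reader paste the web application secret straight into `appsettings.json`, and the trailing sentence then says the final file "should look like the following JSON"; suggest adding one sentence that the secret must not be committed with the project and belongs in a secret store for anything beyond a local test run. The wording fix itself ("The scopes you created in step 2.5") is correct.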
For production environment, we recommend you use a distributed memory cache. For
* Learn more [about the code sample](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-5-B2C#about-the-code) * Learn how to [Enable authentication in your own web application using Azure AD B2C](enable-authentication-web-application.md)
-* [Enable authentication in your own web API](enable-authentication-web-api.md)
+* [Enable authentication in your own web API](enable-authentication-web-api.md)
active-directory Concept Registration Mfa Sspr Combined https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/concept-registration-mfa-sspr-combined.md
Previously updated : 06/16/2021 Last updated : 06/28/2021
A user who has previously set up at least one method navigates to [https://aka.m
A user who has previously set up at least one method that can be used for Multi-Factor Authentication navigates to [https://aka.ms/mysecurityinfo](https://aka.ms/mysecurityinfo). The user changes the current default method to a different default method. When finished, the user sees the new default method on the Security info page.
-An external identity such as a B2B user may need to switch the directory to change the security registration information for a third-party tenant. In the Azure portal, click the user account name in the upper right corner and click **SWitch directory**.
+### Switch directory
+
+An external identity such as a B2B user may need to switch the directory to change the security registration information for a third-party tenant.
+In addition, users who access a resource tenant may be confused when they change settings in their home tenant but don't see the changes reflected in the resource tenant.
+
+For example, a user sets Microsoft Authenticator app push notification as the primary authentication to sign-in to home tenant and also has SMS/Text as another option.
+This user is also configured with SMS/Text option on a resource tenant.
+If this user removes SMS/Text as one of the authentication option on their home tenant, they get confused when access to the resource tenant asks them to respond to SMS/Text message.
++
+To switch the directory in the Azure portal, click the user account name in the upper right corner and click **Switch directory**.
![External users can switch directory.](media/concept-registration-mfa-sspr-combined/switch-directory.png)
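Review bot: grammar in the added example paragraph needs a pass before merge: "sign-in to home tenant" should be "sign in to the home tenant", "one of the authentication option on their home tenant" should be "one of the authentication options in their home tenant", and "they get confused when access to the resource tenant asks them to respond to SMS/Text message" reads better as "they are confused when the resource tenant asks them to respond to an SMS/Text message". The bare "++" line between the example and the "To switch the directory" sentence looks like an extra blank line added by accident.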
active-directory How To Authentication Sms Supported Apps https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/how-to-authentication-sms-supported-apps.md
+
+ Title: App support for SMS-based authentication in Azure Active Directory
+description: Learn which apps are supported for users to sign in to Azure Active Directory using SMS
+++++ Last updated : 06/28/2021++++++++
+# App support for SMS-based authentication
+
+SMS-based authentication is available to Microsoft apps integrated with the Microsoft Identity platform (Azure AD). The table lists some of the web and mobile apps that support SMS-based authentication. If you would like to add or validate any app, [contact us](https://feedback.azure.com/forums/169401-azure-active-directory).
+
+| App | Web/browser app | Native mobile app |
+| |::|::|
+| Office 365- Microsoft Online Services* | ΓùÅ | |
+| Microsoft One Note | ΓùÅ | |
+| Microsoft Teams | ΓùÅ | ΓùÅ |
+| Microsoft Intune/ Company portal | ΓùÅ | ΓùÅ |
+| My Apps Portal | ΓùÅ |Not available|
+| Microsoft Forms | ΓùÅ |Not available|
+| Microsoft Edge | ΓùÅ | |
+| Microsoft Power BI | ΓùÅ | |
+| Microsoft Stream | ΓùÅ | |
+| Microsoft Power Apps | ΓùÅ | |
+| Microsoft Azure | ΓùÅ | ΓùÅ |
+| Azure Virtual Desktop | ΓùÅ | |
+
+*_SMS sign-in isn't available for office applications, such as Word, Excel, etc., when accessed directly on the web, but is available when accessed through the [Office 365 web app](https://www.office.com)_
+
+The above mentioned Microsoft apps support SMS sign-in is because they use the Microsoft Identity login (`https://login.microsoftonline.com/`), which allows user to enter phone number and SMS code.
+
+## Unsupported Microsoft apps
+
+Microsoft 365 desktop (Windows or Mac) apps and Microsoft 365 web apps (except MS One Note) that are accessed directly on the web don't support SMS sign-in. These apps use the Microsoft Office login (`https://office.live.com/start/*`) that requires a password to sign in.
+For the same reason, Microsoft Office mobile apps (except Microsoft Teams, Intune Company Portal, and Microsoft Azure) don't support SMS sign-in.
+
+| Unsupported Microsoft apps| Examples |
+| | |
+| Native desktop Microsoft apps | Microsoft Teams, O365 apps, Word, Excel, etc.|
+| Native mobile Microsoft apps (except Microsoft Teams, Intune Company Portal, and Microsoft Azure) | Outlook, Edge, Power BI, Stream, Sharepoint, Power Apps, Word, etc.|
+| Microsoft 365 web apps (accessed directly on web) | [Outlook](https://outlook.live.com/owa/), [Word](https://office.live.com/start/Word.aspx), [Excel](https://office.live.com/start/Excel.aspx), [PowerPoint](https://office.live.com/start/PowerPoint.aspx), [OneDrive](https://onedrive.live.com/about/signin)|
+
+## Support for Non-Microsoft apps
+
+To make Non-Micorosoft apps compatible with the SMS sign-in feature:
+- Integrate Non-Microsoft web apps with Azure AD and use Azure AD authentication. Use Security Assertion Markup Language [SAML](../manage-apps/add-application-portal-setup-sso.md) or Open ID Connect [OIDC](../manage-apps/add-application-portal-setup-oidc-sso.md) to integrate with Azure AD SSO.
+- Integrate Non-Microsoft on-prem apps with Azure AD using [Azure AD application proxy](../app-proxy/application-proxy-add-on-premises-application.md)
+- Integrate Non-Microsoft client apps with [Microsoft Identity Platform](../develop/v2-overview.md) for authentication
+ - [Sample app iOS](../develop/tutorial-v2-ios.md)
+ - [Sample app Android](../develop/tutorial-v2-android.md)
+
+## Next steps
+
+- [How to enable SMS-based sign-in for users](howto-authentication-sms-signin.md)
+- See the following links to enable SMS sign-in for native mobile apps using MSAL Libraries:
+ - [iOS](https://github.com/AzureAD/microsoft-authentication-library-for-objc)
+ - [Android](https://github.com/AzureAD/microsoft-authentication-library-for-android)
+- [Integrate SAAS application with Azure Active Directory](../saas-apps/tutorial-list.md)
+
+## Recommended content
+
+- [Add an application to your Azure Active Directory](../manage-apps/add-application-portal.md)
+- [Overview of MSAL libraries to acquire token from Microsoft Identity platform to authenticate users](../develop/msal-overview.md)
+- [Configure Microsoft Managed Home Screen with Azure AD](/mem/intune/apps/app-configuration-managed-home-screen-app)
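Review bot: both table separator rows (`| |::|::|` and `| | |`) lack the dashes Markdown requires, so neither table will render; they should read `|---|:-:|:-:|` and `|---|---|`. The `ΓùÅ` cells are the mis-encoded form of the bullet `●`, so check that the file is saved as UTF-8 and the intended character survives. Typo in the non-Microsoft section: "Non-Micorosoft" should be "Non-Microsoft". The sentence "The above mentioned Microsoft apps support SMS sign-in is because they use the Microsoft Identity login" is ungrammatical; suggest "The Microsoft apps listed above support SMS sign-in because they use the Microsoft Identity login (`https://login.microsoftonline.com/`), which lets the user enter a phone number and SMS code."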
active-directory How To Migrate Mfa Server To Azure Mfa https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/how-to-migrate-mfa-server-to-azure-mfa.md
Common RADIUS client integrations include applications such as [Remote Desktop G
Others might include: - Citrix Gateway
- - [Citrix Gateway](https://docs.citrix.com/advanced-concepts/implementation-guides/citrix-gateway-microsoft-azure.html) supports both RADIUS and NPS extension integration, and a SAML integration.
+ - [Citrix Gateway](https://docs.citrix.com/en-us/citrix-gateway) supports both RADIUS and NPS extension integration, and a SAML integration.
- Cisco VPN - The Cisco VPN supports both RADIUS and [SAML authentication for SSO](../saas-apps/cisco-anyconnect.md). - By moving from RADIUS authentication to SAML, you can integrate the Cisco VPN without deploying the NPS extension.
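Review bot: the replacement link in the added Citrix line (`https://docs.citrix.com/en-us/citrix-gateway`) is the product documentation root, whereas the removed line pointed at the Azure implementation guide the sentence is describing; if that guide has moved, link its new location, otherwise readers lose the integration-specific reference and get a landing page instead.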
active-directory Howto Authentication Sms Signin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/howto-authentication-sms-signin.md
Previously updated : 03/15/2021 Last updated : 06/09/2021 -+
To simplify and secure sign in to applications and services, Azure Active Directory (Azure AD) provides multiple authentication options. SMS-based authentication lets users sign in without providing, or even knowing, their user name and password. After their account is created by an identity administrator, they can enter their phone number at the sign-in prompt. They receive an authentication code via text message that they can provide to complete the sign in. This authentication method simplifies access to applications and services, especially for Frontline workers.
-This article shows you how to enable SMS-based authentication for select users or groups in Azure AD.
+This article shows you how to enable SMS-based authentication for select users or groups in Azure AD. For a list apps that support using SMS-based sign-in, see [App support for SMS-based authentication](how-to-authentication-sms-supported-apps.md).
## Before you begin
To complete this article, you need the following resources and privileges:
* If needed, [create an Azure Active Directory tenant][create-azure-ad-tenant] or [associate an Azure subscription with your account][associate-azure-ad-tenant]. * You need *global administrator* privileges in your Azure AD tenant to enable SMS-based authentication. * Each user that's enabled in the text message authentication method policy must be licensed, even if they don't use it. Each enabled user must have one of the following Azure AD, EMS, Microsoft 365 licenses:
- * [Microsoft 365 (M365) F1 or F3][m365-firstline-workers-licensing]
- * [Enterprise Mobility + Security (EMS) E3 or E5][ems-licensing] or [Microsoft 365 (M365) E3 or E5][m365-licensing]
+ * [Microsoft 365 F1 or F3][m365-firstline-workers-licensing]
+ * [Enterprise Mobility + Security (EMS) E3 or E5][ems-licensing] or [Microsoft 365 E3 or E5][m365-licensing]
* [Office 365 F3][o365-f3] ## Known issues
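Review bot: missing word in the added intro sentence: "For a list apps that support using SMS-based sign-in" should read "For a list of apps that support SMS-based sign-in".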
To test the user account that's now enabled for SMS-based sign-in, complete the
1. The user is now signed in without the need to provide a username or password. + ## Troubleshoot SMS-based sign-in
-The following scenarios and troubleshooting steps can used if you have problems with enabling and using SMS-based sign in.
+The following scenarios and troubleshooting steps can used if you have problems with enabling and using SMS-based sign in.
+For a list of apps that support using SMS-based sign-in, see [App support for SMS-based authentication](how-to-authentication-sms-supported-apps.md).
+ ### Phone number already set for a user account
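Review bot: the removed and re-added troubleshooting line are identical and both keep the typo "can used if"; since the line is already being touched, change it to "can be used if you have problems enabling and using SMS-based sign-in". The pointer to the supported-apps article added here is the same sentence added in the intro and again under Next steps; one copy in Troubleshoot is reasonable, but three identical sentences in one article is probably more than needed.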
If you receive an error when you try to set a phone number for a user account in
## Next steps
-For additional ways to sign in to Azure AD without a password, such as the Microsoft Authenticator App or FIDO2 security keys, see [Passwordless authentication options for Azure AD][concepts-passwordless].
+- For a list of apps that support using SMS-based sign-in, see [App support for SMS-based authentication](how-to-authentication-sms-supported-apps.md).
+- For additional ways to sign in to Azure AD without a password, such as the Microsoft Authenticator App or FIDO2 security keys, see [Passwordless authentication options for Azure AD][concepts-passwordless].
+- You can also use the Microsoft Graph REST API to [enable][rest-enable] or [disable][rest-disable] SMS-based sign-in.
-You can also use the Microsoft Graph REST API to [enable][rest-enable] or [disable][rest-disable] SMS-based sign-in.
<!-- INTERNAL LINKS --> [create-azure-ad-tenant]: ../fundamentals/sign-up-organization.md
active-directory Troubleshoot Sspr https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/authentication/troubleshoot-sspr.md
Previously updated : 06/25/2021 Last updated : 06/28/2021
For more information, see [Getting started with Azure AD Connect](../hybrid/how-
If you have problems with SSPR reporting in the Azure portal, review the following troubleshooting steps:
+### I see an authentication method that I have disabled in the Add method option in combined registration.
+
+The combined registration takes into account three policies to determine what methods are shown in **Add method**:
+
+- [Self-service password reset](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/PasswordReset)
+- [MFA](https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx)
+- [Authentication methods](https://portal.azure.com/#blade/Microsoft_AAD_IAM/AuthenticationMethodsMenuBlade/AdminAuthMethods)
+
+If you disable app notifications in SSPR but enable it in MFA policy, that option appears in combined registration. For another example, if a user disables **Office phone** in SSPR, it is still displayed as an option if the user has the **Phone/Office** phone property set.
+ ### I don't see any password management activity types in the **Self-Service Password Management** audit event category. This can happen if you don't have an Azure AD license assigned to the administrator performing the operation.
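Review bot: the new heading ends with a period ("...in the Add method option in combined registration."), unlike the sibling heading below it; drop the period. In the explanatory paragraph, "If you disable app notifications in SSPR but enable it in MFA policy" should be "enable them". The second example says "if a user disables Office phone in SSPR", but the three items listed above are tenant-level admin policies, so this should probably read "if an administrator disables Office phone in SSPR".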
active-directory Concept Conditional Access Grant https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/concept-conditional-access-grant.md
Previously updated : 03/29/2021 Last updated : 06/25/2021
When using the [device-code OAuth flow](../develop/v2-oauth2-device-code.md), th
Organizations can require that an access attempt to the selected cloud apps needs to be made from an approved client app. These approved client apps support [Intune app protection policies](/intune/app-protection-policy) independent of any mobile-device management (MDM) solution.
-In order to leverage this grant control, Conditional Access requires that the device be registered in Azure Active Directory which requires the use of a broker app. The broker app can be the Microsoft Authenticator for iOS, or either the Microsoft Authenticator or Microsoft Company portal for Android devices. If a broker app is not installed on the device when the user attempts to authenticate, the user gets redirected to the appropriate app store to install the required broker app.
+In order to apply this grant control, Conditional Access requires that the device is registered in Azure Active Directory, which requires the use of a broker app. The broker app can be the Microsoft Authenticator for iOS, or either the Microsoft Authenticator or Microsoft Company portal for Android devices. If a broker app is not installed on the device when the user attempts to authenticate, the user gets redirected to the appropriate app store to install the required broker app.
The following client apps have been confirmed to support this setting:
See the article, [How to: Require approved client apps for cloud app access with
In your Conditional Access policy, you can require an [Intune app protection policy](/intune/app-protection-policy) be present on the client app before access is available to the selected cloud apps.
-In order to leverage this grant control, Conditional Access requires that the device be registered in Azure Active Directory which requires the use of a broker app. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for Android devices. If a broker app is not installed on the device when the user attempts to authenticate, the user gets redirected to the app store to install the broker app.
+In order to apply this grant control, Conditional Access requires that the device is registered in Azure Active Directory, which requires the use of a broker app. The broker app can be either the Microsoft Authenticator for iOS, or the Microsoft Company portal for Android devices. If a broker app is not installed on the device when the user attempts to authenticate, the user gets redirected to the app store to install the broker app.
Applications are required to have the **Intune SDK** with **Policy Assurance** implemented and meet certain other requirements to support this setting. Developers implementing applications with the Intune SDK can find more information in the SDK documentation on these requirements.
The following client apps have been confirmed to support this setting:
- Nine Mail - Email & Calendar > [!NOTE]
-> Microsoft Teams, Microsoft Kaizala, Microsoft Skype for Business and Microsoft Visio do not support the **Require app protection policy** grant. If you require these apps to work, please use the **Require approved apps** grant exclusively. The use of the or clause between the two grants will not work for these three applications.
+> Microsoft Kaizala, Microsoft Skype for Business and Microsoft Visio do not support the **Require app protection policy** grant. If you require these apps to work, please use the **Require approved apps** grant exclusively. The use of the or clause between the two grants will not work for these three applications.
**Remarks**
See the article, [How to: Require app protection policy and an approved client a
### Require password change
-When user risk is detected, using the user risk policy conditions, administrators can choose to have the user securely change the password using Azure AD self-service password reset. If user risk is detected, users can perform a self-service password reset to self-remediate, this will close the user risk event to prevent unnecessary noise for administrators.
+When user risk is detected, using the user risk policy conditions, administrators can choose to have the user securely change the password using Azure AD self-service password reset. If user risk is detected, users can perform a self-service password reset to self-remediate, this process will close the user risk event to prevent unnecessary noise for administrators.
When a user is prompted to change their password, they will first be required to complete multi-factor authentication. YouΓÇÖll want to make sure all of your users have registered for multi-factor authentication, so they are prepared in case risk is detected for their account. > [!WARNING] > Users must have previously registered for self-service password reset before triggering the user risk policy.
-There exist a couple restriction in place when you configure a policy using the password change control.
+Restrictions when you configure a policy using the password change control.
-1. The policy must be assigned to ΓÇÿall cloud appsΓÇÖ. This prevents an attacker from using a different app to change the userΓÇÖs password and reset account risk, by simply signing into a different app.
+1. The policy must be assigned to ΓÇÿall cloud appsΓÇÖ. This requirement prevents an attacker from using a different app to change the userΓÇÖs password and reset account risk, by signing into a different app.
1. Require password change cannot be used with other controls, like requiring a compliant device. 1. The password change control can only be used with the user and group assignment condition, cloud app assignment condition (which must be set to all) and user risk conditions. ### Terms of use
-If your organization has created terms of use, additional options may be visible under grant controls. These options allow administrators to require acknowledgment of terms of use as a condition of accessing the resources protected by the policy. More information about terms of use can be found in the article, [Azure Active Directory terms of use](terms-of-use.md).
+If your organization has created terms of use, other options may be visible under grant controls. These options allow administrators to require acknowledgment of terms of use as a condition of accessing the resources protected by the policy. More information about terms of use can be found in the article, [Azure Active Directory terms of use](terms-of-use.md).
## Next steps
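Review bot: the rewritten lead-in "Restrictions when you configure a policy using the password change control." is a sentence fragment; suggest "The following restrictions apply when you configure a policy using the password change control:". In the Require password change paragraph the comma splice survives the edit: "users can perform a self-service password reset to self-remediate, this process will close the user risk event" needs a semicolon or a new sentence at "this process".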
active-directory Concept Conditional Access Report Only https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/concept-conditional-access-report-only.md
Conditional Access is widely used by our customers to stay secure by applying th
Report-only mode is a new Conditional Access policy state that allows administrators to evaluate the impact of Conditional Access policies before enabling them in their environment. With the release of report-only mode: -- Conditional Access policies can be enabled in report-only mode.
+- Conditional Access policies can be enabled in report-only mode, this is not applicable with the "User Actions" scope.
- During sign-in, policies in report-only mode are evaluated but not enforced. - Results are logged in the **Conditional Access** and **Report-only** tabs of the Sign-in log details. - Customers with an Azure Monitor subscription can monitor the impact of their Conditional Access policies using the Conditional Access insights workbook.
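Review bot: the added bullet is a comma splice: "Conditional Access policies can be enabled in report-only mode, this is not applicable with the "User Actions" scope." Suggest "Conditional Access policies can be enabled in report-only mode; this is not available for policies scoped to User Actions." Since report-only is how admins measure a policy's blast radius before enforcing it, it is worth stating plainly that User Actions policies have to be assessed another way.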
active-directory Active Directory Signing Key Rollover https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-signing-key-rollover.md
If you created a web API application in Visual Studio 2013 using the Web API tem
If you manually configured authentication, follow the instructions below to learn how to configure your web API to automatically update its key information.
-The following code snippet demonstrates how to get the latest keys from the federation metadata document, and then use the [JWT Token Handler](/previous-versions/dotnet/framework/security/json-web-token-handler) to validate the token. The code snippet assumes that you will use your own caching mechanism for persisting the key to validate future tokens from Microsoft identity platform, whether it be in a database, configuration file, or elsewhere.
+The following code snippet demonstrates how to get the latest keys from the federation metadata document, and then use the [JWT Token Handler](/previous-versions/dotnet/framework/windows-identity-foundation/json-web-token-handler) to validate the token. The code snippet assumes that you will use your own caching mechanism for persisting the key to validate future tokens from Microsoft identity platform, whether it be in a database, configuration file, or elsewhere.
``` using System;
namespace JWTValidation
``` ### <a name="vs2012"></a>Web applications protecting resources and created with Visual Studio 2012
-If your application was built in Visual Studio 2012, you probably used the Identity and Access Tool to configure your application. ItΓÇÖs also likely that you are using the [Validating Issuer Name Registry (VINR)](/previous-versions/dotnet/framework/security/validating-issuer-name-registry). The VINR is responsible for maintaining information about trusted identity providers (Microsoft identity platform) and the keys used to validate tokens issued by them. The VINR also makes it easy to automatically update the key information stored in a Web.config file by downloading the latest federation metadata document associated with your directory, checking if the configuration is out of date with the latest document, and updating the application to use the new key as necessary.
+If your application was built in Visual Studio 2012, you probably used the Identity and Access Tool to configure your application. ItΓÇÖs also likely that you are using the [Validating Issuer Name Registry (VINR)](/previous-versions/dotnet/framework/windows-identity-foundation/validating-issuer-name-registry). The VINR is responsible for maintaining information about trusted identity providers (Microsoft identity platform) and the keys used to validate tokens issued by them. The VINR also makes it easy to automatically update the key information stored in a Web.config file by downloading the latest federation metadata document associated with your directory, checking if the configuration is out of date with the latest document, and updating the application to use the new key as necessary.
If you created your application using any of the code samples or walkthrough documentation provided by Microsoft, the key rollover logic is already included in your project. You will notice that the code below already exists in your project. If your application does not already have this logic, follow the steps below to add it and to verify that itΓÇÖs working correctly.
Follow the steps below to verify that the key rollover logic is working.
If you built an application on WIF v1.0, there is no provided mechanism to automatically refresh your applicationΓÇÖs configuration to use a new key. * *Easiest way* Use the FedUtil tooling included in the WIF SDK, which can retrieve the latest metadata document and update your configuration.
-* Update your application to .NET 4.5, which includes the newest version of WIF located in the System namespace. You can then use the [Validating Issuer Name Registry (VINR)](/previous-versions/dotnet/framework/security/validating-issuer-name-registry) to perform automatic updates of the applicationΓÇÖs configuration.
+* Update your application to .NET 4.5, which includes the newest version of WIF located in the System namespace. You can then use the [Validating Issuer Name Registry (VINR)](/previous-versions/dotnet/framework/windows-identity-foundation/validating-issuer-name-registry) to perform automatic updates of the applicationΓÇÖs configuration.
* Perform a manual rollover as per the instructions at the end of this guidance document. Instructions to use the FedUtil to update your configuration:
active-directory Msal Node Migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/msal-node-migration.md
Most of the public methods in ADAL Node have equivalents in MSAL Node:
| ADAL | MSAL | Notes | |-|--|--| | `acquireToken` | `acquireTokenSilent` | Renamed and now expects an [account](https://azuread.github.io/microsoft-authentication-library-for-js/ref/modules/_azure_msal_common.html#accountinfo) object |
-| `acquireTokenWithAuthorizationCode` | `acquireByAuthorizationCode` | |
+| `acquireTokenWithAuthorizationCode` | `acquireTokenByCode` | |
| `acquireTokenWithClientCredentials` | `acquireTokenByClientCredential` | | | `acquireTokenWithRefreshToken` | `acquireTokenByRefreshToken` | | | `acquireTokenWithDeviceCode` | `acquireTokenByDeviceCode` | Now abstracts user code acquisition (see below) |
active-directory Sansan Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sansan-tutorial.md
Previously updated : 06/16/2021 Last updated : 06/25/2021
To configure and test Azure AD SSO with Sansan, perform the following steps:
1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** to enable your users to use this feature. 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** to test Azure AD single sign-on with Britta Simon. 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** to enable Britta Simon to use Azure AD single sign-on.
-1. **[Configure Sansan](#configure-sansan)** to configure the SSO settings on application side.
+1. **[Configure Sansan SSO](#configure-sansan-sso)** to configure the SSO settings on application side.
1. **[Create Sansan test user](#create-sansan-test-user)** to have a counterpart of Britta Simon in Sansan that is linked to the Azure AD representation of user. 1. **[Test SSO](#test-sso)** to verify whether the configuration works.
Follow these steps to enable Azure AD SSO in the Azure portal.
![Copy configuration URLs](common/copy-configuration-urls.png)
+ ```Logout URL
+ https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
+ ```
+ ### Create an Azure AD test user In this section, you'll create a test user in the Azure portal called Britta Simon.
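Review bot: the added fence uses `Logout URL` as its info string; Markdown treats the first word after the backticks as a language hint, so "Logout URL" should be a line of text above the fence and the fence itself left bare, otherwise the label is swallowed and the block may be highlighted as an unknown language.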
In this section, you'll enable Britta Simon to use Azure single sign-on by grant
1. If you're expecting any role value in the SAML assertion, in the **Select Role** dialog, select the appropriate role for the user from the list and then click the **Select** button at the bottom of the screen. 1. In the **Add Assignment** dialog, click the **Assign** button.
-## Configure Sansan
+## Configure Sansan SSO
To perform the **Single Sign-On settings** on the **Sansan** side, please follow the below steps according to your requirement.
active-directory Sonarqube Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/sonarqube-tutorial.md
Previously updated : 09/29/2020 Last updated : 06/25/2021
To get started, you need the following items:
In this tutorial, you configure and test Azure AD SSO in a test environment.
-* Sonarqube supports **SP** initiated SSO
+* Sonarqube supports **SP** initiated SSO.
> [!NOTE] > Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
-## Adding Sonarqube from the gallery
+## Add Sonarqube from the gallery
To configure the integration of Sonarqube into Azure AD, you need to add Sonarqube from the gallery to your list of managed SaaS apps.
Follow these steps to enable Azure AD SSO in the Azure portal.
1. In the Azure portal, on the **Sonarqube** application integration page, find the **Manage** section and select **single sign-on**. 1. On the **Select a single sign-on method** page, select **SAML**.
-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
![Edit Basic SAML Configuration](common/edit-urls.png)
-1. On the **Basic SAML Configuration** section, enter the values for the following fields:
+1. On the **Basic SAML Configuration** section, perform the following steps:
- In the **Sign-on URL** text box, type a URL:
+ a. In the **Reply URL** text box, type a URL using the following pattern:
+ `https://servicessonar.<YOUR_ORGANIZATION>.com`
+
+ b. In the **Sign-on URL** text box, type one of the following URLs:
* **For Production Environment**
Follow these steps to enable Azure AD SSO in the Azure portal.
`https://servicescode-dev.westus.cloudapp.azure.com`
+ > [!NOTE]
+ > This value is not real. Update the value with actual Reply URL which are explained later in the tutorial.
+ 1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer. ![The Certificate download link](common/certificatebase64.png)
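Review bot: the NOTE added after the Sign-on URL values ("Update the value with actual Reply URL which are explained later in the tutorial") has a number-agreement error and should read "Update the value with the actual Reply URL, which is explained later in the tutorial". It also sits under step b (Sign-on URL) while it refers to the Reply URL pattern `https://servicessonar.<YOUR_ORGANIZATION>.com` added under step a; move it directly beneath that pattern so readers do not apply it to the Sign-on URLs, and make sure the later section it promises actually covers the Reply URL.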
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog. 1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen. 1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.- 1. In the **Add Assignment** dialog, click the **Assign** button. ## Configure Sonarqube SSO
In this section, you'll enable B.Simon to use Azure single sign-on by granting a
1. IdP Entity ID 2. Login URL 3. X.509 Certificate + 1. Save all the details.
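Review bot: the note added under the Basic SAML Configuration step reads "Update the value with actual Reply URL which are explained later in the tutorial"; "Reply URL" is singular, so this should be "Update the value with the actual Reply URL, which is explained later in the tutorial". In the same step the unchanged Sign-on URL shown under "For Production Environment" is `https://servicescode-dev.westus.cloudapp.azure.com`, a hostname with a `-dev` suffix; confirm that the right placeholder sits under that label, because readers copy these values straight into the Reply URL and Sign-on URL fields and a wrong host sends the sign-in to the wrong place.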
- ![saml plugin IDP](./media/sonarqube-tutorial/sso-idp-metadata.png)
+
+ ![saml plugin IDP](./media/sonarqube-tutorial/metadata.png)
1. On the **SAML** page, perform the following steps:
- ![Sonarqube configuration](./media/sonarqube-tutorial/config01.png)
+ ![Sonarqube configuration](./media/sonarqube-tutorial/configuration.png)
a. Toggle the **Enabled** option to **yes**.
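Review bot: the two image references are renamed (`sso-idp-metadata.png` to `metadata.png`, `config01.png` to `configuration.png`) but this change set shows no corresponding rename of the files under `./media/sonarqube-tutorial/`; make sure the renamed files land in the same PR, otherwise the build reports broken image links.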
In this section, you create a user called B.Simon in Sonarqube. Work with [Sonar
In this section, you test your Azure AD single sign-on configuration with following options.
-1. Click on **Test this application** in Azure portal. This will redirect to Sonarqube Sign-on URL where you can initiate the login flow.
+* Click on **Test this application** in Azure portal. This will redirect to Sonarqube Sign-on URL where you can initiate the login flow.
-2. Go to Sonarqube Sign-on URL directly and initiate the login flow from there.
+* Go to Sonarqube Sign-on URL directly and initiate the login flow from there.
-3. You can use Microsoft Access Panel. When you click the Sonarqube tile in the Access Panel, this will redirect to Sonarqube Sign-on URL. For more information about the Access Panel, see [Introduction to the Access Panel](../user-help/my-apps-portal-end-user-access.md).
+* You can use Microsoft My Apps. When you click the Sonarqube tile in the My Apps, this will redirect to Sonarqube Sign-on URL. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
## Next steps
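Review bot: in the Test SSO list the Access Panel wording is replaced with "My Apps", but the definite articles are carried over: "the Sonarqube tile in the My Apps", "more information about the My Apps" and "[Introduction to the My Apps]" should read "in My Apps", "about My Apps" and "Introduction to My Apps". Switching the three options from a numbered list to bullets is the right call, since they are alternatives rather than sequential steps.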
active-directory Webcargo Tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/webcargo-tutorial.md
+
+ Title: 'Tutorial: Azure Active Directory single sign-on (SSO) integration with Webcargo | Microsoft Docs'
+description: Learn how to configure single sign-on between Azure Active Directory and Webcargo.
++++++++ Last updated : 06/23/2021++++
+# Tutorial: Azure Active Directory single sign-on (SSO) integration with Webcargo
+
+In this tutorial, you'll learn how to integrate Webcargo with Azure Active Directory (Azure AD). When you integrate Webcargo with Azure AD, you can:
+
+* Control in Azure AD who has access to Webcargo.
+* Enable your users to be automatically signed-in to Webcargo with their Azure AD accounts.
+* Manage your accounts in one central location - the Azure portal.
+
+## Prerequisites
+
+To get started, you need the following items:
+
+* An Azure AD subscription. If you don't have a subscription, you can get a [free account](https://azure.microsoft.com/free/).
+* Webcargo single sign-on (SSO) enabled subscription.
+
+## Scenario description
+
+In this tutorial, you configure and test Azure AD SSO in a test environment.
+
+* Webcargo supports **SP and IDP** initiated SSO.
+
+> [!NOTE]
+> Identifier of this application is a fixed string value so only one instance can be configured in one tenant.
+
+## Add Webcargo from the gallery
+
+To configure the integration of Webcargo into Azure AD, you need to add Webcargo from the gallery to your list of managed SaaS apps.
+
+1. Sign in to the Azure portal using either a work or school account, or a personal Microsoft account.
+1. On the left navigation pane, select the **Azure Active Directory** service.
+1. Navigate to **Enterprise Applications** and then select **All Applications**.
+1. To add new application, select **New application**.
+1. In the **Add from the gallery** section, type **Webcargo** in the search box.
+1. Select **Webcargo** from results panel and then add the app. Wait a few seconds while the app is added to your tenant.
+
+## Configure and test Azure AD SSO for Webcargo
+
+Configure and test Azure AD SSO with Webcargo using a test user called **B.Simon**. For SSO to work, you need to establish a link relationship between an Azure AD user and the related user in Webcargo.
+
+To configure and test Azure AD SSO with Webcargo, perform the following steps:
+
+1. **[Configure Azure AD SSO](#configure-azure-ad-sso)** - to enable your users to use this feature.
+ 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.
+ 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.
+1. **[Configure Webcargo SSO](#configure-webcargo-sso)** - to configure the single sign-on settings on application side.
+ 1. **[Create Webcargo test user](#create-webcargo-test-user)** - to have a counterpart of B.Simon in Webcargo that is linked to the Azure AD representation of user.
+1. **[Test SSO](#test-sso)** - to verify whether the configuration works.
+
+## Configure Azure AD SSO
+
+Follow these steps to enable Azure AD SSO in the Azure portal.
+
+1. In the Azure portal, on the **Webcargo** application integration page, find the **Manage** section and select **single sign-on**.
+1. On the **Select a single sign-on method** page, select **SAML**.
+1. On the **Set up single sign-on with SAML** page, click the pencil icon for **Basic SAML Configuration** to edit the settings.
+
+ ![Edit Basic SAML Configuration](common/edit-urls.png)
+
+1. On the **Basic SAML Configuration** section, if you wish to configure the application in **IDP** initiated mode, perform the following step:
+
+ In the **Reply URL** text box, type a URL using the following pattern:
+ `https://www.webcargo.net/sso/azure/account-id/<ID>`
+
+1. Click **Set additional URLs** and perform the following step if you wish to configure the application in **SP** initiated mode:
+
+ In the **Sign-on URL** text box, type a URL using the following pattern:
+ `https://www.webcargo.net/sso/azure/account-id/<ID>`
+
+ > [!NOTE]
+ > These values are not real. Update these values with the actual Reply URL and Sign-on URL. Contact [Webcargo Client support team](mailto:tickets@webcargo.uservoice.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+
+1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Certificate (Base64)** and select **Download** to download the certificate and save it on your computer.
+
+ ![The Certificate download link](common/certificatebase64.png)
+
+1. On the **Set up Webcargo** section, copy the appropriate URL(s) based on your requirement.
+
+ ![Copy configuration URLs](common/copy-configuration-urls.png)
+
+### Create an Azure AD test user
+
+In this section, you'll create a test user in the Azure portal called B.Simon.
+
+1. From the left pane in the Azure portal, select **Azure Active Directory**, select **Users**, and then select **All users**.
+1. Select **New user** at the top of the screen.
+1. In the **User** properties, follow these steps:
+ 1. In the **Name** field, enter `B.Simon`.
+ 1. In the **User name** field, enter the username@companydomain.extension. For example, `B.Simon@contoso.com`.
+ 1. Select the **Show password** check box, and then write down the value that's displayed in the **Password** box.
+ 1. Click **Create**.
+
+### Assign the Azure AD test user
+
+In this section, you'll enable B.Simon to use Azure single sign-on by granting access to Webcargo.
+
+1. In the Azure portal, select **Enterprise Applications**, and then select **All applications**.
+1. In the applications list, select **Webcargo**.
+1. In the app's overview page, find the **Manage** section and select **Users and groups**.
+1. Select **Add user**, then select **Users and groups** in the **Add Assignment** dialog.
+1. In the **Users and groups** dialog, select **B.Simon** from the Users list, then click the **Select** button at the bottom of the screen.
+1. If you are expecting a role to be assigned to the users, you can select it from the **Select a role** dropdown. If no role has been set up for this app, you see "Default Access" role selected.
+1. In the **Add Assignment** dialog, click the **Assign** button.
+
+## Configure Webcargo SSO
+
+To configure single sign-on on **Webcargo** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Webcargo support team](mailto:tickets@webcargo.uservoice.com). They set this setting to have the SAML SSO connection set properly on both sides.
+
+### Create Webcargo test user
+
+In this section, you create a user called Britta Simon in Webcargo. Work with [Webcargo support team](mailto:tickets@webcargo.uservoice.com) to add the users in the Webcargo platform. Users must be created and activated before you use single sign-on.
+
+## Test SSO
+
+In this section, you test your Azure AD single sign-on configuration with following options.
+
+#### SP initiated:
+
+* Click on **Test this application** in Azure portal. This will redirect to Webcargo Sign on URL where you can initiate the login flow.
+
+* Go to Webcargo Sign-on URL directly and initiate the login flow from there.
+
+#### IDP initiated:
+
+* Click on **Test this application** in Azure portal and you should be automatically signed in to the Webcargo for which you set up the SSO.
+
+You can also use Microsoft My Apps to test the application in any mode. When you click the Webcargo tile in the My Apps, if configured in SP mode you would be redirected to the application sign on page for initiating the login flow and if configured in IDP mode, you should be automatically signed in to the Webcargo for which you set up the SSO. For more information about the My Apps, see [Introduction to the My Apps](../user-help/my-apps-portal-end-user-access.md).
+
+## Next steps
+
+Once you configure Webcargo you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-aad).
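Review bot: the Next steps paragraph contains a mis-encoded apostrophe ("organizationΓÇÖs"); replace it with a plain ASCII apostrophe, and "protects exfiltration and infiltration" should be "protects against exfiltration and infiltration". Three smaller points in the same file: the Create Webcargo test user section names the user "Britta Simon" while every other step uses `B.Simon`; the Reply URL and Sign-on URL patterns are identical (`https://www.webcargo.net/sso/azure/account-id/<ID>`), which is unusual for a SAML app, so confirm with the vendor that one URL really serves as both the Reply URL and the SP-initiated sign-on page before publishing; and the `#### SP initiated:` and `#### IDP initiated:` headings skip a level under `## Test SSO` and carry trailing colons.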
aks Kubernetes Walkthrough https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/kubernetes-walkthrough.md
To learn more about creating a Windows Server node pool, see [Create an AKS clus
[!INCLUDE [azure-cli-prepare-your-environment.md](../../includes/azure-cli-prepare-your-environment.md)] - This article requires version 2.0.64 or greater of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
+- The identity you are using to create your cluster has the appropriate minimum permissions. For more details on access and identity for AKS, see [Access and identity options for Azure Kubernetes Service (AKS)](concepts-identity.md).
> [!NOTE] > Run the commands as administrator if you plan to run the commands in this quickstart locally instead of in Azure Cloud Shell.
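Review bot: "has the appropriate minimum permissions" in the new prerequisite does not say which permissions; the link to concepts-identity.md helps, but a quickstart reader benefits from the concrete role or operations named inline, or at least a link to the specific section of that article that lists them, so they can check the identity before the `az aks create` step fails partway through.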
analysis-services Analysis Services Backup https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-backup.md
Backing up tabular model databases in Azure Analysis Services is much the same a
> > [!NOTE]
-> If the storage account is in a different region, configure storage account firewall settings to allow access from **Selected networks**. In Firewall **Address range**, specify the IP address range for the region the Analysis Services server is in. Configuring storage account firewall settings to allow access from All networks is supported, however choosing Selected networks and specifying an IP address range is preferred. To learn more, see [Network connectivity FAQ](analysis-services-network-faq.md#backup-and-restore).
+> If the storage account is in a different region, configure storage account firewall settings to allow access from **Selected networks**. In Firewall **Address range**, specify the IP address range for the region the Analysis Services server is in. Configuring storage account firewall settings to allow access from All networks is supported, however choosing Selected networks and specifying an IP address range is preferred. To learn more, see [Network connectivity FAQ](/azure/analysis-services/analysis-services-network-faq#backup-and-restore).
Backups are saved with an .abf extension. For in-memory tabular models, both model data and metadata are stored. For DirectQuery tabular models, only model metadata is stored. Backups can be compressed and encrypted, depending on the options you choose.
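Review bot: the FAQ link in this note is rewritten to the absolute path `/azure/analysis-services/analysis-services-network-faq#backup-and-restore`, while the same link in analysis-services-gateway-install.md and move-between-regions.md in this change set is rewritten to the relative `analysis-services-network-faq.yml`; use one form, preferably the relative `.yml` link the other two files use so the build validates it. Also check that the `#backup-and-restore` anchor exists in the new YAML FAQ, since the Markdown file that defined the "Backup and restore" heading is deleted in this same change set.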
Use [Restore-ASDatabase](/powershell/module/sqlserver/restore-asdatabase) cmdlet
[Azure storage accounts](../storage/common/storage-account-create.md) [High availability](analysis-services-bcdr.md)
-[Analysis Services network connectivity FAQ](analysis-services-network-faq.md)
+[Analysis Services network connectivity FAQ](analysis-services-network-faq.yml)
analysis-services Analysis Services Gateway Install https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-gateway-install.md
That's it. If you need to open ports or do any troubleshooting, be sure to check
* [Connecting to on-premises data sources](analysis-services-gateway.md) * [Data sources supported in Azure Analysis Services](analysis-services-datasource.md) * [Use gateway for data sources on an Azure Virtual Network](analysis-services-vnet-gateway.md)
-* [Frequently asked questions about Analysis Services network connectivity](analysis-services-network-faq.md)
+* [Frequently asked questions about Analysis Services network connectivity](analysis-services-network-faq.yml)
analysis-services Analysis Services Network Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/analysis-services-network-faq.md
- Title: Frequently asked questions about Analysis Services network connectivity | Microsoft Docs
-description: This article provides answers to some of the more common questions about Analysis Services network connectivity.
--- Previously updated : 05/05/2020----
-# Frequently asked questions about Analysis Services network connectivity
-
-This article provides answers to common questions about connecting to storage accounts, data sources, firewalls, and IP addresses.
-
-## Backup and restore
-
-**Question** - How can I backup and restore using a storage account that is behind a firewall?
-**Answer** - Azure Analysis Services does not use fixed IP addresses or Service Tags. The range of IP addresses your Analysis Services servers use can be anything in the range of IP addresses for the *Azure region*. Because your server IP addresses are variable and can change over time, your firewall rules need to allow for the entire range of Azure region IP addresses your server is in.
-
-**Question** - My Azure storage account is in a different region from my Analysis Services server. How do I configure storage account firewall settings?
-**Answer** - If the storage account is in a different region, configure storage account firewall settings to allow access from **Selected networks**. In Firewall **Address range**, specify the IP address range for the region the Analysis Services server is in. To get the IP ranges for Azure regions, see [Azure IP Ranges and Service Tags ΓÇô Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519). Configuring storage account firewall settings to allow access from All networks is supported, however choosing Selected networks and specifying an IP address range is preferred.
-
-**Question** - My Azure storage account is in the same region as my Analysis Services server. How can I configure storage account firewall settings?
-**Answer** ΓÇô Because your Analysis Services server and storage account are in the same region, communications between them use internal IP address ranges, therefore, configuring a firewall to use Selected networks and specifying an IP address range is not supported. If organization policies require a firewall, it must be configured to allow access from All networks.
--
-## Data source connections
-
-**Question** - I have a VNET for my data source system. How can I allow my Analysis Services servers to access the database from the VNET?
-**Answer** - Azure Analysis Services is unable to join a VNET. The best solution here is to install and configure an On-premises Data Gateway on the VNET, and then configure your Analysis Services servers with the **AlwaysUseGateway** server property. To learn more, see [Use gateway for data sources on an Azure Virtual Network (VNet)](analysis-services-vnet-gateway.md).
-
-**Question** - I have a source database behind a firewall. How can I configure the firewall to allow my Analysis Services server to access it?
-**Answer** - Azure Analysis Services does not use fixed IP addresses or Service Tags. The range of IP addresses your Analysis Services servers use can be anything in the range of IP addresses for the *Azure region*. You have to provide the *full range* of IP addresses for the Azure region of your server in the source database firewall rules. Another, and possibly more secure, alternative is to configure an On-premises Data Gateway. You can then configure your Analysis Services servers with the [AlwaysUseGateway server property](analysis-services-vnet-gateway.md#configure-alwaysusegateway-property), and then ensure the On-premises Data Gateway has an IP address allowed by the firewall rules of the data source.
-
-## Azure apps with IP address
-
-**Question** - I use an Azure-based application (for example, Azure Functions, Azure Data Factory) with an IP address that changes on the fly. How can I manage the Azure Analysis Services firewall rules to dynamically allow the IP address where my app is executing?
-**Answer** - Azure Analysis Services does not support Private Links, VNETs, or Service Tags. There are some open-source solutions (for example, https://github.com/mathwro/Scripts/blob/master/Azure/AllowAzure-AnalysisServer.ps1) that detect the IP address of the client application, and automatically and temporarily update the firewall rules.
--
-## Next steps
-
-[Install and configure an on-premises data gateway](analysis-services-gateway-install.md)
-[Connecting to on-premises data sources with On-premises data gateway](analysis-services-gateway.md)
-[Use gateway for data sources on an Azure Virtual Network (VNet)](analysis-services-vnet-gateway.md)
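Review bot: deleting analysis-services-network-faq.md with no redirect entry visible in this change set will break external bookmarks and any article outside this set that still links to the `.md` path; the other files here switch to `analysis-services-network-faq.yml`, so a `.openpublishing.redirection.json` entry for the old URL should accompany the deletion. Make sure the converted FAQ keeps the three firewall answers intact, in particular that a same-region storage account cannot use Selected networks and must allow All networks, and that the other-region answer tells readers to allow the full Azure region IP range; those are the details administrators act on when they open firewall rules, and silently losing them during a format conversion is the kind of regression a link rewrite does not catch.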
analysis-services Move Between Regions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/analysis-services/move-between-regions.md
Before moving a server to a different region, it's recommended you create a deta
> Client applications and connection strings connect to Analysis Services by using the full server name, which is a Uri that includes the region the server is in. For example, `asazure://westcentralus.asazure.windows.net/advworks01`. When moving a server to a different region, you are effectively creating a new server resource in a different region, which will have a different region in the server name Uri. Client applications and connection strings used in scripts must connect to the new server using the new server name Uri. Using a [Server name alias](analysis-services-server-alias.md) can mitigate the number of places the server name Uri has to be changed, but must be implemented prior to a region move. > [!IMPORTANT]
-> Azure regions use different IP address ranges. If you have firewall exceptions configured for the region your server and/or storage account is in, it may be necessary to configure a different IP address range. To learn more, see [Frequently asked questions about Analysis Services network connectivity](analysis-services-network-faq.md).
+> Azure regions use different IP address ranges. If you have firewall exceptions configured for the region your server and/or storage account is in, it may be necessary to configure a different IP address range. To learn more, see [Frequently asked questions about Analysis Services network connectivity](analysis-services-network-faq.yml).
> [!NOTE] > This article describes restoring a database backup to a target server from a storage container in the source server's region. In some cases, restoring backups from a different region can have poor performance, especially for large databases. For the best performance during database restore, migrate or create a a new storage container in the target server region. Copy the .abf backup files from the source region storage container to the target region storage container prior to restoring the database to the target server. While out of scope for this article, in some cases, particularly with very large databases, scripting out a database from your source server, recreating, and then processing on the target server to load database data may be more cost effective than using backup/restore.
app-service App Service Web Tutorial Rest Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/app-service-web-tutorial-rest-api.md
You can set more than one client URL in `properties.cors.allowedOrigins` (`"['UR
> [!NOTE] > If your app requires credentials such as cookies or authentication tokens to be sent, the browser may require the `ACCESS-CONTROL-ALLOW-CREDENTIALS` header on the response. To enable this in App Service, set `properties.cors.supportCredentials` to `true` in your CORS config. This cannot be enabled when `allowedOrigins` includes `'*'`.
+> [!NOTE]
+> Specifying `AllowAnyOrigin` and `AllowCredentials` is an insecure configuration and can result in cross-site request forgery. The CORS service returns an invalid CORS response when an app is configured with both methods.
+ ### Test CORS again Refresh the browser app at `http://localhost:5000`. The error message in the **Console** window is now gone, and you can see the data from the deployed API and interact with it. Your remote API now supports CORS to your browser app running locally.
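Review bot: the new note uses ASP.NET Core method names (`AllowAnyOrigin`, `AllowCredentials`) while the rest of this section configures CORS through App Service properties (`properties.cors.allowedOrigins`, `properties.cors.supportCredentials`), and the note immediately above already states that `supportCredentials` cannot be enabled when `allowedOrigins` includes `'*'`. Either merge the two notes or rewrite the new one in the App Service vocabulary, for example "Allowing all origins (`'*'`) together with `supportCredentials: true` is insecure and can enable cross-site request forgery; App Service does not honour this combination." The phrase "returns an invalid CORS response" should also say what the caller observes, so a developer debugging a failing request can recognise it.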
app-service Configure Common https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-common.md
This article explains how to configure common settings for web apps, mobile back
## Configure app settings
-In App Service, app settings are variables passed as environment variables to the application code. For Linux apps and custom containers, App Service passes app settings to the container using the `--env` flag to set the environment variable in the container.
+In App Service, app settings are variables passed as environment variables to the application code. For Linux apps and custom containers, App Service passes app settings to the container using the `--env` flag to set the environment variable in the container. In either case, they're injected into your app environment at app startup. When you add, remove, or edit app settings, App Service triggers an app restart.
In the [Azure portal], search for and select **App Services**, and then select your app.
app-service Configure Connect To Azure Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-connect-to-azure-storage.md
az webapp config storage-account list --resource-group <resource-group> --name <
# [Azure portal](#tab/portal)
-1. In the [Azure portal](https://porta.azure.com), navigate to the app.
+1. In the [Azure portal](https://portal.azure.com), navigate to the app.
1. From the left navigation, click **Configuration** > **Path Mappings** > **New Azure Storage Mount**. 1. Configure the storage mount according to the following table. When finished, click **OK**.
app-service Configure Ssl Certificate https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/configure-ssl-certificate.md
Once the rekey operation is complete, click **Sync**. The sync operation automat
### Renew certificate
+> [!NOTE]
+> The renewal process requires that [the well-known service principal for App Service has the required permissions on your key vault](deploy-resource-manager-template.md#deploy-web-app-certificate-from-key-vault). This permission is configured for you when you import an App Service Certificate through the portal, and should not be removed from your key vault.
+ To turn on automatic renewal of your certificate at any time, select the certificate in the [App Service Certificates](https://portal.azure.com/#blade/HubsExtension/Resources/resourceType/Microsoft.CertificateRegistration%2FcertificateOrders) page, then click **Auto Renew Settings** in the left navigation. By default, App Service Certificates have a one-year validity period. Select **On** and click **Save**. Certificates can start automatically renewing 30 days before expiration if you have automatic renewal turned on.
app-service Manage Backup https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/manage-backup.md
The following database solutions are supported with backup feature:
## Requirements and restrictions
-* The Backup and Restore feature requires the App Service plan to be in the **Standard**, **Premium** or **Isolated** tier. For more information about scaling your App Service plan to use a higher tier, see [Scale up an app in Azure](manage-scale-up.md). **Premium** and **Isolated** tiers allow a greater number of daily back ups than **Standard** tier.
+* The Backup and Restore feature requires the App Service plan to be in the **Standard**, **Premium**, or **Isolated** tier. For more information about scaling your App Service plan to use a higher tier, see [Scale up an app in Azure](manage-scale-up.md). **Premium** and **Isolated** tiers allow a greater number of daily back ups than **Standard** tier.
* You need an Azure storage account and container in the same subscription as the app that you want to back up. For more information on Azure storage accounts, see [Azure storage account overview](../storage/common/storage-account-overview.md). * Backups can be up to 10 GB of app and database content. If the backup size exceeds this limit, you get an error. * Backups of TLS enabled Azure Database for MySQL is not supported. If a backup is configured, you will encounter backup failures.
The database backup for the app is stored in the root of the .zip file. For SQL
> [!WARNING] > Altering any of the files in your **websitebackups** container can cause the backup to become invalid and therefore non-restorable.
+## Troubleshooting
+
+The **Backups** page shows you the status of each backup. If you click on a failed backup, you can get log details regarding the failure. Use the following table to help you troubleshoot your backup. If the failure isn't documented in the table, open a support ticket.
+
+| Error | Fix |
+| - | - |
+| Storage access failed. | Delete backup schedule and reconfigure it. Or, reconfigure the backup storage. |
+| The website + database size exceeds the {0} GB limit for backups. Your content size is {1} GB. | [Exclude some files](#configure-partial-backups) from the backup, or remove the database portion of the backup and use externally offered backups instead. |
+| Error occurred while connecting to the database {0} on server {1}: Authentication to host '{1}' for user '\<username>' using method 'mysql_native_password' failed with message: Unknown database '\<db-name>' | Update database connection string. |
+| Cannot resolve {0}. {1} (CannotResolveStorageAccount) | Delete the backup schedule and reconfigure it. |
+| Login failed for user '{0}'. | Update the database connection string. |
+| Create Database copy of {0} ({1}) threw an exception. Could not create Database copy. | Use an administrative user in the connection string. |
+| The server principal "\<name>" is not able to access the database "master" under the current security context. Cannot open database "master" requested by the login. The login failed. Login failed for user '\<name>'. | Use an administrative user in the connection string. |
+| A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server). | Check that the connection string is valid. Allow the app's [outbound IPs](overview-inbound-outbound-ips.md) in the database server settings. |
+| Cannot open server "\<name>" requested by the login. The login failed. | Check that the connection string is valid. |
+| Missing mandatory parameters for valid Shared Access Signature. | Delete the backup schedule and reconfigure it. |
+| SSL connection is required. Please specify SSL options and retry. when trying to connect. | Use the built-in backup feature in Azure MySQL or Azure Postgressql instead. |
+ ## Automate with scripts You can automate backup management with scripts, using the [Azure CLI](/cli/azure/install-azure-cli) or [Azure PowerShell](/powershell/azure/).
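Review bot: two rows in the new troubleshooting table tell the reader to "Use an administrative user in the connection string" (the "Create Database copy" row and the server principal/"master" row); a backup connection string is stored configuration, so recommend the least privilege that lets the backup create a database copy rather than a blanket administrative account, and say why the elevated right is needed. Typos in the same table: "Azure Postgressql" should be "Azure Database for PostgreSQL", and the error text "SSL connection is required. Please specify SSL options and retry. when trying to connect." carries a stray sentence fragment after the second period.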
app-service Monitor Instances Health Check https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/monitor-instances-health-check.md
This article uses Health check in the Azure portal to monitor App Service instan
## What App Service does with Health checks - When given a path on your app, Health check pings this path on all instances of your App Service app at 1-minute intervals.-- If an instance doesn't respond with a status code between 200-299 (inclusive) after two or more requests, or fails to respond to the ping, the system determines it's unhealthy and removes it.-- After removal, Health check continues to ping the unhealthy instance. If it continues to respond unsuccessfully, App Service restarts the underlying VM in an effort to return the instance to a healthy state.-- If an instance remains unhealthy for one hour, it will be replaced with new instance.
+- If an instance doesn't respond with a status code between 200-299 (inclusive) after two or more requests, or fails to respond to the ping, it will be deemed unhealthy and requests will not be routed to that instance.
+- Health check will continue to ping the unhealthy instance after it has been removed from the load balancer. If the instance continues to respond unseccessfully for one hour, it will be replaced with new VM.
- Furthermore, when scaling up or out, App Service pings the Health check path to ensure new instances are ready. > [!NOTE]
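Review bot: "unseccessfully" in the second new bullet should be "unsuccessfully", and "replaced with new VM" needs an article ("a new VM"). The rewrite also drops the earlier statement that App Service restarts the underlying VM before replacing an instance after one hour; if the restart still happens, keep it in the list, and if it no longer does, the removal is a behaviour change worth calling out in the PR description rather than folding into a wording edit.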
app-service Quickstart Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/quickstart-java.md
JBoss EAP is only available on the Linux version of App Service. Please select t
Clone the Pet Store demo application. ```azurecli-interactive
-git clone https://github.com/agoncal/agoncal-application-petstore-ee7.git
+git clone https://github.com/andxu/migrate-javaee-app-to-azure-training.git
``` Change directory to the cloned project. ```azurecli-interactive
-cd agoncal-application-petstore-ee7
+cd migrate-javaee-app-to-azure-training
``` ::: zone-end
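Review bot: the clone target moves from `agoncal/agoncal-application-petstore-ee7` to `andxu/migrate-javaee-app-to-azure-training`, a repository under a personal GitHub account; a quickstart that has readers clone and deploy code should point at a repository the docs team controls (Azure-Samples or a Microsoft organisation) or at least pin a tag or commit in the `git clone` instruction, so that later pushes to that personal repository cannot change what readers build and deploy into their subscriptions.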
The deployment process to Azure App Service will use your Azure credentials from
Run the Maven command below to configure the deployment. This command will help you to set up the App Service operating system, Java version, and Tomcat version. ```azurecli-interactive
-mvn com.microsoft.azure:azure-webapp-maven-plugin:1.16.1:config
+mvn com.microsoft.azure:azure-webapp-maven-plugin:2.0.0:config
``` ::: zone pivot="platform-windows"
JBoss EAP is only available on the Linux version of App Service. Please select t
1. When prompted with **Web App** option, accept the default option `<create>` by pressing enter. 1. When prompted with **OS** option, select **Linux** by pressing enter. 1. When prompted with **javaVersion** option, select **Java 8** by entering `1`.
-1. When prompted with **runtimeStack** option, select **Jbosseap 7** by entering `1`
+1. When prompted with **runtimeStack** option, select **Jbosseap 7** by entering `2`
1. When prompted with **pricingTier** option, select **P1v3** by entering `3` 1. Finally, press enter on the last prompt to confirm your selections.
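Review bot: the runtimeStack step now says enter `2` for Jbosseap 7, alongside the bump to `azure-webapp-maven-plugin:2.0.0:config`; the menu index is version-specific, so confirm it against the 2.0.0 prompt and consider telling readers to pick the option by name in case the numbering shifts again. The unchanged pricingTier step (enter `3` for P1v3) should be verified against the same plugin version for the same reason.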
Property | Required | Description | Version
`<resourceGroup>` | true | Azure Resource Group for your Web App. | 0.1.0+ `<appName>` | true | The name of your Web App. | 0.1.0+ `<region>` | true | Specifies the region where your Web App will be hosted; the default value is **westeurope**. All valid regions at [Supported Regions](https://azure.microsoft.com/global-infrastructure/services/?products=app-service) section. | 0.1.0+
-`<pricingTier>` | false | The pricing tier for your Web App. The default value is **P1V2** for production workload, while **B2** is the recommended minimum for Java dev/test. [Learn more](https://azure.microsoft.com/pricing/details/app-service/linux/)| 0.1.0+
+`<pricingTier>` | true | The pricing tier for your Web App. The default value is **P1V2** for production workload, while **B2** is the recommended minimum for Java dev/test. [Learn more](https://azure.microsoft.com/pricing/details/app-service/linux/)| 0.1.0+
`<runtime>` | true | The runtime environment configuration, you could see the detail [here](https://github.com/microsoft/azure-maven-plugins/wiki/Azure-Web-App:-Configuration-Details). | 0.1.0+ `<deployment>` | true | The deployment configuration, you could see the details [here](https://github.com/microsoft/azure-maven-plugins/wiki/Azure-Web-App:-Configuration-Details). | 0.1.0+
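Review bot: flipping `<pricingTier>` to Required = true contradicts the rest of the cell, which still says "The default value is **P1V2** for production workload"; a required property has no default, so either keep false or drop the default sentence. The casing **P1V2** also differs from the `P1v2` value the tutorial-java-spring-cosmosdb change on this page settles on and from **P1v3** used in the prompts above; pick one.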
app-service Scenario Secure App Authentication App Service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/scenario-secure-app-authentication-app-service.md
Previously updated : 04/02/2021 Last updated : 06/28/2021
app-service Tutorial Java Spring Cosmosdb https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/tutorial-java-spring-cosmosdb.md
Open the `pom.xml` file in the `initial/spring-boot-todo` directory and add the
<plugin> <groupId>com.microsoft.azure</groupId> <artifactId>azure-webapp-maven-plugin</artifactId>
- <version>1.14.0</version>
+ <version>2.0.0</version>
<configuration> <schemaVersion>v2</schemaVersion>
Open the `pom.xml` file in the `initial/spring-boot-todo` directory and add the
<resourceGroup>${RESOURCEGROUP_NAME}</resourceGroup> <appName>${WEBAPP_NAME}</appName> <region>${REGION}</region>
- <pricingTier>P1V2</princingTier>
+ <pricingTier>P1v2</pricingTier>
<!-- Java Runtime Stack for Web App on Linux--> <runtime> <os>linux</os>
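Review bot: good catch on the mismatched closing tag; `<pricingTier>P1V2</princingTier>` is malformed XML, so Maven would fail to parse the `pom.xml` as published. The value also changes from `P1V2` to `P1v2`, which matches the `P1v3` casing used in the quickstart-java prompts on this page, but the quickstart-java property table still documents the default as **P1V2**; align the two.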
bash-3.2$ mvn azure-webapp:deploy
[INFO] Building spring-todo-app 2.0-SNAPSHOT [INFO] [INFO]
-[INFO] azure-webapp-maven-plugin:1.14.0:deploy (default-cli) @ spring-todo-app
-[INFO] Auth Type : AZURE_CLI, Auth Files : [C:\Users\testuser\.azure\azureProfile.json, C:\Users\testuser\.azure\accessTokens.json]
-[INFO] Subscription : xxxxxxxxx
-[INFO] Target Web App doesn't exist. Creating a new one...
+[INFO] azure-webapp-maven-plugin:2.0.0:deploy (default-cli) @ spring-todo-app
+Auth Type: AZURE_CLI
+Default subscription: xxxxxxxxx
+Username: xxxxxxxxx
+[INFO] Subscription: xxxxxxxxx
[INFO] Creating App Service Plan 'ServicePlanb6ba8178-5bbb-49e7'... [INFO] Successfully created App Service Plan.
-[INFO] Successfully created Web App.
-[INFO] Using 'UTF-8' encoding to copy filtered resources.
-[INFO] Copying 1 resource to /home/test/e2e-java-experience-in-app-service-linux-part-2/initial/spring-todo-app/target/azure-webapp/spring-todo-app-61bb5207-6fb8-44c4-8230-c1c9e4c099f7
+[INFO] Creating web App spring-todo-app...
+[INFO] Successfully created Web App spring-todo-app.
[INFO] Trying to deploy artifact to spring-todo-app...
-[INFO] Renaming /home/test/e2e-java-experience-in-app-service-linux-part-2/initial/spring-todo-app/target/azure-webapp/spring-todo-app-61bb5207-6fb8-44c4-8230-c1c9e4c099f7/spring-todo-app-2.0-SNAPSHOT.jar to app.jar
-[INFO] Deploying the zip package spring-todo-app-61bb5207-6fb8-44c4-8230-c1c9e4c099f7718326714198381983.zip...
[INFO] Successfully deployed the artifact to https://spring-todo-app.azurewebsites.net [INFO] [INFO] BUILD SUCCESS
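Review bot: the refreshed output drops the local paths, the generated package GUID and the reference to `accessTokens.json`, which is the right direction for a published sample, but the three new lines `Auth Type: AZURE_CLI`, `Default subscription: xxxxxxxxx` and `Username: xxxxxxxxx` lack the `[INFO]` prefix every surrounding line carries; keep them only if that is what 2.0.0 really prints, otherwise align the prefix. Keep the subscription and username placeholders redacted as they are here so no real account identifiers end up in the doc.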
application-gateway Configuration Http Settings https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/application-gateway/configuration-http-settings.md
This setting lets you configure an optional custom forwarding path to use when t
## Use for app service
-This is a UI only shortcut that selects the two required settings for the Azure App Service back end. It enables **pick host name from back-end address**, and it creates a new custom probe if you don't have one already. (For more information, see the [Pick host name from back-end address](#pick-host-name-from-back-end-address)setting section of this article.) A new probe is created, and the probe header is picked from the back-end member's address.
+This is a UI only shortcut that selects the two required settings for the Azure App Service back end. It enables **pick host name from back-end address**, and it creates a new custom probe if you don't have one already. (For more information, see the [Pick host name from back-end address](#pick-host-name-from-back-end-address) setting section of this article.) A new probe is created, and the probe header is picked from the back-end member's address.
## Use custom probe
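Review bot: the whitespace fix before "setting section" is correct; while here, "UI only shortcut" should be hyphenated as "UI-only shortcut", and the paragraph says the probe is created "if you don't have one already" and then again "A new probe is created", which reads as a contradiction; one statement is enough.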
For example, if *www.contoso.com* is specified in the **Host name** setting, the
## Next steps -- [Learn about the back-end pool](configuration-overview.md#back-end-pool)
+- [Learn about the back-end pool](configuration-overview.md#back-end-pool)
automanage Automanage Arc https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/automanage-arc.md
+
+ Title: Azure Automanage for Arc enabled servers
+description: Learn about the Azure Automanage for Arc enabled servers
++++++ Last updated : 06/24/2021++++
+# Azure Automanage for Machines Best Practices - Arc enabled servers
+
+These Azure services are automatically onboarded for you when you use Automanage Machine Best Practices on an Arc-enabled server VM. They are essential to our best practices white paper, which you can find in our [Cloud Adoption Framework](/azure/cloud-adoption-framework/manage/azure-server-management).
+
+For all of these services, we will auto-onboard, auto-configure, monitor for drift, and remediate if drift is detected. To learn more about this process, see [Azure Automanage for virtual machines](automanage-virtual-machines.md).
+
+## Supported operating systems
+
+Automanage supports the following operating systems for Arc enabled servers
+
+- Windows Server 2012/R2
+- Windows Server 2016
+- Windows Server 2019
+- CentOS 7.3+, 8
+- RHEL 7.4+, 8
+- Ubuntu 16.04 and 18.04
+- SLES 12 (SP3-SP5 only)
+
+## Participating services
+
+|Service |Description |Environments supported<sup>1</sup> |Preferences supported<sup>1</sup> |
+|--||-|-|
+|[Machines Insights Monitoring](../azure-monitor/vm/vminsights-overview.md) |Azure Monitor for machines monitors the performance and health of your virtual machines, including their running processes and dependencies on other resources. Learn [more](../azure-monitor/vm/vminsights-overview.md). |Production |No |
+|[Azure Security Center](../security-center/security-center-introduction.md) |Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud. Learn [more](../security-center/security-center-introduction.md). Automanage will configure the subscription where your VM resides to the free-tier offering of Azure Security Center. If your subscription is already onboarded to Azure Security Center, then Automanage will not reconfigure it. |Production, Dev/Test |No |
+|[Update Management](../automation/update-management/overview.md) |You can use Update Management in Azure Automation to manage operating system updates for your machines. You can quickly assess the status of available updates on all agent machines and manage the process of installing required updates for servers. Learn [more](../automation/update-management/overview.md). |Production, Dev/Test |No |
+|[Change Tracking & Inventory](../automation/change-tracking/overview.md) |Change Tracking and Inventory combines change tracking and inventory functions to allow you to track virtual machine and server infrastructure changes. The service supports change tracking across services, daemons software, registry, and files in your environment to help you diagnose unwanted changes and raise alerts. Inventory support allows you to query in-guest resources for visibility into installed applications and other configuration items. Learn [more](../automation/change-tracking/overview.md). |Production, Dev/Test |No |
+|[Azure Guest Configuration](../governance/policy/concepts/guest-configuration.md) | Guest Configuration policy is used to monitor the configuration and report on the compliance of the machine. The Automanage service will install the Azure Linux baseline using the Guest Configuration extension. For Linux machines, the guest configuration service will install the baseline in audit-only mode. You will be able to see where your VM is out of compliance with the baseline, but noncompliance won't be automatically remediated. Learn [more](../governance/policy/concepts/guest-configuration.md). |Production, Dev/Test |No |
+|[Azure Automation Account](../automation/automation-create-standalone-account.md) |Azure Automation supports management throughout the lifecycle of your infrastructure and applications. Learn [more](../automation/automation-intro.md). |Production, Dev/Test |No |
+|[Log Analytics Workspace](../azure-monitor/logs/log-analytics-overview.md) |Azure Monitor stores log data in a Log Analytics workspace, which is an Azure resource and a container where data is collected, aggregated, and serves as an administrative boundary. Learn [more](../azure-monitor/logs/design-logs-deployment.md). |Production, Dev/Test |No |
++
+<sup>1</sup> The environment selection is available when you are enabling Automanage. Learn [more](automanage-virtual-machines.md#environment-configuration). You can also adjust the default settings of the environment and set your own preferences within the best practices constraints.
++
+## Next steps
+
+Try enabling Automanage for machines in the Azure portal.
+
+> [!div class="nextstepaction"]
+> [Enable Automanage for machines in the Azure portal](quick-create-virtual-machines-portal.md)
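Review bot: two added lines consist of a lone `+` (one after the table, one after the footnote) and will render as stray plus signs; delete them. Other points in this new file: the metadata block shows `Title:` and `Last updated : 06/24/2021` run together with `++++++`/`++++` and no `---` delimiters as displayed here, so verify the front matter builds; "Automanage supports the following operating systems for Arc enabled servers" needs a closing colon; the separator row as shown, `|--||-|-|`, has an empty cell and should be `|---|---|---|---|` for a four-column table; the intro calls the target an "Arc-enabled server VM" while the rest of the page says "Arc enabled servers", which are not necessarily VMs (the product name is hyphenated, Azure Arc-enabled servers); and the Azure Security Center row still says "the subscription where your VM resides", which should be "machine" on this page.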
automanage Automanage Linux https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/automanage-linux.md
-# Azure Automanage for virtual machines best practices - Linux
+# Azure Automanage for Machines Best Practices - Linux
-These Azure services are automatically onboarded for you when you use Automanage for virtual machines (VMs) on a Linux VM. They are essential to our best practices white paper, which you can find in our [Cloud Adoption Framework](/azure/cloud-adoption-framework/manage/azure-server-management).
+These Azure services are automatically onboarded for you when you use Automanage Machine Best Practices on a Linux VM. They are essential to our best practices white paper, which you can find in our [Cloud Adoption Framework](/azure/cloud-adoption-framework/manage/azure-server-management).
For all of these services, we will auto-onboard, auto-configure, monitor for drift, and remediate if drift is detected. To learn more about this process, see [Azure Automanage for virtual machines](automanage-virtual-machines.md).
Automanage supports the following Linux distributions and versions:
## Participating services >[!NOTE]
-> Microsoft Antimalware is not supported on Linux VMs at this time.
+> Microsoft Antimalware is not supported on Linux machines at this time.
|Service |Description |Environments Supported<sup>1</sup> |Preferences supported<sup>1</sup> | |--||-|-|
-|[VM Insights Monitoring](../azure-monitor/vm/vminsights-overview.md) |Azure Monitor for VMs monitors the performance and health of your virtual machines, including their running processes and dependencies on other resources. Learn [more](../azure-monitor/vm/vminsights-overview.md). |Production |No |
+|[Machines Insights Monitoring](../azure-monitor/vm/vminsights-overview.md) |Azure Monitor for machines monitors the performance and health of your virtual machines, including their running processes and dependencies on other resources. Learn [more](../azure-monitor/vm/vminsights-overview.md). |Production |No |
|[Backup](../backup/backup-overview.md) |Azure Backup provides independent and isolated backups to guard against unintended destruction of the data on your VMs. Learn [more](../backup/backup-azure-vms-introduction.md). Charges are based on the number and size of VMs being protected. Learn [more](https://azure.microsoft.com/pricing/details/backup/). |Production |Yes | |[Azure Security Center](../security-center/security-center-introduction.md) |Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud. Learn [more](../security-center/security-center-introduction.md). Automanage will configure the subscription where your VM resides to the free-tier offering of Azure Security Center. If your subscription is already onboarded to Azure Security Center, then Automanage will not reconfigure it. |Production, Dev/Test |No |
-|[Update Management](../automation/update-management/overview.md) |You can use Update Management in Azure Automation to manage operating system updates for your virtual machines. You can quickly assess the status of available updates on all agent machines and manage the process of installing required updates for servers. Learn [more](../automation/update-management/overview.md). |Production, Dev/Test |No |
+|[Update Management](../automation/update-management/overview.md) |You can use Update Management in Azure Automation to manage operating system updates for your machines. You can quickly assess the status of available updates on all agent machines and manage the process of installing required updates for servers. Learn [more](../automation/update-management/overview.md). |Production, Dev/Test |No |
|[Change Tracking & Inventory](../automation/change-tracking/overview.md) |Change Tracking and Inventory combines change tracking and inventory functions to allow you to track virtual machine and server infrastructure changes. The service supports change tracking across services, daemons software, registry, and files in your environment to help you diagnose unwanted changes and raise alerts. Inventory support allows you to query in-guest resources for visibility into installed applications and other configuration items. Learn [more](../automation/change-tracking/overview.md). |Production, Dev/Test |No | |[Azure Guest Configuration](../governance/policy/concepts/guest-configuration.md) | Guest Configuration policy is used to monitor the configuration and report on the compliance of the machine. The Automanage service will install the Azure Linux baseline using the Guest Configuration extension. For Linux machines, the guest configuration service will install the baseline in audit-only mode. You will be able to see where your VM is out of compliance with the baseline, but noncompliance won't be automatically remediated. Learn [more](../governance/policy/concepts/guest-configuration.md). |Production, Dev/Test |No | |[Boot Diagnostics](../virtual-machines/boot-diagnostics.md) | Boot diagnostics is a debugging feature for Azure virtual machines (VM) that allows diagnosis of VM boot failures. Boot diagnostics enables a user to observe the state of their VM as it is booting up by collecting serial log information and screenshots. This will only be enabled for machines that are using managed disks. |Production, Dev/Test |No |
Automanage supports the following Linux distributions and versions:
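Review bot: the link text changes to "Machines Insights Monitoring" and the description to "Azure Monitor for machines", but the link still resolves to vminsights-overview.md, the feature is VM insights, and the Windows Server change on this page capitalises the same phrase as "Azure Monitor for Machines"; either keep the product name or pick one casing for the new wording across the Linux, Windows Server and Arc pages. The same cell also still says "your virtual machines", so the rename is only partly applied.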
## Next steps
-Try enabling Automanage for virtual machines in the Azure portal.
+Try enabling Automanage for machines in the Azure portal.
> [!div class="nextstepaction"]
-> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
+> [Enable Automanage for machines in the Azure portal](quick-create-virtual-machines-portal.md)
automanage Automanage Virtual Machines https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/automanage-virtual-machines.md
Azure Automanage also automatically monitors for drift and corrects for it when
Automanage doesn't store/process customer data outside the geography your VMs are located. In the SoutheastAsia region, Automanage does not store/process data outside of SoutheastAsia.
+> [!NOTE]
+> Automanage can be enabled on Azure virtual machines as well as Arc enabled servers. Automanage is not available in US Government Cloud at this time.
+ ## Prerequisites There are several prerequisites to consider before trying to enable Azure Automanage on your virtual machines.
automanage Automanage Windows Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/automanage-windows-server.md
-# Azure Automanage for virtual machines best practices - Windows Server
+# Azure Automanage for Machines Best Practices - Windows Server
-These Azure services are automatically onboarded for you when you use Automanage for virtual machines (VMs) on a Windows Server VM. They are essential to our best practices white paper, which you can find in our [Cloud Adoption Framework](/azure/cloud-adoption-framework/manage/azure-server-management).
+These Azure services are automatically onboarded for you when you use Automanage Machine Best Practices on a Windows Server VM. They are essential to our best practices white paper, which you can find in our [Cloud Adoption Framework](/azure/cloud-adoption-framework/manage/azure-server-management).
For all of these services, we will auto-onboard, auto-configure, monitor for drift, and remediate if drift is detected. To learn more about this process, see [Azure Automanage for virtual machines](automanage-virtual-machines.md).
Automanage supports the following Windows Server versions:
|Service |Description |Environments Supported<sup>1</sup> |Preferences supported<sup>1</sup> | |--||-|-|
-|[VM Insights Monitoring](../azure-monitor/vm/vminsights-overview.md) |Azure Monitor for VMs monitors the performance and health of your virtual machines, including their running processes and dependencies on other resources. Learn [more](../azure-monitor/vm/vminsights-overview.md). |Production |No |
-|[Backup](../backup/backup-overview.md) |Azure Backup provides independent and isolated backups to guard against unintended destruction of the data on your VMs. Learn [more](../backup/backup-azure-vms-introduction.md). Charges are based on the number and size of VMs being protected. Learn [more](https://azure.microsoft.com/pricing/details/backup/). |Production |Yes |
+|[Machines Insights Monitoring](../azure-monitor/vm/vminsights-overview.md) |Azure Monitor for Machines monitors the performance and health of your virtual machines, including their running processes and dependencies on other resources. Learn [more](../azure-monitor/vm/vminsights-overview.md). |Production |No |
+|[Backup](../backup/backup-overview.md) |Azure Backup provides independent and isolated backups to guard against unintended destruction of the data on your machines. Learn [more](../backup/backup-azure-vms-introduction.md). Charges are based on the number and size of VMs being protected. Learn [more](https://azure.microsoft.com/pricing/details/backup/). |Production |Yes |
|[Azure Security Center](../security-center/security-center-introduction.md) |Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers, and provides advanced threat protection across your hybrid workloads in the cloud. Learn [more](../security-center/security-center-introduction.md). Automanage will configure the subscription where your VM resides to the free-tier offering of Azure Security Center. If your subscription is already onboarded to Azure Security Center, then Automanage will not reconfigure it. |Production, Dev/Test |No | |[Microsoft Antimalware](../security/fundamentals/antimalware.md) |Microsoft Antimalware for Azure is a free real-time protection that helps identify and remove viruses, spyware, and other malicious software. It generates alerts when known malicious or unwanted software tries to install itself or run on your Azure systems. **Note:** Microsoft Antimalware requires that there be no other antimalware software installed, or it may fail to work. Learn [more](../security/fundamentals/antimalware.md). |Production, Dev/Test |Yes |
-|[Update Management](../automation/update-management/overview.md) |You can use Update Management in Azure Automation to manage operating system updates for your virtual machines. You can quickly assess the status of available updates on all agent machines and manage the process of installing required updates for servers. Learn [more](../automation/update-management/overview.md). |Production, Dev/Test |No |
+|[Update Management](../automation/update-management/overview.md) |You can use Update Management in Azure Automation to manage operating system updates for your machines. You can quickly assess the status of available updates on all agent machines and manage the process of installing required updates for servers. Learn [more](../automation/update-management/overview.md). |Production, Dev/Test |No |
|[Change Tracking & Inventory](../automation/change-tracking/overview.md) |Change Tracking and Inventory combines change tracking and inventory functions to allow you to track virtual machine and server infrastructure changes. The service supports change tracking across services, daemons software, registry, and files in your environment to help you diagnose unwanted changes and raise alerts. Inventory support allows you to query in-guest resources for visibility into installed applications and other configuration items. Learn [more](../automation/change-tracking/overview.md). |Production, Dev/Test |No | |[Azure Guest Configuration](../governance/policy/concepts/guest-configuration.md) | Guest Configuration policy is used to monitor the configuration and report on the compliance of the machine. The Automanage service will install the [Windows security baselines](/windows/security/threat-protection/windows-security-baselines) using the Guest Configuration extension. For Windows machines, the guest configuration service will automatically reapply the baseline settings if they are out of compliance. Learn [more](../governance/policy/concepts/guest-configuration.md). |Production, Dev/Test |No | |[Boot Diagnostics](../virtual-machines/boot-diagnostics.md) | Boot diagnostics is a debugging feature for Azure virtual machines (VM) that allows diagnosis of VM boot failures. Boot diagnostics enables a user to observe the state of their VM as it is booting up by collecting serial log information and screenshots. This will only be enabled for machines that are using managed disks. |Production, Dev/Test |No |
Automanage supports the following Windows Server versions:
## Next steps
-Try enabling Automanage for virtual machines in the Azure portal.
+Try enabling Automanage for machines in the Azure portal.
> [!div class="nextstepaction"]
-> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
+> [Enable Automanage for machines in the Azure portal](quick-create-virtual-machines-portal.md)
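Review bot: the Backup row now says "data on your machines" but the charge sentence in the same cell still says "number and size of VMs being protected", and the Security Center row still says "the subscription where your VM resides"; the rename is applied to some cells and not others. Same separator-row point as the Linux page: `|--||-|-|` as shown has an empty cell for a four-column table.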
automanage Common Errors https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/common-errors.md
Onboarding a machine to Automanage will result in an Azure Resource Manager depl
:::image type="content" source="media\common-errors\failure-flyout.png" alt-text="Automanage failure detail flyout.":::
-### Check the deployments for the resource group containing the failed VM
+### Check the deployments for the resource group containing the failed machine
The failure flyout will contain a link to the deployments in the resource group containing the machine that failed onboarding. The flyout will also contain a prefix name you can use to filter deployments with. Clicking the deployment link will take you to the deployments blade, where you can then filter deployments to see Automanage deployments to your machine. If you're deploying across multiple regions, ensure that you click on the deployment in the correct region.
-### Check the deployments for the subscription containing the failed VM
-If you don't see any failures in the resource group deployment, then your next step would be to look at the deployments in your subscription containing the VM that failed onboarding. Click the **Deployments for subscription** link in the failure flyout and filter deployments using the **Automanage-DefaultResourceGroup** filter. Use the resource group name from the failure blade to filter deployments. The deployment name will be suffixed with a region name. If you're deploying across multiple regions, ensure that you click on the deployment in the correct region.
+### Check the deployments for the subscription containing the failed machine
+If you don't see any failures in the resource group deployment, then your next step would be to look at the deployments in your subscription containing the machine that failed onboarding. Click the **Deployments for subscription** link in the failure flyout and filter deployments using the **Automanage-DefaultResourceGroup** filter. Use the resource group name from the failure blade to filter deployments. The deployment name will be suffixed with a region name. If you're deploying across multiple regions, ensure that you click on the deployment in the correct region.
### Check deployments in a subscription linked to a Log Analytics workspace
-If you don't see any failed deployments in the resource group or subscription containing your failed VM, and if your failed VM is connected to a Log Analytics workspace in a different subscription, then go to the subscription linked to your Log Analytics workspace and check for failed deployments.
+If you don't see any failed deployments in the resource group or subscription containing your failed machine, and if your failed machine is connected to a Log Analytics workspace in a different subscription, then go to the subscription linked to your Log Analytics workspace and check for failed deployments.
## Common deployment errors
The template deployment failed because of policy violation. Please see details f
* [Learn more about Azure Automanage](./automanage-virtual-machines.md) > [!div class="nextstepaction"]
-> [Enable Automanage for virtual machines in the Azure portal](quick-create-virtual-machines-portal.md)
+> [Enable Automanage for machines in the Azure portal](quick-create-virtual-machines-portal.md)
automanage Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/faq.md
Yes, we have a built-in policy that will automatically apply Automanage to all V
The Automanage Account is an MSI (Managed Service Identity) that provides the security context or the identity under which the automated operations occur.
-**When enabling Automanage, does it impact any additional VMs besides the VM(s) I selected?**
+**When enabling Automanage, does it impact any additional machines besides the machine(s) I selected?**
-If your VM is linked to an existing Log Analytics workspace, we will reuse that workspace to apply these solutions: Change Tracking, Inventory, and Update Management. All VMs connected to that workspace will have those solutions enabled.
+If your VM is linked to an existing Log Analytics workspace, we will reuse that workspace to apply these solutions: Change Tracking, Inventory, and Update Management. All machines connected to that workspace will have those solutions enabled.
-**Can I change the environment of my VM?**
+**Can I change the environment of my machine?**
-At this time, you will need to disable Automanage for that VM and then re-enable Automanage with the desired environment and preferences.
+At this time, you will need to disable Automanage for that machine and then re-enable Automanage with the desired environment and preferences.
-**If my VM is already configured for a service, like Update Management, will Automanage reconfigure it?**
+**If my machine is already configured for a service, like Update Management, will Automanage reconfigure it?**
No, Automanage will not reconfigure it. We will begin to monitor the resources associated to that service for drift.
-**Why does my VM have a Failed status in the Automanage portal?**
+**Why does my machine have a Failed status in the Automanage portal?**
If you see the status as *Failed*, you can troubleshoot the deployment in a few different ways: * Go to **Resource groups**, select your resource group, click on **Deployments** and see the *Failed* status there along with error details. * Go to **Subscriptions**, select your resource group, click on **Deployments** and see the *Failed* status there along with error details.
-* You can also visit the activity log of a VM, which will contain an entry for "Create or Update Configuration Profile Assignments". This may also contain more details on your deployment.
+* You can also visit the activity log of a machine, which will contain an entry for "Create or Update Configuration Profile Assignments". This may also contain more details on your deployment.
**How can I get troubleshooting support for Automanage?**
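Review bot: the rename to "machine" is incomplete inside this hunk: the answer "If your VM is linked to an existing Log Analytics workspace" keeps "VM" while the question above it and the sentence after it were changed. Separately, in the unchanged troubleshooting bullets, the second one reads "Go to **Subscriptions**, select your resource group", which looks like a copy of the first bullet; under Subscriptions the reader selects a subscription, not a resource group.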
automanage Quick Create Virtual Machines Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automanage/quick-create-virtual-machines-portal.md
If you don't have an Azure subscription, [create an account](https://azure.micro
Sign in to the [Azure portal](https://aka.ms/AutomanagePortal-Ignite21).
-## Enable Automanage for a single VM
+## Enable Automanage for a single machine
1. Browse to the Virtual Machine that you would like to enable.
Sign in to the [Azure portal](https://aka.ms/AutomanagePortal-Ignite21).
:::image type="content" source="media\quick-create-virtual-machine-portal\vmmanage-enablepane.png" alt-text="Enable on single VM.":::
-## Enable Automanage for multiple VMs
+## Enable Automanage for multiple machines
1. In the search bar, search for and select **Automanage ΓÇô Azure machine best practices**.
Sign in to the [Azure portal](https://aka.ms/AutomanagePortal-Ignite21).
:::image type="content" source="media\quick-create-virtual-machine-portal\zero-vm-list-view.png" alt-text="Enable on existing VM."::: 3. On the **Select machines** blade:
- 1. Filter the VMs list by your **Subscription** and **Resource group**.
+ 1. Filter the list by your **Subscription** and **Resource group**.
1. Check the checkbox of each virtual machine you want to onboard. 1. Click the **Select** button.
+ > [!NOTE]
+ > You may select both Azure VMs and Arc enabled servers.
:::image type="content" source="media\quick-create-virtual-machine-portal\existing-vm-select-machine.png" alt-text="Select existing VM from list of available VMs.":::
-4. Under **Environment**, select your environment type: **Dev/Test** or **Production**.
+4. Under **Environment**, select your environment type: **Dev/Test** or **Production**.
:::image type="content" source="media\quick-create-virtual-machine-portal\existing-vm-quick-create.png" alt-text="Select environments.":::
Sign in to the [Azure portal](https://aka.ms/AutomanagePortal-Ignite21).
:::image type="content" source="media\quick-create-virtual-machine-portal\browse-production-profile.png" alt-text="Browse production environment.":::
-5. By default, the **Azure Best Practices** preference is selected for the configuration preferences. To change this, create a new preference or select an existing one.
+5. By default, the **Azure Best Practices** preference is selected for the configuration preferences. To change this, create a new preference or select an existing one.
:::image type="content" source="media\quick-create-virtual-machine-portal\create-preference.png" alt-text="Create preference.":::
automation Automation Quickstart Dsc Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-quickstart-dsc-configuration.md
This quickstart uses a DSC configuration that configures Apache HTTP Server, MyS
In a text editor, type the following and save it locally as **AMPServer.ps1**. ```powershell-interactive
-configuration LAMPServer {
+configuration 'LAMPServer' {
Import-DSCResource -module "nx" Node localhost {
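Review bot: quoting the name in `configuration 'LAMPServer' {` is accepted syntax, but the sentence immediately above still tells the reader to save the file as **AMPServer.ps1**, which does not match the `LAMPServer` configuration name; use the same name for the file so the mismatch is not copied into readers' environments, or say why the two differ.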
automation Automation Role Based Access Control https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/automation-role-based-access-control.md
Perform the following steps to create the Azure Automation custom role in the Az
} ```
-1. Complete the remaining steps as outlined in [Create or update Azure custom roles using the Azure portal](./../role-based-access-control/custom-roles-portal.md#start-from-json). For [Step 3:Basics](/role-based-access-control/custom-roles-portal.md#step-3-basics), note the following:
+1. Complete the remaining steps as outlined in [Create or update Azure custom roles using the Azure portal](/azure/role-based-access-control/custom-roles-portal#start-from-json). For [Step 3:Basics](/azure/role-based-access-control/custom-roles-portal#step-3-basics), note the following:
- In the **Custom role name** field, enter **Automation account Contributor (custom)** or a name matching your naming standards. - For **Baseline permissions**, select **Start from JSON**. Then select the custom JSON file you saved earlier.
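Review bot: the link text "Step 3:Basics" is missing a space after the colon and should read "Step 3: Basics". Both links in the line move from repo-relative `./../role-based-access-control/...md#...` paths to site-absolute `/azure/role-based-access-control/...#...` paths without the `.md` suffix; that is consistent within the line, but check that the rest of the article uses the same link style so this step is not the only one with a different convention.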
availability-zones Az Region https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/availability-zones/az-region.md
To achieve comprehensive business continuity on Azure, build your application ar
| [Azure Data Factory](../data-factory/index.yml) | :large_blue_diamond: | | Azure Database for MySQL ΓÇô [Flexible Server](../mysql/flexible-server/concepts-high-availability.md) | :large_blue_diamond: | | Azure Database for PostgreSQL ΓÇô [Flexible Server](../postgresql/flexible-server/overview.md) | :large_blue_diamond: |
-| [Azure DDoS Protection](../ddos-protection/ddos-faq.md) | :large_blue_diamond: |
+| [Azure DDoS Protection](../ddos-protection/ddos-faq.yml) | :large_blue_diamond: |
| [Azure Disk Encryption](../virtual-machines/disks-redundancy.md) | :large_blue_diamond: | | [Azure Firewall](../firewall/deploy-availability-zone-powershell.md) | :large_blue_diamond: | | [Azure Firewall Manager](../firewall-manager/quick-firewall-policy.md) | :large_blue_diamond: |
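Review bot: the DDoS Protection row is the only entry changed from a `.md` target to `ddos-faq.yml`; every other row in the table keeps a `.md` or `index.yml` target, so this is a single-link fix rather than a table-wide change. Confirm the `ddos-faq.yml` target actually exists before merging, since a dangling link in the availability-zone table is the kind of thing the build will flag.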
azure-functions Functions Create Maven Eclipse https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-create-maven-eclipse.md
Maven creates the project files in a new folder with a name of _artifactId_. The
> [Azure Functions Core Tools, version 2](functions-run-local.md#v2) must be installed to run and debug functions locally. 1. Right-click on the generated project, then choose **Run As** and **Maven build**.
-1. In the **Edit Configuration** dialog, Enter `package` in the **Goals** and **Name** fields, then select **Run**. This will build and package the function code.
+1. In the **Edit Configuration** dialog, Enter `package` in the **Goals**, then select **Run**. This will build and package the function code.
1. Once the build is complete, create another Run configuration as above, using `azure-functions:run` as the goal and name. Select **Run** to run the function in the IDE. Terminate the runtime in the console window when you're done testing your function. Only one function host can be active and running locally at a time.
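Review bot: removing **Name** from the **Edit Configuration** step leaves the following step inconsistent: it still says "create another Run configuration as above, using `azure-functions:run` as the goal and name". Either keep the instruction to fill in **Name** in the first step or change the second step to mention only the goal. Minor: "Enter" should be lower-case in the middle of the sentence ("dialog, enter `package`").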
azure-functions Functions Reference Java https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-reference-java.md
Here is the generated corresponding `function.json` by the [azure-functions-mave
"name": "req", "direction": "in", "authLevel": "anonymous",
- "methods": [ "post" ]
+ "methods": [ "GET","POST" ]
}, { "type": "http",
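Review bot: widening `methods` from `[ "post" ]` to `[ "GET","POST" ]` changes which verbs the HTTP trigger accepts, and the text introduces this file as the `function.json` generated from the Java source, so the `methods` value on the `@HttpTrigger` annotation shown earlier must list the same two verbs or the "generated corresponding" claim no longer holds. Because the binding is `"authLevel": "anonymous"`, the sample now also answers plain GET requests from a browser address bar without any key; a sentence reminding readers to use a non-anonymous `authLevel` (for example `function`) outside local samples would be worth adding here. Style: add a space after the comma in the array to match the spacing used in the rest of the JSON.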
azure-monitor Opencensus Python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/opencensus-python.md
Each exporter accepts the same arguments for configuration, passed through the c
- `proxies`: Specifies a sequence of proxies to use for sending data to Azure Monitor. For more information, see [proxies](https://requests.readthedocs.io/en/master/user/advanced/#proxies). - `storage_path`: A path to where the local storage folder exists (unsent telemetry). As of `opencensus-ext-azure` v1.0.3, the default path is the OS temp directory + `opencensus-python` + `your-ikey`. Prior to v1.0.3, the default path is $USER + `.opencensus` + `.azure` + `python-file-name`.
+## Authentication (preview)
+> [!NOTE]
+> Authentication feature is available starting from `opencensus-ext-azure` v1.1b0
+
+Each of the Azure Monitor exporters supports configuration of securely sending telemetry payloads via OAuth authentication with Azure Active Directory (AAD).
+For more information, check out the [Authentication](./azure-ad-authentication.md) documentation.
+ ## View your data with queries You can view the telemetry data that was sent from your application through the **Logs (Analytics)** tab.
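Review bot: the new Authentication (preview) section states that the exporters can send telemetry via OAuth with Azure AD, but unlike the argument list directly above it (`proxies`, `storage_path`) it does not name the exporter argument that takes the credential, so a reader cannot configure the feature from this page; add that argument to the list or point to it explicitly. The note should read "The authentication feature is available starting from `opencensus-ext-azure` v1.1b0", and the hunk adds a stray leading `+ ` to the unchanged `## View your data with queries` heading line.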
azure-monitor Work Item Integration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/work-item-integration.md
Title: Work Item Integration - Application Insights description: Learn how to create work items in GitHub or Azure DevOps with Application Insights data embedded in them. Previously updated : 04/22/2021 Last updated : 06/27/2021
Last updated 04/22/2021
Work item integration functionality allows you to easily create work items in GitHub or Azure DevOps that have relevant Application Insights data embedded in them. +
+The new work item integration offers the following features over [classic](#classic-work-item-integration):
+- Advanced fields like assignee, projects, or milestones.
+- Repo icons so you can differentiate between GitHub & Azure DevOps workbooks.
+- Multiple configurations for any number of repositories or work items.
+- Deployment through Azure Resource Manager templates.
+- Pre-built & customizable Keyword Query Language (KQL) queries to add Application Insights data to your work items.
+- Customizable workbook templates.
++ ## Create and configure a work item template 1. To create a work item template, go to your Application Insights resource and on the left under *Configure* select **Work Items** then at the top select **Create a new template** :::image type="content" source="./media/work-item-integration/create-work-item-template.png" alt-text=" Screenshot of the Work Items tab with create a new template selected." lightbox="./media/work-item-integration/create-work-item-template.png":::
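Review bot: the feature list item "Repo icons so you can differentiate between GitHub & Azure DevOps workbooks" uses an ampersand; spell it out as "and" to match the other items, and consider saying what the icons distinguish (a GitHub configuration from an Azure DevOps one), since "workbooks" is used elsewhere on this page for the templates themselves. The list also mixes items with and without a trailing period; pick one.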
- You can also create a work item template from the End-to-end transaction details tab, if no template currently exists. Select an event and on the right select **Create a work item**, then **Start with a workbook template**.
+ You can also create a work item template from the end-to-end transaction details tab, if no template currently exists. Select an event and on the right select **Create a work item**, then **Start with a workbook template**.
:::image type="content" source="./media/work-item-integration/create-template-from-transaction-details.png" alt-text=" Screenshot of end-to-end transaction details tab with create a work item, start with a workbook template selected." lightbox="./media/work-item-integration/create-template-from-transaction-details.png":::
Select edit ![edit icon](./media/work-item-integration/edit-icon.png) at the top
:::image type="content" source="./media/work-item-integration/edit-workbook.png" alt-text=" Screenshot of the work item template workbook in edit mode." lightbox="./media/work-item-integration/edit-workbook.png":::
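Review bot: the casing fix from "End-to-end transaction details tab" to "end-to-end transaction details tab" is correct and matches "end-to-end transaction details" in the new classic section below. While touching these lines, trim the leading space in the `alt-text=" Screenshot ..."` values on the surrounding image blocks; every alt text in this article starts with one, and screen readers announce it.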
-You can create more than one work item configuration and have a custom workbook to meet each scenario. The workbooks can also be deployed by Azure Resource Manager ensuring standard implementations across your environments.
+You can create more than one work item configuration and have a custom workbook to meet each scenario. The workbooks can also be deployed by Azure Resource Manager ensuring standard implementations across your environments.
+
+## Classic work item integration
+
+1. In your Application Insights resource under *Configure* select **Work Items**.
+1. Select **Switch to Classic**, fill out the fields with your information, and authorize.
+
+ :::image type="content" source="./media/work-item-integration/classic.png" alt-text=" Screenshot of how to configure classic work items." lightbox="./media/work-item-integration/classic.png":::
+
+1. Create a work item by going to the end-to-end transaction details, select an event then select **Create work item (Classic)**.
++
+### Migrate to new work item integration
+
+To migrate, delete your classic work item configuration then [create and configure a work item template](#create-and-configure-a-work-item-template) to recreate your integration.
+
+To delete, go to in your Application Insights resource under *Configure* select **Work Items** then select **Switch to Classic** and **Delete* at the top.
++
+## Next steps
+[Availability test](availability-overview.md)
+
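Review bot: the migration paragraph tells readers to delete the classic configuration first and then create a work item template; in that order they have no working integration until the new template is configured, so suggest reversing it (create and configure the new template, confirm it creates a work item, then delete the classic configuration). In the delete sentence, `**Delete*` has unbalanced bold markers and "go to in your Application Insights resource" has a stray "in".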
azure-monitor Manage Cost Storage https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/manage-cost-storage.md
# Manage usage and costs with Azure Monitor Logs > [!NOTE]
-> This article describes how to understand and control your costs for Azure Monitor Logs. A related article, [Monitoring usage and estimated costs](../usage-estimated-costs.md) describes how to view usage and estimated costs across multiple Azure monitoring features for different pricing models. All prices and costs shown in this article are for example purposes only.
+> This article describes how to understand and control your costs for Azure Monitor Logs. A related article, [Monitoring usage and estimated costs](../usage-estimated-costs.md), describes how to view usage and estimated costs across multiple Azure monitoring features for different pricing models. All prices and costs in this article are for example purposes only.
-Azure Monitor Logs is designed to scale and support collecting, indexing, and storing massive amounts of data per day from any source in your enterprise or deployed in Azure. While this may be a primary driver for your organization, cost-efficiency is ultimately the underlying driver. To that end, it's important to understand that the cost of a Log Analytics workspace isn't based only on the volume of data collected, it is also dependent on the plan selected, and how long you chose to store data generated from your connected sources.
+Azure Monitor Logs is designed to scale and support collecting, indexing, and storing massive amounts of data per day from any source in your enterprise or deployed in Azure. Although this might be a primary driver for your organization, cost-efficiency is ultimately the underlying driver. To that end, it's important to understand that the cost of a Log Analytics workspace isn't based only on the volume of data collected; it's also dependent on the selected plan, and how long you stored data generated from your connected sources.
-In this article we review how you can proactively monitor ingested data volume and storage growth, and define limits to control those associated costs.
+This article reviews how you can proactively monitor ingested data volume and storage growth. It also discusses how to define limits to control those associated costs.
## Pricing model
-The default pricing for Log Analytics is a **Pay-As-You-Go** model based on data volume ingested and optionally for longer data retention. Data volume is measured as the size of the data that will be stored in GB (10^9 bytes). Each Log Analytics workspace is charged as a separate service and contributes to the bill for your Azure subscription. The amount of data ingestion can be considerable depending on the following factors:
+The default pricing for Log Analytics is a **Pay-As-You-Go** model that's based on ingested data volume and, optionally, for longer data retention. Data volume is measured as the size of the data that will be stored in GB (10^9 bytes). Each Log Analytics workspace is charged as a separate service and contributes to the bill for your Azure subscription. The amount of data ingestion can be considerable, depending on the following factors:
- - Number of management solutions enabled and their configuration
- - Number of VMs monitored
+ - The number of management solutions enabled and their configuration
+ - The number of monitored virtual machines (VMs)
- Type of data collected from each monitored VM
-In addition to the Pay-As-You-Go model, Log Analytics has **Commitment Tiers** which enable you to save as much as 30% compared to the Pay-As-You-Go price. The commitment tier pricing enables you to make a commitment to buy data ingestion starting at 100 GB/day at a lower price than Pay-As-You-Go pricing. Any usage above the commitment level (overage) will be billed at that same price per GB as provided by the current commitment tier. The commitment tiers have a 31-day commitment period. During the commitment period, you can change to a higher commitment tier (which will restart the 31-day commitment period), but you cannot move back to Pay-As-You-Go or to a lower commitment tier until after the commitment period is finished. Billing for the commitment tiers is done on a daily basis. [Learn more](https://azure.microsoft.com/pricing/details/monitor/) about Log Analytics Pay-As-You-Go and Commitment Tier pricing.
+In addition to the Pay-As-You-Go model, Log Analytics has **Commitment Tiers**, which can save you as much as 30 percent compared to the Pay-As-You-Go price. With the commitment tier pricing, you can commit to buy data ingestion starting at 100 GB/day at a lower price than Pay-As-You-Go pricing. Any usage above the commitment level (overage) is billed at that same price per GB as provided by the current commitment tier. The commitment tiers have a 31-day commitment period. During the commitment period, you can change to a higher commitment tier (which restarts the 31-day commitment period), but you can't move back to Pay-As-You-Go or to a lower commitment tier until after you finish the commitment period. Billing for the commitment tiers is done on a daily basis. [Learn more](https://azure.microsoft.com/pricing/details/monitor/) about Log Analytics Pay-As-You-Go and Commitment Tier pricing.
> [!NOTE]
-> Starting June 2, 2021, **Capacity Reservations** are now called **Commitment Tiers**. Data collected above your commitment tier level (overage) is now billed at the same price-per-GB as the current commitment tier level, lowering costs compared to the old method of billing at the Pay-As-You-Go rate, and reducing the need for users with large data volumes to fine-tune their commitment level. Additionally, three new larger commitment tiers have been added at 1000, 2000 and 5000 GB/day.
+> Starting June 2, 2021, **Capacity Reservations** are now called **Commitment Tiers**. Data collected above your commitment tier level (overage) is now billed at the same price-per-GB as the current commitment tier level, lowering costs compared to the old method of billing at the Pay-As-You-Go rate, and reducing the need for users with large data volumes to fine-tune their commitment level. There are also three new larger commitment tiers: 1000, 2000, and 5000 GB/day.
-In all pricing tiers, an event's data size is calculated from a string representation of the properties that are stored in Log Analytics for this event, whether the data is sent from an agent or added during the ingestion process. This includes any [custom fields](custom-fields.md) that are added as data is collected and then stored in Log Analytics. Several properties common to all data types, including some [Log Analytics Standard Properties](./log-standard-columns.md), are excluded in the calculation of the event size. This includes `_ResourceId`, `_SubscriptionId`, `_ItemId`, `_IsBillable`, `_BilledSize` and `Type`. All other properties stored in Log Analytics are included in the calculation of the event size. Some data types are free from data ingestion charges altogether, for example the [AzureActivity](https://docs.microsoft.com/azure/azure-monitor/reference/tables/azureactivity), [Heartbeat](https://docs.microsoft.com/azure/azure-monitor/reference/tables/heartbeat), [Usage](https://docs.microsoft.com/azure/azure-monitor/reference/tables/usage) and [Operation](https://docs.microsoft.com/azure/azure-monitor/reference/tables/operation) types. To determine whether an event was excluded from billing for data ingestion, you can use the [_IsBillable](log-standard-columns.md#_isbillable) property as shown [below](#data-volume-for-specific-events).
+In all pricing tiers, an event's data size is calculated from a string representation of the properties that are stored in Log Analytics for this event, regardless of whether the data is sent from an agent or added during the ingestion process. This includes any [custom fields](custom-fields.md) that are added as data is collected and then stored in Log Analytics. Several properties common to all data types, including some [Log Analytics Standard Properties](./log-standard-columns.md), are excluded in the calculation of the event size. This includes `_ResourceId`, `_SubscriptionId`, `_ItemId`, `_IsBillable`, `_BilledSize` and `Type`. All other properties stored in Log Analytics are included in the calculation of the event size. Some data types are free from data ingestion charges; for example, the AzureActivity, Heartbeat, and Usage types. To determine whether an event was excluded from billing for data ingestion, you can use the `_IsBillable` property as shown [below](#data-volume-for-specific-events). Usage is reported in GB (1.0E9 bytes).
Also, some solutions, such as [Azure Defender (Security Center)](https://azure.microsoft.com/pricing/details/azure-defender/), [Azure Sentinel](https://azure.microsoft.com/pricing/details/azure-sentinel/), and [Configuration management](https://azure.microsoft.com/pricing/details/automation/) have their own pricing models. ### Log Analytics Dedicated Clusters
-[Log Analytics Dedicated Clusters](logs-dedicated-clusters.md) are collections of workspaces into a single managed Azure Data Explorer cluster to support advanced scenarios such as [Customer-Managed Keys](customer-managed-keys.md). Log Analytics Dedicated Clusters use a commitment tier pricing model that must be configured to at least 1000 GB/day. The cluster commitment tier has a 31-day commitment period after the commitment level is increased. During the commitment period, the commitment tier level cannot be reduced, but it can be increased at any time. When workspaces are associated to a cluster, the data ingestion billing for those workspaces is done at the cluster level using the configured commitment tier level. Learn more about [creating a Log Analytics Clusters](customer-managed-keys.md#create-cluster) and [associating workspaces to it](customer-managed-keys.md#link-workspace-to-cluster). Commitment tier pricing information is available at the [Azure Monitor pricing page]( https://azure.microsoft.com/pricing/details/monitor/).
+[Log Analytics Dedicated Clusters](logs-dedicated-clusters.md) are collections of workspaces in a single managed Azure Data Explorer cluster to support advanced scenarios, like [Customer-Managed Keys](customer-managed-keys.md). Log Analytics Dedicated Clusters use a commitment tier pricing model that must be configured to at least 1000 GB/day. The cluster commitment tier has a 31-day commitment period after the commitment level is increased. During the commitment period, the commitment tier level can't be reduced, but it can be increased at any time. When workspaces are associated to a cluster, the data ingestion billing for those workspaces is done at the cluster level using the configured commitment tier level. Learn more about [creating a Log Analytics Clusters](customer-managed-keys.md#create-cluster) and [associating workspaces to it](customer-managed-keys.md#link-workspace-to-cluster). For information about commitment tier pricing, see the [Azure Monitor pricing page]( https://azure.microsoft.com/pricing/details/monitor/).
-The cluster commitment tier level is configured via programmatically with Azure Resource Manager using the `Capacity` parameter under `Sku`. The `Capacity` is specified in units of GB and can have values of 1000, 2000 or 5000 GB/day. This is detailed at [Creating a cluster](logs-dedicated-clusters.md#creating-a-cluster).
+The cluster commitment tier level is programmatically configured with Azure Resource Manager using the `Capacity` parameter under `Sku`. The `Capacity` is specified in units of GB and can have values of 1000 GB/day or more in increments of 100 GB/day. For more information, see [Azure Monitor customer-managed key](customer-managed-keys.md).
There are two modes of billing for usage on a cluster. These can be specified by the `billingType` parameter when [creating a cluster](logs-dedicated-clusters.md#creating-a-cluster) or set after creation. The two modes are:
-1. **Cluster**: in this case (which is the default), billing for ingested data is done at the cluster level. The ingested data quantities from each workspace associated to a cluster are aggregated to calculate the daily bill for the cluster. Per-node allocations from [Azure Defender (Security Center)](../../security-center/index.yml) are applied at the workspace level prior to this aggregation of aggregated data across all workspaces in the cluster.
+- **Cluster**: in this case (which is the default), billing for ingested data is done at the cluster level. The ingested data quantities from each workspace associated to a cluster are aggregated to calculate the daily bill for the cluster. Per-node allocations from [Azure Defender (Security Center)](../../security-center/index.yml) are applied at the workspace level prior to this aggregation of aggregated data across all workspaces in the cluster.
-2. **Workspaces**: the commitment tier costs for your cluster are attributed proportionately to the workspaces in the cluster, by each workspace's data ingestion volume (after accounting for per-node allocations from [Azure Defender (Security Center)](../../security-center/index.yml) for each workspace.) If the total data volume ingested into a cluster for a day is less than the commitment tier, then each workspace is billed for its ingested data at the effective per-GB commitment tier rate by billing them a fraction of the commitment tier, and the unused part of the commitment tier is billed to the cluster resource. If the total data volume ingested into a cluster for a day is more than the commitment tier, then each workspace is billed for a fraction of the commitment tier based on its fraction of the ingested data that day, and each workspace for a fraction of the ingested data above the commitment tier. There is nothing billed to the cluster resource if the total data volume ingested into a workspace for a day is above the commitment tier.
+- **Workspaces**: the commitment tier costs for your cluster are attributed proportionately to the workspaces in the cluster, by each workspace's data ingestion volume (after accounting for per-node allocations from [Azure Defender (Security Center)](../../security-center/index.yml) for each workspace.) If the total data volume ingested into a cluster for a day is less than the commitment tier, each workspace is billed for its ingested data at the effective per-GB commitment tier rate by billing them a fraction of the commitment tier, and the unused part of the commitment tier is billed to the cluster resource. If the total data volume ingested into a cluster for a day is more than the commitment tier, each workspace is billed for a fraction of the commitment tier, based on its fraction of the ingested data that day and each workspace for a fraction of the ingested data above the commitment tier. If the total data volume ingested into a workspace for a day is above the commitment tier, nothing is billed to the cluster resource.
-In cluster billing options, data retention is billed for each workspace. Cluster billing starts when the cluster is created, regardless of whether workspaces have been associated to the cluster. Workspaces associated to a cluster no longer have their own pricing tier.
+In cluster billing options, data retention is billed for each workspace. Cluster billing starts when the cluster is created, regardless of whether workspaces are associated with the cluster. Workspaces associated to a cluster no longer have their own pricing tier.
## Estimating the costs to manage your environment
-If you're not yet using Azure Monitor Logs, you can use the [Azure Monitor pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=monitor) to estimate the cost of using Log Analytics. Start by entering "Azure Monitor" in the Search box, and clicking on the resulting Azure Monitor tile. Scroll down the page to Azure Monitor, and select Log Analytics from the Type dropdown. You can estimate your Log Analytics cost based on your anticipated data volume and desired retention. If you're already evaluating Azure Monitor Logs already, you can use your data statistics from your own environment. (See below for how to determine the [number of monitored VMs](#understanding-nodes-sending-data) and the [volume of data your workspace is ingesting](#understanding-ingested-data-volume). If you're not yet running Log Analytics, here is some guidance for estimating data volumes:
+If you're not yet using Azure Monitor Logs, you can use the [Azure Monitor pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=monitor) to estimate the cost of using Log Analytics. In the **Search** box, enter "Azure Monitor", and then select the resulting Azure Monitor tile. Scroll down the page to **Azure Monitor**, and then select **Log Analytics** in the **Type** dropdown list. Here you can enter the number of virtual machines and the number of gigabytes of data that you expect to collect from each VM. Typically, 1 GB to 3 GB of data per month is ingested from a typical Azure Virtual Machine. If you're already evaluating Azure Monitor Logs, you can use data statistics from your own environment. See below for how to determine the [number of monitored VMs](#understanding-nodes-sending-data) and the [volume of data your workspace is ingesting](#understanding-ingested-data-volume).
+
+If you're not yet running Log Analytics, here is some guidance for estimating data volumes:
1. **Monitoring VMs:** with typical monitoring eanabled, 1 GB to 3 GB of data month is ingested per monitored VM. 2. **Monitoring Azure Kubernetes Service (AKS) clusters:** details on expected data volumes for monitoring a typical AKS cluster are available [here](../containers/container-insights-cost.md#estimating-costs-to-monitor-your-aks-cluster). Follow these [best practices](../containers/container-insights-cost.md#controlling-ingestion-to-reduce-cost) to control your AKS cluster monitoring costs.
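Review bot: the rewritten cluster sentence now says `Capacity` "can have values of 1000 GB/day or more in increments of 100 GB/day", while the note earlier in the same hunk still says there are "three new larger commitment tiers: 1000, 2000, and 5000 GB/day"; the two statements contradict each other and the reader cannot tell which is current. The same sentence swaps the link to "Creating a cluster" for a link to the customer-managed key article, although the next paragraph still points to `logs-dedicated-clusters.md#creating-a-cluster` for the same setting. Further points in this hunk: "how long you stored data" changes the meaning of the original "how long you chose to store data" (retention is a configured setting, not a history); the free-data-types sentence silently drops `Operation` from the list and loses the links to the table references, and adds "GB (1.0E9 bytes)" where the pricing paragraph already says "GB (10^9 bytes)"; in the **Workspaces** bullet, "If the total data volume ingested into a workspace for a day is above the commitment tier" should read "into a cluster", as in the two sentences before it; the new sentence "Typically, 1 GB to 3 GB of data per month is ingested from a typical Azure Virtual Machine" duplicates the list item directly below it, which still carries the "eanabled" and "data month" typos; and "Type of data collected from each monitored VM" was not made parallel with the two rewritten items that now start with "The number of".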
If you're not yet using Azure Monitor Logs, you can use the [Azure Monitor prici
## Understand your usage and estimate costs
-If you're using Azure Monitor Logs now, it's easy to understand what the costs are likely be based on recent usage patterns. To do this, use **Log Analytics Usage and Estimated Costs** to review and analyze data usage. This shows how much data is collected by each solution, how much data is being retained and an estimate of your costs based on the amount of data ingested and any additional retention beyond the included amount.
+If you're using Azure Monitor Logs now, it's easy to understand what the costs are likely be, based on recent usage patterns. To do this, use **Log Analytics Usage and Estimated Costs** to review and analyze data usage. This shows how much data is collected by each solution, how much data is being retained, and an estimate of your costs based on the amount of data ingested and any additional retention beyond the included amount.
:::image type="content" source="media/manage-cost-storage/usage-estimated-cost-dashboard-01.png" alt-text="Usage and estimated costs":::
-To explore your data in more detail, click on the icon at the top right of either of the charts on the **Usage and Estimated Costs** page. Now you can work with this query to explore more details of your usage.
+To explore your data in more detail, select on the icon in the upper-right corner of either chart on the **Usage and Estimated Costs** page. Now you can work with this query to explore more details of your usage.
:::image type="content" source="media/manage-cost-storage/logs.png" alt-text="Logs view"::: From the **Usage and Estimated Costs** page, you can review your data volume for the month. This includes all the billable data received and retained in your Log Analytics workspace.
-Log Analytics charges are added to your Azure bill. You can see details of your Azure bill under the Billing section of the Azure portal or in the [Azure Billing Portal](https://account.windowsazure.com/Subscriptions).
+Log Analytics charges are added to your Azure bill. You can see details of your Azure bill under the **Billing** section of the Azure portal or in the [Azure Billing Portal](https://account.windowsazure.com/Subscriptions).
## Viewing Log Analytics usage on your Azure bill
-Azure provides a great deal of useful functionality in the [Azure Cost Management + Billing](../../cost-management-billing/costs/quick-acm-cost-analysis.md?toc=%2fazure%2fbilling%2fTOC.json) hub. For instance, the "Cost analysis" functionality enables you to view your spends for Azure resources. First, add a filter by "Resource type" (to microsoft.operationalinsights/workspace for Log Analytics and microsoft.operationalinsights/cluster for Log Analytics Clusters) will allow you to track your Log Analytics spend. Then for "Group by" select "Meter category" or "Meter". Other services such as Azure Defender (Security Center) and Azure Sentinel also bill their usage against Log Analytics workspace resources. To see the mapping to Service name, you can select the Table view instead of a chart.
+Azure provides a great deal of useful functionality in the [Azure Cost Management + Billing](../../cost-management-billing/costs/quick-acm-cost-analysis.md?toc=%2fazure%2fbilling%2fTOC.json) hub. For example, you can use the "Cost analysis" functionality to view your Azure resource expenses. To track your Log Analytics expenses, you can add a filter by "Resource type" (to microsoft.operationalinsights/workspace for Log Analytics and microsoft.operationalinsights/cluster for Log Analytics Clusters). For **Group by**, select **Meter category** or **Meter**. Other services, like Azure Defender (Security Center) and Azure Sentinel, also bill their usage against Log Analytics workspace resources. To see the mapping to the service name, you can select the Table view instead of a chart.
-More understanding of your usage can be gained by [downloading your usage from the Azure portal](../../cost-management-billing/manage/download-azure-invoice-daily-usage-date.md#download-usage-in-azure-portal).
-In the downloaded spreadsheet, you can see usage per Azure resource (for example Log Analytics workspace) per day. In this Excel spreadsheet, usage from your Log Analytics workspaces can be found by first filtering on the "Meter Category" column to show "Log Analytics", "Insight and Analytics" (used by some of the legacy pricing tiers) and "Azure Monitor" (used by commitment tier pricing tiers), and then adding a filter on the "Instance ID" column that is "contains workspace" or "contains cluster" (the latter to include Log Analytics Cluster usage). The usage is shown in the "Consumed Quantity" column and the unit for each entry is shown in the "Unit of Measure" column. More details are available to help you [understand your Microsoft Azure bill](../../cost-management-billing/understand/review-individual-bill.md).
+To gain more understanding of your usage, you can [download your usage from the Azure portal](../../cost-management-billing/manage/download-azure-invoice-daily-usage-date.md#download-usage-in-azure-portal).
+In the downloaded spreadsheet, you can see usage per Azure resource (for example, Log Analytics workspace) per day. In this Excel spreadsheet, usage from your Log Analytics workspaces can be found by first filtering on the "Meter Category" column to show "Log Analytics", "Insight and Analytics" (used by some of the legacy pricing tiers), and "Azure Monitor" (used by commitment tier pricing tiers), and then adding a filter on the "Instance ID" column that is "contains workspace" or "contains cluster" (the latter to include Log Analytics Cluster usage). The usage is shown in the "Consumed Quantity" column, and the unit for each entry is shown in the "Unit of Measure" column. For more information, see [Review your individual Azure subscription bill](../../cost-management-billing/understand/review-individual-bill.md).
## Changing pricing tier
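Review bot: the resource-type filter values in the Cost analysis paragraph above are given as `microsoft.operationalinsights/workspace` and `microsoft.operationalinsights/cluster`, but the Resource Manager paths later in this same change use the plural form `Microsoft.OperationalInsights/workspaces` (for example `/providers/Microsoft.OperationalInsights/workspaces/MyWorkspaceName/Tables/SecurityEvent`); readers will paste these strings into the filter, so please check both values against the actual resource type names before merging. The same paragraph also mixes quoted UI labels ("Cost analysis", "Resource type") with the bold **Group by** / **Meter category** form the rewrite introduces, and the usage-download paragraph keeps all column names in quotes ("Meter Category", "Instance ID"); pick one convention for UI elements and column names.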
-To change the Log Analytics pricing tier of your workspace,
+To change the Log Analytics pricing tier of your workspace:
-1. In the Azure portal, open **Usage and estimated costs** from your workspace where you'll see a list of each of the pricing tiers available to this workspace.
+1. In the Azure portal, open **Usage and estimated costs** from your workspace; you'll see a list of each of the pricing tiers available to this workspace.
-2. Review the estimated costs for each of the pricing tiers. This estimate is based on the last 31 days of usage, so this cost estimate relies on the last 31 days being representative of your typical usage. In the example below you can see how, based on the data patterns from the last 31 days, this workspace would cost less in the Pay-As-You-Go tier (#1) compared to the 100 GB/day commitment tier (#2).
+2. Review the estimated costs for each pricing tier. This estimate is based on the last 31 days of usage, so this cost estimate relies on the last 31 days being representative of your typical usage. In the example below, you can see how, based on the data patterns from the last 31 days, this workspace would cost less in the Pay-As-You-Go tier (#1) compared to the 100 GB/day commitment tier (#2).
:::image type="content" source="media/manage-cost-storage/pricing-tier-estimated-costs.png" alt-text="Pricing tiers":::
-3. After reviewing the estimated costs based on the last 31 days of usage, if you decide to change the pricing tier, click **Select**.
+3. After reviewing the estimated costs based on the last 31 days of usage, if you decide to change the pricing tier, select **Select**.
### Changing pricing tier via ARM
-You can also [set the pricing tier via Azure Resource Manager](./resource-manager-workspace.md) using the `sku` object to set the pricing tier, and the `capacityReservationLevel` parameter if the pricing tier is `capacityresrvation`. (Learn more about [setting workspace properties via ARM](/azure/templates/microsoft.operationalinsights/2020-08-01/workspaces?tabs=json#workspacesku-object).) Here is a sample ARM template to set your workspace to a 300 GB/day commitment tier (which in ARM is called `capacityreservation`).
+You can also [set the pricing tier via Azure Resource Manager](./resource-manager-workspace.md) using the `sku` object to set the pricing tier, and the `capacityReservationLevel` parameter if the pricing tier is `capacityresrvation`. (Learn more about [setting workspace properties via ARM](/azure/templates/microsoft.operationalinsights/2020-08-01/workspaces?tabs=json#workspacesku-object).) Here is a sample Azure Resource Manager template to set your workspace to a 300 GB/day commitment tier (in Resource Manager, it's called `capacityreservation`).
``` {
You can also [set the pricing tier via Azure Resource Manager](./resource-manage
} ```
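Review bot: the rewritten sentence still carries the typo `capacityresrvation` in "the `capacityReservationLevel` parameter if the pricing tier is `capacityresrvation`", while the end of the same sentence spells the SKU `capacityreservation`; readers copy this value into the `sku` object, so the typo should be fixed here. Also, the template fence opens as a bare ``` with no language tag, and the PowerShell deployment command that follows is likewise untagged, whereas the retention requests later in the file use ```JSON and the daily-cap query uses ```kusto; tagging them `json` and `powershell` keeps the samples consistent.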
-To use this template via PowerShell, after [installing the Azure Az PowerShell module](/powershell/azure/install-az-ps), log into Azure using `Connect-AzAccount`, select the subscription containing your workspace using `Select-AzSubscription -SubscriptionId YourSubscriptionId`, and apply the template (saved in a file named template.json):
+To use this template in PowerShell, after [installing the Azure Az PowerShell module](/powershell/azure/install-az-ps), sign in to Azure using `Connect-AzAccount`, select the subscription containing your workspace using `Select-AzSubscription -SubscriptionId YourSubscriptionId`, and apply the template (saved in a file named template.json):
``` New-AzResourceGroupDeployment -ResourceGroupName "YourResourceGroupName" -TemplateFile "template.json" ```
-To set the pricing tier to other values such as Pay-As-You-Go (called `pergb2018` for the sku), omit the `capacityReservationLevel` property. Learn more about [creating ARM templates](../../azure-resource-manager/templates/template-tutorial-create-first-template.md), [adding a resource to your template](../../azure-resource-manager/templates/template-tutorial-add-resource.md), and [applying templates](../resource-manager-samples.md).
+To set the pricing tier to other values such as Pay-As-You-Go (called `pergb2018` for the SKU), omit the `capacityReservationLevel` property. Learn more about [creating ARM templates](../../azure-resource-manager/templates/template-tutorial-create-first-template.md), [adding a resource to your template](../../azure-resource-manager/templates/template-tutorial-add-resource.md), and [applying templates](../resource-manager-samples.md).
## Legacy pricing tiers
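Review bot: the "ARM" expansion in the section above is only half applied: "Here is a sample Azure Resource Manager template ... (in Resource Manager, it's called `capacityreservation`)" was rewritten, but the same passage still says "setting workspace properties via ARM", the subsection heading is still "Changing pricing tier via ARM", and the line just above this heading still says "creating ARM templates", while the daily-cap section later in this change expands to "You can use Azure Resource Manager to configure the daily cap". Either expand on first use and keep ARM afterwards, or expand it everywhere.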
-Subscriptions which contained a Log Analytics workspace or Application Insights resource in it on April 2, 2018, or are linked to an Enterprise Agreement that started prior to February 1, 2019 and is still active, will continue to have access to use the legacy pricing tiers: **Free Trial**, **Standalone (Per GB)** and **Per Node (OMS)**. Workspaces in the Free pricing tier will have daily data ingestion limited to 500 MB (except for security data types collected by [Azure Defender (Security Center)](../../security-center/index.yml)) and the data retention is limited to 7 days. The Free Trial pricing tier is intended only for evaluation purposes. Workspaces in the Standalone or Per Node pricing tiers have user-configurable retention from 30 to 730 days.
+Subscriptions that contained a Log Analytics workspace or Application Insights resource on April 2, 2018, or are linked to an Enterprise Agreement that started before February 1, 2019 and is still active, will continue to have access to use the legacy pricing tiers: **Free Trial**, **Standalone (Per GB)**, and **Per Node (OMS)**. Workspaces in the Free Trial pricing tier will have daily data ingestion limited to 500 MB (except for security data types collected by [Azure Defender (Security Center)](../../security-center/index.yml)) and the data retention is limited to seven days. The Free Trial pricing tier is intended only for evaluation purposes. Workspaces in the Standalone or Per Node pricing tiers have user-configurable retention from 30 to 730 days.
Usage on the Standalone pricing tier is billed by the ingested data volume. It is reported in the **Log Analytics** service and the meter is named "Data Analyzed".
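Review bot: "the data retention is limited to seven days" spells out the number while every other duration and quantity in this section uses numerals ("500 MB", "30 to 730 days", and "4 days" later on); keep numerals for units and durations. In the same sentence, "will continue to have access to use the legacy pricing tiers" is still awkward after the edit; "can continue to use the legacy pricing tiers" says the same thing.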
-The Per Node pricing tier charges per monitored VM (node) on an hour granularity. For each monitored node, the workspace is allocated 500 MB of data per day that is not billed. This allocation is calculated with hourly granularity and is aggregated at the workspace level each day. Data ingested above the aggregate daily data allocation is billed per GB as data overage. Note that on your bill, the service will be **Insight and Analytics** for Log Analytics usage if the workspace is in the Per Node pricing tier. Usage is reported on three meters:
+The Per Node pricing tier charges per monitored VM (node) on an hour granularity. For each monitored node, the workspace is allocated 500 MB of data per day that's not billed. This allocation is calculated with hourly granularity and is aggregated at the workspace level each day. Data ingested above the aggregate daily data allocation is billed per GB as data overage. On your bill, the service will be **Insight and Analytics** for Log Analytics usage if the workspace is in the Per Node pricing tier. Usage is reported on three meters:
-1. Node: this is usage for the number of monitored nodes (VMs) in units of node*months.
-2. Data Overage per Node: this is the number of GB of data ingested in excess of the aggregated data allocation.
-3. Data Included per Node: this is the amount of ingested data that was covered by the aggregated data allocation. This meter is also used when the workspace is in all pricing tiers to show the amount of data covered by the Azure Defender (Security Center).
+- **Node**: this is usage for the number of monitored nodes (VMs) in units of node months.
+- **Data Overage per Node**: this is the number of GB of data ingested in excess of the aggregated data allocation.
+- **Data Included per Node**: this is the amount of ingested data that was covered by the aggregated data allocation. This meter is also used when the workspace is in all pricing tiers to show the amount of data covered by the Azure Defender (Security Center).
> [!TIP]
-> If your workspace has access to the **Per Node** pricing tier, but you're wondering whether it would be cost less in a Pay-As-You-Go tier, you can [use the query below](#evaluating-the-legacy-per-node-pricing-tier) to easily get a recommendation.
+> If your workspace has access to the **Per Node** pricing tier but you're wondering whether it would cost less in a Pay-As-You-Go tier, you can [use the query below](#evaluating-the-legacy-per-node-pricing-tier) to easily get a recommendation.
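Review bot: the third meter bullet above, "This meter is also used when the workspace is in all pricing tiers to show the amount of data covered by the Azure Defender (Security Center)", was carried over unchanged and still reads as if one workspace could be in every tier at once; suggest "This meter is also used in all pricing tiers to show the amount of data covered by the Azure Defender (Security Center) allocation", which also drops the stray article before Azure Defender. In the first bullet the unit was changed from "node*months" to "node months"; if the meter unit is node-months, hyphenate it so it is not read as two separate words.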
-Workspaces created prior to April 2016 can also access the original **Standard** and **Premium** pricing tiers that have fixed data retention of 30 and 365 days respectively. New workspaces cannot be created in the **Standard** or **Premium** pricing tiers, and if a workspace is moved out of these tiers, it cannot be moved back. Data ingestion meters for these legacy tiers are called "Data analyzed".
+Workspaces created before April 2016 can also access the original **Standard** and **Premium** pricing tiers that have fixed data retention of 30 days and 365 days, respectively. New workspaces can't be created in the **Standard** or **Premium** pricing tiers, and if a workspace is moved out of these tiers, it can't be moved back. Data ingestion meters for these legacy tiers are called "Data analyzed."
There are also some behaviors between the use of legacy Log Analytics tiers and how usage is billed for [Azure Defender (Security Center)](../../security-center/index.yml).
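Review bot: the edit changes the meter name to "Data analyzed." with the period inside the quotation marks, which makes the period look like part of the meter string; the Standalone paragraph above quotes the same meter as "Data Analyzed" with a capital A, so the two should agree on the exact meter name and keep the punctuation outside the quotes. The unchanged lead-in "There are also some behaviors between the use of legacy Log Analytics tiers and how usage is billed for Azure Defender" is hard to parse; "Azure Defender usage is also billed differently depending on the legacy tier the workspace is in" would introduce the list more clearly.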
-1. If the workspace is in the legacy Standard or Premium tier, Azure Defender will be billed only for Log Analytics data ingestion, not per node.
-2. If the workspace is in the legacy Per Node tier, Azure Defender will be billed using the current [Azure Defender node-based pricing model](https://azure.microsoft.com/pricing/details/security-center/).
-3. In other pricing tiers (including commitment tiers), if Azure Defender was enabled before June 19, 2017, Azure Defender will be billed only for Log Analytics data ingestion. Otherwise Azure Defender will be billed using the current Azure Defender node-based pricing model.
+- If the workspace is in the legacy Standard or Premium tier, Azure Defender is billed only for Log Analytics data ingestion, not per node.
+- If the workspace is in the legacy Per Node tier, Azure Defender is billed using the current [Azure Defender node-based pricing model](https://azure.microsoft.com/pricing/details/security-center/).
+- In other pricing tiers (including commitment tiers), if Azure Defender was enabled before June 19, 2017, Azure Defender is billed only for Log Analytics data ingestion. Otherwise, Azure Defender is billed using the current Azure Defender node-based pricing model.
More details of pricing tier limitations are available at [Azure subscription and service limits, quotas, and constraints](../../azure-resource-manager/management/azure-subscription-service-limits.md#log-analytics-workspaces). None of the legacy pricing tiers have regional-based pricing. > [!NOTE]
-> To use the entitlements that come from purchasing OMS E1 Suite, OMS E2 Suite or OMS Add-On for System Center, choose the Log Analytics *Per Node* pricing tier.
+> To use the entitlements that come from purchasing OMS E1 Suite, OMS E2 Suite, or OMS Add-On for System Center, choose the Log Analytics *Per Node* pricing tier.
## Log Analytics and Azure Defender (Security Center)
-[Azure Defender (Security Center)](../../security-center/index.yml) billing is closely tied to Log Analytics billing. Azure Defender provides 500 MB/node/day allocation against the following subset of [security data types](/azure/azure-monitor/reference/tables/tables-category#security) (WindowsEvent, SecurityAlert, SecurityBaseline, SecurityBaselineSummary, SecurityDetection, SecurityEvent, WindowsFirewall, MaliciousIPCommunication, LinuxAuditLog, SysmonEvent, ProtectionStatus) and the Update and UpdateSummary data types when the Update Management solution is not running on the workspace or solution targeting is enabled [learn more](../../security-center/security-center-pricing.md#what-data-types-are-included-in-the-500-mb-data-daily-allowance). If the workspace is in the legacy Per Node pricing tier, the Azure Defender and Log Analytics allocations are combined and applied jointly to all billable ingested data.
+[Azure Defender (Security Center)](../../security-center/index.yml) billing is closely tied to Log Analytics billing. Azure Defender provides 500 MB/node/day allocation against the following subset of [security data types](/azure/azure-monitor/reference/tables/tables-category#security) (WindowsEvent, SecurityAlert, SecurityBaseline, SecurityBaselineSummary, SecurityDetection, SecurityEvent, WindowsFirewall, MaliciousIPCommunication, LinuxAuditLog, SysmonEvent, ProtectionStatus) and the Update and UpdateSummary data types when the Update Management solution isn't running on the workspace or solution targeting is enabled ([learn more](../../security-center/security-center-pricing.md#what-data-types-are-included-in-the-500-mb-data-daily-allowance)). If the workspace is in the legacy Per Node pricing tier, the Azure Defender and Log Analytics allocations are combined and applied jointly to all billable ingested data.
## Change the data retention period
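Review bot: "Azure Defender provides 500 MB/node/day allocation against the following subset" in the paragraph above still lacks an article ("provides a 500 MB/node/day allocation"). The clause "and the Update and UpdateSummary data types when the Update Management solution isn't running on the workspace or solution targeting is enabled" is ambiguous about what "or solution targeting is enabled" attaches to; writing it as "when the Update Management solution isn't running on the workspace, or when solution targeting is enabled" makes the two conditions explicit.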
-The following steps describe how to configure how long log data is kept by in your workspace. Data retention at the workspace level can be configured from 30 to 730 days (2 years) for all workspaces unless they are using the legacy Free pricing tier. Retention for individual data types can be set as low as 4 days. [Learn more](https://azure.microsoft.com/pricing/details/monitor/) about pricing for longer data retention. To retain data longer than 730 days, consider using [Log Analytics workspace data export](logs-data-export.md).
+The following steps describe how to configure how long log data is kept by in your workspace. Data retention at the workspace level can be configured from 30 to 730 days (2 years) for all workspaces unless they're using the legacy Free Trial pricing tier. Retention for individual data types can be set as low as 4 days. [Learn more](https://azure.microsoft.com/pricing/details/monitor/) about pricing for longer data retention. To retain data longer than 730 days, consider using [Log Analytics workspace data export](logs-data-export.md).
### Workspace level default retention
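Review bot: "how long log data is kept by in your workspace" in the paragraph above still carries the stray "by" from the old text; it should read "how long log data is kept in your workspace".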
-To set the default retention for your workspace,
+To set the default retention for your workspace:
-1. In the Azure portal, from your workspace, select **Usage and estimated costs** from the left pane.
-2. On the **Usage and estimated costs** page, click **Data Retention** from the top of the page.
-3. On the pane, move the slider to increase or decrease the number of days and then click **OK**. If you are on the *free* tier, you will not be able to modify the data retention period and you need to upgrade to the paid tier in order to control this setting.
+1. In the Azure portal, from your workspace, select **Usage and estimated costs** in the left pane.
+2. On the **Usage and estimated costs** page, select **Data Retention** at the top of the page.
+3. On the pane, move the slider to increase or decrease the number of days, and then select **OK**. If you're on the *free* tier, you can't modify the data retention period; you need to upgrade to the paid tier to control this setting.
:::image type="content" source="media/manage-cost-storage/manage-cost-change-retention-01.png" alt-text="Change workspace data retention setting":::
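Review bot: step 3 above says "If you're on the *free* tier, you can't modify the data retention period; you need to upgrade to the paid tier", but the introduction to this section was changed in the same edit to call it the "legacy Free Trial pricing tier", and the legacy tiers section lists it in bold as **Free Trial**; use the same name here, and "a paid tier" rather than "the paid tier", since several paid tiers are available.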
-When the retention is lowered, there is a grace period of several days before the data older than the new retention setting is removed.
+When the retention is lowered, there's a grace period of several days before the data older than the new retention setting is removed.
-The **Data Retention** page allows retention settings of 30, 31, 60, 90, 120, 180, 270, 365, 550 and 730 days. If another setting is required, that can be configured using [Azure Resource Manager](./resource-manager-workspace.md) using the `retentionInDays` parameter. When you set the data retention to 30 days, you can trigger an immediate purge of older data using the `immediatePurgeDataOn30Days` parameter (eliminating the grace period). This may be useful for compliance-related scenarios where immediate data removal is imperative. This immediate purge functionality is only exposed via Azure Resource Manager.
+The **Data Retention** page allows retention settings of 30, 31, 60, 90, 120, 180, 270, 365, 550, and 730 days. If another setting is required, that can be configured using [Azure Resource Manager](./resource-manager-workspace.md) using the `retentionInDays` parameter. When you set the data retention to 30 days, you can trigger an immediate purge of older data using the `immediatePurgeDataOn30Days` parameter (eliminating the grace period). This might be useful for compliance-related scenarios where immediate data removal is imperative. This immediate purge functionality is only exposed via Azure Resource Manager.
-Workspaces with 30 days retention may actually retain data for 31 days. If it is imperative that data be kept for only 30 days, use the Azure Resource Manager to set the retention to 30 days and with the `immediatePurgeDataOn30Days` parameter.
+Workspaces with 30 days retention might actually retain data for 31 days. If it's imperative that data be kept for only 30 days, use the Azure Resource Manager to set the retention to 30 days and with the `immediatePurgeDataOn30Days` parameter.
-Two data types -- `Usage` and `AzureActivity` -- are retained for a minimum of 90 days by default, and there is no charge for this 90-day retention. If the workspace retention is increased above 90 days, the retention of these data types will also be increased. These data types are also free from data ingestion charges.
+By default, two data types - `Usage` and `AzureActivity` - are retained for a minimum of 90 days at no charge. If the workspace retention is increased to more than 90 days, the retention of these data types is also increased. These data types are also free from data ingestion charges.
-Data types from workspace-based Application Insights resources (`AppAvailabilityResults`, `AppBrowserTimings`, `AppDependencies`, `AppExceptions`, `AppEvents`, `AppMetrics`, `AppPageViews`, `AppPerformanceCounters`, `AppRequests`, `AppSystemEvents`, and `AppTraces`) are also retained for 90 days by default, and there is no charge for this 90-day retention. Their retention can be adjust using the retention by data type functionality.
+Data types from workspace-based Application Insights resources (`AppAvailabilityResults`, `AppBrowserTimings`, `AppDependencies`, `AppExceptions`, `AppEvents`, `AppMetrics`, `AppPageViews`, `AppPerformanceCounters`, `AppRequests`, `AppSystemEvents`, and `AppTraces`) are also retained for 90 days at no charge by default. Their retention can be adjusted using the retention by data type functionality.
-The Log Analytics [purge API](/rest/api/loganalytics/workspacepurge/purge) does not affect retention billing and is intended to be used for very limited cases. To reduce your retention bill, the retention period must be reduced either for the workspace or for specific data types.
+The Log Analytics [purge API](/rest/api/loganalytics/workspacepurge/purge) doesn't affect retention billing and is intended to be used for very limited cases. To reduce your retention bill, the retention period must be reduced either for the workspace or for specific data types.
### Retention by data type
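Review bot: two wording slips survive in the retention paragraphs above: "that can be configured using [Azure Resource Manager](./resource-manager-workspace.md) using the `retentionInDays` parameter" repeats "using", and "set the retention to 30 days and with the `immediatePurgeDataOn30Days` parameter" has a stray "and". Those two paragraphs also make the same point twice (30-day retention may keep data for 31 days; use `immediatePurgeDataOn30Days` to skip the grace period); folding the second paragraph into the first would shorten the section without losing anything.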
-It is also possible to specify different retention settings for individual data types from 4 to 730 days (except for workspaces in the legacy Free pricing tier) that override the workspace level default retention. Each data type is a sub-resource of the workspace. For instance the SecurityEvent table can be addressed in [Azure Resource Manager](../../azure-resource-manager/management/overview.md) as:
+It's also possible to specify different retention settings for individual data types from 4 to 730 days (except for workspaces in the legacy Free Trial pricing tier) that override the workspace-level default retention. Each data type is a sub-resource of the workspace. For example, the SecurityEvent table can be addressed in [Azure Resource Manager](../../azure-resource-manager/management/overview.md) as:
``` /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/MyResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/MyWorkspaceName/Tables/SecurityEvent ```
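Review bot: the sample subscription ID `00000000-0000-0000-0000-00000000000` has only eleven characters in its last group, so it is not a well-formed GUID (the final group should be twelve characters); the same placeholder is repeated in the GET, PUT and armclient examples in this section, so fix it in every occurrence rather than only here.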
-Note that the data type (table) is case sensitive. To get the current per-data-type retention settings of a particular data type (in this example SecurityEvent), use:
+Note that the data type (table) is case-sensitive. To get the current per-data-type retention settings of a particular data type (in this example SecurityEvent), use:
```JSON GET /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/MyResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/MyWorkspaceName/Tables/SecurityEvent?api-version=2017-04-26-preview ``` > [!NOTE]
-> Retention is only returned for a data type if the retention has been explicitly set for it. Data types which have not had retention explicitly set (and thus inherit the workspace retention) will not return anything from this call.
+> Retention is only returned for a data type if the retention is explicitly set for it. Data types that don't have retention explicitly set (and thus inherit the workspace retention) don't return anything from this call.
To get the current per-data-type retention settings for all data types in your workspace that have had their per-data-type retention set, just omit the specific data type, for example:
To get the current per-data-type retention settings for all data types in your w
GET /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/MyResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/MyWorkspaceName/Tables?api-version=2017-04-26-preview ```
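Review bot: the two GET requests above (and the PUT request below) are fenced as ```JSON, but their content is an HTTP request line such as `GET /subscriptions/.../Tables/SecurityEvent?api-version=2017-04-26-preview`, not JSON; `http` would be the accurate tag. These requests also pin `api-version=2017-04-26-preview`, while the workspace SKU link earlier in this change points at the 2020-08-01 template reference; worth checking whether a non-preview Tables API version should be shown instead of a 2017 preview one.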
-To set the retention of a particular data type (in this example SecurityEvent) to 730 days, do
+To set the retention of a particular data type (in this example SecurityEvent) to 730 days, use:
```JSON PUT /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/MyResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/MyWorkspaceName/Tables/SecurityEvent?api-version=2017-04-26-preview
To set the retention of a particular data type (in this example SecurityEvent) t
Valid values for `retentionInDays` are from 30 through 730.
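Review bot: "Valid values for `retentionInDays` are from 30 through 730" contradicts the opening of this subsection, which says per-data-type retention can be set "from 4 to 730 days", and the section introduction ("Retention for individual data types can be set as low as 4 days"); one of the two ranges is wrong, and since this line sits directly under the PUT example it is the one readers will copy.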
-The `Usage` and `AzureActivity` data types cannot be set with custom retention. They will take on the maximum of the default workspace retention or 90 days.
+The `Usage` and `AzureActivity` data types can't be set with custom retention. They take on the maximum of the default workspace retention or 90 days.
A great tool to connect directly to Azure Resource Manager to set retention by data type is the OSS tool [ARMclient](https://github.com/projectkudu/ARMClient). Learn more about ARMclient from articles by [David Ebbo](http://blog.davidebbo.com/2015/01/azure-resource-manager-client.html) and Daniel Bowbyes. Here's an example using ARMClient, setting SecurityEvent data to a 730-day retention:
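Review bot: "They take on the maximum of the default workspace retention or 90 days" is still ambiguous after the edit; "They use the workspace default retention or 90 days, whichever is greater" states the rule plainly. In the unchanged line above, David Ebbo's article is linked but Daniel Bowbyes's is not; either link both or drop the second name.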
armclient PUT /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/
``` > [!TIP]
-> Setting retention on individual data types can be used to reduce your costs for data retention. For data collected starting in October 2019 (when this feature was released), reducing the retention for some data types can reduce your retention cost over time. For data collected earlier, setting a lower retention for an individual type will not affect your retention costs.
+> Setting retention on individual data types can be used to reduce your costs for data retention. For data collected starting in October 2019 (when this feature was released), reducing the retention for some data types can reduce your retention cost over time. For data collected earlier, setting a lower retention for an individual type won't affect your retention costs.
## Manage your maximum daily data volume
-You can configure a daily cap and limit the daily ingestion for your workspace, but use care as your goal should not be to hit the daily limit. Otherwise, you lose data for the remainder of the day, which can impact other Azure services and solutions whose functionality may depend on up-to-date data being available in the workspace. As a result, your ability to observe and receive alerts when the health conditions of resources supporting IT services are impacted. The daily cap is intended to be used as a way to manage an **unexpected increase** in data volume from your managed resources and stay within your limit, or when you want to limit unplanned charges for your workspace. It is not appropriate to set a daily cap so that it is met each day on a workspace.
+You can configure a daily cap and limit the daily ingestion for your workspace, but use care because your goal shouldn't be to hit the daily limit. Otherwise, you lose data for the remainder of the day, which can impact other Azure services and solutions whose functionality may depend on up-to-date data being available in the workspace. As a result, your ability to observe and receive alerts when the health conditions of resources supporting IT services are impacted. The daily cap is intended to be used as a way to manage an **unexpected increase** in data volume from your managed resources and stay within your limit, or when you want to limit unplanned charges for your workspace. It's not appropriate to set a daily cap so that it's met each day on a workspace.
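Review bot: "As a result, your ability to observe and receive alerts when the health conditions of resources supporting IT services are impacted." is still a fragment with no main verb after the rewrite; it needs something like "As a result, you lose the ability to observe and receive alerts when the health of resources supporting IT services is impacted."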
-Each workspace has its daily cap applied on a different hour of the day. The reset hour is shown in the **Daily Cap** page (see below). This reset hour cannot be configured.
+Each workspace has its daily cap applied on a different hour of the day. The reset hour is shown in the **Daily Cap** page (see below). This reset hour can't be configured.
-Soon after the daily limit is reached, the collection of billable data types stops for the rest of the day. Latency inherent in applying the daily cap means that the cap is not applied at precisely the specified daily cap level. A warning banner appears across the top of the page for the selected Log Analytics workspace and an operation event is sent to the *Operation* table under **LogManagement** category. Data collection resumes after the reset time defined under *Daily limit will be set at*. We recommend defining an alert rule based on this operation event, configured to notify when the daily data limit has been reached (see [below](#alert-when-daily-cap-reached)).
+Soon after the daily limit is reached, the collection of billable data types stops for the rest of the day. Latency inherent in applying the daily cap means that the cap isn't applied at precisely the specified daily cap level. A warning banner appears across the top of the page for the selected Log Analytics workspace, and an operation event is sent to the *Operation* table under the **LogManagement** category. Data collection resumes after the reset time defined under *Daily limit will be set at*. We recommend defining an alert rule that's based on this operation event, configured to notify when the daily data limit is reached. For more information, see [Alert when daily cap is reached](#alert-when-daily-cap-is-reached) section.
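Review bot: "For more information, see [Alert when daily cap is reached](#alert-when-daily-cap-is-reached) section." is missing "the" before "section" (or drop "section" altogether). The anchor itself does match the renamed heading later in this change, so only the wording needs fixing.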
> [!NOTE]
-> The daily cap cannot stop data collection as precisely the specified cap level and some excess data is expected, particularly if the workspace is receiving high volumes of data. If data is collected above the cap, it is still billed. See [below](#view-the-effect-of-the-daily-cap) for a query that is helpful in studying the daily cap behavior.
+> The daily cap can't stop data collection as precisely as the specified cap level and some excess data is expected, particularly if the workspace is receiving high volumes of data. If data is collected above the cap, it's still billed. For a query that is helpful in studying the daily cap behavior, see the [View the effect of the Daily Cap](#view-the-effect-of-the-daily-cap) section in this article.
> [!WARNING]
-> The daily cap does not stop the collection of data types WindowsEvent, SecurityAlert, SecurityBaseline, SecurityBaselineSummary, SecurityDetection, SecurityEvent, WindowsFirewall, MaliciousIPCommunication, LinuxAuditLog, SysmonEvent, ProtectionStatus, Update and UpdateSummary, except for workspaces in which Azure Defender (Security Center) was installed before June 19, 2017.
+> The daily cap doesn't stop the collection of data types **WindowsEvent**, **SecurityAlert**, **SecurityBaseline**, **SecurityBaselineSummary**, **SecurityDetection**, **SecurityEvent**, **WindowsFirewall**, **MaliciousIPCommunication**, **LinuxAuditLog**, **SysmonEvent**, **ProtectionStatus**, **Update**, and **UpdateSummary**, except for workspaces in which Azure Defender (Security Center) was installed before June 19, 2017.
### Identify what daily data limit to define
-Review [Log Analytics Usage and estimated costs](../usage-estimated-costs.md) to understand the data ingestion trend and what is the daily volume cap to define. It should be considered with care, since you won?t be able to monitor your resources after the limit is reached.
+To understand the data ingestion trend and the daily volume cap to define, review [Log Analytics Usage and estimated costs](../usage-estimated-costs.md). Consider it with care, because you can't monitor your resources after the limit is reached.
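Review bot: "Consider it with care" lost its referent in the rewrite; the old sentence ("It should be considered with care") referred to the daily volume cap. Suggest "Choose the cap with care, because you can't monitor your resources after the limit is reached".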
-### Set the Daily Cap
+### Set the daily cap
The following steps describe how to configure a limit to manage the volume of data that Log Analytics workspace will ingest per day.
-1. From your workspace, select **Usage and estimated costs** from the left pane.
-2. On the **Usage and estimated costs** page for the selected workspace, click **Data Cap** from the top of the page.
-3. Daily cap is **OFF** by default? click **ON** to enable it, and then set the data volume limit in GB/day.
+1. From your workspace, select **Usage and estimated costs** in the left pane.
+2. On the **Usage and estimated costs** page for the selected workspace, select **Data Cap** at the top of the page.
+3. By default, **Daily cap** is set to **OFF**. To enable it, select **ON**, and then set the data volume limit in GB/day.
:::image type="content" source="media/manage-cost-storage/set-daily-volume-cap-01.png" alt-text="Log Analytics configure data limit":::
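Review bot: the portal control is named inconsistently across the daily-cap section: step 2 above says "select **Data Cap** at the top of the page", step 3 says "**Daily cap** is set to **OFF**", and the surrounding paragraphs refer to "the **Daily Cap** page" (earlier: "The reset hour is shown in the **Daily Cap** page"; later: "visible on the **Daily Cap** page"). Use the actual portal label in all of them.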
-The daily cap can be configured via ARM by setting the `dailyQuotaGb` parameter under `WorkspaceCapping` as described at [Workspaces - Create Or Update](/rest/api/loganalytics/workspaces/createorupdate#workspacecapping).
+You can use Azure Resource Manager to configure the daily cap. To configure it, set the `dailyQuotaGb` parameter under `WorkspaceCapping` as described at [Workspaces - Create Or Update](/rest/api/loganalytics/workspaces/createorupdate#workspacecapping).
You can track changes made to the daily cap using this query:
_LogOperation | where Operation == "Workspace Configuration" | where Detail cont
Learn more about the [_LogOperation](./monitor-workspace.md) function.
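Review bot: the rewritten sentence at L994, "you can't monitor your resources after the limit is reached", overstates the effect of the cap; the note at L991 says the security data types (WindowsEvent, SecurityEvent, SysmonEvent, LinuxAuditLog and the rest of that list) keep being collected after the cap is hit. Suggest "because the data types that are subject to the cap stop being collected for the rest of the day once the limit is reached", so the reader does not conclude that security monitoring also stops, or that it is still covered when it is not.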
-### View the effect of the Daily Cap
+### View the effect of the daily cap
-To view the effect of the daily cap, it's important to account for the security data types not included in the daily cap, and the reset hour for your workspace. The daily cap reset hour is visible in the **Daily Cap** page. The following query can be used to track the data volumes subject to the Daily Cap between daily cap resets. In this example, the workspace's reset hour is 14:00. You'll need to update this for your workspace.
+To view the effect of the daily cap, it's important to account for the security data types that aren't included in the daily cap, and the reset hour for your workspace. The daily cap reset hour is visible on the **Daily Cap** page. The following query can be used to track the data volumes that are subject to the daily cap between daily cap resets. In this example, the workspace's reset hour is 14:00. You'll need to update this for your workspace.
```kusto let DailyCapResetHour=14;
Usage
(In the Usage data type, the units of `Quantity` are in MB.)
-### Alert when Daily Cap reached
+### Alert when daily cap is reached
-While we present a visual cue in the Azure portal when your data limit threshold is met, this behavior doesn't necessarily align to how you manage operational issues requiring immediate attention. To receive an alert notification, you can create a new alert rule in Azure Monitor. To learn more, see [how to create, view, and manage alerts](../alerts/alerts-metric.md).
+Azure portal has a visual cue when your data limit threshold is met, but this behavior doesn't necessarily align to how you manage operational issues that require immediate attention. To receive an alert notification, you can create a new alert rule in Azure Monitor. To learn more, see [how to create, view, and manage alerts](../alerts/alerts-metric.md).
To get you started, here are the recommended settings for the alert querying the `Operation` table using the `_LogOperation` function ([learn more](./monitor-workspace.md)).
To get you started, here are the recommended settings for the alert querying the
- Alert rule name: Daily data limit reached - Severity: Warning (Sev 1)
-Once alert is defined and the limit is reached, an alert is triggered and performs the response defined in the Action Group. It can notify your team via email and text messages, or automate actions using webhooks, Automation runbooks or [integrating with an external ITSM solution](../alerts/itsmc-definition.md#create-itsm-work-items-from-azure-alerts).
+After an alert is defined and the limit is reached, an alert is triggered and performs the response defined in the Action Group. It can notify your team in the following ways:
+
+- Email and text messages
+- Automated actions using webhooks
+- Azure Automation runbooks
+- [Integrated with an external ITSM solution](../alerts/itsmc-definition.md#create-itsm-work-items-from-azure-alerts).
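Review bot: the new list at L1027-L1030 is not parallel: "Email and text messages", "Automated actions using webhooks" and "Azure Automation runbooks" are noun phrases, but "Integrated with an external ITSM solution" is a participle, and only L1030 ends with a period. Suggest "Integration with an external ITSM solution" and either no trailing period on any item or one on all four. L1020 also needs its article: "The Azure portal shows a visual cue". Separately, the unchanged L1023 labels the severity "Warning (Sev 1)"; in Azure Monitor, Sev 1 is Error and Warning is Sev 2, so the parenthetical should be checked while this section is being touched.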
## Troubleshooting why usage is higher than expected
-Higher usage is caused by one, or both of:
-- More nodes than expected sending data to Log Analytics workspace: see [Understanding nodes sending data](#understanding-nodes-sending-data)-- More data than expected being sent to Log Analytics workspace (perhaps due to starting to use a new solution or a configuration change to an existing solution): see [Understanding ingested data volume](#understanding-ingested-data-volume)
+Higher usage is caused by one, or both, of the following:
+- More nodes than expected sending data to Log Analytics workspace. For information, see the [Understanding nodes sending data](#understanding-nodes-sending-data) section of this article.
+- More data than expected being sent to Log Analytics workspace (perhaps due to starting to use a new solution or a configuration change to an existing solution). For information, see the [Understanding ingested data volume](#understanding-ingested-data-volume) section of this article.
-If you observe high data ingestion reported using the `Usage` records (see [below](#data-volume-by-solution)), but you don't observe the same results summing `_BilledSize` directly on the [data type](#data-volume-for-specific-events), it's possible you have significant late arriving data. [Here](#late-arriving-data) is more information on how to diagnose this.
+If you observe high data ingestion reported using the `Usage` records (see the [Data volume by solution](#data-volume-by-solution) section), but you don't observe the same results summing `_BilledSize` directly on the [data type](#data-volume-for-specific-events), it's possible that you have significant late-arriving data. For information about how to diagnose this, see the [Late arriving data](#late-arriving-data) section of this article.
### Log Analytics Workspace Insights
While this workbook can anaswer many of the questions without even needing to ru
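Review bot: the unchanged line at L1040 still carries the typo "anaswer"; since this pass rewrites the surrounding text, correct it to "answer" here.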
## Understanding nodes sending data
-To understand the number of nodes reporting heartbeats from the agent each day in the last month, use
+To understand the number of nodes that are reporting heartbeats from the agent each day in the last month, use this query:
```kusto Heartbeat
Heartbeat
| summarize nodes = dcount(Computer) by bin(TimeGenerated, 1d) | render timechart ```
-The get a count of nodes sending data in the last 24 hours use the query:
+The get a count of nodes sending data in the last 24 hours, use this query:
```kusto find where TimeGenerated > ago(24h) project Computer
find where TimeGenerated > ago(24h) project Computer
| summarize nodes = dcount(computerName) ```
-To get a list of nodes sending any data (and the amount of data sent by each) the follow query can be used:
+To get a list of nodes sending any data (and the amount of data sent by each), use this query:
```kusto find where TimeGenerated > ago(24h) project _BilledSize, Computer
find where TimeGenerated > ago(24h) project _BilledSize, Computer
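Review bot: L1048 keeps the original typo "The get a count of nodes"; it should read "To get a count of nodes sending data in the last 24 hours, use this query:".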
### Nodes billed by the legacy Per Node pricing tier
-The [legacy Per Node pricing tier](#legacy-pricing-tiers) bills for nodes with hourly granularity and also doesn't count nodes only sending a set of security data types. Its daily count of nodes would be close to the following query:
+The [legacy Per Node pricing tier](#legacy-pricing-tiers) bills for nodes with hourly granularity and also doesn't count nodes that are only sending a set of security data types. Its daily count of nodes would be close to the following query:
```kusto find where TimeGenerated >= startofday(ago(7d)) and TimeGenerated < startofday(now()) project Computer, _IsBillable, Type, TimeGenerated
find where TimeGenerated >= startofday(ago(7d)) and TimeGenerated < startofday(n
| sort by day asc ```
-The number of units on your bill is in units of node*months which is represented by `billableNodeMonthsPerDay` in the query.
-If the workspace has the Update Management solution installed, add the Update and UpdateSummary data types to the list in the where clause in the above query. Finally, there is some additional complexity in the actual billing algorithm when solution targeting is used that is not represented in the above query.
+The number of units on your bill is in units of node months, which is represented by `billableNodeMonthsPerDay` in the query.
+If the workspace has the Update Management solution installed, add the **Update** and **UpdateSummary** data types to the list in the where clause in the above query. Finally, there's some additional complexity in the actual billing algorithm when solution targeting is used that's not represented in the above query.
> [!TIP]
-> Use these `find` queries sparingly as scans across data types are [resource intensive](./query-optimization.md#query-performance-pane) to execute. If you do not need results **per computer** then query on the Usage data type (see below).
+> Use these `find` queries sparingly because scans across data types are [resource intensive](./query-optimization.md#query-performance-pane) to execute. If you don't need results **per computer**, then query on the **Usage** data type (see below).
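Review bot: replacing `node*months` with "node months" at L1064 loses the meaning; the billing unit is a product (nodes multiplied by months), which is why the query column is named `billableNodeMonthsPerDay`. Suggest "node-months" so the unit is still recognisable as one quantity rather than two.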
## Understanding ingested data volume
-On the **Usage and Estimated Costs** page, the *Data ingestion per solution* chart shows the total volume of data sent and how much is being sent by each solution. This allows you to determine trends such as whether the overall data usage (or usage by a particular solution) is growing, remaining steady or decreasing.
+On the **Usage and Estimated Costs** page, the *Data ingestion per solution* chart shows the total volume of data sent and how much is being sent by each solution. You can determine trends like whether the overall data usage (or usage by a particular solution) is growing, remaining steady, or decreasing.
### Data volume for specific events
Usage
| render columnchart ```
-The clause with `TimeGenerated` is only to ensure that the query experience in the Azure portal will look back beyond the default 24 hours. When using the Usage data type, `StartTime` and `EndTime` represent the time buckets for which results are presented.
+The clause with `TimeGenerated` is only to ensure that the query experience in the Azure portal looks back beyond the default 24 hours. When using the **Usage** data type, `StartTime` and `EndTime` represent the time buckets for which results are presented.
### Data volume by type
Usage
### Data volume by computer
-The `Usage` data type does not include information at the computer level. To see the **size** of ingested billable data per computer, use the `_BilledSize` [property](./log-standard-columns.md#_billedsize), which provides the size in bytes:
+The **Usage** data type doesn't include information at the computer level. To see the **size** of ingested billable data per computer, use the **_BilledSize** [property](./log-standard-columns.md#_billedsize), which provides the size in bytes:
```kusto find where TimeGenerated > ago(24h) project _BilledSize, _IsBillable, Computer, Type
find where TimeGenerated > ago(24h) project _BilledSize, _IsBillable, Computer,
| sort by BillableDataBytes desc nulls last ```
-The `_IsBillable` [property](./log-standard-columns.md#_isbillable) specifies whether the ingested data will incur charges. The Usage type is omitted since this is only for analytics of data trends.
+The **_IsBillable** [property](./log-standard-columns.md#_isbillable) specifies whether the ingested data will incur charges. The **Usage** type is omitted because this is only for analytics of data trends.
To see the **count** of billable events ingested per computer, use
find where TimeGenerated > ago(24h) project _IsBillable, Computer
``` > [!TIP]
-> Use these `find` queries sparingly as scans across data types are [resource intensive](./query-optimization.md#query-performance-pane) to execute. If you do not need results **per computer** then query on the Usage data type.
+> Use these `find` queries sparingly because scans across data types are [resource intensive](./query-optimization.md#query-performance-pane) to execute. If you don't need results **per computer**, query on the **Usage** data type.
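Review bot: L1081 and L1086 move `_BilledSize` and `_IsBillable` from code font to bold, while the adjacent query at L1082-L1084 and the tip at L1091 keep `find` in backticks. These are column names the reader types into the query, so they belong in code font; the same applies to `_ResourceId`, `_SubscriptionId`, `_TimeReceived`, `TimeGenerated`, `workspaceHasSecurityCenter` and `daysToEvaluate` in the later hunks (L1094, L1099, L1104, L1109, L1123, L1125, L1169, L1171). Bold for the **Usage** table name is acceptable if it is applied consistently, but identifiers and column names should not share that treatment.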
### Data volume by Azure resource, resource group, or subscription
-For data from nodes hosted in Azure you can get the **size** of ingested data __per computer__, use the _ResourceId [property](./log-standard-columns.md#_resourceid), which provides the full path to the resource:
+For data from nodes hosted in Azure, you can get the **size** of ingested data __per computer__, use the [_ResourceId property](./log-standard-columns.md#_resourceid), which provides the full path to the resource:
```kusto find where TimeGenerated > ago(24h) project _ResourceId, _BilledSize, _IsBillable
find where TimeGenerated > ago(24h) project _ResourceId, _BilledSize, _IsBillabl
| summarize BillableDataBytes = sum(_BilledSize) by _ResourceId | sort by BillableDataBytes nulls last ```
-For data from nodes hosted in Azure you can get the **size** of ingested data __per Azure subscription__, get use the `_SubscriptionId` property as:
+For data from nodes hosted in Azure, you can get the **size** of ingested data __per Azure subscription__ by using the **_SubscriptionId** property as:
```kusto find where TimeGenerated > ago(24h) project _BilledSize, _IsBillable, _SubscriptionId
find where TimeGenerated > ago(24h) project _BilledSize, _IsBillable, _Subscript
| summarize BillableDataBytes = sum(_BilledSize) by _SubscriptionId | sort by BillableDataBytes nulls last ```
-To get data volume by resource group, you can parse `_ResourceId`:
+To get data volume by resource group, you can parse **_ResourceId**:
```kusto find where TimeGenerated > ago(24h) project _ResourceId, _BilledSize, _IsBillable
find where TimeGenerated > ago(24h) project _ResourceId, _BilledSize, _IsBillabl
| summarize BillableDataBytes = sum(BillableDataBytes) by resourceGroup | sort by BillableDataBytes nulls last ```
-You can also parse the `_ResourceId` more fully if needed as well using
+If needed, you can also parse the **_ResourceId** more fully:
```Kusto | parse tolower(_ResourceId) with "/subscriptions/" subscriptionId "/resourcegroups/"
You can also parse the `_ResourceId` more fully if needed as well using
``` > [!TIP]
-> Use these `find` queries sparingly as scans across data types are [resource intensive](./query-optimization.md#query-performance-pane) to execute. If you do not need results per subscription, resouce group or resource name, then query on the Usage data type.
+> Use these `find` queries sparingly because scans across data types are [resource intensive](./query-optimization.md#query-performance-pane) to execute. If you don't need results per subscription, resouce group, or resource name, query on the **Usage** data type.
> [!WARNING]
-> Some of the fields of the Usage data type, while still in the schema, have been deprecated and will their values are no longer populated.
-> These are **Computer** as well as fields related to ingestion (**TotalBatches**, **BatchesWithinSla**, **BatchesOutsideSla**, **BatchesCapped** and **AverageProcessingTimeMs**.
+> Some of the fields of the **Usage** data type, while still in the schema, have been deprecated and their values are no longer populated.
+> These are **Computer**, as well as fields related to ingestion (**TotalBatches**, **BatchesWithinSla**, **BatchesOutsideSla**, **BatchesCapped** and **AverageProcessingTimeMs**).
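Review bot: L1094 is still a run-on after the rewrite: "you can get the **size** of ingested data __per computer__, use the [_ResourceId property]" joins two clauses with a comma. Suggest "To get the **size** of ingested data __per Azure resource__, use the ..."; since the query groups by `_ResourceId` and the section heading at L1092 is about Azure resources, "per resource" is also the more accurate noun. L1114 carries over the typo "resouce group"; fix it to "resource group" while the line is being edited.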
-## Late arriving data
+## Late-arriving data
-Situations can arise where data is ingested with old timestamps. For instance, if an agent cannot communicate to Log Analytics due to a connectivity issue or when a host has an incorrect time date/time. This can manifest itself by an apparent discrepancy between the ingested data reported by the `Usage` data type, and a query summing `_BilledSize` over the raw data for a particular day specified by `TimeGenerated`, the timestamp when the event was generated.
+Situations can arise where data is ingested with old timestamps. For example, if an agent can't communicate to Log Analytics because of a connectivity issue or when a host has an incorrect time date/time. This can manifest itself by an apparent discrepancy between the ingested data reported by the **Usage** data type and a query summing **_BilledSize** over the raw data for a particular day specified by **TimeGenerated**, the timestamp when the event was generated.
-To diagnose late arriving data issues, use the `_TimeReceived` column ([learn more](./log-standard-columns.md#_timereceived)) in addition to the `TimeGenerated` column. `_TimeReceived` is the time when the record was received by the Azure Monitor ingestion point in the Azure cloud. For instance, when using the `Usage` records, you have observed high ingested data volumes of `W3CIISLog` data on May 2, 2021, here is a query that will identify the timestamps on this ingested data:
+To diagnose late-arriving data issues, use the **_TimeReceived** column ([learn more](./log-standard-columns.md#_timereceived)) in addition to the **TimeGenerated** column. **_TimeReceived** is the time when the record was received by the Azure Monitor ingestion point in the Azure cloud. For example, when using the **Usage** records, you have observed high ingested data volumes of **W3CIISLog** data on May 2, 2021, here is a query that identifies the timestamps on this ingested data:
```Kusto W3CIISLog
W3CIISLog
| sort by TimeGenerated asc ```
-The `where TimeGenerated > datetime(1970-01-01)` is just present to provide the clue to the Log Analytics user interface to look over all data.
+The `where TimeGenerated > datetime(1970-01-01)` statement is present only to provide the clue to the Log Analytics user interface to look over all data.
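Review bot: L1123 keeps "incorrect time date/time", which is redundant; "an incorrect date/time" is enough. L1125 remains ungrammatical after the rewrite: "For example, when using the **Usage** records, you have observed high ingested data volumes of **W3CIISLog** data on May 2, 2021, here is a query that identifies ..." needs a conditional, for example "If the **Usage** records show a high ingested volume of `W3CIISLog` data on May 2, 2021, the following query identifies the timestamps on that data:".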
## Querying for common data types To dig deeper into the source of data for a particular data type, here are some useful example queries: + **Workspace-based Application Insights** resources
- - learn more at [Manage usage and costs for Application Insights](../app/pricing.md#data-volume-for-workspace-based-application-insights-resources)
+ - Learn more at [Manage usage and costs for Application Insights](../app/pricing.md#data-volume-for-workspace-based-application-insights-resources)
+ **Security** solution - `SecurityEvent | summarize AggregatedValue = count() by EventID` + **Log Management** solution
To dig deeper into the source of data for a particular data type, here are some
## Tips for reducing data volume
-Some suggestions for reducing the volume of logs collected include:
+This table lists some suggestions for reducing the volume of logs collected.
| Source of high data volume | How to reduce data volume | | -- | - | | Data Collection Rules | The [Azure Monitor Agent](../agents/azure-monitor-agent-overview.md) uses Data Collection Rules to manage the collection of data. You can [limit the collection of data](../agents/data-collection-rule-azure-monitor-agent.md#limit-data-collection-with-custom-xpath-queries) using custom XPath queries. | | Container Insights | [Configure Container Insights](../containers/container-insights-cost.md#controlling-ingestion-to-reduce-cost) to collect only the data you required. |
-| Security events | Select [common or minimal security events](../../security-center/security-center-enable-data-collection.md#data-collection-tier) <br> Change the security audit policy to collect only needed events. In particular, review the need to collect events for <br> - [audit filtering platform](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772749(v=ws.10)) <br> - [audit registry](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v%3dws.10))<br> - [audit file system](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772661(v%3dws.10))<br> - [audit kernel object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941615(v%3dws.10))<br> - [audit handle manipulation](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772626(v%3dws.10))<br> - audit removable storage |
-| Performance counters | Change [performance counter configuration](../agents/data-sources-performance-counters.md) to: <br> - Reduce the frequency of collection <br> - Reduce number of performance counters |
-| Event logs | Change [event log configuration](../agents/data-sources-windows-events.md) to: <br> - Reduce the number of event logs collected <br> - Collect only required event levels. For example, do not collect *Information* level events |
-| Syslog | Change [syslog configuration](../agents/data-sources-syslog.md) to: <br> - Reduce the number of facilities collected <br> - Collect only required event levels. For example, do not collect *Info* and *Debug* level events |
-| AzureDiagnostics | Change [resource log collection](../essentials/diagnostic-settings.md#create-in-azure-portal) to: <br> - Reduce the number of resources send logs to Log Analytics <br> - Collect only required logs |
+| Security events | Select [common or minimal security events](../../security-center/security-center-enable-data-collection.md#data-collection-tier). <br> Change the security audit policy to collect only needed events. In particular, review the need to collect events for: <br> - [audit filtering platform](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772749(v=ws.10)). <br> - [audit registry](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v%3dws.10)). <br> - [audit file system](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772661(v%3dws.10)). <br> - [audit kernel object](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941615(v%3dws.10)). <br> - [audit handle manipulation](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772626(v%3dws.10)). <br> - audit removable storage. |
+| Performance counters | Change the [performance counter configuration](../agents/data-sources-performance-counters.md) to: <br> - Reduce the frequency of collection. <br> - Reduce the number of performance counters. |
+| Event logs | Change the [event log configuration](../agents/data-sources-windows-events.md) to: <br> - Reduce the number of event logs collected. <br> - Collect only required event levels. For example, do not collect *Information* level events. |
+| Syslog | Change the [syslog configuration](../agents/data-sources-syslog.md) to: <br> - Reduce the number of facilities collected. <br> - Collect only required event levels. For example, do not collect *Info* and *Debug* level events. |
+| AzureDiagnostics | Change the [resource log collection](../essentials/diagnostic-settings.md#create-in-azure-portal) to: <br> - Reduce the number of resources that send logs to Log Analytics. <br> - Collect only required logs. |
| Solution data from computers that don't need the solution | Use [solution targeting](../insights/solution-targeting.md) to collect data from only required groups of computers. |
-| Application Insights | Review options for [managing Application Insights data volume](../app/pricing.md#managing-your-data-volume) |
+| Application Insights | Review options for [managing Application Insights data volume](../app/pricing.md#managing-your-data-volume). |
| [SQL Analytics](../insights/azure-sql.md) | Use [Set-AzSqlServerAudit](/powershell/module/az.sql/set-azsqlserveraudit) to tune the auditing settings. |
-| Azure Sentinel | Review any [Sentinel data sources](../../sentinel/connect-data-sources.md) which you recently enabled as sources of additional data volume. Learn more about [managing Sentinel costs](../../sentinel/azure-sentinel-billing.md#manage-azure-sentinel-costs) |
+| Azure Sentinel | Review any [Sentinel data sources](../../sentinel/connect-data-sources.md) that you recently enabled as sources of additional data volume. |
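Review bot: L1155 drops the link "Learn more about [managing Sentinel costs](../../sentinel/azure-sentinel-billing.md#manage-azure-sentinel-costs)" without a stated reason; if the target still exists, keep it, because the Sentinel row otherwise tells the reader what to review but not how to act on it. In the Security events row at L1145 the added periods after each bulleted audit subcategory ("audit registry.", "audit file system.") read oddly inside a table cell; drop them. That row would also benefit from a one-line caveat: choosing common or minimal security events, or disabling subcategories such as registry, file system and handle manipulation auditing, reduces the event coverage available to Sentinel and Defender analytics, so the cut should be agreed with whoever owns the detections before it is made.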
### Getting nodes as billed in the Per Node pricing tier
-To get a list of computers that will be billed as nodes if the workspace is in the legacy Per Node pricing tier, look for nodes which are sending **billed data types** (some data types are free).
-To do this, use the `_IsBillable` [property](./log-standard-columns.md#_isbillable) and use the leftmost field of the fully qualified domain name. This returns the count of computers with billed
+To get a list of computers that will be billed as nodes if the workspace is in the legacy Per Node pricing tier, look for nodes that are sending **billed data types** (some data types are free).
+To do this, use the [_IsBillable property](./log-standard-columns.md#_isbillable) and use the leftmost field of the fully qualified domain name. This returns the count of computers with billed
data per hour (which is the granularity at which nodes are counted and billed): ```kusto
To see the number of distinct Automation nodes, use the query:
The decision of whether workspaces with access to the legacy **Per Node** pricing tier are better off in that tier or in a current **Pay-As-You-Go** or **Commitment Tier** is often difficult for customers to assess. This involves understanding the trade-off between the fixed cost per monitored node in the Per Node pricing tier and its included data allocation of 500 MB/node/day and the cost of just paying for ingested data in the Pay-As-You-Go (Per GB) tier.
-To facilitate this assessment, the following query can be used to make a recommendation for the optimal pricing tier based on a workspace's usage patterns. This query looks at the monitored nodes and data ingested into a workspace in the last 7 days, and for each day evaluates which pricing tier would have been optimal. To use the query, you need to specify
+To facilitate this assessment, the following query can be used to make a recommendation for the optimal pricing tier based on a workspace's usage patterns. This query looks at the monitored nodes and data ingested into a workspace in the last seven days, and for each day, it evaluates which pricing tier would have been optimal. To use the query, you need to specify:
-1. whether the workspace is using Azure Defender (Security Center) by setting `workspaceHasSecurityCenter` to `true` or `false`,
-2. update the prices if you have specific discounts, and
-3. specify the number of days to look back and analyze by setting `daysToEvaluate`. This is useful if the query is taking too long trying to look at 7 days of data.
+- Whether the workspace is using Azure Defender (Security Center) by setting **workspaceHasSecurityCenter** to **true** or **false**.
+- Update the prices if you have specific discounts.
+- Specify the number of days to look back and analyze by setting **daysToEvaluate**. This is useful if the query is taking too long trying to look at seven days of data.
Here is the pricing tier recommendation query:
union *
| sort by day asc ```
-This query is not an exact replication of how usage is calculated, but will work for providing pricing tier recommendations in most cases.
+This query isn't an exact replication of how usage is calculated, but it provides pricing tier recommendations in most cases.
> [!NOTE]
-> To use the entitlements that come from purchasing OMS E1 Suite, OMS E2 Suite or OMS Add-On for System Center, choose the Log Analytics *Per Node* pricing tier.
+> To use the entitlements that come from purchasing OMS E1 Suite, OMS E2 Suite, or OMS Add-On for System Center, choose the Log Analytics *Per Node* pricing tier.
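Review bot: the list at L1169-L1171 follows "you need to specify:" but only the first item fits that lead-in; "Update the prices if you have specific discounts." and "Specify the number of days ..." are imperatives and read as "specify: Update the prices". Either change the lead-in to "Before you run the query:" or make the items parallel, for example "The prices, if you have specific discounts." and "The number of days to look back, by setting `daysToEvaluate`."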
## Create an alert when data collection is high
-This section describes how to create an alert the data volume in the last 24 hours exceeded a specified amount, using Azure Monitor [Log Alerts](../alerts/alerts-unified-log.md).
+This section describes how to create an alert when the data volume in the last 24 hours exceeded a specified amount, using Azure Monitor [Log Alerts](../alerts/alerts-unified-log.md).
-To alert if the billable data volume ingested in the last 24 hours was greater than 50 GB, follow these steps:
+To alert if the billable data volume ingested in the last 24 hours was greater than 50 GB:
- **Define alert condition** specify your Log Analytics workspace as the resource target. - **Alert criteria** specify the following: - **Signal Name** select **Custom log search**
- - **Search query** to `Usage | where IsBillable | summarize DataGB = sum(Quantity / 1000.) | where DataGB > 50`. If you want a different
+ - **Search query** to `Usage | where IsBillable | summarize DataGB = sum(Quantity / 1000.) | where DataGB > 50`.
- **Alert logic** is **Based on** *number of results* and **Condition** is *Greater than* a **Threshold** of *0* - **Time period** of *1440* minutes and **Alert frequency** to every *1440* minutes to run once a day. - **Define alert details** specify the following: - **Name** to *Billable data volume greater than 50 GB in 24 hours* - **Severity** to *Warning*
-Specify an existing or create a new [Action Group](../alerts/action-groups.md) so that when the log alert matches criteria, you are notified.
+To be notified when the log alert matches criteria, specify an existing or create a new [action group](../alerts/action-groups.md).
When you receive an alert, use the steps in the above sections about how to troubleshoot why usage is higher than expected. ## Data transfer charges using Log Analytics
-Sending data to Log Analytics might incur data bandwidth charges, however that is limited to Virtual Machines where a Log Analytics agent is installed and doesn't apply when using Diagnostics settings or with other connectors that are built into Azure Sentinel. As described in the [Azure Bandwidth pricing page](https://azure.microsoft.com/pricing/details/bandwidth/), data transfer between Azure services located in two regions charged as outbound data transfer at the normal rate. Inbound data transfer is free. However, this charge is very small (few %) compared to the costs for Log Analytics data ingestion. Consequently controlling costs for Log Analytics needs to focus on your [ingested data volume](#understanding-ingested-data-volume).
-
+Sending data to Log Analytics might incur data bandwidth charges. However, that's limited to Virtual Machines where a Log Analytics agent is installed and doesn't apply when using Diagnostics settings or with other connectors that are built in to Azure Sentinel. As described in the [Azure Bandwidth pricing page](https://azure.microsoft.com/pricing/details/bandwidth/), data transfer between Azure services located in two regions is charged as outbound data transfer at the normal rate. Inbound data transfer is free. However, this charge is very small compared to the costs for Log Analytics data ingestion. So, controlling costs for Log Analytics needs to focus on your [ingested data volume](#understanding-ingested-data-volume).
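Review bot: L1194 should read "built into Azure Sentinel", not "built in to". Dropping "(few %)" from the original also removes the only quantification behind "very small"; either keep the rough figure or say "a small fraction of the ingestion cost" so the claim is not left unsupported.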
## Troubleshooting why Log Analytics is no longer collecting data
-If you are on the legacy Free pricing tier and have sent more than 500 MB of data in a day, data collection stops for the rest of the day. Reaching the daily limit is a common reason that Log Analytics stops collecting data, or data appears to be missing. Log Analytics creates an event of type Operation when data collection starts and stops. Run the following query in search to check if you are reaching the daily limit and missing data:
+If you're on the legacy Free pricing tier and have sent more than 500 MB of data in a day, data collection stops for the rest of the day. Reaching the daily limit is a common reason that Log Analytics stops collecting data, or data appears to be missing. Log Analytics creates an **Operation** type event when data collection starts and stops. Run the following query in search to check whether you're reaching the daily limit and missing data:
```kusto Operation | where OperationCategory == 'Data Collection Status' ```
-When data collection stops, the OperationStatus is **Warning**. When data collection starts, the OperationStatus is **Succeeded**. The following table describes reasons that data collection stops and a suggested action to resume data collection:
+When data collection stops, the **OperationStatus** is **Warning**. When data collection starts, the **OperationStatus** is **Succeeded**. The following table lists reasons that data collection stops and a suggested action to resume data collection.
|Reason collection stops| Solution| |--|| |Daily cap of your workspace was reached|Wait for collection to automatically restart, or increase the daily data volume limit described in manage the maximum daily data volume. The daily cap reset time is shows on the **Daily Cap** page. |
-| Your workspace has hit the [Data Ingestion Volume Rate](../service-limits.md#log-analytics-workspaces) | The default ingestion volume rate limit for data sent from Azure resources using diagnostic settings is approximately 6 GB/min per workspace. This is an approximate value since the actual size can vary between data types depending on the log length and its compression ratio. This limit does not apply to data that is sent from agents or Data Collector API. If you send data at a higher rate to a single workspace, some data is dropped, and an event is sent to the Operation table in your workspace every 6 hours while the threshold continues to be exceeded. If your ingestion volume continues to exceed the rate limit or you are expecting to reach it sometime soon, you can request an increase to your workspace by sending an email to LAIngestionRate@microsoft.com or opening a support request. The event to look for that indicates a data ingestion rate limit can be found by the query `Operation | where OperationCategory == "Ingestion" | where Detail startswith "The rate of data crossed the threshold"`. |
+| Your workspace has hit the [Data Ingestion Volume Rate](../service-limits.md#log-analytics-workspaces) | The default ingestion volume rate limit for data sent from Azure resources using diagnostic settings is approximately 6 GB/min per workspace. This is an approximate value because the actual size can vary between data types, depending on the log length and its compression ratio. This limit doesn't apply to data that's sent from agents or the Data Collector API. If you send data at a higher rate to a single workspace, some data is dropped, and an event is sent to the Operation table in your workspace every 6 hours while the threshold continues to be exceeded. If your ingestion volume continues to exceed the rate limit or you are expecting to reach it sometime soon, you can request an increase to your workspace by sending an email to LAIngestionRate@microsoft.com or by opening a support request. The event to look for that indicates a data ingestion rate limit can be found by the query `Operation | where OperationCategory == "Ingestion" | where Detail startswith "The rate of data crossed the threshold"`. |
|Daily limit of legacy Free pricing tier reached |Wait until the following day for collection to automatically restart, or change to a paid pricing tier.|
-|Azure subscription is in a suspended state due to:<br> Free trial ended<br> Azure pass expired<br> Monthly spending limit reached (for example on an MSDN or Visual Studio subscription)|Convert to a paid subscription<br> Remove limit, or wait until limit resets|
+|Azure subscription is in a suspended state due to:<br> Free trial ended<br> Azure pass expired<br> Monthly spending limit reached (such as on an MSDN or Visual Studio subscription)|Convert to a paid subscription<br> Remove limit, or wait until limit resets|
-To be notified when data collection stops, use the steps described in *Create daily data cap* alert to be notified when data collection stops. Use the steps described in [create an action group](../alerts/action-groups.md) to configure an e-mail, webhook, or runbook action for the alert rule.
+To be notified when data collection stops, use the steps described in the [Alert when daily cap is reached](#alert-when-daily-cap-is-reached) section. To configure an e-mail, webhook, or runbook action for the alert rule, use the steps described in [create an action group](../alerts/action-groups.md).
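Review bot: the rate-limit row's detection query `Operation | where OperationCategory == "Ingestion" | where Detail startswith "The rate of data crossed the threshold"` reads the `Operation` table, while the monitor-workspace article in this same commit finds the same event with `_LogOperation | where TimeGenerated >= ago(7d) | where Category == "Ingestion" | where Operation has "Ingestion rate"`; use one table and one column name in both places so that either query can be pasted as written. Two leftovers in the unchanged daily-cap row above: `The daily cap reset time is shows on` should read `is shown on`, and `described in manage the maximum daily data volume` wants a link to that section, in the same way the fixed sentence at the end of this hunk now links the alert section.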
## Limits summary
There are additional Log Analytics limits, some of which depend on the Log Analy
- See [Log searches in Azure Monitor Logs](../logs/log-query-overview.md) to learn how to use the search language. You can use search queries to perform additional analysis on the usage data. - Use the steps described in [create a new log alert](../alerts/alerts-metric.md) to be notified when a search criteria is met. - Use [solution targeting](../insights/solution-targeting.md) to collect data from only required groups of computers.-- To configure an effective event collection policy, review [Azure Defender (Security Center) filtering policy](../../security-center/security-center-enable-data-collection.md).
+- To configure an effective event collection policy, review [Azure Defender (Security Center) filtering policy](../../security-center/security-center-enable-data-collection.md).
- Change [performance counter configuration](../agents/data-sources-performance-counters.md). - To modify your event collection settings, review [event log configuration](../agents/data-sources-windows-events.md). - To modify your syslog collection settings, review [syslog configuration](../agents/data-sources-syslog.md).
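Review bot: the unchanged bullet `Use the steps described in [create a new log alert](../alerts/alerts-metric.md)` in this hunk sends readers to the metric-alert article for a log alert; point it at the log-alert article while this list is being touched. The removed and re-added Azure Defender bullet is byte-identical (a whitespace or line-ending change only), which is fine.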
azure-monitor Monitor Workspace https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/logs/monitor-workspace.md
Note, after reaching the set limit, your data collection will automatically stop
Recommended Actions: * Check _LogOperation table for collection stopped and collection resumed events.</br> `_LogOperation | where TimeGenerated >= ago(7d) | where Category == "Ingestion" | where Operation has "Data collection"`
-* [Create an alert](./manage-cost-storage.md#alert-when-daily-cap-reached) on "Data collection stopped" Operation event, this alert will allow you to get notified when the collection limit was reached.
+* [Create an alert](./manage-cost-storage.md#alert-when-daily-cap-is-reached) on "Data collection stopped" Operation event, this alert will allow you to get notified when the collection limit was reached.
* Data collected after the daily collection limit is reached will be lost, use ΓÇÿworkspace insightsΓÇÖ blade to review usage rates from each source. Or, you can decide to ([Manage your maximum daily data volume](./manage-cost-storage.md#manage-your-maximum-daily-data-volume) \ [change the pricing tier](./manage-cost-storage.md#changing-pricing-tier) to one that will suite your collection rates pattern).
-* Data collection rate is calculated per day, and will reset at the start of the next day, you can also monitor collection resume event by [Create an alert](./manage-cost-storage.md#alert-when-daily-cap-reached) on "Data collection resumed" Operation event.
+* Data collection rate is calculated per day, and will reset at the start of the next day, you can also monitor collection resume event by [Create an alert](./manage-cost-storage.md#alert-when-daily-cap-is-reached) on "Data collection resumed" Operation event.
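Review bot: the unchanged bullet between the two fixed links still carries mis-decoded curly quotation marks (`ΓÇÿworkspace insightsΓÇÖ`), a stray backslash where `or` belongs between the two links, and `suite` for `suit`; fix these in the same pass as the anchor correction, which is itself right. The fixed bullets are also comma splices (`... Operation event, this alert will allow you to get notified ...`); split each into two sentences.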
#### Operation: Ingestion rate "The data ingestion volume rate crossed the threshold in your workspace: {0:0.00} MB per one minute and data has been dropped."
Recommended Actions:
* Check _LogOperation table for ingestion rate event `_LogOperation | where TimeGenerated >= ago(7d) | where Category == "Ingestion" | where Operation has "Ingestion rate"` Note: Operation table in the workspace every 6 hours while the threshold continues to be exceeded.
-* [Create an alert](./manage-cost-storage.md#alert-when-daily-cap-reached) on "Data collection stopped" Operation event, this alert will allow you to get notified when the limit is reached.
+* [Create an alert](./manage-cost-storage.md#alert-when-daily-cap-is-reached) on "Data collection stopped" Operation event, this alert will allow you to get notified when the limit is reached.
* Data collected while ingestion rate reached 100% will be dropped and lost. 'workspace insights' blade to review your usage patterns and try to reduce them.</br> For further information: </br> [Azure Monitor service limits](../service-limits.md#data-ingestion-volume-rate) </br>
-[Manage usage and costs for Azure Monitor Logs](./manage-cost-storage.md#alert-when-daily-cap-reached)
+[Manage usage and costs for Azure Monitor Logs](./manage-cost-storage.md#alert-when-daily-cap-is-reached)
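Review bot: the second bullet tells readers to alert on the `Data collection stopped` event and links the daily-cap alert section, but the ingestion-rate limit this section describes drops data without stopping collection (see the heading text and the `Operation has "Ingestion rate"` query in the first bullet), so such an alert never fires for this condition; alert on the ingestion-rate event instead and link a section that covers it. Two more things in the unchanged lines: `Note: Operation table in the workspace every 6 hours while the threshold continues to be exceeded.` has lost its subject and verb (the event is written to the table every 6 hours), and `'workspace insights' blade to review your usage patterns` in the last bullet lacks a verb (`Use the ...`).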
#### Operation: Maximum table column count
azure-netapp-files Azure Netapp Files Solution Architectures https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-solution-architectures.md
na ms.devlang: na Previously updated : 06/22/2021 Last updated : 06/28/2021 # Solution architectures using Azure NetApp Files
This section provides solutions for Azure platform services.
### Azure Kubernetes Services and Kubernetes
+* [Astra: protect, recover, and manage your AKS workloads on Azure NetApp Files](https://cloud.netapp.com/hubfs/Astra%20Azure%20Documentation.pdf)
* [Integrate Azure NetApp Files with Azure Kubernetes Service](../aks/azure-netapp-files.md) * [Out-of-This-World Kubernetes performance on Azure with Azure NetApp Files](https://cloud.netapp.com/blog/ma-anf-blg-configure-kubernetes-openshift) * [Azure NetApp Files + Trident = Dynamic and Persistent Storage for Kubernetes](https://anfcommunity.com/2021/02/16/azure-netapp-files-trident-dynamic-and-persistent-storage-for-kubernetes/)
azure-resource-manager Bicep Functions Resource https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/bicep/bicep-functions-resource.md
The possible uses of list* are shown in the following table.
| Microsoft.AppPlatform/Spring | [listTestKeys](/rest/api/azurespringcloud/services/listtestkeys) | | Microsoft.Automation/automationAccounts | [listKeys](/rest/api/automation/keys/listbyautomationaccount) | | Microsoft.Batch/batchAccounts | [listkeys](/rest/api/batchmanagement/batchaccount/getkeys) |
-| Microsoft.BatchAI/workspaces/experiments/jobs | [listoutputfiles](/rest/api/batchai/jobs/listoutputfiles) |
+| Microsoft.BatchAI/workspaces/experiments/jobs | listoutputfiles |
| Microsoft.Blockchain/blockchainMembers | [listApiKeys](/rest/api/blockchain/2019-06-01-preview/blockchainmembers/listapikeys) | | Microsoft.Blockchain/blockchainMembers/transactionNodes | [listApiKeys](/rest/api/blockchain/2019-06-01-preview/transactionnodes/listapikeys) | | Microsoft.BotService/botServices/channels | [listChannelWithKeys](https://github.com/Azure/azure-rest-api-specs/blob/master/specification/botservice/resource-manager/Microsoft.BotService/stable/2020-06-02/botservice.json#L553) |
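Review bot: dropping the link leaves a bare `listoutputfiles` that readers cannot look up. Batch AI has been retired, so either remove the `Microsoft.BatchAI/workspaces/experiments/jobs` row or keep it with a short note that the service is retired; a text-only cell with no explanation reads like a broken link.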
The possible uses of list* are shown in the following table.
| Microsoft.Relay/namespaces/disasterRecoveryConfigs/authorizationRules | listkeys | | Microsoft.Relay/namespaces/HybridConnections/authorizationRules | [listkeys](/rest/api/relay/hybridconnections/listkeys) | | Microsoft.Relay/namespaces/WcfRelays/authorizationRules | [listkeys](/rest/api/relay/wcfrelays/listkeys) |
-| Microsoft.Search/searchServices | [listAdminKeys](/rest/api/searchmanagement/adminkeys/get) |
-| Microsoft.Search/searchServices | [listQueryKeys](/rest/api/searchmanagement/querykeys/listbysearchservice) |
+| Microsoft.Search/searchServices | [listAdminKeys](/rest/api/searchmanagement/2021-04-01-preview/admin-keys/get) |
+| Microsoft.Search/searchServices | [listQueryKeys](/rest/api/searchmanagement/2021-04-01-preview/query-keys/list-by-search-service) |
| Microsoft.ServiceBus/namespaces/authorizationRules | [listkeys](/rest/api/servicebus/stable/namespaces-authorization-rules/list-keys) | | Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs/authorizationRules | [listkeys](/rest/api/servicebus/stable/disasterrecoveryconfigs/listkeys) |
-| Microsoft.ServiceBus/namespaces/queues/authorizationRules | [listkeys](/rest/rest/api/servicebus/stable/queues-authorization-rules/list-keys) |
+| Microsoft.ServiceBus/namespaces/queues/authorizationRules | [listkeys](/rest/api/servicebus/preview/queues-authorization-rules/list-keys) |
| Microsoft.ServiceBus/namespaces/topics/authorizationRules | [listkeys](/rest/api/servicebus/stable/topics%20%E2%80%93%20authorization%20rules/list-keys) | | Microsoft.SignalRService/SignalR | [listkeys](/rest/api/signalr/signalr/listkeys) | | Microsoft.Storage/storageAccounts | [listAccountSas](/rest/api/storagerp/storageaccounts/listaccountsas) |
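Review bot: the Service Bus queues row now points at `preview/queues-authorization-rules/list-keys` while the sibling namespace, disasterRecoveryConfigs and topics rows in the same table link to `stable/`, and the same row in the ARM template copy of this table further down this page keeps `/rest/api/servicebus/stable/queues-authorization-rules/list-keys`; use the stable path if it resolves (removing the duplicated `/rest/rest/` segment is the right fix either way). Same question for the two Search rows, which now target `2021-04-01-preview` for `listAdminKeys` and `listQueryKeys`: link the current stable API version unless the stable reference pages were removed.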
azure-resource-manager Learn Bicep https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/bicep/learn-bicep.md
Title: Discover Bicep in Microsoft Learn description: Provides an overview of the units that are available in Microsoft Learn for Bicep. Previously updated : 06/11/2021 Last updated : 06/28/2021 # Bicep in Microsoft Learn
This path contains the following modules.
| [Deploy child and extension resources by using Bicep](/learn/modules/child-extension-bicep-templates/) | This module shows how to deploy various Azure resources in your Bicep code. Learn about child and extension resources, and how they can be defined and used within Bicep. Use Bicep to work with resources that you created outside a Bicep template or module. | | [Deploy resources to subscriptions, management groups, and tenants by using Bicep](/learn/modules/deploy-resources-scopes-bicep/) | Deploy Azure resources at the subscription, management group, and tenant scope. Learn what these resources are, why you would use them, and how you create Bicep code to deploy them. Also learn how to create a single set of Bicep files that you can deploy across multiple scopes in one operation. | | [Extend templates by using deployment scripts](/learn/modules/extend-resource-manager-template-deployment-scripts/) | Learn how to add custom steps to your Bicep file or Azure Resource Manager template (ARM template) by using deployment scripts. |
+| [Publish libraries of reusable infrastructure code by using template specs](/learn/modules/arm-template-specs/) | Learn how to create and publish template specs, and how to deploy them.|
## Other modules
azure-resource-manager Resource Name Rules https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/resource-name-rules.md
In the following tables, the term alphanumeric refers to:
> | | | | | > | communicationServices | global | 1-63 | Alphanumerics, hyphens, and underscores. |
+## Microsoft.Consumption
+
+> [!div class="mx-tableFixed"]
+> | Entity | Scope | Length | Valid Characters |
+> | | | | |
+> | budgets | subscription or resource group | 1-63 | Alphanumerics, hyphens, and underscores. |
+ ## Microsoft.ContainerInstance > [!div class="mx-tableFixed"]
azure-resource-manager Template Functions Resource https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/template-functions-resource.md
The possible uses of list* are shown in the following table.
| Microsoft.AppPlatform/Spring | [listTestKeys](/rest/api/azurespringcloud/services/listtestkeys) | | Microsoft.Automation/automationAccounts | [listKeys](/rest/api/automation/keys/listbyautomationaccount) | | Microsoft.Batch/batchAccounts | [listkeys](/rest/api/batchmanagement/batchaccount/getkeys) |
-| Microsoft.BatchAI/workspaces/experiments/jobs | [listoutputfiles](/rest/api/batchai/jobs/listoutputfiles) |
+| Microsoft.BatchAI/workspaces/experiments/jobs | listoutputfiles |
| Microsoft.Blockchain/blockchainMembers | [listApiKeys](/rest/api/blockchain/2019-06-01-preview/blockchainmembers/listapikeys) | | Microsoft.Blockchain/blockchainMembers/transactionNodes | [listApiKeys](/rest/api/blockchain/2019-06-01-preview/transactionnodes/listapikeys) | | Microsoft.BotService/botServices/channels | [listChannelWithKeys](https://github.com/Azure/azure-rest-api-specs/blob/master/specification/botservice/resource-manager/Microsoft.BotService/stable/2020-06-02/botservice.json#L553) |
The possible uses of list* are shown in the following table.
| Microsoft.Relay/namespaces/disasterRecoveryConfigs/authorizationRules | listkeys | | Microsoft.Relay/namespaces/HybridConnections/authorizationRules | [listkeys](/rest/api/relay/hybridconnections/listkeys) | | Microsoft.Relay/namespaces/WcfRelays/authorizationRules | [listkeys](/rest/api/relay/wcfrelays/listkeys) |
-| Microsoft.Search/searchServices | [listAdminKeys](/rest/api/searchmanagement/adminkeys/get) |
-| Microsoft.Search/searchServices | [listQueryKeys](/rest/api/searchmanagement/querykeys/listbysearchservice) |
+| Microsoft.Search/searchServices | [listAdminKeys](/rest/api/searchmanagement/2021-04-01-preview/admin-keys/get) |
+| Microsoft.Search/searchServices | [listQueryKeys](/rest/api/searchmanagement/2021-04-01-preview/query-keys/list-by-search-service) |
| Microsoft.ServiceBus/namespaces/authorizationRules | [listkeys](/rest/api/servicebus/stable/namespaces-authorization-rules/list-keys) | | Microsoft.ServiceBus/namespaces/disasterRecoveryConfigs/authorizationRules | [listkeys](/rest/api/servicebus/stable/disasterrecoveryconfigs/listkeys) | | Microsoft.ServiceBus/namespaces/queues/authorizationRules | [listkeys](/rest/api/servicebus/stable/queues-authorization-rules/list-keys) |
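Review bot: this table is meant to mirror the Bicep `list*` table earlier on this page, and the Search rows are updated identically, but the `Microsoft.ServiceBus/namespaces/queues/authorizationRules` row here keeps `stable/queues-authorization-rules/list-keys` while the Bicep copy switches it to `preview/`; make the two tables identical, preferably on the stable path.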
azure-resource-manager Test Cases https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/test-cases.md
Title: Test cases for test toolkit description: Describes the tests that are run by the ARM template test toolkit. Previously updated : 05/17/2021 Last updated : 06/25/2021 # Default test cases for ARM template test toolkit
-This article describes the default tests that are run with the [template test toolkit](test-toolkit.md) for Azure Resource Manager templates (ARM templates). It provides examples that pass or fail the test. It includes the name of each test. To run a specific test, see [Test parameters](test-toolkit.md#test-parameters).
+This article describes the default tests that are run with the [template test toolkit](test-toolkit.md) for Azure Resource Manager templates (ARM templates). It provides examples that pass or fail the test and includes the name of each test. To run a specific test, see [Test parameters](test-toolkit.md#test-parameters).
## Use correct schema
Test name: **Secure String Parameters Cannot Have Default**
Don't provide a hard-coded default value for a secure parameter in your template. An empty string is fine for the default value.
-You use the types **SecureString** or **SecureObject** on parameters that contain sensitive values, like passwords. When a parameter uses a secure type, the value of the parameter isn't logged or stored in the deployment history. This action prevents a malicious user from discovering the sensitive value.
+You use the types `secureString` or `secureObject` on parameters that contain sensitive values, like passwords. When a parameter uses a secure type, the value of the parameter isn't logged or stored in the deployment history. This action prevents a malicious user from discovering the sensitive value.
However, when you provide a default value, that value is discoverable by anyone who can access the template or the deployment history.
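Review bot: `isn't logged or stored in the deployment history` is too strong as written: the debugSetting test later in this same article says deployment debugging can expose sensitive information, which includes values passed to secure parameters when a nested deployment logs its request content. Qualify the sentence (`... isn't stored in the deployment history unless debugging is enabled on a nested deployment`) or cross-link the two tests, since a reader relying on `secureString` alone will miss that caveat. Lowercasing to `secureString`/`secureObject` matches the type names as written in templates; good.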
The following example **fails** this test:
```json "parameters": {
- "adminPassword": {
- "defaultValue": "HardcodedPassword",
- "type": "SecureString"
- }
+ "adminPassword": {
+ "defaultValue": "HardcodedPassword",
+ "type": "secureString"
+ }
} ```
The next example **passes** this test:
```json "parameters": {
- "adminPassword": {
- "type": "SecureString"
- }
+ "adminPassword": {
+ "type": "secureString"
+ }
} ```
The following example **fails** this test because the URL is hardcoded.
```json "variables":{
- "AzureURL":"https://management.azure.com"
+ "AzureURL":"https://management.azure.com"
} ```
The test also **fails** when used with [concat](template-functions-string.md#con
```json "variables":{
- "AzureSchemaURL1": "[concat('https://','gallery.azure.com')]",
- "AzureSchemaURL2": "[uri('gallery.azure.com','test')]"
+ "AzureSchemaURL1": "[concat('https://','gallery.azure.com')]",
+ "AzureSchemaURL2": "[uri('gallery.azure.com','test')]"
} ```
The following example **passes** this test.
```json "variables": {
- "AzureSchemaURL": "[environment().gallery]"
-},
+ "AzureSchemaURL": "[environment().gallery]"
+}
``` ## Location uses parameter
Test name: **Location Should Not Be Hardcoded**
Your templates should have a parameter named location. Use this parameter for setting the location of resources in your template. In the main template (named _azuredeploy.json_ or _mainTemplate.json_), this parameter can default to the resource group location. In linked or nested templates, the location parameter shouldn't have a default location.
-Users of your template may have limited regions available to them. When you hard code the resource location, users may be blocked from creating a resource in that region. Users could be blocked even if you set the resource location to `"[resourceGroup().location]"`. The resource group may have been created in a region that other users can't access. Those users are blocked from using the template.
+Users of your template may have limited regions available to them. When you hardcode the resource location, users may be blocked from creating a resource in that region. Users could be blocked even if you set the resource location to `"[resourceGroup().location]"`. The resource group may have been created in a region that other users can't access. Those users are blocked from using the template.
By providing a location parameter that defaults to the resource group location, users can use the default value when convenient but also specify a different location.
The following example **fails** this test because location on the resource is se
```json {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.Storage/storageAccounts",
- "apiVersion": "2019-06-01",
- "name": "storageaccount1",
- "location": "[resourceGroup().location]",
- "kind": "StorageV2",
- "sku": {
- "name": "Premium_LRS",
- "tier": "Premium"
- }
- }
- ]
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2021-02-01",
+ "name": "storageaccount1",
+ "location": "[resourceGroup().location]",
+ "kind": "StorageV2",
+ "sku": {
+ "name": "Premium_LRS",
+ "tier": "Premium"
+ }
+ }
+ ]
} ```
The next example uses a location parameter but **fails** this test because the l
```json {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "location": {
- "type": "string",
- "defaultValue": "westus"
- }
- },
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.Storage/storageAccounts",
- "apiVersion": "2019-06-01",
- "name": "storageaccount1",
- "location": "[parameters('location')]",
- "kind": "StorageV2",
- "sku": {
- "name": "Premium_LRS",
- "tier": "Premium"
- }
- }
- ],
- "outputs": {}
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "westus"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2021-02-01",
+ "name": "storageaccount1",
+ "location": "[parameters('location')]",
+ "kind": "StorageV2",
+ "sku": {
+ "name": "Premium_LRS",
+ "tier": "Premium"
+ }
+ }
+ ],
+ "outputs": {}
} ```
Instead, create a parameter that defaults to the resource group location but all
```json {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "location": {
- "type": "string",
- "defaultValue": "[resourceGroup().location]",
- "metadata": {
- "description": "Location for the resources."
- }
- }
- },
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.Storage/storageAccounts",
- "apiVersion": "2019-06-01",
- "name": "storageaccount1",
- "location": "[parameters('location')]",
- "kind": "StorageV2",
- "sku": {
- "name": "Premium_LRS",
- "tier": "Premium"
- }
- }
- ],
- "outputs": {}
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for the resources."
+ }
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2021-02-01",
+ "name": "storageaccount1",
+ "location": "[parameters('location')]",
+ "kind": "StorageV2",
+ "sku": {
+ "name": "Premium_LRS",
+ "tier": "Premium"
+ }
+ }
+ ],
+ "outputs": {}
} ```
The following example **fails** this test because the location isn't an expressi
```json {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {},
- "functions": [],
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.Storage/storageAccounts",
- "apiVersion": "2019-06-01",
- "name": "storageaccount1",
- "location": "westus",
- "kind": "StorageV2",
- "sku": {
- "name": "Premium_LRS",
- "tier": "Premium"
- }
- }
- ],
- "outputs": {}
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "functions": [],
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2021-02-01",
+ "name": "storageaccount1",
+ "location": "westus",
+ "kind": "StorageV2",
+ "sku": {
+ "name": "Premium_LRS",
+ "tier": "Premium"
+ }
+ }
+ ],
+ "outputs": {}
} ```
The following example **passes** this test.
```json {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {},
- "functions": [],
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.Maps/accounts",
- "apiVersion": "2020-02-01-preview",
- "name": "demoMap",
- "location": "global",
- "sku": {
- "name": "S0"
- }
- }
- ],
- "outputs": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "functions": [],
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Maps/accounts",
+ "apiVersion": "2021-02-01",
+ "name": "demoMap",
+ "location": "global",
+ "sku": {
+ "name": "S0"
+ }
}
+ ],
+ "outputs": {
+ }
} ```
The next example also **passes** this test.
```json {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "location": {
- "type": "string",
- "defaultValue": "[resourceGroup().location]",
- "metadata": {
- "description": "Location for the resources."
- }
- }
- },
- "variables": {},
- "resources": [
- {
- "type": "Microsoft.Storage/storageAccounts",
- "apiVersion": "2019-06-01",
- "name": "storageaccount1",
- "location": "[parameters('location')]",
- "kind": "StorageV2",
- "sku": {
- "name": "Premium_LRS",
- "tier": "Premium"
- }
- }
- ],
- "outputs": {}
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Location for the resources."
+ }
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts",
+ "apiVersion": "2021-02-01",
+ "name": "storageaccount1",
+ "location": "[parameters('location')]",
+ "kind": "StorageV2",
+ "sku": {
+ "name": "Premium_LRS",
+ "tier": "Premium"
+ }
+ }
+ ],
+ "outputs": {}
} ```
The next example also **passes** this test.
Test name: **VM Size Should Be A Parameter**
-Don't hardcode the virtual machine size. Provide a parameter so users of your template can modify the size of the deployed virtual machine.
+Don't hardcode the virtual machine (VM) size. Provide a parameter so users of your template can modify the size of the deployed virtual machine.
The following example **fails** this test. ```json "hardwareProfile": {
- "vmSize": "Standard_D2_v3"
+ "vmSize": "Standard_D2_v3"
} ```
Instead, provide a parameter.
```json "vmSize": {
- "type": "string",
- "defaultValue": "Standard_A2_v2",
- "metadata": {
- "description": "Size for the Virtual Machine."
- }
-},
+ "type": "string",
+ "defaultValue": "Standard_A2_v2",
+ "metadata": {
+ "description": "Size for the Virtual Machine."
+ }
+}
``` Then, set the VM size to that parameter. ```json "hardwareProfile": {
- "vmSize": "[parameters('vmSize')]"
-},
+ "vmSize": "[parameters('vmSize')]"
+}
``` ## Min and max values are numbers
The following example **fails** this test:
```json "exampleParameter": {
- "type": "int",
- "minValue": "0",
- "maxValue": "10"
-},
+ "type": "int",
+ "minValue": "0",
+ "maxValue": "10"
+}
``` Instead, provide the values as numbers. The following example **passes** this test: ```json "exampleParameter": {
- "type": "int",
- "minValue": 0,
- "maxValue": 10
-},
+ "type": "int",
+ "minValue": 0,
+ "maxValue": 10
+}
``` You also get this warning if you provide a min or max value, but not the other.
Test name: **artifacts parameter**
When you include parameters for `_artifactsLocation` and `_artifactsLocationSasToken`, use the correct defaults and types. The following conditions must be met to pass this test: * if you provide one parameter, you must provide the other
-* `_artifactsLocation` must be a **string**
+* `_artifactsLocation` must be a `string`
* `_artifactsLocation` must have a default value in the main template * `_artifactsLocation` can't have a default value in a nested template * `_artifactsLocation` must have either `"[deployment().properties.templateLink.uri]"` or the raw repo URL for its default value
-* `_artifactsLocationSasToken` must be a **secureString**
+* `_artifactsLocationSasToken` must be a `secureString`
* `_artifactsLocationSasToken` can only have an empty string for its default value * `_artifactsLocationSasToken` can't have a default value in a nested template
The following example **passes** this test. The **currentImage** variable is dyn
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": {
- "osType": {
- "type": "string",
- "allowedValues": [
- "Windows",
- "Linux"
- ]
- }
+ "osType": {
+ "type": "string",
+ "allowedValues": [
+ "Windows",
+ "Linux"
+ ]
+ }
}, "variables": { "imageOS": {
- "Windows": {
- "image": "Windows Image"
- },
- "Linux": {
- "image": "Linux Image"
- }
+ "Windows": {
+ "image": "Windows Image"
+ },
+ "Linux": {
+ "image": "Linux Image"
+ }
}, "currentImage": "[variables('imageOS')[parameters('osType')].image]" }, "resources": [], "outputs": {
- "result": {
- "type": "string",
- "value": "[variables('currentImage')]"
- }
+ "result": {
+ "type": "string",
+ "value": "[variables('currentImage')]"
+ }
} } ```
The following example **fails** this test.
```json "resources": [
- {
- "type": "Microsoft.Compute/virtualMachines",
- "apiVersion": "[providers('Microsoft.Compute', 'virtualMachines').apiVersions[0]]",
- ...
- }
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "[providers('Microsoft.Compute', 'virtualMachines').apiVersions[0]]",
+ ...
+ }
] ```
The following example **passes** this test.
```json "resources": [
- {
- "type": "Microsoft.Compute/virtualMachines",
- "apiVersion": "2019-12-01",
- ...
- }
+ {
+ "type": "Microsoft.Compute/virtualMachines",
+ "apiVersion": "2020-12-01",
+ ...
+ }
] ```
The following example **fails** this test.
```json "dependsOn": [
- "[if(equals(parameters('newOrExisting'),'new'), variables('storageAccountName'), '')]"
+ "[if(equals(parameters('newOrExisting'),'new'), variables('storageAccountName'), '')]"
] ```
The next example **passes** this test.
```json "dependsOn": [
- "[variables('storageAccountName')]"
+ "[variables('storageAccountName')]"
] ```
The next example **passes** this test.
Test name: **Deployment Resources Must Not Be Debug**
-When you define a [nested or linked template](linked-templates.md) with the **Microsoft.Resources/deployments** resource type, you can enable debugging for that template. Debugging is fine when you need to test that template but should be turned when you're ready to use the template in production.
+When you define a [nested or linked template](linked-templates.md) with the `Microsoft.Resources/deployments` resource type, you can enable [debugging](/azure/templates/microsoft.resources/deployments#debugsetting-object). Debugging is used when you need to test a template but can expose sensitive information. Before the template is used in production, turn off debugging. You can remove the `debugSetting` object or change the `detailLevel` property to `none`.
+
+The following example **fails** this test:
+
+```json
+"debugSetting": {
+ "detailLevel": "requestContent"
+}
+```
+
+The following example **passes** this test:
+
+```json
+"debugSetting": {
+ "detailLevel": "none"
+}
+```
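Review bot: the rewritten paragraph says debugging "can expose sensitive information" without saying how, and "Debugging is used when you need to test a template but can expose sensitive information" reads awkwardly; suggest "Debugging is useful while you test a template, but the request content it logs can expose sensitive information, so turn it off before production", which also ties the sentence to the `"detailLevel": "requestContent"` value in the failing example.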
## Admin user names can't be literal value
The following example **fails** this test:
```json "osProfile": {
- "adminUserName": "myAdmin"
-},
+ "adminUserName": "myAdmin"
+}
``` Instead, use a parameter. The following example **passes** this test: ```json "osProfile": {
- "adminUsername": "[parameters('adminUsername')]"
+ "adminUsername": "[parameters('adminUsername')]"
} ```
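Review bot: the property is spelled `adminUserName` in the failing example but `adminUsername` in the passing one, so the two snippets differ in more than the literal-versus-parameter change this test is about; use one spelling in both (the passing example's `adminUsername` also matches `parameters('adminUsername')`).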
Test name: **VM Images Should Use Latest Version**
+This test is disabled, but the output shows that it passed. The best practice is to check your template for the following criteria:
+ If your template includes a virtual machine with an image, make sure it's using the latest version of the image. ## Use stable VM images
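Review bot: "This test is disabled, but the output shows that it passed" leaves the reader unsure whether the template was checked at all; state plainly that a disabled test is reported as passed without being evaluated, so the criterion in the bullet that follows is a check the author has to make by hand.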
The following example **fails** this test.
```json "imageReference": {
- "publisher": "Canonical",
- "offer": "UbuntuServer",
- "sku": "16.04-LTS",
- "version": "latest-preview"
+ "publisher": "Canonical",
+ "offer": "UbuntuServer",
+ "sku": "16.04-LTS",
+ "version": "latest-preview"
} ```
The following example **passes** this test.
```json "imageReference": {
- "publisher": "Canonical",
- "offer": "UbuntuServer",
- "sku": "16.04-LTS",
- "version": "latest"
-},
+ "publisher": "Canonical",
+ "offer": "UbuntuServer",
+ "sku": "16.04-LTS",
+ "version": "latest"
+}
``` ## Don't use ManagedIdentity extension
The following example **fails** the test because it includes a secure parameter
```json {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "secureParam": {
- "type": "securestring"
- }
- },
- "functions": [],
- "variables": {},
- "resources": [],
- "outputs": {
- "badResult": {
- "type": "string",
- "value": "[concat('this is the value ', parameters('secureParam'))]"
- }
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "secureParam": {
+ "type": "secureString"
}
+ },
+ "functions": [],
+ "variables": {},
+ "resources": [],
+ "outputs": {
+ "badResult": {
+ "type": "string",
+ "value": "[concat('this is the value ', parameters('secureParam'))]"
+ }
+ }
} ```
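Review bot: the lead-in "fails the test because it includes a secure parameter" points at the wrong thing: declaring `secureParam` as `secureString` is correct, and the failure is that its value is concatenated into the output `badResult`; say "because an output contains the value of a secure parameter". The `securestring` to `secureString` casing change is fine but unrelated to why the example fails.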
The following example **fails** because it uses a [list*](template-functions-res
```json {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "storageName": {
- "type": "string"
- }
- },
- "functions": [],
- "variables": {},
- "resources": [],
- "outputs": {
- "badResult": {
- "type": "object",
- "value": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageName')), '2019-06-01')]"
- }
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "storageName": {
+ "type": "string"
+ }
+ },
+ "functions": [],
+ "variables": {},
+ "resources": [],
+ "outputs": {
+ "badResult": {
+ "type": "object",
+ "value": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageName')), '2021-02-01')]"
}
+ }
} ```
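Review bot: same wording issue as the previous example: the problem is the `listKeys()` result being placed in the output `badResult`, not the use of `listKeys()` as such; suggest "because an output contains the result of a list* function". The API version bump to `'2021-02-01'` is fine.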
Test name: **CommandToExecute Must Use ProtectedSettings For Secrets**
-In a Custom Script Extension, use the encrypted property `protectedSettings` when `commandToExecute` includes secret data such as a password. Examples of secret data types are `secureString`, `secureObject`, `list()` functions, or scripts.
+For resources with type `CustomScript`, use the encrypted `protectedSettings` when `commandToExecute` includes secret data such as a password. For example, secret data can be used in secure parameters of type `secureString` or `secureObject`, [list() functions](template-functions-resource.md#list) such as `listKeys()`, or custom scripts.
-For more information about Custom Script Extension for virtual machines, see [Windows](
-/azure/virtual-machines/extensions/custom-script-windows), [Linux](../../virtual-machines/extensions/custom-script-linux.md), and the schema [Microsoft.Compute virtualMachines/extensions](/azure/templates/microsoft.compute/virtualmachines/extensions).
+Don't use secret data in the `settings` object because it uses clear text. For more information, see [Microsoft.Compute virtualMachines/extensions](/azure/templates/microsoft.compute/virtualmachines/extensions), [Windows](
+/azure/virtual-machines/extensions/custom-script-windows), or [Linux](../../virtual-machines/extensions/custom-script-linux.md).
-In this example, a template with a parameter named `adminPassword` and type `secureString` **passes** the test because the encrypted property `protectedSettings` includes `commandToExecute`.
+This example **fails** because `settings` uses `commandToExecute` with a secure parameter:
```json
-"properties": [
- {
- "protectedSettings": {
- "commandToExecute": "[parameters('adminPassword')]"
- }
+"parameters": {
+ "adminPassword": {
+ "type": "secureString"
}
-]
+}
+...
+"properties": {
+ "type": "CustomScript",
+ "settings": {
+ "commandToExecute": "[parameters('adminPassword')]"
+ }
+}
```
-The test **fails** if the unencrypted property `settings` includes `commandToExecute`.
+This example **fails** because `settings` uses `commandToExecute` with a `listKeys()` function:
```json
-"properties": [
- {
- "settings": {
- "commandToExecute": "[parameters('adminPassword')]"
- }
+"properties": {
+ "type": "CustomScript",
+ "settings": {
+ "commandToExecute": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageName')), '2021-02-01')]"
}
-]
+}
+```
+
+This example **passes** because `protectedSettings` uses `commandToExecute` with a secure parameter:
+
+```json
+"parameters": {
+ "adminPassword": {
+ "type": "secureString"
+ }
+}
+...
+"properties": {
+ "type": "CustomScript",
+ "protectedSettings": {
+ "commandToExecute": "[parameters('adminPassword')]"
+ }
+}
+```
+
+This example **passes** because `protectedSettings` uses `commandToExecute` with a `listKeys()` function:
+
+```json
+"properties": {
+ "type": "CustomScript",
+ "protectedSettings": {
+ "commandToExecute": "[listKeys(resourceId('Microsoft.Storage/storageAccounts', parameters('storageName')), '2021-02-01')]"
+ }
+}
+```
+
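Review bot: "For resources with type `CustomScript`" conflates the resource type with the extension type: the resource is a `Microsoft.Compute/virtualMachines/extensions` resource (linked in the next paragraph) whose `properties.type` is `CustomScript`, exactly as the four examples show; suggest "For virtual machine extension resources whose `type` property is `CustomScript`". The `[Windows](` link is also still split across a line ending after the rewrite; keep it on one line so it renders reliably.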
+## Use recent API versions in reference functions
+
+Test name: **apiVersions Should Be Recent In Reference Functions**
+
+Ensures the `apiVersions` used in [reference functions](template-functions-resource.md#reference) are recent and aren't preview versions. The test evaluates API versions against the resource providers available versions. An API version that's less than two years old from the date the test was run is considered recent.
+
+This example **fails** because the API version is more than two years old:
+
+```json
+"outputs": {
+ "stgAcct": {
+ "type": "string",
+ "value": "[reference(resourceId(parameters('storageResourceGroup'), 'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2019-06-01')]"
+ }
+}
+```
+
+This example **fails** because the API version is a preview version:
+
+```json
+"outputs": {
+ "stgAcct": {
+ "type": "string",
+ "value": "[reference(resourceId(parameters('storageResourceGroup'), 'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2020-08-01-preview')]"
+ }
+}
+```
+
+This example **passes** because the API version less than two years old and isn't a preview version:
+
+```json
+"outputs": {
+ "stgAcct": {
+ "type": "string",
+ "value": "[reference(resourceId(parameters('storageResourceGroup'), 'Microsoft.Storage/storageAccounts', parameters('storageAccountName')), '2021-02-01')]"
+ }
+}
+```
+
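Review bot: two grammar slips in the new section: "the resource providers available versions" needs an apostrophe (resource provider's), and "because the API version less than two years old" is missing "is". Since recency is measured from the date the test runs, the `'2019-06-01'` failing example and the `'2021-02-01'` passing example are snapshots that will age; one sentence saying so would spare readers a confusing mismatch later.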
+## Use type and name in resourceId functions
+
+Test name: **Resources Should Not Be Ambiguous**
+
+This test is disabled, but the output shows that it passed. The best practice is to check your template for the following criteria:
+
+A [resourceId](template-functions-resource.md#resourceid) must include a resource type and resource name. This test finds all the template's `resourceId` functions and verifies that the resource is used in the template with the correct syntax. Otherwise the function is considered ambiguous.
+
+For example, a `resourceId` function is considered ambiguous:
+
+* When a resource isn't found in the template and a resource group isn't specified.
+* If a resource includes a condition and a resource group isn't specified.
+* If a related resource contains some but not all of the name segments. For example, a child resource contains more than one name segment. For more information, see [resourceId remarks](template-functions-resource.md#remarks-3).
+
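Review bot: "verifies that the resource is used in the template with the correct syntax" is vague next to the bullets that follow, which actually describe when the resource cannot be resolved (not found and no resource group given, conditional and no resource group given, only some name segments present); say that instead. The three bullets also switch between "When" and "If"; use one form.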
+## Use inner scope for nested deployment secure parameters
+
+Test name: **Secure Params In Nested Deployments**
+
+Use the nested template's `expressionEvaluationOptions` object with `inner` scope to evaluate expressions that contain secure parameters of type `secureString` or `secureObject` or [list() functions](template-functions-resource.md#list) such as `listKeys()`. If the `outer` scope is used, expressions are evaluated in clear text within the parent template's scope. The secure value is then visible to anyone with access to the deployment history. The default value of `expressionEvaluationOptions` is `outer`.
+
+For more information about nested templates, see [Microsoft.Resources/deployments](/azure/templates/microsoft.resources/deployments) and [Expression evaluation scope in nested templates](linked-templates.md#expression-evaluation-scope-in-nested-templates).
+
+This example **fails** because `expressionEvaluationOptions` uses `outer` scope to evaluate secure parameters or `list()` functions:
+
+```json
+"resources": [
+{
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "name": "nestedTemplate",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "outer"
+ }
+```
+
+This example **passes** because `expressionEvaluationOptions` uses `inner` scope to evaluate secure parameters or `list()` functions:
+
+```json
+"resources": [
+{
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2021-04-01",
+ "name": "nestedTemplate",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ }
``` ## Next steps * To learn about running the test toolkit, see [Use ARM template test toolkit](test-toolkit.md).
-* For a Microsoft Learn module that covers using the test toolkit, see [Preview changes and validate Azure resources by using what-if and the ARM template test toolkit](/learn/modules/arm-template-test/).
+* For a Microsoft Learn module that covers using the test toolkit, see [Preview changes and validate Azure resources by using what-if and the ARM template test toolkit](/learn/modules/arm-template-test/).
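Review bot: in the Secure Params In Nested Deployments section, "The default value of `expressionEvaluationOptions` is `outer`" should read "The default value of `scope` is `outer`", matching the `"scope"` property in the examples. Both JSON snippets stop after `"scope": "outer"` / `"scope": "inner"` with no closing braces or `...`, so they look truncated rather than deliberately partial; add `...` or close them. The failing and passing snippets also differ only in the scope value and never show a secure parameter or `list()` function being evaluated, so the reader cannot see what the `outer` scope would expose in the deployment history; include the expression the scope applies to.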
azure-signalr Signalr Resource Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-signalr/signalr-resource-faq.md
- Title: Azure SignalR Service frequently asked questions
-description: Get answers to frequently asked questions about Azure SignalR Service, including troubleshooting and typical usage scenarios.
---- Previously updated : 11/13/2019--
-# Azure SignalR Service FAQ
-
-## Is Azure SignalR Service ready for production use?
-
-Yes, both the support for [ASP.NET Core SignalR](https://dotnet.microsoft.com/apps/aspnet/signalr) and [ASP.NET SignalR](/aspnet/signalr/overview/getting-started/introduction-to-signalr) is all generally available.
-
-## When there are multiple application servers, are client messages sent to all servers or just one of them?
-
-There's a one-to-one mapping between a client and an application server. Messages from one client are always sent to the same application server.
-
-The mapping is maintained until the client or application server disconnects.
-
-## If one of my application servers is down, how can I find it and get notified?
-
-Azure SignalR Service monitors heartbeats from application servers.
-If heartbeats are not received for a specified period of time, the application server is considered offline. All client connections mapped to this application server will be disconnected.
-
-## Why does my custom `IUserIdProvider` throw an exception when I'm switching from ASP.NET Core SignalR SDK to Azure SignalR Service SDK?
-
-The parameter `HubConnectionContext context` is different between the ASP.NET Core SignalR SDK and the Azure SignalR Service SDK when `IUserIdProvider` is called.
-
-In ASP.NET Core SignalR, `HubConnectionContext context` is the context from the physical client connection with valid values for all properties.
-
-In the Azure SignalR Service SDK, `HubConnectionContext context` is the context from the logical client connection. The physical client is connected to the Azure SignalR Service instance, so only a limited number of properties are provided.
-
-For now, only `HubConnectionContext.GetHttpContext()` and `HubConnectionContext.User` are available for access.
-You can [check the source code](https://github.com/Azure/azure-signalr/blob/dev/src/Microsoft.Azure.SignalR/HubHost/ServiceHubConnectionContext.cs).
-
-## Can I configure the transports available in Azure SignalR Service on the server side with ASP.NET Core SignalR? For example, can I disable WebSocket transport?
-
-No.
-
-Azure SignalR Service provides all three transports that ASP.NET Core SignalR supports by default. It's not configurable. Azure SignalR Service will handle connections and transports for all client connections.
-
-You can configure client-side transports as documented in [ASP.NET Core SignalR configuration](/aspnet/core/signalr/configuration#configure-allowed-transports-1).
-
-## What is the meaning of metrics like message count or connection count shown in the Azure portal? Which kind of aggregation type should I choose?
-
-You can find details about we calculate these metrics in [Messages and connections in Azure SignalR Service](signalr-concept-messages-and-connections.md).
-
-On the overview pane of Azure SignalR Service resources, we've already chosen the appropriate aggregation type for you. If you go to the metrics pane, you can
-take the aggregation type to [Messages and connections in Azure SignalR Service](../azure-monitor/essentials/metrics-supported.md#microsoftsignalrservicesignalr) as a reference.
-
-## What is the meaning of the `Default`, `Serverless`, and `Classic` service modes? How can I choose?
-
-For new applications, only default and serverless mode should be used. The main difference is whether you have application servers that establish server connections to the service (i.e. use `AddAzureSignalR()` to connect to service). If yes use default mode, otherwise use serverless mode.
-
-Classic mode is designed for backward compatibility for existing applications so should not be used for new applications.
-
-For more information about service mode, see [Service mode in Azure SignalR Service](concept-service-mode.md).
-
-## Can I send message from client in serverless mode?
-
-You can send message from client if you configure upstream in your SignalR instance. Upstream is a set of endpoints that can receive messages and connection events from SignalR service. If no upstream is configured, messages from client will be ignored.
-
-For more information about upstream, see [Upstream settings](concept-upstream.md).
-
-Upstream is currently in public preview.
-
-## Are there any feature differences in using Azure SignalR Service with ASP.NET SignalR?
-
-When you're using Azure SignalR Service, some APIs and features of ASP.NET SignalR aren't supported:
-- The ability to pass arbitrary state between clients and the hub (often called `HubState`) is not supported.-- The `PersistentConnection` class is not supported.-- *Forever Frame transport* is not supported.-- Azure SignalR Service no longer replays messages sent to the client when the client is offline.-- When you're using Azure SignalR Service, the traffic for one client connection is always routed (also called *sticky*) to one app server instance for the duration of the connection.-
-Support for ASP.NET SignalR is focused on compatibility, so not all new features from ASP.NET Core SignalR are supported. For example, *MessagePack* and *Streaming* are available only for ASP.NET Core SignalR applications.
-
-You can configure Azure SignalR Service for different service modes: `Classic`, `Default`, and `Serverless`. The `Serverless` mode is not supported for ASP.NET. The data-plane REST API is also not supported.
-
-## Where does my data reside?
-
-Azure SignalR Service works as a data processor service. It won't store any customer content, and data residency is included by design. If you use Azure SignalR Service together with other Azure services, like Azure Storage for diagnostics, see [this white paper](https://azure.microsoft.com/resources/achieving-compliant-data-residency-and-security-with-azure/) for guidance about how to keep data residency in Azure regions.
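Review bot: this deletes the entire SignalR FAQ with no replacement in the hunk; given the parallel change in this update that repoints `elastic-scale-faq.md` to `elastic-scale-faq.yml`, confirm the SignalR FAQ has a YAML replacement and a redirect for the old `.md` URL so inbound links to answers such as the service-mode and data-residency items keep resolving.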
azure-sql Elastic Database Client Library https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/elastic-database-client-library.md
To download:
13. [Elastic Database client library with Dapper](elastic-scale-working-with-dapper.md) 14. [Split-merge tool](elastic-scale-overview-split-and-merge.md) 15. [Performance counters for shard map manager](elastic-database-client-library.md)
-16. [FAQ for Elastic Database tools](elastic-scale-faq.md)
+16. [FAQ for Elastic Database tools](elastic-scale-faq.yml)
## Client capabilities
azure-sql Elastic Scale Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/elastic-scale-faq.md
- Title: Elastic Scale FAQ
-description: Frequently Asked Questions about Azure SQL Database Elastic Scale.
-------- Previously updated : 01/25/2019-
-# Elastic database tools frequently asked questions (FAQ)
-
-## If I have a single-tenant per shard and no sharding key, how do I populate the sharding key for the schema info
-
-The schema info object is only used to split merge scenarios. If an application is inherently single-tenant, then it does not require the Split Merge tool and thus there is no need to populate the schema info object.
-
-## IΓÇÖve provisioned a database and I already have a Shard Map Manager, how do I register this new database as a shard
-
-Please see [Adding a shard to an application using the elastic database client library](elastic-scale-add-a-shard.md).
-
-## How much do elastic database tools cost
-
-Using the elastic database client library does not incur any costs. Costs accrue only for the databases in Azure SQL Database that you use for shards and the Shard Map Manager, as well as the web/worker roles you provision for the Split Merge tool.
-
-## Why are my credentials not working when I add a shard from a different server
-
-Do not use credentials in the form of ΓÇ£User ID=username@servernameΓÇ¥, instead simply use ΓÇ£User ID = usernameΓÇ¥. Also, be sure that the ΓÇ£usernameΓÇ¥ login has permissions on the shard.
-
-## Do I need to create a Shard Map Manager and populate shards every time I start my applications
-
-NoΓÇöthe creation of the Shard Map Manager (for example, [ShardMapManagerFactory.CreateSqlShardMapManager](/dotnet/api/microsoft.azure.sqldatabase.elasticscale.shardmanagement.shardmapmanagerfactory.createsqlshardmapmanager)) is a one-time operation. Your application should use the call [ShardMapManagerFactory.TryGetSqlShardMapManager()](/dotnet/api/microsoft.azure.sqldatabase.elasticscale.shardmanagement.shardmapmanagerfactory.trygetsqlshardmapmanager) at application start-up time. There should be only one such call per application domain.
-
-## I have questions about using elastic database tools, how do I get them answered
-
-Please reach out to us on the [Microsoft Q&A question page for SQL Database](/answers/topics/azure-sql-database.html).
-
-## When I get a database connection using a sharding key, I can still query data for other sharding keys on the same shard. Is this by design
-
-The Elastic Scale APIs give you a connection to the correct database for your sharding key, but do not provide sharding key filtering. Add **WHERE** clauses to your query to restrict the scope to the provided sharding key, if necessary.
-
-## Can I use a different SQL Database edition for each shard in my shard set
-
-Yes, a shard is an individual database, and thus one shard could be a Premium edition while another be a Standard edition. Further, the edition of a shard can scale up or down multiple times during the lifetime of the shard.
-
-## Does the Split Merge tool provision (or delete) a database during a split or merge operation
-
-No. For **split** operations, the target database must exist with the appropriate schema and be registered with the Shard Map Manager. For **merge**
-operations, you must delete the shard from the shard map manager and then delete the database.
-
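Review bot: the deleted FAQ contains guidance worth preserving, notably the credentials answer (use `User ID = username` rather than `username@servername`, and make sure the login has permissions on the shard) and the note that the client library does not filter by sharding key, so queries need their own `WHERE` clauses; verify these answers are carried over to the `elastic-scale-faq.yml` that the client-library page now links to, and that a redirect covers the old `.md` URL.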
azure-sql Transact Sql Tsql Differences Sql Server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/transact-sql-tsql-differences-sql-server.md
Last updated 06/17/2021
# T-SQL differences between SQL Server and Azure SQL Database
-When [migrating your database](migrate-to-database-from-sql-server.md) from SQL Server to Azure SQL Database, you may discover that your SQL Server databases require some re-engineering before they can be migrated. This article provides guidance to assist you in both performing this re-engineering and understanding the underlying reasons why the re-engineering is necessary. To detect incompatibilities and migrate databases to Azure SQL Database, use [Data Migration Assistant (DMA)](/sql/dm).
+When [migrating your database](migrate-to-database-from-sql-server.md) from SQL Server to Azure SQL Database, you may discover that your SQL Server databases require some re-engineering before they can be migrated. This article provides guidance to assist you in both performing this re-engineering and understanding the underlying reasons why the re-engineering is necessary. To detect incompatibilities and migrate databases to Azure SQL Database, use [Data Migration Assistant (DMA)](/sql/dma/dma-overview).
## Overview
In addition to T-SQL statements related to the unsupported features described in
- `OPENQUERY`, `OPENDATASOURCE`, and four-part names. - .NET Framework: CLR integration - Semantic search-- Server credentials: Use [database scoped credentials](/sql/t-sql/statements/create-database-scoped-credential-T-SQL) instead.
+- Server credentials: Use [database scoped credentials](/sql/t-sql/statements/create-database-scoped-credential-transact-SQL) instead.
- Server-level permissions: `GRANT`, `REVOKE`, and `DENY` of server level permissions are not supported. Some server-level permissions are replaced by database-level permissions, or granted implicitly by built-in server roles. Some server-level DMVs and catalog views have similar database-level views. - `SET REMOTE_PROC_TRANSACTIONS` - `SHUTDOWN` - `sp_addmessage`-- `sp_configure` and `RECONFIGURE`. [ALTER DATABASE SCOPED CONFIGURATION](/sql/t-sql/statements/alter-database-scoped-configuration-T-SQL) is supported.
+- `sp_configure` and `RECONFIGURE`. [ALTER DATABASE SCOPED CONFIGURATION](/sql/t-sql/statements/alter-database-scoped-configuration-transact-sql) is supported.
- `sp_helpuser` - `sp_migrate_user_to_contained` - SQL Server Agent: Syntax that relies upon the SQL Server Agent or the MSDB database: alerts, operators, central management servers. Use scripting, such as PowerShell, instead.
For more information about T-SQL grammar, usage, and examples, see [T-SQL Refer
### About the "Applies to" tags
-The T-SQL reference includes articles related to all recent SQL Server versions. Below the article title there's an icon bar, listing MSSQL platforms, and indicating applicability. For example, availability groups were introduced in SQL Server 2012. The [CREATE AVAILABILITY GROUP](/sql/t-sql/statements/create-availability-group-T-SQL) article indicates that the statement applies to **SQL Server (starting with 2012)**. The statement doesn't apply to SQL Server 2008, SQL Server 2008 R2, Azure SQL Database, Azure Azure Synapse Analytics, or Parallel Data Warehouse.
+The T-SQL reference includes articles related to all recent SQL Server versions. Below the article title there's an icon bar, listing MSSQL platforms, and indicating applicability. For example, availability groups were introduced in SQL Server 2012. The [CREATE AVAILABILITY GROUP](/sql/t-sql/statements/create-availability-group-transact-sql) article indicates that the statement applies to **SQL Server (starting with 2012)**. The statement doesn't apply to SQL Server 2008, SQL Server 2008 R2, Azure SQL Database, Azure Azure Synapse Analytics, or Parallel Data Warehouse.
In some cases, the general subject of an article can be used in a product, but there are minor differences between products. The differences are indicated at midpoints in the article as appropriate. For example, the `CREATE TRIGGER` article is available in SQL Database. But the `ALL SERVER` option for server-level triggers, indicates that server-level triggers can't be used in SQL Database. Use database-level triggers instead.
For a list of the features that are supported and unsupported by SQL Database, see [Azure SQL Database feature comparison](features-comparison.md).
-To detect compatibility issues in your SQL Server databases before migrating to Azure SQL Database, and to migrate your databases, use [Data Migration Assistant (DMA)](/sql/dm).
+To detect compatibility issues in your SQL Server databases before migrating to Azure SQL Database, and to migrate your databases, use [Data Migration Assistant (DMA)](/sql/dma/dma-overview).
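Review bot: the corrected link slugs are inconsistently cased: `create-database-scoped-credential-transact-SQL` versus `alter-database-scoped-configuration-transact-sql` and `create-availability-group-transact-sql`; use lowercase throughout. While touching the "Applies to" paragraph, also fix the doubled "Azure Azure Synapse Analytics", which survives on both the removed and the added line.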
azure-video-analyzer Deploy On Stack Edge https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-docs/deploy-on-stack-edge.md
+
+ Title: Deploy Azure Video Analyzer on Azure Stack Edge
+description: This article lists the steps that will help you deploy Azure Video Analyzer on your Azure Stack Edge.
+ Last updated : 01/06/2021++
+# Deploy Azure Video Analyzer on Azure Stack Edge
+
+This article lists the steps that will help you deploy Video Analyzer on your Azure Stack Edge. After the device has been set up and activated, it is then ready for Video Analyzer deployment.
+
+For Video Analyzer, we will deploy via IoT Hub, but the Azure Stack Edge resources expose a Kubernetes API, which allows the customer to deploy additional non-IoT Hub aware solutions that can interface with Video Analyzer.
+
+> [!TIP]
+> Using the Kubernetes(K8s) API for custom deployment is an advanced case. It is recommended that the customer create edge modules and deploy via IoT Hub to each Azure Stack Edge resource instead of using the Kubernetes API. In this article, we will show you the steps of deploying the Video Analyzer module using IoT Hub.
+
+## Prerequisites
+
+* Video Analyzer account
+
+ This [cloud service](https://docs.microsoft.com/azure/azure-video-analyzer/video-analyzer-docs/overview) is used to register the Video Analyzer edge module, and for playing back recorded video and video analytics
+* Managed identity
+
+ This is the user assigned [managed identity](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview) used to manage access to the above storage account.
+* An [Azure Stack Edge](../../databox-online/azure-stack-edge-gpu-deploy-prep.md) resource
+* [An IoT Hub](../../iot-hub/iot-hub-create-through-portal.md)
+* Storage account
+
+ It is recommended that you use General-purpose v2 (GPv2) Storage accounts.
+ Learn more about a [general-purpose v2 storage account](../../storage/common/storage-account-upgrade.md?tabs=azure-portal).
+* [Visual Studio Code](https://code.visualstudio.com/) on your development machine. Make sure you have the [Azure IoT Tools extension](https://marketplace.visualstudio.com/items?itemName=vsciot-vscode.azure-iot-tools).
+* Make sure the network that your development machine is connected to permits Advanced Message Queueing Protocol over port 5671. This setup enables Azure IoT Tools to communicate with Azure IoT Hub.
+
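Review bot: the managed identity bullet refers to "the above storage account", but the storage account bullet comes two items later; either move the storage account above the identity or say "the storage account listed below". Two links in this list use absolute `https://docs.microsoft.com/...` URLs while the rest use relative paths; make them consistent. Also "Queueing" in "Advanced Message Queueing Protocol" should be "Queuing", and "Kubernetes(K8s)" in the tip above needs a space.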
+## Configuring Azure Stack Edge for using Video Analyzer
+
+Azure Stack Edge is a Hardware-as-a-Service solution and an AI-enabled edge computing device with network data transfer capabilities. Read more about [Azure Stack Edge and detailed setup instructions](../../databox-online/azure-stack-edge-gpu-deploy-prep.md). To get started, follow the instructions in the links below:
+
+* [Azure Stack Edge / Data Box Gateway Resource Creation](../../databox-online/azure-stack-edge-gpu-deploy-prep.md?tabs=azure-portal#create-a-new-resource)
+* [Install and Setup](../../databox-online/azure-stack-edge-gpu-deploy-install.md)
+* Connection and Activation
+
+ 1. [Connect](../../databox-online/azure-stack-edge-gpu-deploy-connect.md)
+ 2. [Configure network](../../databox-online/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md)
+ 3. [Configure device](../../databox-online/azure-stack-edge-gpu-deploy-set-up-device-update-time.md)
+ 4. [Configure certificates](../../databox-online/azure-stack-edge-gpu-deploy-configure-certificates.md)
+ 5. [Activate](../../databox-online/azure-stack-edge-gpu-deploy-activate.md)
+* [Attach an IoT Hub to Azure Stack Edge](../../databox-online/azure-stack-edge-gpu-deploy-configure-compute.md#configure-compute)
+### Enable Compute Prerequisites on the Azure Stack Edge Local UI
+
+Before you continue, make sure that:
+
+* You've activated your Azure Stack Edge resource.
+* You have access to a Windows client system running PowerShell 5.0 or later to access the Azure Stack Edge resource.
+* To deploy a Kubernetes cluster, you need to configure your Azure Stack Edge resource via its [local web UI](../../databox-online/azure-stack-edge-deploy-connect-setup-activate.md#connect-to-the-local-web-ui-setup).
+
+ * Connect and configure:
+
+ 1. [Connect](../../databox-online/azure-stack-edge-gpu-deploy-connect.md)
+ 2. [Configure network](../../databox-online/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md)
+ 3. [Configure device](../../databox-online/azure-stack-edge-gpu-deploy-set-up-device-update-time.md)
+ 4. [Configure certificates](../../databox-online/azure-stack-edge-gpu-deploy-configure-certificates.md)
+ 5. [Activate](../../databox-online/azure-stack-edge-gpu-deploy-activate.md)
+ * To enable the compute, in the local web UI of your device, go to the Compute page.
+
+ * Select a network interface that you want to enable for compute. Select Enable. Enabling compute results in the creation of a virtual switch on your device on that network interface.
+ * Leave the Kubernetes test node IPs and the Kubernetes external services IPs blank.
+ * Select Apply - This operation should take about 2 minutes.
+
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="../../databox-online/media/azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy/compute-network-2.png" alt-text=" Compute Prerequisites on the Azure Stack Edge Local UI":::
+
+ * If DNS is not configured for the Kubernetes API and Azure Stack Edge resource, you can update your Window's host file.
+
+ * Open a text editor as Administrator
+ * Open file 'to C:\Windows\System32\drivers\etc\hosts'
+ * Add the Kubernetes API device name's IPv4 and hostname to the file. (This info can be found in the Azure Stack Edge Portal under the Devices section.)
+ * Save and close
+
+### Deploy Video Analyzer Edge modules using Azure portal
+
+The Azure portal guides you through creating a deployment manifest and pushing the deployment to an IoT Edge device.
+#### Select your device and set modules
+
+1. Sign in to the [Azure portal](https://ms.portal.azure.com/) and navigate to your IoT hub.
+1. Select **IoT Edge** from the menu.
+1. Click on the ID of the target device from the list of devices.
+1. Select **Set Modules**.
+
+#### Configure a deployment manifest
+
+A deployment manifest is a JSON document that describes which modules to deploy, how data flows between the modules, and desired properties of the module twins. The Azure portal has a wizard that walks you through creating a deployment manifest. It has three steps organized into tabs: **Modules**, **Routes**, and **Review + Create**.
+
+#### Add modules
+
+1. In the **IoT Edge Modules** section of the page, click the **Add** dropdown and select **IoT Edge Module** to display the **Add IoT Edge Module** page.
+1. On the **Module Settings** tab, provide a name for the module and then specify the container image URI:
+ Examples:
+
+ * **IoT Edge Module Name**: avaedge
+ * **Image URI**: mcr.microsoft.com/media/video-analyzer:1
+
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="./media/deploy-on-stack-edge/add-module.png" alt-text="Screenshot shows the Module Settings tab":::
+
+ > [!TIP]
+ > Don't select **Add** until you've specified values on the **Module Settings**, **Container Create Options**, and **Module Twin Settings** tabs as described in this procedure.
+
+ > [!WARNING]
+ > Azure IoT Edge is case-sensitive when you make calls to modules. Make note of the exact string you use as the module name.
+
+1. Open the **Environment Variables** tab.
+
+ Add the following values in the input boxes that you see
+
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="./media/deploy-on-stack-edge/environment-variables.png" alt-text="Environment Variables":::
+
+1. Open the **Container Create Options** tab.
+
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="./media/deploy-on-stack-edge/container-create-options.png" alt-text="Container create options":::
+
+ Copy and paste the following JSON into the box, to limit the size of the log files produced by the module.
+
+ ```
+ {
+ "HostConfig": {
+ "LogConfig": {
+ "Type": "",
+ "Config": {
+ "max-size": "10m",
+ "max-file": "10"
+ }
+ },
+ "Binds": [
+ "/var/lib/videoanalyzer/:/var/lib/videoanalyzer",
+ "/var/media:/var/media"
+ ],
+ "IpcMode": "host",
+ "ShmSize": 1536870912
+ }
+ }
+ ````
+
+ The "Binds" section in the JSON has 2 entries:
+ 1. "/var/lib/videoanalyzer:/var/lib/videoanalyzer": This is used to bind the persistent application configuration data from the container and store it on the edge device.
+ 1. "/var/media:/var/media": This binds the media folders between the edge device and the container. This is used to store the video recordings when you run a pipelineTopology that supports storing of video clips on the edge device.
+
+1. On the **Module Twin Settings** tab, copy the following JSON and paste it into the box.
+
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="./media/deploy-on-stack-edge/twin-settings.png" alt-text="Twin settings":::
+
+ Azure Video Analyzer requires a set of mandatory twin properties in order to run, as listed in [Module Twin configuration schema](module-twin-configuration-schema.md).
+
+ The JSON that you need to enter into Module Twin Settings edit box will look like this:
+ ```
+ {
+ "applicationDataDirectory": "/var/lib/videoanalyzer",
+ "ProvisioningToken": "{provisioning-token}",
+ }
+ ```
+ Below are some additional **recommended** properties that can be added to the JSON and will help in monitoring the module. For more information, see [monitoring and logging](monitor-log-edge.md):
+
+ ```
+ "diagnosticsEventsOutputName": "diagnostics",
+ "OperationalEventsOutputName": "operational",
+ "logLevel": "Information",
+ "logCategories": "Application,Events",
+ "allowUnsecuredEndpoints": true,
+ "telemetryOptOut": false
+ ```
+1. Select **Next: Routes** to continue to the routes section. Specify routes.
+
+ Under NAME, enter **AVAToHub**, and under VALUE, enter **FROM /messages/modules/avaedge/outputs/ INTO $upstream**
+1. Select Next: **Review + create** to continue to the review section.
+1. Review your deployment information, then select **Create** to deploy the module.
+
+ > [!TIP]
+ > Follow these steps to generate the provisioning token:
+1. Open Azure portal and go to the Video Analyzer
+1. In the left navigation pane, click on **Edge modules**.
+1. Select the edge module and click on the **Generate token** button:
+
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="./media/deploy-on-stack-edge/generate-provisioning-token.png" alt-text="Generate token" lightbox="./media/deploy-on-stack-edge/generate-provisioning-token.png":::
+1. Copy the provisioning token:
+
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="./media/deploy-on-stack-edge/copy-provisioning-token.png" alt-text="Copy token":::
+
+#### (Optional) Setup Docker Volume Mounts
+
+If you want to view the data in the working directories, follow these steps to setup Docker Volume Mounts before deploying.
+
+These steps cover creating a Gateway user and setting up file shares to view the contents of the Video Analyzer working directory and Video Analyzer media folder.
+
+> [!NOTE]
+> Bind Mounts are supported, but Volume Mounts allow the data to be viewable and if desired remotely copied. It is possible to use both Bind and Volume mounts, but they cannot point to the same container path.
+
+1. Open Azure portal and go to the Azure Stack Edge resource.
+1. Create a **Gateway User** that can access shares.
+
+ 1. In the left navigation pane, click on **Cloud storage gateway**.
+ 1. Click on **Users** in the left navigation pane.
+ 1. Click ion **+ Add User** to the set the username and password. (Recommended: `avauser`).
+ 1. Click on **Add**.
+
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="./media/deploy-on-stack-edge/add-user.png" alt-text="Add user":::
+1. Create a **Local Share** for Video Analyzer persistence.
+
+ 1. Click on **Cloud storage gateway->Shares**.
+ 1. Click on **+ Add Shares**.
+ 1. Set a share name. (Recommended: `ava`).
+ 1. Keep the share type as SMB.
+ 1. Ensure **Use the share with Edge compute** is checked.
+ 1. Ensure **Configure as Edge local share** is checked.
+ 1. In User Details, give access to the share to the recently created user.
+ 1. Click on **Create**.
+
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="./media/deploy-on-stack-edge/local-share.png" alt-text="Local share":::
+
+ > [!TIP]
+ > Using your Windows client connected to your Azure Stack Edge, connect to the SMB shares following the steps [mentioned in this document](../../databox-online/azure-stack-edge-deploy-add-shares.md#connect-to-an-smb-share).
+1. Create a Remote Share for file sync storage.
+
+ 1. First create a blob storage account in the same region by clicking on **Cloud storage gateway->Storage accounts**.
+ 1. Click on **Cloud storage gateway->Shares**.
+ 1. Click on **+ Add Shares**.
+ 1. Set a share name. (Recommended: media).
+ 1. Keep the share type as SMB.
+ 1. Ensure **Use the share with Edge compute** is checked.
+ 1. Ensure **Configure as Edge local share** is not checked.
+ 1. Select the recently created storage account.
+ 1. Set the storage type to Block Blob.
+ 1. Set a container name.
+ 1. In User Details, give access to the share to the recently created user.
+ 1. Click on **Create**.
+
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="./media/deploy-on-stack-edge/remote-share.png" alt-text="Remote share":::
+1. Update the RTSP Simulator module's Container Create Options to use Volume Mounts:
+ 1. Click on the **Set modules** button:
+
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="./media/deploy-on-stack-edge/set-modules.png" alt-text="Set modules" lightbox="./media/deploy-on-stack-edge/set-modules.png":::
+ 1. Click on the **rtspsim** module:
+
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="./media/deploy-on-stack-edge/select-module.png" alt-text="Select module":::
+ 1. Select the **Container Create Options** tab and add the Mounts as shown below:
+
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="./media/deploy-on-stack-edge/update-module.png" alt-text="Update module":::
+
+ ```json
+ "createOptions":
+ {
+ "HostConfig":
+ {
+ "Mounts":
+ [
+ {
+ "Target": "/var/media",
+ "Source": "media",
+ "Type": "volume"
+ }
+ ],
+ "PortBindings": {
+ "554/tcp": [
+ {
+ "HostPort": "554"
+ }
+ ]
+ }
+ }
+ }
+ ```
+ 1. Click on the **Update** button
+ 1. Click on the **Review and create** button and finally on the **Create** button to update the module.
+
+### Verify that the module is running
+
+The final step is to ensure that the module is connected and running as expected. The run-time status of the module should be running for your IoT Edge device in the IoT Hub resource.
+
+To verify that the module is running, do the following:
+
+1. In the Azure portal, return to the Azure Stack Edge resource
+1. Select the Modules tile. This takes you to the Modules blade. In the list of modules, identify the module you deployed. The runtime status of the module you added should be running.
+
+ > [!div class="mx-imgBorder"]
+ > :::image type="content" source="./media/deploy-on-stack-edge/running-module.png" alt-text="Custom module" lightbox="./media/deploy-on-stack-edge/running-module.png":::
+
+### Configure the Azure IoT Tools extension
+
+Follow these instructions to connect to your IoT hub by using the Azure IoT Tools extension.
+
+1. In Visual Studio Code, select View > Explorer. Or select Ctrl+Shift+E.
+1. In the lower-left corner of the Explorer tab, select Azure IoT Hub.
+1. Select the More Options icon to see the context menu. Then select Set IoT Hub Connection String.
+1. When an input box appears, enter your IoT Hub connection string.
+
+ * To get the connection string, go to your IoT Hub in Azure portal and click on Shared access policies in the left navigation pane.
+ * Click on iothubowner get the shared access keys.
+ * Copy the Connection String ΓÇô primary key and paste it in the input box on the VSCode.
+
+ The connection string will look like:<br/>`HostName=xxx.azure-devices.net;SharedAccessKeyName=iothubowner;SharedAccessKey=xxx`
+
+ If the connection succeeds, the list of edge devices appears. You should see your Azure Stack Edge. You can now manage your IoT Edge devices and interact with Azure IoT Hub through the context menu. To view the modules deployed on the edge device, under the Azure Stack device, expand the Modules node.
+
+## Troubleshooting
+
+* **Kubernetes API Access (kubectl)**
+
+ * Follow the documentation to configure your machine for [access to the Kubernetes cluster](../../databox-online/azure-stack-edge-gpu-create-kubernetes-cluster.md).
+ * All deployed IoT Edge modules use the `iotedge` namespace. Make sure to include that when using kubectl.
+* **Module Logs**
+
+ The `iotedge` tool is not accessible to obtain logs. You must use [kubectl logs](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#logs) to view the logs or pipe to a file. Example: <br/> `kubectl logs deployments/mediaedge -n iotedge --all-containers`
+* **Pod and Node Metrics**
+
+ Use [kubectl top](https://kubernetes.io/docs/reference/generated/kubectl/kubectl-commands#top) to see pod and node metrics.
+ <br/>`kubectl top pods -n iotedge`
+* **Module Networking**
+
+ For Module discovery on Azure Stack Edge it is required that the module have the host port binding in createOptions. The module will then be addressable over `moduleName:hostport`.
+
+ ```json
+ "createOptions": {
+ "HostConfig": {
+ "PortBindings": {
+ "8554/tcp": [ { "HostPort": "8554" } ]
+ }
+ }
+ }
+ ```
+
+* **Volume Mounting**
+
+ A module will fail to start if the container is trying to mount a volume to an existing and non-empty directory.
+* **Shared Memory when using gRPC**
+
+ Shared memory on Azure Stack Edge resources is supported across pods in any namespace by using Host IPC.
+ Configuring shared memory on an edge module for deployment via IoT Hub.
+
+ ```
+ ...
+ "createOptions": {
+ "HostConfig": {
+ "IpcMode": "host"
+ }
+ ...
+
+ //(Advanced) Configuring shared memory on a K8s Pod or Deployment manifest for deployment via K8s API
+ spec:
+ ...
+ template:
+ spec:
+ hostIPC: true
+ ...
+ ```
+* **(Advanced) Pod Co-location**
+
+ When using K8s to deploy custom inference solutions that communicate with Video Analyzer via gRPC, you need to ensure the pods are deployed on the same nodes as Video Analyzer modules.
+
+ * **Option 1** - Use Node Affinity and built in Node labels for co-location.
+
+ Currently NodeSelector custom configuration does not appear to be an option as the users do not have access to set labels on the Nodes. However depending on the customer's topology and naming conventions they might be able to use [built-in node labels](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#built-in-node-labels). A nodeAffinity section referencing Azure Stack Edge resources with Video Analyzer can be added to the inference pod manifest to achieve co-location.
+ * **Option 2** - Use Pod Affinity for co-location (recommended).
+
+ Kubernetes has support for [Pod Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity) which can schedule pods on the same node. A podAffinity section referencing the Video Analyzer module can be added to the inference pod manifest to achieve co-location.
+
+ ```json
+ // Example Video Analyzer module deployment match labels
+ selector:
+ matchLabels:
+ net.azure-devices.edge.deviceid: dev-ase-1-edge
+ net.azure-devices.edge.module: mediaedge
+
+ // Example Inference deployment manifest pod affinity
+ spec:
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions:
+ - key: net.azure-devices.edge.module
+ operator: In
+ values:
+ - mediaedge
+ topologyKey: "kubernetes.io/hostname"
+ ```
+* **404 error code when using `rtspsim` module**
+
+ The container will read videos from exactly one folder within the container. If you map/bind an external folder into the one, which already exists within the container image, docker will hide the files present in the container image.
+
+ For example, with no bindings the container may have these files:
+ ```
+ root@rtspsim# ls /live/mediaServer/media
+ /live/mediaServer/media/camera-300s.mkv
+ /live/mediaServer/media/win10.mkv
+ ```
+
+ And your host may have these files:
+ ```
+ C:\MyTestVideos> dir
+ Test1.mkv
+ Test2.mkv
+ ```
+
+ But when the following binding is added in the deployment manifest file, docker will overwrite the contents of /live/mediaServer/media to match what is on the host.
+ `C:\MyTestVideos:/live/mediaServer/media`
+
+ ```
+ root@rtspsim# ls /live/mediaServer/media
+ /live/mediaServer/media/Test1.mkv
+ /live/mediaServer/media/Test2.mkv
+ ```
+
+## Next steps
+
+[Detect motion and emit events](detect-motion-emit-events-quickstart.md)
+
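Review bot: in the Pod Co-location example (Option 2) the manifest uses `podAntiAffinity` with `requiredDuringSchedulingIgnoredDuringExecution` and `topologyKey: "kubernetes.io/hostname"`, which keeps the inference pod *off* every node that runs a pod labelled `net.azure-devices.edge.module: mediaedge`; the surrounding text and the option title describe co-location, so this must be `podAffinity`. That example and the `kubectl logs deployments/mediaedge -n iotedge --all-containers` line call the module `mediaedge`, while the deployment steps name it `avaedge` and the route reads `FROM /messages/modules/avaedge/outputs/ INTO $upstream`; the warning in the same section says module names are case-sensitive and must match exactly, so use one name throughout, and confirm the route source, which ends in a bare slash where the output selector (for example `*`) belongs. Two security-relevant settings are presented without explanation: `"allowUnsecuredEndpoints": true` appears in the list of "recommended properties ... that will help in monitoring the module", but by its name it relaxes the requirement that endpoints the module talks to be secured (no TLS), so say what it enables and recommend `false` unless a pipeline needs it; and `"IpcMode": "host"` / `hostIPC: true` in the shared-memory section share the host IPC namespace with the container, which should be stated as required only for gRPC shared-memory transfer. The VS Code steps also instruct readers to copy the `iothubowner` connection string; a policy with only the permissions the extension needs is the least-privilege choice, or at least note that this key grants full hub access. Smaller fixes: the Module Twin Settings JSON has a trailing comma after `"ProvisioningToken": "{provisioning-token}",`, which is invalid JSON; the Container Create Options block opens with three backticks and closes with four, so the fence never closes; `"Type": ""` in `LogConfig` leaves the log driver unspecified while `max-size` and `max-file` are `json-file` driver options, so either set the type or say the daemon default is intended; the text says the bind is `/var/lib/videoanalyzer:/var/lib/videoanalyzer` but the JSON has a trailing slash on the source; the "Follow these steps to generate the provisioning token" TIP is followed by steps that continue the main procedure's numbering instead of forming their own list; the `json`-tagged fence in the Pod Co-location section and the untagged shared-memory fence hold YAML with `//` comments, which is neither valid JSON nor valid YAML (use `#` and tag as yaml); "Open file 'to C:\Windows\System32\drivers\etc\hosts'", "Window's host file" and "Click ion" are typos; and "Connection String ΓÇô primary key" carries a mis-encoded en dash.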
azure-video-analyzer Considerations When Use At Scale https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-video-analyzer/video-analyzer-for-media-docs/considerations-when-use-at-scale.md
When you upload videos using URL, you just need to provide a path to the locatio
> [!TIP] > Use the `videoUrl` optional parameter of the upload video API.
-To see an example of how to upload videos using URL, check out [this example](upload-index-videos.md#code-sample). Or, you can use [AzCopy](../../storage/common/storage-use-azcopy-v10.md) for a fast and reliable way to get your content to a storage account from which you can submit it to Video Analyzer for Media using [SAS URL](../../storage/common/storage-sas-overview.md).
+To see an example of how to upload videos using URL, check out [this example](upload-index-videos.md#code-sample). Or, you can use [AzCopy](../../storage/common/storage-use-azcopy-v10.md) for a fast and reliable way to get your content to a storage account from which you can submit it to Video Analyzer for Media using [SAS URL](../../storage/common/storage-sas-overview.md). Video Analyzer for Media recommends using *readonly* SAS URLs.
## Increase media reserved units if needed
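Review bot: the added sentence "Video Analyzer for Media recommends using *readonly* SAS URLs" is the right direction but reads as a bare preference; a SAS should also be scoped to the specific blob or container and given the shortest expiry that still lets the upload complete, so consider "use a read-only SAS URL scoped to the blob, with a short expiry" and link that guidance to the SAS overview already cited. Also "upload videos using URL" should read "upload videos using a URL", and "readonly" is two words ("read-only") in prose.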
azure-vmware Configure Nsx Network Components Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/configure-nsx-network-components-azure-portal.md
Title: Configure NSX network components using Azure VMware Solution description: Learn how to use the Azure VMware Solution to configure NSX-T network segments. Previously updated : 06/17/2021 Last updated : 06/28/2021 # Customer intent: As an Azure service administrator, I want to configure NSX network components using a simplified view of NSX-T operations a VMware administrator needs daily. The simplified view is targeted at users unfamiliar with NSX-T Manager.
You can create a DHCP server or relay directly from Azure VMware Solution in the
## Configure port mirroring in the Azure portal
-You can configure port mirroring to monitor network traffic that involves forwarding a copy of each packet from one network switch port to another. This option places a protocol analyzer on the port that receives the mirrored data. It analyzes traffic from a source, a VM, or a group of VMs, and then sent to a defined destination.
+In this step, you'll configure port mirroring to monitor network traffic that involves forwarding a copy of each packet from one network switch port to another. This option places a protocol analyzer on the port that receives the mirrored data. It analyzes traffic from a source, a VM, or a group of VMs, and then sent to a defined destination.
To set up port mirroring in the Azure VMware Solution console, you'll:
-* [Step 1. Create the source and destination VMs or VM groups](#step-1-create-source-and-destination-vms-or-vm-groups) ΓÇô The source group has a single VM or multiple VMs where the traffic is mirrored.
+* Create the source and destination VMs or VM groups ΓÇô The source group has a single VM or multiple VMs where the traffic is mirrored.
-* [Step 2. Create a port mirroring profile](#step-2-create-a-port-mirroring-profile) ΓÇô You'll define the traffic direction for the source and destination VM groups.
+* Create a port mirroring profile ΓÇô You'll define the traffic direction for the source and destination VM groups.
-### Step 1. Create source and destination VMs or VM groups
-
-In this step, you'll create a source VM group and a destination VM group.
1. In your Azure VMware Solution private cloud, under **Workload Networking**, select **Port mirroring** > **VM groups** > **Add**. :::image type="content" source="media/configure-nsx-network-components-azure-portal/add-port-mirroring-vm-groups.png" alt-text="Screenshot showing how to create a VM group for port mirroring.":::
-1. Provide a name for the new VM group, select the desired VMs from the list, and then **Ok**.
-
- :::image type="content" source="media/configure-nsx-network-components-azure-portal/add-vm-group.png" alt-text="Screenshot showing the list of VMs to add to the VM group.":::
+1. Provide a name for the new VM group, select the desired VMs from the list, and then **OK**.
1. Repeat these steps to create the destination VM group.
-### Step 2. Create a port mirroring profile
-
-In this step, you'll define a profile for the source and destination VM groups' traffic direction.
-
->[!NOTE]
->Make sure you have both the source and destination VM groups created.
+ >[!NOTE]
+ >Before creating a port mirroring profile, make sure you have both the source and destination VM groups created.
1. Select **Port mirroring** > **Add** and then provide:
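Review bot: the new intro line keeps the grammatical error from the old one, "It analyzes traffic from a source, a VM, or a group of VMs, and then sent to a defined destination"; rewrite as "and then sends it to a defined destination". The two new bullets contain a mis-encoded en dash ("ΓÇô"); use a plain hyphen or a proper dash. Removing the Step 1 / Step 2 headings also removes the `add-vm-group.png` screenshot of the VM list with no replacement; confirm that is intended, since the remaining steps still say "select the desired VMs from the list".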
In this step, you'll define a profile for the source and destination VM groups'
## Configure a DNS forwarder in the Azure portal
-You'll configure a DNS forwarder where specific DNS requests get forwarded to a designated DNS server for resolution. A DNS forwarder is associate with a **default DNS zone** and up to three **FQDN zones**.
-
->[!TIP]
->You can also use the [NSX-T Manager console to configure a DNS forwarder](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.5/administration/GUID-A0172881-BB25-4992-A499-14F9BE3BE7F2.html).
+In this step, you'll configure a DNS forwarder where specific DNS requests get forwarded to a designated DNS server for resolution. A DNS forwarder is associate with a **default DNS zone** and up to three **FQDN zones**.
-To set up a DNS forwarder in the Azure VMware Solution console, you'll:
+When a DNS query is received, a DNS forwarder compares the domain name with the domain names in the FQDN DNS zone. The query gets forwarded to the DNS servers specified in the FQDN DNS zone if a match is found. Otherwise, the query gets forwarded to the DNS servers specified in the default DNS zone.
-* [Step 1. Configure a default DNS zone and FQDN zone](#step-1-configure-a-default-dns-zone-and-fqdn-zone) ΓÇô When a DNS query is received, a DNS forwarder compares the domain name with the domain names in the FQDN DNS zone.
-
-* [Step 2. Configure DNS service](#step-2-configure-dns-service) - You'll configure the DNS forwarder service.
-
-### Step 1. Configure a default DNS zone and FQDN zone
+>[!NOTE]
+>To send DNS queries to the upstream server, a default DNS zone must be defined before configuring an FQDN zone.
-You'll configure a default DNS zone and FQDN zone to send DNS queries to the upstream server. When a DNS query is received, the DNS forwarder compares the domain name in the query with the FQDN DNS zones' domain names. If a match is found, the query is forwarded to the DNS servers specified in the FQDN DNS zone. If no match is found, the query is forwarded to the DNS servers specified in the default DNS zone.
+>[!TIP]
+>You can also use the [NSX-T Manager console to configure a DNS forwarder](https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.5/administration/GUID-A0172881-BB25-4992-A499-14F9BE3BE7F2.html).
->[!NOTE]
->A default DNS zone must be defined before you configure an FQDN zone.
1. In your Azure VMware Solution private cloud, under **Workload Networking**, select **DNS** > **DNS zones** > **Add**.
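Review bot: the new intro line carries over "A DNS forwarder is associate with a **default DNS zone**"; it should read "is associated with". The rewritten paragraph and the NOTE now both say that the default zone must exist before an FQDN zone, so the note could be shortened to the ordering requirement alone, and "configure a DNS forwarder where specific DNS requests get forwarded" would read better as "configure a DNS forwarder so that specific DNS requests are forwarded".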
You'll configure a default DNS zone and FQDN zone to send DNS queries to the ups
1. Select **OK** to finish adding the default DNS zone and DNS service.
-### Step 2. Configure DNS service
+1. Select the **DNS service** tab, select **Add**. Provide the details and select **OK**.
-Select the **DNS service** tab, select **Add**. Provide the details and select **OK**.
+ :::image type="content" source="media/configure-nsx-network-components-azure-portal/nsxt-workload-networking-configure-dns-service.png" alt-text="Screenshot showing the information required for the DNS service.":::
-
->[!TIP]
->**Tier-1 Gateway** is selected by default and reflects the gateway created when deploying Azure VMware Solution.
+ >[!TIP]
+ >**Tier-1 Gateway** is selected by default and reflects the gateway created when deploying Azure VMware Solution.
-The DNS service was added successfully.
+ The DNS service was added successfully.
+ :::image type="content" source="media/configure-nsx-network-components-azure-portal/nsxt-workload-networking-configure-dns-service-success.png" alt-text="Screenshot showing the DNS service added successfully.":::
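Review bot: the new step "Select the **DNS service** tab, select **Add**. Provide the details and select **OK**." now follows the unchanged step "Select **OK** to finish adding the default DNS zone and DNS service", so the procedure claims the DNS service is finished one step before it is added; reword the earlier step to cover only the DNS zone, or move the service step ahead of it. The new step also has a comma splice ("Select the tab, select Add"); "then select **Add**" fixes it.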
azure-vmware Configure Nsx Network Components Azure Portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/best-practices-availability-paired-regions.md
Previously updated : 03/30/2021 Last updated : 06/21/2021
No. Customers can leverage Azure services to architect a resilient service witho
| North America |East US 2 |Central US | | North America |North Central US |South Central US | | North America |West US 2 |West Central US |
+| North America |West US 3 |East US |
| Norway | Norway East | Norway West* | | South Africa | South Africa North |South Africa West* | | Switzerland | Switzerland North |Switzerland West* |
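Review bot: other rows in this table mark certain pairs with an asterisk (`Norway West*`, `South Africa West*`, `Switzerland West*`); confirm whether the new `West US 3 | East US` pairing needs that marker or a footnote, since the text explaining the asterisk is not in this hunk.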
cloud-services-extended-support Swap Cloud Service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/swap-cloud-service.md
After you swap the deployments, you can stage and test your new release by using
> [!NOTE] > You can't swap between an Azure Cloud Services (classic) deployment and an Azure Cloud Services (extended support) deployment.
-You must make a cloud service swappable with another cloud service when you deploy the second of a pair of cloud services.
+You must make a cloud service swappable with another cloud service when you deploy the second of a pair of cloud services for the first time. Once the second pair of cloud service is deployed, it canot be made swappable with an existing cloud service in subsquent updates.
You can swap the deployments by using an Azure Resource Manager template (ARM template), the Azure portal, or the REST API.
-> [!Note]
-> Upon deployment of the second cloud service, both the cloud services have their SwappableCloudService property set to point to each other. Any subsequent update to these cloud services will need to specify this property failing which an error will be returned indicating that the SwappableCloudService property cannot be deleted or updated.
->
-> Once set, the SwappableCloudService property is treated as readonly. It cannot be deleted or changed to another value. Deleting one of the cloud services (of the swappable pair) will result in the SwappableCloudService property of the remaining cloud service being cleared.
+Upon deployment of the second cloud service, both the cloud services have their SwappableCloudService property set to point to each other. Any subsequent update to these cloud services will need to specify this property failing which an error will be returned indicating that the SwappableCloudService property cannot be deleted or updated.
+
+Once set, the SwappableCloudService property is treated as readonly. It cannot be deleted or changed to another value. Deleting one of the cloud services (of the swappable pair) will result in the SwappableCloudService property of the remaining cloud service being cleared.
## ARM template
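Review bot: the new sentence has two typos ("canot", "subsquent") and an unclear subject ("Once the second pair of cloud service is deployed"); suggest "Once the second cloud service of the pair is deployed, it cannot be made swappable with an existing cloud service in subsequent updates." Demoting the NOTE to plain paragraphs is fine, but "failing which an error will be returned" is hard to read; "otherwise an error is returned stating that the SwappableCloudService property cannot be deleted or updated" is clearer.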
cognitive-services Spatial Analysis Container https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Computer-vision/spatial-analysis-container.md
An Azure Virtual Machine with a GPU can also be used to run Spatial Analysis. Th
Open the [Create a Virtual Machine](https://ms.portal.azure.com/#create/Microsoft.VirtualMachine) wizard in the Azure portal.
-Give your VM a name and select the region to be (US) West US 2. Be sure to set `Availability Options` to "No infrastructure redundancy required". Refer to the below figure for the complete configuration and the next step for help locating the correct VM size.
+Give your VM a name and select the region to be (US) West US 2.
+
+> [!IMPORTANT]
+> Be sure to set `Availability Options` to "No infrastructure redundancy required". Refer to the below figure for the complete configuration and the next step for help locating the correct VM size.
:::image type="content" source="media/spatial-analysis/virtual-machine-instance-details.jpg" alt-text="Virtual machine configuration details." lightbox="media/spatial-analysis/virtual-machine-instance-details.jpg":::
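Review bot: the new IMPORTANT callout is the right place for "Be sure to set `Availability Options` to "No infrastructure redundancy required"", but the second sentence about the figure and the next step is ordinary procedure text and dilutes the callout; keep only the Availability Options sentence in the box and leave "Refer to the figure below ..." as a normal paragraph after it.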
cognitive-services Spatial Analysis Operations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Computer-vision/spatial-analysis-operations.md
This is an example of the DETECTOR_NODE_CONFIG parameters for all Spatial Analys
"gpu_index": 0, "do_calibration": true, "enable_recalibration": true,
-"calibration_quality_check_frequency_seconds":86400,
+"calibration_quality_check_frequency_seconds": 86400,
"calibration_quality_check_sample_collect_frequency_seconds": 300,
-"calibration_quality_check_one_round_sample_collect_num":10,
-"calibration_quality_check_queue_max_size":1000
+"calibration_quality_check_one_round_sample_collect_num": 10,
+"calibration_quality_check_queue_max_size": 1000,
+"calibration_event_frequency_seconds": -1
} ```
This is an example of the DETECTOR_NODE_CONFIG parameters for all Spatial Analys
| `calibration_quality_check_sample_collect_frequency_seconds` | int | Minimum number of seconds between collecting new data samples for recalibration and quality checking. Default is `300` (5 minutes). Only used when `enable_recalibration=True`.| | `calibration_quality_check_one_round_sample_collect_num` | int | Minimum number of new data samples to collect per round of sample collection. Default is `10`. Only used when `enable_recalibration=True`.| | `calibration_quality_check_queue_max_size` | int | Maximum number of data samples to store when camera model is calibrated. Default is `1000`. Only used when `enable_recalibration=True`.|
+| `calibration_event_frequency_seconds` | int | Output frequency (seconds) of camera calibration events. A value of `-1` indicates that the camera calibration should not be sent unless the camera calibration info has been changed. Default is `-1`.|
| `enable_breakpad`| bool | Indicates whether you want to enable breakpad, which is used to generate crash dump for debug use. It is `false` by default. If you set it to `true`, you also need to add `"CapAdd": ["SYS_PTRACE"]` in the `HostConfig` part of container `createOptions`. By default, the crash dump is uploaded to the [RealTimePersonTracking](https://appcenter.ms/orgs/Microsoft-Organization/apps/RealTimePersonTracking/crashes/errors?version=&appBuild=&period=last90Days&status=&errorType=all&sortCol=lastError&sortDir=desc) AppCenter app, if you want the crash dumps to be uploaded to your own AppCenter app, you can override the environment variable `RTPT_APPCENTER_APP_SECRET` with your app's app secret. | `enable_orientation` | bool | Indicates whether you want to compute the orientation for the detected people or not. `enable_orientation` is set by default to False. |
+### Camera calibration output
+This is an example of the output from camera calibration if enabled. Ellipses indicate more of the same type of objects in a list.
+```
+{
+ "type": "cameraCalibrationEvent",
+ "sourceInfo": {
+ "id": "camera1",
+ "timestamp": "2021-04-20T21:15:59.100Z",
+ "width": 640,
+ "height": 360,
+ "frameId": 531,
+ "cameraCalibrationInfo": {
+ "status": "Calibrated",
+ "cameraHeight": 13.294151306152344,
+ "focalLength": 372.0000305175781,
+ "tiltupAngle": 0.9581864476203918,
+ "lastCalibratedTime": "2021-04-20T21:15:59.058"
+ }
+ },
+ "zonePlacementInfo": {
+ "optimalZoneRegion": {
+ "type": "POLYGON",
+ "points": [
+ {
+ "x": 0.8403755868544601,
+ "y": 0.5515320334261838
+ },
+ {
+ "x": 0.15805946791862285,
+ "y": 0.5487465181058496
+ },
+ ...
+ ],
+ "name": "optimal_zone_region"
+ },
+ "fairZoneRegion": {
+ "type": "POLYGON",
+ "points": [
+ {
+ "x": 0.7871674491392802,
+ "y": 0.7437325905292479
+ },
+ {
+ "x": 0.22065727699530516,
+ "y": 0.7325905292479109
+ },
+ ...
+ ],
+ "name": "fair_zone_region"
+ },
+ "uniformlySpacedPersonBoundingBoxes": [
+ {
+ "type": "RECTANGLE",
+ "points": [
+ {
+ "x": 0.0297339593114241,
+ "y": 0.0807799442896936
+ },
+ {
+ "x": 0.10015649452269171,
+ "y": 0.2757660167130919
+ }
+ ]
+ },
+ ...
+ ],
+ "personBoundingBoxGroundPoints": [
+ {
+ "x": -22.944068908691406,
+ "y": 31.487680435180664
+ },
+ ...
+ ]
+ }
+}
+```
+
+See [Spatial analysis operation output](#spatial-analysis-operation-output) for details on `source_info`.
+
+| ZonePlacementInfo Field Name | Type| Description|
+||||
+| `optimalZonePolygon` | object| A polygon in the camera image where lines or zones for your operations can be placed for optimal results. <br/> Each value pair represents the x,y for vertices of a polygon. The polygon represents the areas in which people are tracked or counted and polygon points are based on normalized coordinates (0-1), where the top left corner is (0.0, 0.0) and the bottom right corner is (1.0, 1.0).|
+| `fairZonePolygon` | object| A polygon in the camera image where lines or zones for your operations can be placed for good, but possibly not optimal, results. <br/> See `optimalZonePolygon` above for an in-depth explanation of the contents. |
+| `uniformlySpacedPersonBoundingBoxes` | list | A list of bounding boxes of people within the camera image distributed uniformly in real space. Values are based on normalized coordinates (0-1).|
+| `personBoundingBoxGroundPoints` | list | A list of coordinates on the floor plane relative to the camera. Each coordinate corresponds to the bottom right of the bounding box in `uniformlySpacedPersonBoundingBoxes` with the same index. <br/> See the `centerGroundPoint` field under the [JSON format for cognitiveservices.vision.spatialanalysis-persondistance AI Insights](#json-format-for-cognitiveservicesvisionspatialanalysis-persondistance-ai-insights) section for more details on how coordinates on the floor plane are calculated. |
+
+Example of the zone placement info output visualized on a video frame:
+![Zone placement info visualization](./media/spatial-analysis/zone-placement-info-visualization.png)
+
+The zone placement info provides suggestions for your configurations, but the guidelines in [Camera configuration](#camera-configuration) must still be followed for best results.
+ ### Speed Parameter Settings You can configure the speed computation through the tracker node parameter settings. ```
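Review bot: the `ZonePlacementInfo` table does not match the JSON example it describes: the example emits `optimalZoneRegion` and `fairZoneRegion` (each carrying a `name` of `optimal_zone_region` / `fair_zone_region`), while the table documents `optimalZonePolygon` and `fairZonePolygon`; likewise the cross-reference sentence says `source_info` but the example key is `sourceInfo`. Use the names the module actually emits in both places, otherwise anyone parsing this event from the table will look up keys that are not present. The table header separator `||||` also needs `|---|---|---|` to render as a three-column table. One further point on the `enable_breakpad` row that sits in the same table: it tells readers to add `"CapAdd": ["SYS_PTRACE"]` and says crash dumps go by default to a Microsoft-owned AppCenter app; it would be worth stating there that the extra capability and the upload are for debugging only and that operators who do not want dumps leaving their environment must either override `RTPT_APPCENTER_APP_SECRET` or leave breakpad off.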
cognitive-services Export Programmatically https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Custom-Vision-Service/export-programmatically.md
+
+ Title: "Export a model programmatically"
+
+description: Use the Custom Vision client library to export a trained model.
+++++++ Last updated : 06/28/2021+++
+# Export a model programmatically
+
+All of the export options available on the [Custom Vision website](https://www.customvision.ai/) can be done programmatically through the client libraries as well. You may want to do this so you can fully automate the process of retraining and updating the model iteration you use on a local device.
+
+This guide shows you how to export your model to an ONNX file with the Python SDK.
+
+## Create a training client
+
+You need to have a [CustomVisionTrainingClient](https://docs.microsoft.com/python/api/azure-cognitiveservices-vision-customvision/azure.cognitiveservices.vision.customvision.training.customvisiontrainingclient) object to export a model iteration. Create variables for your Custom Vision training resources Azure endpoint and subscription keys, and use them to create the client object.
+
+```python
+ENDPOINT = "PASTE_YOUR_CUSTOM_VISION_TRAINING_ENDPOINT_HERE"
+training_key = "PASTE_YOUR_CUSTOM_VISION_TRAINING_SUBSCRIPTION_KEY_HERE"
+
+credentials = ApiKeyCredentials(in_headers={"Training-key": training_key})
+trainer = CustomVisionTrainingClient(ENDPOINT, credentials)
+```
+
+> [!IMPORTANT]
+> Remember to remove the keys from your code when youre done, and never post them publicly. For production, consider using a secure way of storing and accessing your credentials. For more information, see the Cognitive Services [security](https://docs.microsoft.com/azure/cognitive-services/cognitive-services-security) article.
+
+## Call the export method
+
+Call the **export_iteration** method.
+* Provide the project ID, iteration ID of the model you want to export.
+* The *platform* parameter specifies the platform to export to: allowed values are `CoreML`, `TensorFlow`, `DockerFile`, `ONNX`, `VAIDK`, and `OpenVino`.
+* The *flavor* parameter specifies the format of the exported model: allowed values are `Linux`, `Windows`, `ONNX10`, `ONNX12`, `ARM`, `TensorFlowNormal`, and `TensorFlowLite`.
+* The *raw* parameter gives you the option to retrieve the raw JSON response along with the object model response.
+
+```python
+project_id = "PASTE_YOUR_PROJECT_ID"
+iteration_id = "PASTE_YOUR_ITERATION_ID"
+platform = "ONNX"
+flavor = "ONNX10"
+export = trainer.export_iteration(project_id, iteration_id, platform, flavor, raw=False)
+```
+
+For more information, see the **[export_iteration](https://docs.microsoft.com/python/api/azure-cognitiveservices-vision-customvision/azure.cognitiveservices.vision.customvision.training.operations.customvisiontrainingclientoperationsmixin?view=azure-python#export-iteration-project-id--iteration-id--platform--flavor-none--custom-headers-none--raw-false-operation-config-)** method.
+
+## Download the exported model
+
+Next, you'll call the **get_exports** method to check the status of the export operation. The operation runs asynchronously, so you should poll this method until the operation completes. When it completes, you can retrieve the URI where you can download the model iteration to your device.
+
+```python
+while (export.status == "Exporting"):
+ print ("Waiting 10 seconds...")
+ time.sleep(10)
+ exports = trainer.get_exports(project_id, iteration_id)
+ # Locate the export for this iteration and check its status
+ for e in exports:
+ if e.platform == export.platform and e.flavor == export.flavor:
+ export = e
+ break
+ print("Export status is: ", export.status)
+```
+
+For more information, see the **[get_exports](https://docs.microsoft.com/python/api/azure-cognitiveservices-vision-customvision/azure.cognitiveservices.vision.customvision.training.operations.customvisiontrainingclientoperationsmixin?view=azure-python#get-exports-project-id--iteration-id--custom-headers-none--raw-false-operation-config-)** method.
+
+Then, you can programmatically download the exported model to a location on your device.
+
+```python
+if export.status == "Done":
+ # Success, now we can download it
+ export_file = requests.get(export.download_uri)
+ with open("export.zip", "wb") as file:
+ file.write(export_file.content)
+```
+
+## Next steps
+
+Integrate your exported model into an application by exploring one of the following articles or samples:
+
+* [Use your Tensorflow model with Python](export-model-python.md)
+* [Use your ONNX model with Windows Machine Learning](custom-vision-onnx-windows-ml.md)
+* See the sample for [CoreML model in an iOS application](https://go.microsoft.com/fwlink/?linkid=857726) for real-time image classification with Swift.
+* See the sample for [Tensorflow model in an Android application](https://github.com/Azure-Samples/cognitive-services-android-customvision-sample) for real-time image classification on Android.
+* See the sample for [CoreML model with Xamarin](https://github.com/xamarin/ios-samples/tree/master/ios11/CoreMLAzureModel) for real-time image classification in a Xamarin iOS app.
+
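Review bot: the Python snippets cannot run as shown because nothing they use is imported: `ApiKeyCredentials` (from `msrest.authentication`), `CustomVisionTrainingClient` (from `azure.cognitiveservices.vision.customvision.training`), `time` and `requests` are all referenced without an import, so an import block belongs before the first snippet. In the download step, `export_file = requests.get(export.download_uri)` writes whatever comes back straight into `export.zip` without checking the HTTP status; call `export_file.raise_for_status()` first so an expired or failed `download_uri` does not silently produce a bogus model archive. The polling loop also only handles the `"Exporting"` and `"Done"` states; if `get_exports` reports a failed export the loop exits and the final `if` does nothing, so an `else` branch that surfaces `export.status` would save readers a confusing silent exit. It would help to add that `download_uri` is a time-limited URL that grants access to the model package and should be treated like a credential (not logged or committed). Minor: "youre" in the IMPORTANT box should be "you're".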
cognitive-services Custom Speech Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Speech-Service/custom-speech-overview.md
Custom Speech allows you to evaluate and improve the Microsoft speech-to-text ac
Before you can do anything with Custom Speech, you'll need an Azure account and a Speech service subscription. After you have an account, you can prep your data, train and test your models, inspect recognition quality, evaluate accuracy, and ultimately deploy and use the custom speech-to-text model.
-This diagram highlights the pieces that make up the [Custom Speech area of the Speech Studio](https://aka.ms/customspeech). Use the links below to learn more about each step.
+This diagram highlights the pieces that make up the [Custom Speech area of the Speech Studio](https://aka.ms/speechstudio/customspeech). Use the links below to learn more about each step.
![Diagram that highlights the components that make up the Custom Speech area of the Speech Studio.](./media/custom-speech/custom-speech-overview.png)
communication-services Teams Endpoint https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/communication-services/concepts/teams-endpoint.md
> [!IMPORTANT] > To enable/disable the custom Teams endpoint experience, complete [this form](https://forms.office.com/r/B8p5KqCH19).
-Azure Communication Services can be used to build custom Teams endpoints. With Azure Communication Services SDKs you can customize voice, video, chat, and screen sharing experience for Teams users. Custom Teams endpoints can communicate with the Microsoft Teams client or other custom Teams endpoints.
+Azure Communication Services can be used to build custom Teams endpoints to communicate with the Microsoft Teams client or other custom Teams endpoints. With custom Teams endpoint you can customize voice, video, chat, and screen sharing experience for Teams users.
You can use the Azure Communication Services Identity SDK to exchange AAD user tokens for Teams' access tokens. In the following diagrams, is demonstrated multitenant use case, where Fabrikam is customer of the company Contoso.
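Review bot: "With custom Teams endpoint you can customize" is missing an article and should read "With a custom Teams endpoint". The rewrite also drops the original sentence's mention of the Azure Communication Services SDKs, which was the only statement of how the customization is actually done; consider keeping it, for example "Using the Azure Communication Services SDKs, you can customize the voice, video, chat, and screen sharing experience for Teams users."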
You can also use custom Teams endpoints to optionally integrate chat capabilitie
The following documents may be interesting to you: -- Learn about [Teams interoperability](./teams-interop.md)
+- Learn about [Teams interoperability](./teams-interop.md)
confidential-computing Confidential Containers https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/confidential-computing/confidential-containers.md
Get started with a sample Redis Cache and Python Custom Application [here](https
### Fortanix
-[Fortanix](https://www.fortanix.com/) offers developers a choice of a portal and CLI-based experience to bring their containerized applications and covert them to SGX capable confidential containers without any need to modify or recompile the application. Fortanix provides the flexibility to run and manage the broadest set of applications, including existing applications, new enclave-native applications, and pre-packaged applications. Users can start with [Confidential Computing Manager](https://em.fortanix.com/) UI or [REST APIs](https://www.fortanix.com/api/em/) to create confidential containers by following the [Quick Start](https://support.fortanix.com/hc/en-us/articles/360049658291-Fortanix-Confidential-Container-on-Azure-Kubernetes-Service) guide for Azure Kubernetes Service.
+[Fortanix](https://www.fortanix.com/) offers developers a choice of a portal and CLI-based experience to bring their containerized applications and covert them to SGX capable confidential containers without any need to modify or recompile the application. Fortanix provides the flexibility to run and manage the broadest set of applications, including existing applications, new enclave-native applications, and pre-packaged applications. Users can start with [Confidential Computing Manager](https://em.fortanix.com/) UI or [REST APIs](https://www.fortanix.com/api/em/) to create confidential containers by following the [Quick Start](https://fortanix.com/blog/2020/10/fortanix-confidential-containers-on-microsoft-azure-kubernetes-service-aks/) guide for Azure Kubernetes Service.
![Fortanix Deployment Process](./media/confidential-containers/fortanix-confidential-containers-flow.png)
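Review bot: "covert them to SGX capable confidential containers" is carried over unchanged from the old line and should read "convert them to SGX-capable confidential containers". The only substantive change in this hunk swaps the Quick Start link from a Fortanix support article to a 2020 blog post; a dated blog post is a weaker reference for an installation procedure than versioned documentation, so confirm the support article is really gone rather than moved before pointing the "Quick Start" text at the blog.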
container-instances Container State https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-instances/container-state.md
+
+ Title: Azure Container Instances states
+description: Learn about the states of Azure Container Instances provisioning operations, containers, and container groups.
+++ Last updated : 03/25/2021++
+# Azure Container Instances states
+
+Azure Container Instances displays several independent state values. This article catalogs those values, where they can be found, and what they indicate.
+
+## Where to find state values
+
+In the Azure portal, state is shown in various locations. All state values are accessible via the JSON definition of the resource. This value can be found under Essentials in the Overview blade, shown below.
++
+State is also displayed in other locations in the Azure portal. The following table summarizes where state values can be found:
+
+|Name|JSON path|Azure portal location|
+|-|-|-|
+|Container Group state|`properties.instanceView.state`|Under Essentials in the Overview blade|
+|Current Container state|`properties.containers/initContainers[x].instanceView.currentState.state`|Under the Containers blade's table's **State** column|
+|Previous Container state|`properties.containers/initContainers[x].instanceView.previousState.state`|Via *JSON view* under Essentials in the Overview blade|
+|Provisioning state|`properties.provisioningState`|Via *JSON view* under Essentials in the Overview blade; HTTP response body|
+
+## Container Groups
+
+This value is the state of the deployed container group on the backend.
++
+- **Running**: The container group is running and will continue to try to run until a user action or a stop caused by the restart policy occurs.
+
+- **Stopped**: The container group has been stopped and will not be scheduled to run without user action.
+
+- **Pending**: The container group is waiting to initialize (finish running init containers, mount Azure file volumes if applicable). The container continues to attempt to get to the **Running** state unless a user action (stop/delete) happens.
+
+- **Succeeded**: The container group has run to completion successfully. Only applicable for *Never* and *On Failure* restart policies.
+
+- **Failed**: The container group failed to run to completion. Only applicable with a *Never* restart policy. This state indicates either an infrastructure failure (example: incorrect Azure file share credentials) or user application failure (example: application references an environment variable that does not exist).
+
+The following table shows what states are applicable to a container group based on the designated restart policy:
+
+|Value|Never|On Failure|Always|
+|--|--|--|--|
+|Running|Yes|Yes|Yes|
+|Stopped|Yes|Yes|Yes|
+|Pending|Yes|Yes|Yes|
+|Succeeded|Yes|Yes|No|
+|Failed|Yes|No|No|
+
+## Containers
+
+There are two state values for containers- a current state and a previous state. In the Azure portal, shown below, only current state is displayed. All state values are applicable for any given container regardless of the container group's restart policy.
+
+> [!NOTE]
+> The JSON values of `currentState` and `previousState` contain additional information, such as an exit code or a reason, that is not shown elsewhere in the Azure portal.
++
+- **Running**: The container is running.
+
+- **Waiting**: The container is waiting to run. This state indicates either init containers are still running, or the container is backing off due to a crash loop.
+
+- **Terminated**: The container has terminated, accompanied with an exit code value.
+
+## Provisioning
+
+This value is the state of the last operation performed on a container group. Generally, this operation is a PUT (create), but it can also be a POST (start/restart/stop) or DELETE (delete).
+
+> [!IMPORTANT]
+> Additionally, users should not create dependencies on non-terminal provisioning states. Dependencies on **Succeeded** and **Failed** states are acceptable.
+
+In addition to the JSON view, provisioning state can be also be found in the [response body of the HTTP call](/rest/api/container-instances/containergroups/createorupdate#response).
+
+### Create, start, and restart operations
+
+> [!IMPORTANT]
+> PUT (create) operations are asynchronous. The returned value from the PUT's response body is not the final state. Making subsequent GET calls on the container group's resourceId or the AsyncOperation (returned in the PUT response headers) is the recommended way to monitor the status of the deployment.
+
+These states are applicable to PUT (create) and POST (start/restart) events.
+
+- **Pending**: The container group is waiting for infrastructure setup, such as a node assignment, virtual network provisioning, or anything else needed prior to pulling the user image.
+
+- **Creating**: The infrastructure setup has finished. The container group is now getting brought up and receiving the resources it needs (mounting Azure file volumes, getting ingress IP address, etc.).
+
+- **Succeeded**: The container group has succeeded in getting its containers into the running state and has received all resources it needs.
+
+- **Unhealthy**: The container group is unhealthy. For an unexpected state, such as if a node is down, a job is automatically triggered to repair the container group by moving it.
+
+- **Repairing**: The container group is getting moved in order to repair an unhealthy state.
+
+- **Failed**: The container group failed to reach the **Succeeded** provisioning state. Failure can occur for many reasons (inaccessible network profile, low capacity in the designated region, full consumption of user quota, timeout after 30 minutes, etc.). More information on the failure can be found under `events` in the JSON view.
+ > [!NOTE]
+ > A failed state does not mean that the resource is removed or stops attempting to succeed. The container group state will indicate the current state of the group. If you want to ensure the container group does not run after a **Failed** provisioning state, then you will have to stop or delete it.
+
+### Stop and delete operations
+
+These values are applicable to POST (stop) and DELETE (delete) events.
+
+- **Succeeded**: The operation to stop or delete the container group completed successfully.
+
+- **Failed**: The container group failed to reach the **Succeeded** provisioning state, meaning the stop/delete event did not complete. More information on the failure can be found under `events` in the JSON view.
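Review bot: the IMPORTANT box under "Provisioning" opens with "Additionally, users should not create dependencies on non-terminal provisioning states", but nothing precedes it, so "Additionally" dangles; drop the word. In the **Pending** bullet under "Container Groups", "The container continues to attempt to get to the **Running** state" should be "The container group continues", since that section is about group state. The bare `++` lines following "shown below" in "Where to find state values", "Container Groups" and "Containers" look like image includes that were stripped, so the text now points at screenshots that are not there; either restore the image references or remove the "shown below" wording. The note that a **Failed** provisioning state does not stop the group from retrying is a useful operational caveat and is worth keeping prominent, since automation that treats "Failed" as terminal will otherwise leave the group running.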
container-registry Container Registry Authentication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/container-registry-authentication.md
Title: Registry authentication options description: Authentication options for a private Azure container registry, including signing in with an Azure Active Directory identity, using service principals, and using optional admin credentials. Previously updated : 03/15/2021 Last updated : 06/16/2021+ # Authenticate with an Azure container registry
The following table lists available authentication methods and typical scenarios
| Method | How to authenticate | Scenarios  | Azure role-based access control (Azure RBAC)  | Limitations  | ||-||-|--|
-| [Individual AD identity](#individual-login-with-azure-ad)  | `az acr login` in Azure CLI  | Interactive push/pull by developers, testers  | Yes  | AD token must be renewed every 3 hours  |
-| [AD service principal](#service-principal)  | `docker login`<br/><br/>`az acr login` in Azure CLI<br/><br/> Registry login settings in APIs or tooling<br/><br/> [Kubernetes pull secret](container-registry-auth-kubernetes.md)    | Unattended push from CI/CD pipeline<br/><br/> Unattended pull to Azure or external services  | Yes  | SP password default expiry is 1 year  |
-| [Managed identity for Azure resources](container-registry-authentication-managed-identity.md)  | `docker login`<br/><br/> `az acr login` in Azure CLI | Unattended push from Azure CI/CD pipeline<br/><br/> Unattended pull to Azure services<br/><br/> | Yes  | Use only from select Azure services that [support managed identities for Azure resources](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-managed-identities-for-azure-resources) |
+| [Individual AD identity](#individual-login-with-azure-ad)  | `az acr login` in Azure CLI<br/><br/> `Connect-AzContainerRegistry` in Azure PowerShell  | Interactive push/pull by developers, testers  | Yes  | AD token must be renewed every 3 hours  |
+| [AD service principal](#service-principal)  | `docker login`<br/><br/>`az acr login` in Azure CLI<br/><br/> `Connect-AzContainerRegistry` in Azure PowerShell<br/><br/> Registry login settings in APIs or tooling<br/><br/> [Kubernetes pull secret](container-registry-auth-kubernetes.md)    | Unattended push from CI/CD pipeline<br/><br/> Unattended pull to Azure or external services  | Yes  | SP password default expiry is 1 year  |
+| [Managed identity for Azure resources](container-registry-authentication-managed-identity.md)  | `docker login`<br/><br/> `az acr login` in Azure CLI<br/><br/> `Connect-AzContainerRegistry` in Azure PowerShell | Unattended push from Azure CI/CD pipeline<br/><br/> Unattended pull to Azure services<br/><br/> | Yes  | Use only from select Azure services that [support managed identities for Azure resources](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md#azure-services-that-support-managed-identities-for-azure-resources) |
| [AKS cluster managed identity](../aks/cluster-container-registry-integration.md?toc=/azure/container-registry/toc.json&bc=/azure/container-registry/breadcrumb/toc.json)  | Attach registry when AKS cluster created or updated  | Unattended pull to AKS cluster in the same or a different subscription | No, pull access only  | Only available with AKS cluster  | | [AKS cluster service principal](authenticate-aks-cross-tenant.md)  | Enable when AKS cluster created or updated  | Unattended pull to AKS cluster from registry in another AD tenant  | No, pull access only  | Only available with AKS cluster  | | [Admin user](#admin-account)  | `docker login`  | Interactive push/pull by individual developer or tester<br/><br/>Portal deployment of image from registry to Azure App Service or Azure Container Instances | No, always pull and push access  | Single account per registry, not recommended for multiple users  |
-| [Repository-scoped access token](container-registry-repository-scoped-permissions.md)  | `docker login`<br/><br/>`az acr login` in Azure CLI<br/><br/> [Kubernetes pull secret](container-registry-auth-kubernetes.md)  | Interactive push/pull to repository by individual developer or tester<br/><br/> Unattended pull from repository by individual system or external device  | Yes  | Not currently integrated with AD identity  |
+| [Repository-scoped access token](container-registry-repository-scoped-permissions.md)  | `docker login`<br/><br/>`az acr login` in Azure CLI<br/><br/> `Connect-AzContainerRegistry` in Azure PowerShell<br/><br/> [Kubernetes pull secret](container-registry-auth-kubernetes.md)  | Interactive push/pull to repository by individual developer or tester<br/><br/> Unattended pull from repository by individual system or external device  | Yes  | Not currently integrated with AD identity  |
## Individual login with Azure AD
+### [Azure CLI](#tab/azure-cli)
+ When working with your registry directly, such as pulling images to and pushing images from a development workstation to a registry you created, authenticate by using your individual Azure identity. Sign in to the [Azure CLI](/cli/azure/install-azure-cli) with [az login](/cli/azure/reference-index#az_login), and then run the [az acr login](/cli/azure/acr#az_acr_login) command: ```azurecli
az acr login --name <acrName>
When you log in with `az acr login`, the CLI uses the token created when you executed `az login` to seamlessly authenticate your session with your registry. To complete the authentication flow, the Docker CLI and Docker daemon must be installed and running in your environment. `az acr login` uses the Docker client to set an Azure Active Directory token in the `docker.config` file. Once you've logged in this way, your credentials are cached, and subsequent `docker` commands in your session do not require a username or password. > [!TIP]
-> Also use `az acr login` to authenticate an individual identity when you want to push or pull artifacts other than Docker images to your registry, such as [OCI artifacts](container-registry-oci-artifacts.md).
+> Also use `az acr login` to authenticate an individual identity when you want to push or pull artifacts other than Docker images to your registry, such as [OCI artifacts](container-registry-oci-artifacts.md).
-For registry access, the token used by `az acr login` is valid for **3 hours**, so we recommend that you always log in to the registry before running a `docker` command. If your token expires, you can refresh it by using the `az acr login` command again to reauthenticate.
+For registry access, the token used by `az acr login` is valid for **3 hours**, so we recommend that you always log in to the registry before running a `docker` command. If your token expires, you can refresh it by using the `az acr login` command again to reauthenticate.
Using `az acr login` with Azure identities provides [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md). For some scenarios, you may want to log in to a registry with your own individual identity in Azure AD, or configure other Azure users with specific [Azure roles and permissions](container-registry-roles.md). For cross-service scenarios or to handle the needs of a workgroup or a development workflow where you don't want to manage individual access, you can also log in with a [managed identity for Azure resources](container-registry-authentication-managed-identity.md).
Output displays the access token, abbreviated here:
"accessToken": "eyJhbGciOiJSUzI1NiIs[...]24V7wA", "loginServer": "myregistry.azurecr.io" }
-```
+```
For registry authentication, we recommend that you store the token credential in a safe location and follow recommended practices to manage [docker login](https://docs.docker.com/engine/reference/commandline/login/) credentials. For example, store the token value in an environment variable: ```bash
Then, run `docker login`, passing `00000000-0000-0000-0000-000000000000` as the
docker login myregistry.azurecr.io --username 00000000-0000-0000-0000-000000000000 --password $TOKEN ```
+### [Azure PowerShell](#tab/azure-powershell)
+
+When working with your registry directly, such as pulling images to and pushing images from a development workstation to a registry you created, authenticate by using your individual Azure identity. Sign in to [Azure PowerShell](/powershell/azure/uninstall-az-ps) with [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount), and then run the [Connect-AzContainerRegistry](/powershell/module/az.containerregistry/connect-azcontainerregistry) cmdlet:
+
+```azurepowershell
+Connect-AzAccount
+Connect-AzContainerRegistry -Name <acrName>
+```
+
+When you log in with `Connect-AzContainerRegistry`, PowerShell uses the token created when you executed `Connect-AzAccount` to seamlessly authenticate your session with your registry. To complete the authentication flow, the Docker CLI and Docker daemon must be installed and running in your environment. `Connect-AzContainerRegistry` uses the Docker client to set an Azure Active Directory token in the `docker.config` file. Once you've logged in this way, your credentials are cached, and subsequent `docker` commands in your session do not require a username or password.
+
+> [!TIP]
+> Also use `Connect-AzContainerRegistry` to authenticate an individual identity when you want to push or pull artifacts other than Docker images to your registry, such as [OCI artifacts](container-registry-oci-artifacts.md).
+
+For registry access, the token used by `Connect-AzContainerRegistry` is valid for **3 hours**, so we recommend that you always log in to the registry before running a `docker` command. If your token expires, you can refresh it by using the `Connect-AzContainerRegistry` command again to reauthenticate.
+
+Using `Connect-AzContainerRegistry` with Azure identities provides [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md). For some scenarios, you may want to log in to a registry with your own individual identity in Azure AD, or configure other Azure users with specific [Azure roles and permissions](container-registry-roles.md). For cross-service scenarios or to handle the needs of a workgroup or a development workflow where you don't want to manage individual access, you can also log in with a [managed identity for Azure resources](container-registry-authentication-managed-identity.md).
+++ ## Service principal If you assign a [service principal](../active-directory/develop/app-objects-and-service-principals.md) to your registry, your application or service can use it for headless authentication. Service principals allow [Azure role-based access control (Azure RBAC)](../role-based-access-control/role-assignments-portal.md) to a registry, and you can assign multiple service principals to a registry. Multiple service principals allow you to define different access for different applications.
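Review bot: the "Azure PowerShell" link on the first line of the new tab points to `/powershell/azure/uninstall-az-ps`, the uninstall article; readers being told to sign in need the install page (`/powershell/azure/install-az-ps`). The sentence "`Connect-AzContainerRegistry` uses the Docker client to set an Azure Active Directory token in the `docker.config` file" is copied from the CLI tab; the Docker CLI keeps its credential store in `~/.docker/config.json`, so the PowerShell tab now duplicates the wrong file name rather than fixing it. Otherwise mirroring the CLI text line for line, including the 3-hour token lifetime and the RBAC paragraph, is the right approach for the tabbed layout.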
For CLI scripts to create a service principal for authenticating with an Azure c
## Admin account
-Each container registry includes an admin user account, which is disabled by default. You can enable the admin user and manage its credentials in the Azure portal, or by using the Azure CLI or other Azure tools. The admin account has full permissions to the registry.
+Each container registry includes an admin user account, which is disabled by default. You can enable the admin user and manage its credentials in the Azure portal, or by using the Azure CLI, Azure PowerShell, or other Azure tools. The admin account has full permissions to the registry.
The admin account is currently required for some scenarios to deploy an image from a container registry to certain Azure services. For example, the admin account is needed when you use the Azure portal to deploy a container image from a registry directly to [Azure Container Instances](../container-instances/container-instances-using-azure-container-registry.md#deploy-with-azure-portal) or [Azure Web Apps for Containers](container-registry-tutorial-deploy-app.md).
The admin account is currently required for some scenarios to deploy an image fr
The admin account is provided with two passwords, both of which can be regenerated. Two passwords allow you to maintain connection to the registry by using one password while you regenerate the other. If the admin account is enabled, you can pass the username and either password to the `docker login` command when prompted for basic authentication to the registry. For example: ```
-docker login myregistry.azurecr.io
+docker login myregistry.azurecr.io
``` For recommended practices to manage login credentials, see the [docker login](https://docs.docker.com/engine/reference/commandline/login/) command reference.
+### [Azure CLI](#tab/azure-cli)
+ To enable the admin user for an existing registry, you can use the `--admin-enabled` parameter of the [az acr update](/cli/azure/acr#az_acr_update) command in the Azure CLI: ```azurecli az acr update -n <acrName> --admin-enabled true ```
+### [Azure PowerShell](#tab/azure-powershell)
+
+To enable the admin user for an existing registry, you can use the `EnableAdminUser` parameter of the [Update-AzContainerRegistry](/powershell/module/az.containerregistry/update-azcontainerregistry) command in Azure PowerShell:
+
+```azurepowershell
+Update-AzContainerRegistry -Name <acrName> -ResourceGroupName myResourceGroup -EnableAdminUser
+```
+++ You can enable the admin user in the Azure portal by navigating your registry, selecting **Access keys** under **SETTINGS**, then **Enable** under **Admin user**. ![Enable admin user UI in the Azure portal][auth-portal-01]
You can enable the admin user in the Azure portal by navigating your registry, s
* [Push your first image using the Azure CLI](container-registry-get-started-azure-cli.md)
+* [Push your first image using Azure PowerShell](container-registry-get-started-powershell.md)
+ <!-- IMAGES --> [auth-portal-01]: ./media/container-registry-authentication/auth-portal-01.png
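Review bot: the Azure PowerShell tab hard-codes `-ResourceGroupName myResourceGroup` while the Azure CLI tab beside it uses only the `<acrName>` placeholder; change it to `-ResourceGroupName <resourceGroupName>` so both tabs read as templates. The `docker login` hunk above appears to be a whitespace-only change (the removed and added lines are identical) and could be dropped from the commit. Since the text states that the admin account has full permissions to the registry, both enable examples would benefit from a pointer to turning it back off (`--admin-enabled false` for the CLI form) once the portal deployment scenario that requires it is finished.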
cost-management-billing Assign Access Acm Data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/costs/assign-access-acm-data.md
Title: Assign access to Azure Cost Management data
description: This article walks you though assigning permission to Azure Cost Management data for various access scopes. Previously updated : 07/24/2020 Last updated : 06/27/2021
After completing the steps above, the user account becomes an enrollment account
Access to view the management group scope requires at least the Cost Management Reader (or Reader) permission. You can configure permissions for a management group in the Azure portal. You must have at least the User Access Administrator (or Owner) permission for the management group to enable access for others. And for Azure EA accounts, you must also have enabled the **AO view charges** setting in the EA portal.
-1. Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com).
-2. Select **All Services** in the sidebar, search for _management groups_, then select **management groups**.
-3. Select the management group in the hierarchy.
-4. Next to the name of your management group, select **Details**.
-5. Select **Access Control (IAM)** from the left pane.
-6. Select **Add**.
-7. Under **Role**, select **Cost Management Reader**.
-8. Under **Assign access to**, select **Azure AD user, group, or application**.
-9. To assign access, search for and then select the user.
-10. Select **Save**.
- ![example information in the Add permissions box for a management group](./media/assign-access-acm-data/add-permissions.png)
+
+- Assign the Cost Management Reader (or reader) role to a user at the management group scope.
+ For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
## Assign subscription scope access Access to a subscription requires at least the Cost Management Reader (or Reader) permission. You can configure permissions to a subscription in the Azure portal. You must have at least the User Access Administrator (or Owner) permission for the subscription to enable access for others. And for Azure EA accounts, you must also have enabled the **AO view charges** setting in the EA portal.
-1. Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com).
-2. Select **All Services** in the sidebar, search for _subscriptions_, then select **Subscriptions**.
-3. Select your subscription.
-4. Select **Access Control (IAM)** from the left pane.
-5. Select **Add**.
-6. Under **Role**, select **Cost Management Reader**.
-7. Under **Assign access to**, select **Azure AD user, group, or application**.
-8. To assign access, search for and then select the user.
-9. Select **Save**.
+- Assign the Cost Management Reader (or reader) role to a user at the subscription scope.
+ For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
## Assign resource group scope access Access to a resource group requires at least the Cost Management Reader (or Reader) permission. You can configure permissions to a resource group in the Azure portal. You must have at least the User Access Administrator (or Owner) permission for the resource group to enable access for others. And for Azure EA accounts, you must also have enabled the **AO view charges** setting in the EA portal.
-1. Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com).
-2. Select **All Services** in the sidebar, search for _resource groups_, then select **Resource groups**.
-3. Select your resource group.
-4. Select **Access Control (IAM)** from the left pane.
-5. Select **Add**.
-6. Under **Role**, select **Cost Management Reader**.
-7. Under **Assign access to**, select **Azure AD user, group, or application**.
-8. To assign access, search for and then select the user.
-9. Select **Save**.
+
+- Assign the Cost Management Reader (or reader) role to a user at the resource group scope.
+ For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
## Cross-tenant authentication issues
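Review bot: the three replacement bullets write the role as "Cost Management Reader (or reader)" while the unchanged intro sentence of each section still says "(or Reader)"; capitalize the role name consistently. The subscription-scope bullet (`- Assign the Cost Management Reader (or reader) role to a user at the subscription scope.`) is also not preceded by the blank line that the management-group and resource-group bullets get, so the three sections will not render alike. The description line above still reads "walks you though"; "walks you through" is the intended wording and is worth fixing while this file is open.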
cost-management-billing Add Change Subscription Administrator https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/add-change-subscription-administrator.md
tags: billing
Previously updated : 08/20/2020 Last updated : 06/27/2021
If you're not sure who the account administrator is for a subscription, use the
### To assign a user as an administrator
-1. Sign in to the Azure portal as the subscription owner and open [Subscriptions](https://portal.azure.com/#blade/Microsoft_Azure_Billing/SubscriptionsBlade).
+- Assign the Owner role to a user at the subscription scope.
+ For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
-1. Click the subscription where you want to grant access.
-
-1. Click **Access control (IAM)**.
-
-1. Click the **Role assignments** tab to view all the role assignments for this subscription.
-
- ![Screenshot that shows role assignments](./media/add-change-subscription-administrator/role-assignments.png)
-
-1. Click **Add** > **Add role assignment** to open the **Add role assignment** pane.
-
- If you don't have permissions to assign roles, the option will be disabled.
-
-1. In the **Role** drop-down list, select the **Owner** role.
-
-1. In the **Select** list, select a user. If you don't see the user in the list, you can type in the **Select** box to search the directory for display names and email addresses.
-
- ![Screenshot that shows the Owner role selected](./media/add-change-subscription-administrator/add-role.png)
-
-1. Click **Save** to assign the role.
+## Need help? Contact support
- After a few moments, the user is assigned the Owner role at the subscription scope.
+If you still need help, [contact support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) to get your issue resolved quickly.
## Next steps * [What is Azure role-based access control (Azure RBAC)?](../../role-based-access-control/overview.md) * [Understand the different roles in Azure](../../role-based-access-control/rbac-and-directory-admin-roles.md) * [Associate or add an Azure subscription to your Azure Active Directory tenant](../../active-directory/fundamentals/active-directory-how-subscriptions-associated-directory.md)
-* [Administrator role permissions in Azure Active Directory](../../active-directory/roles/permissions-reference.md)
-
-## Need help? Contact support
-
-If you still need help, [contact support](https://portal.azure.com/?#blade/Microsoft_Azure_Support/HelpAndSupportBlade) to get your issue resolved quickly.
+* [Administrator role permissions in Azure Active Directory](../../active-directory/roles/permissions-reference.md)
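Review bot: the removed steps carried two details that the single replacement bullet drops: the prerequisite that you sign in as the subscription owner (old step 1) and the remark that the Add role assignment option is disabled when you lack permission to assign roles. Keep a one-line prerequisite on the bullet (for example, that Owner or User Access Administrator on the subscription is required, as the other billing articles in this commit state) so a reader arriving from "To assign a user as an administrator" knows why the linked steps may fail. Moving "Need help? Contact support" above "Next steps" is fine as long as that ordering matches the sibling billing articles.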
cost-management-billing Manage Billing Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/manage-billing-access.md
tags: billing
Previously updated : 01/26/2021 Last updated : 06/27/2021
These roles have access to billing information in the [Azure portal](https://por
To assign roles, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
-** If you're an EA customer, an Account Owner can assign the above role to other users of their team. But for these users to view billing information, the Enterprise Administrator must enable AO view charges in the Enterprise portal.
+> [!note]
+> If you're an EA customer, an Account Owner can assign the above role to other users of their team. But for these users to view billing information, the Enterprise Administrator must enable AO view charges in the Enterprise portal.
### <a name="opt-in"></a> Allow users to download invoices
After an Account administrator has assigned the appropriate roles to other users
1. Select **Subscriptions** from the left-hand pane. Depending on your access, you may need to select a billing scope and then select **Subscriptions**.
- ![Screenshot that shows selecting subscriptions](./media/manage-billing-access/billing-select-subscriptions.png)
+ ![Screenshot that shows selecting subscriptions.](./media/manage-billing-access/billing-select-subscriptions.png)
1. Select **Invoices** and then **Access to invoice**.
- ![Screenshot shows how to delegate access to invoices](./media/manage-billing-access/aa-optin01.png)
+ ![Screenshot shows how to delegate access to invoices.](./media/manage-billing-access/aa-optin01.png)
1. Select **On** and save.
Assign the Billing Reader role to someone that needs read-only access to the sub
The Billing Reader feature is in preview, and does not yet support non-global clouds.
-1. Sign in to the [Azure portal](https://portal.azure.com/), as an Account Administrator,
-
-1. Search on **Cost Management + Billing**.
-
- ![Screenshot that shows Azure portal search](./media/manage-billing-access/billing-search-cost-management-billing.png)
-
-1. Select **Subscriptions** from the left-hand pane. Depending on your access, you may need to select a billing scope and then select **Subscriptions**.
-
- ![Screenshot that shows selecting subscriptions](./media/manage-billing-access/billing-select-subscriptions.png)
-
-1. Select **Access control (IAM)**.
-1. Select **Add** from the top of the page.
-
- ![Screenshot that shows clicking add role assignment](./media/manage-billing-access/billing-click-add-role-assignment.png)
-
-1. In the **Role** drop-down list, choose **Billing Reader**.
-1. In the **Select** textbox, type the name or email for the user you want to add.
-1. Select the user.
-1. Select **Save**.
- ![Screenshot that highlights the Save button.](./media/manage-billing-access/billing-save-role-assignment.png)
+- Assign the Billing Reader role to a user at the subscription scope.
+ For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
-1. After a few moments, the user is assigned the Billing Reader role for the subscription.
-
-** If you're an EA customer, an Account Owner or Department Administrator can assign the Billing Reader role to team members. But for that Billing Reader to view billing information for the department or account, the Enterprise Administrator must enable **AO view charges** or **DA view charges** policies in the Enterprise portal.
+> [!NOTE]
+> If you're an EA customer, an Account Owner or Department Administrator can assign the Billing Reader role to team members. But for that Billing Reader to view billing information for the department or account, the Enterprise Administrator must enable **AO view charges** or **DA view charges** policies in the Enterprise portal.
## Check the type of your billing account [!INCLUDE [billing-check-account-type](../../../includes/billing-check-account-type.md)]
-## Next steps
--- Users in other roles, such as Owner or Contributor, can access not just billing information, but Azure services as well. To manage these roles, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).-- For more information about roles, see [Azure built-in roles](../../role-based-access-control/built-in-roles.md).- ## Need help? Contact us. If you have questions or need help, [create a support request](https://go.microsoft.com/fwlink/?linkid=2083458).+
+## Next steps
+
+- Users in other roles, such as Owner or Contributor, can access not just billing information, but Azure services as well. To manage these roles, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
+- For more information about roles, see [Azure built-in roles](../../role-based-access-control/built-in-roles.md).
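Review bot: the first note block uses `> [!note]` (lowercase) while the second uses `> [!NOTE]`; use `[!NOTE]` for both so the alert renders consistently. The removed run-together line shows the old "Next steps" and the "Need help? Contact us." section being deleted, but only the two Next steps bullets are added back; confirm that "Need help? Contact us. If you have questions or need help, create a support request" still exists after this change or restore it. In the Billing Reader section, the preview sentence ("The Billing Reader feature is in preview, and does not yet support non-global clouds.") now sits directly above the new bullet, so a blank line before the bullet would keep it from reading as part of the procedure.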
cost-management-billing Understand Mca Roles https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/manage/understand-mca-roles.md
Previously updated : 03/10/2021 Last updated : 06/27/2021
The following table shows what role you need to complete tasks in the context of
## Manage billing roles in the Azure portal
-1. Sign in to the [Azure portal](https://portal.azure.com).
-
-2. Search for **Cost Management + Billing**.
-
- ![Screenshot that shows Azure portal search](./media/understand-mca-roles/billing-search-cost-management-billing.png)
-
-3. Select **Access control (IAM)** at a scope such as billing account, billing profile, or invoice section, where you want to give access.
-
-4. The Access control (IAM) page lists users and groups that are assigned to each role for that scope.
-
- ![Screenshot that shows list of admins for billing account](./media/understand-mca-roles/billing-list-admins.png)
-
-5. To give access to a user, Select **Add** from the top of the page. In the Role drop-down list, select a role. Enter the email address of the user to whom you want to give access. Select **Save** to assign the role.
-
- ![Screenshot that shows adding an admin to a billing account](./media/understand-mca-roles/billing-add-admin.png)
-
-6. To remove access for a user, select the user with the role assignment you want to remove. Select Remove.
-
- ![Screenshot that shows removing an admin from a billing account](./media/understand-mca-roles/billing-remove-admin.png)
+- Assign a role to a user or group at a billing scope such as billing account, billing profile, or invoice section, where you want to give access.
+ For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
## Check access to a Microsoft Customer Agreement [!INCLUDE [billing-check-mca](../../../includes/billing-check-mca.md)]
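Review bot: the replacement bullet sends readers to the generic Azure RBAC portal article, but the removed steps showed that billing roles are assigned from **Cost Management + Billing** > **Access control (IAM)** at a billing account, billing profile, or invoice section, and removed step 6 covered removing a user's access; neither the entry point nor the removal instruction survives in the new text. Keep a sentence naming Cost Management + Billing as where these billing scopes appear, and either restore the removal step or confirm that the linked article covers billing scopes rather than only resource scopes.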
cost-management-billing Manage Reserved Vm Instance https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/reservations/manage-reserved-vm-instance.md
Previously updated : 04/21/2021 Last updated : 06/27/2021 # Manage Reservations for Azure resources
By default, the following users can view and manage reservations:
To allow other people to manage reservations, you have two options: -- Delegate access management for an individual reservation order:
- 1. Sign in to the [Azure portal](https://portal.azure.com).
- 1. Select **All Services** > **Reservation** to list reservations that you have access to.
- 1. Select the reservation that you want to delegate access to other users.
- 1. From Reservation details, select the reservation order.
- 1. Select **Access control (IAM)**.
- 1. Select **Add role assignment** > **Role** > **Owner**. If you want to give limited access, select a different role.
- 1. Type the email address of the user you want to add as owner.
- 1. Select the user, and then select **Save**.
+- Delegate access management for an individual reservation order by assigning the Owner role to a user at the resource scope of the reservation order. If you want to give limited access, select a different role.
+ For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
- Add a user as billing administrator to an Enterprise Agreement or a Microsoft Customer Agreement: - For an Enterprise Agreement, add users with the _Enterprise Administrator_ role to view and manage all reservation orders that apply to the Enterprise Agreement. Users with the _Enterprise Administrator (read only)_ role can only view the reservation. Department admins and account owners can't view reservations _unless_ they're explicitly added to them using Access control (IAM). For more information, see [Managing Azure Enterprise roles](../manage/understand-ea-roles.md).
cost-management-billing Troubleshoot No Eligible Subscriptions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/reservations/troubleshoot-no-eligible-subscriptions.md
Previously updated : 12/15/2020 Last updated : 06/27/2021 # Troubleshoot no eligible subscriptions
To get owner access to a reservation, you must get access to either:
The current reservation order owner or reservation owner can delegate access to you using the following steps.
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Select **All Services** > **Reservation** to list reservations that you have access to.
-1. Select the reservation that you want to delegate access to other users.
-1. Select **Access control (IAM)**.
-1. Select **Add role assignment** > **Role** > **Owner**. Or, if you want to give limited access, select a different role.
-1. Type the email address of the user you want to add as owner.
-1. Select the user, and then select **Save**.
+To allow other people to manage reservations, you have two options:
+
+- Delegate access management for an individual reservation order by assigning the Owner role to a user at the resource scope of the reservation order. If you want to give limited access, select a different role.
+ For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
+
+- Add a user as billing administrator to an Enterprise Agreement or a Microsoft Customer Agreement:
+ - For an Enterprise Agreement, add users with the _Enterprise Administrator_ role to view and manage all reservation orders that apply to the Enterprise Agreement. Users with the _Enterprise Administrator (read only)_ role can only view the reservation. Department admins and account owners can't view reservations _unless_ they're explicitly added to them using Access control (IAM). For more information, see [Managing Azure Enterprise roles](../manage/understand-ea-roles.md).
+
+ _Enterprise Administrators can take ownership of a reservation order and they can add other users to a reservation using Access control (IAM)._
+ - For a Microsoft Customer Agreement, users with the billing profile owner role or the billing profile contributor role can manage all reservation purchases made using the billing profile. Billing profile readers and invoice managers can view all reservations that are paid for with the billing profile. However, they can't make changes to reservations.
+ For more information, see [Billing profile roles and tasks](../manage/understand-mca-roles.md#billing-profile-roles-and-tasks).
For more information, see [Add or change users who can manage a reservation](manage-reserved-vm-instance.md#who-can-manage-a-reservation-by-default).
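Review bot: the added block repeats the two-option text from manage-reserved-vm-instance.md verbatim, and the unchanged sentence above it ("The current reservation order owner or reservation owner can delegate access to you using the following steps.") no longer matches, since what follows is a list of options rather than steps and the second option (adding a billing administrator to an EA or MCA) is not something a reservation owner does. Either adjust that lead sentence or keep only the first bullet here; the unchanged line below already links to "Add or change users who can manage a reservation" for the rest.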
cost-management-billing View Reservations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cost-management-billing/reservations/view-reservations.md
After you have elevated access:
Users who have owner access on the reservations and billing administrators can delegate access management for an individual reservation order.
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Select **All Services** > **Reservation** to list reservations that you have access to.
-1. Select the reservation that you want to delegate access to other users.
-1. From Reservation details, select the reservation order.
-1. Select **Access control (IAM)**.
-1. Select **Add role assignment** > **Role** > **Owner**. If you want to give limited access, select a different role.
-1. Type the email address of the user you want to add as owner.
-1. Select the user, and then select **Save**.
+To allow other people to manage reservations, you have two options:
+
+- Delegate access management for an individual reservation order by assigning the Owner role to a user at the resource scope of the reservation order. If you want to give limited access, select a different role.
+ For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
+
+- Add a user as billing administrator to an Enterprise Agreement or a Microsoft Customer Agreement:
+ - For an Enterprise Agreement, add users with the _Enterprise Administrator_ role to view and manage all reservation orders that apply to the Enterprise Agreement. Users with the _Enterprise Administrator (read only)_ role can only view the reservation. Department admins and account owners can't view reservations _unless_ they're explicitly added to them using Access control (IAM). For more information, see [Managing Azure Enterprise roles](../manage/understand-ea-roles.md).
+
+ _Enterprise Administrators can take ownership of a reservation order and they can add other users to a reservation using Access control (IAM)._
+ - For a Microsoft Customer Agreement, users with the billing profile owner role or the billing profile contributor role can manage all reservation purchases made using the billing profile. Billing profile readers and invoice managers can view all reservations that are paid for with the billing profile. However, they can't make changes to reservations.
+ For more information, see [Billing profile roles and tasks](../manage/understand-mca-roles.md#billing-profile-roles-and-tasks).
## Next steps
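Review bot: the unchanged sentence above the insert already says that owners and billing administrators "can delegate access management for an individual reservation order", so the added lead-in "To allow other people to manage reservations, you have two options:" plus a second option about adding billing administrators covers the same ground twice within a few lines. Consider keeping the single delegation bullet here and linking to manage-reserved-vm-instance.md for the EA/MCA administrator option; as committed, three articles (this one, manage-reserved-vm-instance.md, and troubleshoot-no-eligible-subscriptions.md) now carry identical copies of this text that must be kept in sync.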
data-lake-store Data Lake Store Encryption https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-lake-store/data-lake-store-encryption.md
Title: Encryption in Azure Data Lake Storage Gen1 | Microsoft Docs
description: Encryption in Azure Data Lake Storage Gen1 helps you protect your data, implement enterprise security policies, and meet regulatory compliance requirements. This article provides an overview of the design, and discusses some of the technical aspects of implementation. documentationcenter: ''-+ Last updated 03/26/2018-+ # Encryption of data in Azure Data Lake Storage Gen1
ddos-protection Ddos Faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/ddos-protection/ddos-faq.md
- Title: Azure DDoS Protection Standard frequently asked questions
-description: Frequently asked questions about the Azure DDoS Protection Standard, which helps provide defense against DDoS attacks.
----- Previously updated : 10/28/2020---
-# Azure DDoS Protection Standard frequently asked questions
-
-This article answers common questions about Azure DDoS Protection Standard.
-
-## What is a Distributed Denial of Service (DDoS) attack?
-Distributed denial of service, or DDoS, is a type of attack where an attacker sends more requests to an application than the application is capable of handling. The resulting effect is resources being depleted, affecting the applicationΓÇÖs availability and ability to service its customers. Over the past few years, the industry has seen a sharp increase in attacks, with attacks becoming more sophisticated and larger in magnitude. DDoS attacks can be targeted at any endpoint that is publicly reachable through the Internet.
-
-## What is Azure DDoS Protection Standard service?
-Azure DDoS Protection Standard, combined with application design best practices, provides enhanced DDoS mitigation features to defend against DDoS attacks. It is automatically tuned to help protect your specific Azure resources in a virtual network. Protection is simple to enable on any new or existing virtual network, and it requires no application or resource changes. It has several advantages over the basic service, including logging, alerting, and telemetry. See [Azure DDoS Protection Standard overview](ddos-protection-overview.md) for more details. 
-
-## How does pricing work?
-DDoS protection plans have a fixed monthly charge of $2,944 per month which covers up to 100 public IP addresses. Protection for additional resources will cost an additional $30 per resource per month.
-
-Under a tenant, a single DDoS protection plan can be used across multiple subscriptions, so there is no need to create more than one DDoS protection plan.
-
-See [Azure DDoS Protection Standard pricing](https://azure.microsoft.com/pricing/details/ddos-protection/) for more details.
-
-## Is the service zone resilient?
-Yes. Azure DDoS Protection is zone-resilient by default.
-
-## How do I configure the service to be zone-resilient?
-No customer configuration is necessary to enable zone-resiliency. Zone-resiliency for Azure DDoS Protection resources is available by default and managed by the service itself.
-
-## What about protection at the service layer (layer 7)?
-Customers can use Azure DDoS Protection service in combination with a Web Application Firewall (WAF) to for protection both at the network layer (Layer 3 and 4, offered by Azure DDoS Protection Standard) and at the application layer (Layer 7, offered by a WAF). WAF offerings include Azure [Application Gateway WAF SKU](../web-application-firewall/ag/ag-overview.md?toc=%2fazure%2fvirtual-network%2ftoc.json) as well as third-party web application firewall offerings available in the [Azure Marketplace](https://azuremarketplace.microsoft.com/marketplace/apps?page=1&search=web%20application%20firewall).
-
-## Are services unsafe in Azure without the service?
-Services running on Azure are inherently protected by Azure DDoS Protection Basic that is in place to protect AzureΓÇÖs infrastructure. However, the protection that safeguards the infrastructure has a much higher threshold than most applications have the capacity to handle, and does not provide telemetry or alerting, so while a traffic volume may be perceived as harmless by the platform, it can be devastating to the application receiving it.
-
-By onboarding to the Azure DDoS Protection Standard Service, the application gets dedicated monitoring to detect attacks and application specific thresholds. A service will be protected with a profile that is tuned to its expected traffic volume, providing a much tighter defense against DDoS attacks.
-
-## What are the supported protected resource types?
-Public IPs in ARM based VNETs are currently the only type of protected resource. PaaS services (multitenant) are not supported at presented. See [Azure DDoS Protection Standard reference architectures](ddos-protection-reference-architectures.md) for more details.
-
-## Are Classic/RDFE protected resources supported?
-Only ARM based protected resources are supported in preview. VMs in Classic/RDFE deployments are not supported. Support is not currently planned for Classic/RDFE resources. See [Azure DDoS Protection Standard reference architectures](ddos-protection-reference-architectures.md) for more details.
-
-## Can I protect my PaaS resources using DDoS Protection?
-Public IPs attached to multi-tenant, single VIP PaaS services are not supported presently. Examples of unsupported resources include Storage VIPs, Event Hub VIPs and App/Cloud Services applications. See [Azure DDoS Protection Standard reference architectures](ddos-protection-reference-architectures.md) for more details.
-
-## Can I protect my on-premise resources using DDoS Protection?
-You need to have the public endpoints of your service associated to a VNet in Azure to be enabled for DDoS protection. Example designs include:
-- Web sites (IaaS) in Azure and backend databases in on-prem datacenter. -- Application Gateway in Azure (DDoS protection enabled on App Gateway/WAF) and websites in on-prem datacenters.-
-See [Azure DDoS Protection Standard reference architectures](ddos-protection-reference-architectures.md) for more details.
-
-## Can I register a domain outside of Azure and associate that to a protected resource like VM or ELB?
-For the Public IP scenarios, DDoS Protection service will support any application regardless of where the associated domain is registered or hosted as long as the associated Public IP is hosted on Azure.
-
-## Can I manually configure the DDoS policy applied to the VNets/Public IPs?
-No, unfortunately policy customization is not available at this moment.
-
-## Can I allowlist/blocklist specific IP addresses?
-No, unfortunately manual configuration is not available at this moment.
-
-## How can I test DDoS Protection?
-See [testing through simulations](test-through-simulations.md).
-
-## How long does it take for the metrics to load on portal?
-The metrics should be visible on portal within 5 minutes. If your resource is under attack, other metrics will start showing up on portal within 5-7 minutes.
-
-## Does the service store customer data?
-No, Azure DDoS protection does not store customer data.
-
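Review bot: this hunk deletes ddos-faq.md outright, and nothing in the commit shows where its answers move (pricing, zone resiliency, the layer 7/WAF guidance, the pointer to test-through-simulations.md, the statement that the service does not store customer data). Add a redirect entry for the removed path and confirm the questions were folded into ddos-protection-overview.md or another surviving article; otherwise existing inbound links to the FAQ will break.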
defender-for-iot Agent Based Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/agent-based-recommendations.md
+
+ Title: Agent based recommendations
+description: Learn about the concept of security recommendations and how they are used for Defender for IoT devices.
+ Last updated : 02/16/2021++
+# Security recommendations for IoT devices
+
+Defender for IoT scans your Azure resources and IoT devices and provides security recommendations to reduce your attack surface.
+Security recommendations are actionable and aim to aid customers in complying with security best practices.
+
+In this article, you will find a list of recommendations, which can be triggered on your IoT devices.
+
+## Agent based recommendations
+
+Device recommendations provide insights and suggestions to improve device security posture.
+
+| Severity | Name | Data Source | Description |
+|--|--|--|--|
+| Medium | Open Ports on device | Classic Defender-IoT-micro-agent| A listening endpoint was found on the device. |
+| Medium | Permissive firewall policy found in one of the chains. | Classic Defender-IoT-micro-agent| Allowed firewall policy found (INPUT/OUTPUT). Firewall policy should deny all traffic by default, and define rules to allow necessary communication to/from the device. |
+| Medium | Permissive firewall rule in the input chain was found | Classic Defender-IoT-micro-agent| A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports. |
+| Medium | Permissive firewall rule in the output chain was found | Classic Defender-IoT-micro-agent| A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or ports. |
+| Medium | Operation system baseline validation has failed | Classic Defender-IoT-micro-agent| Device doesn't comply with [CIS Linux benchmarks](https://www.cisecurity.org/cis-benchmarks/). |
+
+### Agent based operational recommendations
+
+Operational recommendations provide insights and suggestions to improve security agent configuration.
+
+| Severity | Name | Data Source | Description |
+|--|--|--|--|
+| Low | Agent sends unutilized messages | Classic Defender-IoT-micro-agent | 10% or more of security messages were smaller than 4 KB during the last 24 hours. |
+| Low | Security twin configuration not optimal | Classic Defender-IoT-micro-agent | Security twin configuration is not optimal. |
+| Low | Security twin configuration conflict | Classic Defender-IoT-micro-agent | Conflicts were identified in the security twin configuration. |
+
+## Next steps
+
+- Defender for IoT service [Overview](overview.md)
+- Learn how to [Access your security data](how-to-security-data-access.md)
+- Learn more about [Investigating a device](how-to-investigate-device.md)
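Review bot: in the recommendations table, "Operation system baseline validation has failed" should read "Operating system baseline validation has failed". The Name column is inconsistent about punctuation and casing ("Permissive firewall policy found in one of the chains." ends with a period, "Open Ports on device" capitalizes Ports while the other names do not); normalize the names since they are meant to match what the service shows. The two permissive firewall rule rows (input chain and output chain) share one description, which is fine, but the Data Source value "Classic Defender-IoT-micro-agent" is followed by a space before the pipe in some rows and not others; align the cells.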
defender-for-iot Agent Based Security Alerts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/agent-based-security-alerts.md
+
+ Title: Agent based security alerts
+description: Learn about security alerts and recommended remediation using Defender for IoT device's features and service.
+ Last updated : 2/16/2021++
+# Defender for IoT devices security alerts
+
+Defender for IoT continuously analyzes your IoT solution using advanced analytics and threat intelligence to alert you to malicious activity.
+In addition, you can create custom alerts based on your knowledge of expected device behavior.
+An alert acts as an indicator of potential compromise, and should be investigated and remediated.
+
+In this article, you will find a list of built-in alerts, which can be triggered on your IoT devices.
+In addition to built-in alerts, Defender for IoT allows you to define custom alerts based on expected IoT Hub and/or device behavior.
+For more information, see [customizable alerts](concept-customizable-security-alerts.md).
+
+## Agent based security alerts
+
+| Name | Severity | Data Source | Description | Suggested remediation steps |
+|--|--|--|--|--|
+| **High** severity | | | |
+| Binary Command Line | High | Classic Defender-IoT-micro-agent | LA Linux binary being called/executed from the command line was detected. This process may be legitimate activity, or an indication that your device is compromised. | Review the command with the user that ran it and check if this is something legitimately expected to run on the device. If not, escalate the alert to your information security team. |
+| Disable firewall | High | Classic Defender-IoT-micro-agent | Possible manipulation of on-host firewall detected. Malicious actors often disable the on-host firewall in an attempt to exfiltrate data. | Review with the user that ran the command to confirm if this was legitimate expected activity on the device. If not, escalate the alert to your information security team. |
+| Port forwarding detection | High | Classic Defender-IoT-micro-agent | Initiation of port forwarding to an external IP address detected. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Possible attempt to disable Auditd logging detected | High | Classic Defender-IoT-micro-agent | Linux Auditd system provides a way to track security-relevant information on the system. The system records as much information about the events that are happening on your system as possible. This information is crucial for mission-critical environments to determine who violated the security policy and the actions they performed. Disabling Auditd logging may prevent your ability to discover violations of security policies used on the system. | Check with the device owner if this was legitimate activity with business reasons. If not, this event may be hiding activity by malicious actors. Immediately escalated the incident to your information security team. |
+| Reverse shells | High | Classic Defender-IoT-micro-agent | Analysis of host data on a device detected a potential reverse shell. Reverse shells are often used to get a compromised machine to call back into a machine controlled by a malicious actor. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Successful Bruteforce attempt | High | Classic Defender-IoT-micro-agent | Multiple unsuccessful login attempts were identified, followed by a successful login. Attempted Brute force attack may have succeeded on the device. | Review SSH Brute force alert and the activity on the devices. <br>If the activity was malicious:<br> Roll out password reset for compromised accounts.<br> Investigate and remediate (if found) devices for malware. |
+| Successful local login | High | Classic Defender-IoT-micro-agent | Successful local sign in to the device detected | Make sure the signed in user is an authorized party. |
+| Web shell | High | Classic Defender-IoT-micro-agent | Possible web shell detected. Malicious actors commonly upload a web shell to a compromised machine to gain persistence or for further exploitation. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| **Medium** severity | | | |
+| Behavior similar to common Linux bots detected | Medium | Classic Defender-IoT-micro-agent | Execution of a process normally associated with common Linux botnets detected. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Behavior similar to Fairware ransomware detected | Medium | Classic Defender-IoT-micro-agent | Execution of rm -rf commands applied to suspicious locations detected using analysis of host data. Because rm -rf recursively deletes files, it is normally only used on discrete folders. In this case, it is being used in a location that could remove a large amount of data. Fairware ransomware is known to execute rm -rf commands in this folder. | Review with the user that ran the command this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Behavior similar to ransomware detected | Medium | Classic Defender-IoT-micro-agent | Execution of files similar to known ransomware that may prevent users from accessing their system, or personal files, and may demand ransom payment to regain access. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Crypto coin miner container image detected | Medium | Classic Defender-IoT-micro-agent | Container detecting running known digital currency mining images. | 1. If this behavior is not intended, delete the relevant container image.<br> 2. Make sure that the Docker daemon is not accessible via an unsafe TCP socket.<br> 3. Escalate the alert to the information security team. |
+| Crypto coin miner image | Medium | Classic Defender-IoT-micro-agent | Execution of a process normally associated with digital currency mining detected. | Verify with the user that ran the command if this was legitimate activity on the device. If not, escalate the alert to the information security team. |
+| Detected suspicious use of the nohup command | Medium | Classic Defender-IoT-micro-agent | Suspicious use of the nohup command on host detected. Malicious actors commonly run the nohup command from a temporary directory, effectively allowing their executables to run in the background. Seeing this command run on files located in a temporary directory is not expected or usual behavior. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Detected suspicious use of the useradd command | Medium | Classic Defender-IoT-micro-agent | Suspicious use of the useradd command detected on the device. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Exposed Docker daemon by TCP socket | Medium | Classic Defender-IoT-micro-agent | Machine logs indicate that your Docker daemon (dockerd) exposes a TCP socket. By default, Docker configuration, does not use encryption or authentication when a TCP socket is enabled. Default Docker configuration enables full access to the Docker daemon, by anyone with access to the relevant port. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Failed local login | Medium | Classic Defender-IoT-micro-agent | A failed local login attempt to the device was detected. | Make sure no unauthorized party has physical access to the device. |
+| File downloads from a known malicious source detected | Medium | Classic Defender-IoT-micro-agent | Download of a file from a known malware source detected. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| htaccess file access detected | Medium | Classic Defender-IoT-micro-agent | Analysis of host data detected possible manipulation of a htaccess file. Htaccess is a powerful configuration file that allows you to make multiple changes to a web server running Apache Web software, including basic redirect functionality, and more advanced functions, such as basic password protection. Malicious actors often modify htaccess files on compromised machines to gain persistence. | Confirm this is legitimate expected activity on the host. If not, escalate the alert to your information security team. |
+| Known attack tool | Medium | Classic Defender-IoT-micro-agent | A tool often associated with malicious users attacking other machines in some way was detected. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| IoT agent attempted and failed to parse the module twin configuration | Medium | Classic Defender-IoT-micro-agent | The Defender for IoT security agent failed to parse the module twin configuration due to type mismatches in the configuration object | Validate your module twin configuration against the IoT agent configuration schema, fix all mismatches. |
+| Local host reconnaissance detected | Medium | Classic Defender-IoT-micro-agent | Execution of a command normally associated with common Linux bot reconnaissance detected. | Review the suspicious command line to confirm that it was executed by a legitimate user. If not, escalate the alert to your information security team. |
+| Mismatch between script interpreter and file extension | Medium | Classic Defender-IoT-micro-agent | Mismatch between the script interpreter and the extension of the script file provided as input detected. This type of mismatch is commonly associated with attacker script executions. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Possible backdoor detected | Medium | Classic Defender-IoT-micro-agent | A suspicious file was downloaded and then run on a host in your subscription. This type of activity is commonly associated with the installation of a backdoor. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Potential loss of data detected | Medium | Classic Defender-IoT-micro-agent | Possible data egress condition detected using analysis of host data. Malicious actors often egress data from compromised machines. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Potential overriding of common files | Medium | Classic Defender-IoT-micro-agent | Common executable overwritten on the device. Malicious actors are known to overwrite common files as a way to hide their actions or as a way to gain persistence. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Privileged container detected | Medium | Classic Defender-IoT-micro-agent | Machine logs indicate that a privileged Docker container is running. A privileged container has full access to host resources. If compromised, a malicious actor can use the privileged container to gain access to the host machine. | If the container doesn't need to run in privileged mode, remove the privileges from the container. |
+| Removal of system logs files detected | Medium | Classic Defender-IoT-micro-agent | Suspicious removal of log files on the host detected. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Space after filename | Medium | Classic Defender-IoT-micro-agent | Execution of a process with a suspicious extension detected using analysis of host data. Suspicious extensions may trick users into thinking files are safe to be opened and can indicate the presence of malware on the system. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Suspected malicious credentials access tools detected | Medium | Classic Defender-IoT-micro-agent | Detection usage of a tool commonly associated with malicious attempts to access credentials. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Suspicious compilation detected | Medium | Classic Defender-IoT-micro-agent | Suspicious compilation detected. Malicious actors often compile exploits on a compromised machine to escalate privileges. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Suspicious file download followed by file run activity | Medium | Classic Defender-IoT-micro-agent | Analysis of host data detected a file that was downloaded and run in the same command. This technique is commonly used by malicious actors to get infected files onto victim machines. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. |
+| Suspicious IP address communication | Medium | Classic Defender-IoT-micro-agent | Communication with a suspicious IP address detected. | Verify if the connection is legitimate. Consider blocking communication with the suspicious IP. |
+| **LOW** severity | | | |
+| Bash history cleared | Low | Classic Defender-IoT-micro-agent | Bash history log cleared. Malicious actors commonly erase bash history to hide their own commands from appearing in the logs. | Review with the user that ran the command that the activity in this alert to see if you recognize this as legitimate administrative activity. If not, escalate the alert to the information security team. |
+| Device silent | Low | Classic Defender-IoT-micro-agent | Device has not sent any telemetry data in the last 72 hours. | Make sure device is online and sending data. Check that the Azure Security Agent is running on the device. |
+| Failed Bruteforce attempt | Low | Classic Defender-IoT-micro-agent | Multiple unsuccessful login attempts identified. Potential Brute force attack attempt failed on the device. | Review SSH Brute force alerts and the activity on the device. No further action required. |
+| Local user added to one or more groups | Low | Classic Defender-IoT-micro-agent | New local user added to a group on this device. Changes to user groups are uncommon, and can indicate a malicious actor may be collecting extra permissions. | Verify if the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your Information Security team. |
+| Local user deleted from one or more groups | Low | Classic Defender-IoT-micro-agent | A local user was deleted from one or more groups. Malicious actors are known to use this method in an attempt to deny access to legitimate users or to delete the history of their actions. | Verify if the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your Information Security team. |
+| Local user deletion detected | Low | Classic Defender-IoT-micro-agent | Deletion of a local user detected. Local user deletion is uncommon, a malicious actor may be trying to deny access to legitimate users or to delete the history of their actions. | Verify if the change is consistent with the permissions required by the affected user. If the change is inconsistent, escalate to your Information Security team. |
+
+## Next steps
+
+- Defender for IoT service [Overview](overview.md)
+- Learn how to [Access your security data](how-to-security-data-access.md)
+- Learn more about [Investigating a device](how-to-investigate-device.md)
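Review bot: the severity separator rows ("| **High** severity | | | |", "| **Medium** severity | | | |", "| **LOW** severity | | | |") have four cells while the header defines five columns, and the third uses a different casing from the other two; use five cells and "**Low** severity" so the groups render like the rest of the table. Several description and remediation cells also carry wording defects that should be fixed before merge: "LA Linux binary being called/executed" in the Binary Command Line row should be "A Linux binary being called/executed"; "Immediately escalated the incident" in the Auditd row should be "Immediately escalate the incident"; the Fairware ransomware remediation drops the word "if" ("Review with the user that ran the command this was legitimate activity"); "Container detecting running known digital currency mining images" in the Crypto coin miner container image row is not a sentence (the intended meaning is that a container running a known mining image was detected); "Detection usage of a tool" in the credentials access row should be "Usage of a tool ... was detected"; and the Bash history cleared remediation ("Review with the user that ran the command that the activity in this alert to see if you recognize...") is garbled and should read along the lines of "Review with the user that ran the command whether this is legitimate administrative activity". Minor: the module twin parsing row lacks a closing full stop, and the Device silent row refers to the "Azure Security Agent" while every other row calls it the Defender for IoT security agent.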
defender-for-iot Agent Based Security Custom Alerts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/agent-based-security-custom-alerts.md
+
+ Title: Agent based security custom alerts
+description: Learn about customizable security alerts and recommended remediation using Defender for IoT device's features and service.
+ Last updated : 2/16/2021+++
+# Defender for IoT devices custom security alerts
+
+Defender for IoT continuously analyzes your IoT solution using advanced analytics and threat intelligence to alert you to malicious activity.
+
+We encourage you to create custom alerts based on your knowledge of expected device behavior to ensure alerts act as the most efficient indicators of potential compromise in your unique organizational deployment and landscape.
+
+The following lists of Defender for IoT alerts are definable by you based on your expected IoT device behavior. For more information about how to customize each alert, see [create custom alerts](quickstart-create-custom-alerts.md).
+
+## Agent-based security custom alerts
+
+| Severity | Alert name | Data source | Description | Suggested remediation |
+|--|--|--|--|--|
+| Low | Custom alert - The number of active connections is outside the allowed range | Classic Defender-IoT-micro-agent, Azure RTOS | Number of active connections within a specific time window is outside the currently configured and allowable range. | Investigate the device logs. Learn where the connection originated and determine if it is benign or malicious. If malicious, remove possible malware and understand source. If benign, add the source to the allowed connection list. |
+| Low | Custom alert - The outbound connection created to an IP that isn't allowed | Classic Defender-IoT-micro-agent, Azure RTOS | An outbound connection was created to an IP that is outside your allowed IP list. | Investigate the device logs. Learn where the connection originated and determine if it is benign or malicious. If malicious, remove possible malware and understand source. If benign, add the source to the allowed IP list. |
+| Low | Custom alert - The number of failed local logins is outside the allowed range | Classic Defender-IoT-micro-agent, Azure RTOS | The number of failed local logins within a specific time window is outside the currently configured and allowable range. | |
+| Low | Custom alert - The sign in of a user that is not on the allowed user list | Classic Defender-IoT-micro-agent, Azure RTOS | A local user outside your allowed user list, logged in to the device. | If you are saving raw data, navigate to your log analytics account and use the data to investigate the device, identify the source, and then fix the allow/block list for those settings. If you are not currently saving raw data, go to the device and fix the allow/block list for those settings. |
+| Low | Custom alert - A process was executed that is not allowed | Classic Defender-IoT-micro-agent, Azure RTOS | A process that is not allowed was executed on the device. | If you are saving raw data, navigate to your log analytics account and use the data to investigate the device, identify the source, and then fix the allow/block list for those settings. If you are not currently saving raw data, go to the device and fix the allow/block list for those settings. |
+|
+
+## Next steps
+
+- Learn how to [customize an alert](quickstart-create-custom-alerts.md)
+- Defender for IoT service [Overview](overview.md)
+- Learn how to [Access your security data](how-to-security-data-access.md)
+- Learn more about [Investigating a device](how-to-investigate-device.md)
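Review bot: the lone "|" line immediately after the custom alerts table is not a valid row and will render as a stray cell or pipe under the table; delete it. The "number of failed local logins is outside the allowed range" row also leaves the Suggested remediation cell empty, while every other row gives one (the pattern "Investigate the device logs ... If benign, add ... to the allowed ... list" used by the first two rows would fit); please supply a remediation so readers of this alert are not left without guidance.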
defender-for-iot Architecture Agent Based https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/architecture-agent-based.md
+
+ Title: What is agent-based solution architecture
+description: Learn about Azure Defender for IoT agent-based architecture and information flow.
+ Last updated : 1/25/2021++
+# What is agent-based solution for device builders
+
+This article describes the functional system architecture of the Defender for IoT agent-based solution. Azure Defender for IoT offers two sets of capabilities to fit your environment's needs, agentless solution for organizations, and agent-based solution for device builders.
+
+## IoT hub built-in security
+
+Defender for IoT is enabled by default in every new IoT Hub that is created. Defender for IoT provides real-time monitoring, recommendations, and alerts, without requiring agent installation on any devices and uses advanced analytics on logged IoT Hub meta data to analyze and protect your field devices and IoT hubs.
+
+## Defender for IoT micro agent
+
+Defender for IoT micro agent provides depth security protection and visibility into device behavior. collects, aggregates, and analyze raw security events from your devices. Raw security events can include IP connections, process creation, user logins, and other security-relevant information. Defender for IoT device agents also handles event aggregation to help avoid high network throughput. The agents are highly customizable, allowing you to use them for specific tasks, such as sending only important information at the fastest SLA, or for aggregating extensive security information and context into larger segments, avoiding higher service costs.
+
+Device agents, and other applications use the **Azure send security message SDK** to send security information into Azure IoT hub. IoT hub gets this information and forwards it to the Defender for IoT service.
+
+Once the Defender for IoT service is enabled, in addition to the forwarded data, IoT hub also sends out all of its internal data for analysis by Defender for IoT. This data includes device-cloud operation logs, device identities, and hub configuration. All of this information helps to create the Defender for IoT analytics pipeline.
+
+Defender for IoT analytics pipeline also receives other threat intelligence streams from various sources within Microsoft and Microsoft partners. The Defender for IoT entire analytics pipeline works with every customer configuration made on the service (such as custom alerts and use of the send security message SDK).
+
+Using the analytics pipeline, Defender for IoT combines all of the streams of information to generate actionable recommendations and alerts. The pipeline contains both custom rules created by security researchers and experts as well as machine learning models searching for deviation from standard device behavior and risk analysis.
+
+Defender for IoT recommendations and alerts (analytics pipeline output) is written to the Log Analytics workspace of each customer. Including the raw events in the workspace and the alerts and recommendations enables deep dive investigations and queries using the exact details of the suspicious activities detected.
++
+## Next steps
+
+Check out [Azure Defender for IoT agent frequently asked questions](resources-agent-frequently-asked-questions.md).
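Review bot: the second sentence of the micro agent paragraph is a fragment with a subject-verb agreement error: "Defender for IoT micro agent provides depth security protection and visibility into device behavior. collects, aggregates, and analyze raw security events" should read "... provides in-depth security protection and visibility into device behavior. It collects, aggregates, and analyzes raw security events ...". Same paragraph: "Defender for IoT device agents also handles event aggregation" should be "handle". In the last paragraph, "recommendations and alerts (analytics pipeline output) is written to the Log Analytics workspace" should be "are written".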
defender-for-iot Azure Iot Security Local Configuration C https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/azure-iot-security-local-configuration-c.md
+
+ Title: Security agent local configuration (C)
+description: Learn about Defender for agent local configurations for C.
+ Last updated : 10/08/2020++
+# Understanding the LocalConfiguration.json file - C agent
+
+The Defender for IoT security agent uses configurations from a local configuration file.
+The security agent reads the configuration once, at agent start-up.
+The configuration found in the local configuration file contains authentication configuration and other agent related configurations.
+The file contains configurations in "Key-Value" pairs in JSON notation and the configurations get populated when the agent is installed.
+
+By default, the file is located at: /var/ASCIoTAgent/LocalConfiguration.json
+
+Changes to the configuration file take place when the agent is restarted.
+
+## Security agent configurations for C
+
+| Configuration Name | Possible values | Details |
+|:--|:|:--|
+| AgentId | GUID | The agent Unique identifier |
+| TriggerdEventsInterval | ISO8601 string | Scheduler interval for triggered events collection |
+| ConnectionTimeout | ISO8601 string | Time period before the connection to IoThub gets timed out |
+| Authentication | JsonObject | Authentication configuration. This object contains all the information needed for authentication against IoTHub |
+| Identity | "DPS", "SecurityModule", "Device" | Authentication identity - DPS if authentication is made through DPS, SecurityModule if authentication is made via Defender-IoT-micro-agentcredentials or device if authentication is made with Device credentials |
+| AuthenticationMethod | "SasToken", "SelfSignedCertificate" | the user secret for authentication - Choose SasToken if the use secret is a Symmetric key, choose self-signed certificate if the secret is a self-signed certificate |
+| FilePath | Path to file (string) | Path to the file that contains the authentication secret |
+| HostName | string | The host name of the Azure IoT hub. usually <my-hub>.azure-devices.net |
+| DeviceId | string | The ID of the device (as registered in Azure IoT Hub) |
+| DPS | JsonObject | DPS related configurations |
+| IDScope | string | ID scope of DPS |
+| RegistrationId | string | DPS device registration ID |
+| Logging | JsonObject | Agent logger related configurations |
+| SystemLoggerMinimumSeverity | 0 <= number <= 4 | log messages equal and above this severity will be logged to /var/log/syslog (0 is the lowest severity) |
+| DiagnosticEventMinimumSeverity | 0 <= number <= 4 | log messages equal and above this severity will be sent as diagnostic events (0 is the lowest severity) |
+
+## Security agent configurations code example
+
+```json
+{
+ "Configuration" : {
+ "AgentId" : "b97faf0a-0f57-471f-9dab-46a8e1764946",
+ "TriggerdEventsInterval" : "PT2M",
+ "ConnectionTimeout" : "PT30S",
+ "Authentication" : {
+ "Identity" : "Device",
+ "AuthenticationMethod" : "SasToken",
+ "FilePath" : "/path/to/my/SymmetricKey",
+ "DeviceId" : "my-device",
+ "HostName" : "my-iothub.azure-devices.net",
+ "DPS" : {
+ "IDScope" : "",
+ "RegistrationId" : ""
+ }
+ },
+ "Logging": {
+ "SystemLoggerMinimumSeverity": 0,
+ "DiagnoticEventMinimumSeverity": 2
+ }
+ }
+}
+```
+
+## Next steps
+
+- Read the Defender for IoT service [Overview](overview.md)
+- Learn more about Defender for IoT [Agent-based solution architecture](architecture-agent-based.md)
+- Enable the Defender for IoT [service](quickstart-onboard-iot-hub.md)
+- Read the Defender for IoT service [FAQ](resources-agent-frequently-asked-questions.md)
+- Learn how to access [raw security data](how-to-security-data-access.md)
+- Understand [recommendations](concept-recommendations.md)
+- Understand security [alerts](concept-security-alerts.md)
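Review bot: the delimiter row "|:--|:|:--|" is not valid GitHub-flavored Markdown because the middle cell ":" contains no hyphen, so the whole configuration table may fail to render; use "|:--|:--|:--|". More important for correctness, the table documents the key as DiagnosticEventMinimumSeverity while the example sets "DiagnoticEventMinimumSeverity": 2; since the agent reads these keys by name, a misspelled key is silently ignored and the default severity applies, so both places must use the spelling the agent actually parses (TriggerdEventsInterval is spelled the same way in table and example, so it is presumably the real key, but worth confirming against the agent source). Also, "<my-hub>" in the HostName row is unescaped and will be dropped by Markdown renderers as an unknown HTML tag; put it in backticks. Smaller fixes: "Defender-IoT-micro-agentcredentials" is missing a space, "if the use secret is a Symmetric key" should be "user secret", and the default path /var/ASCIoTAgent/LocalConfiguration.json should be in code font. Missing documentation: the FilePath row says the file contains the authentication secret (a symmetric key or private certificate) but nothing states that the file should be readable only by the account the agent runs as; one sentence on that would help device builders who copy this example.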
defender-for-iot Azure Iot Security Local Configuration Csharp https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/azure-iot-security-local-configuration-csharp.md
+
+ Title: Defender for IoT security agent local configuration (C#)
+description: Learn more about the Defender for IoT security service, security agent local configuration file for C#.
++ Last updated : 10/08/2020++
+# Understanding the local configuration file (C# agent)
+
+The Defender for IoT security agent uses configurations from a local configuration file.
+
+The security agent reads the configuration file once when the agent starts running. Configurations found in the local configuration file contain both authentication configuration and other agent related configurations.
+
+The C# security agent uses multiple configuration files:
+
+- **General.config** - Agent related configurations.
+- **Authentication.config** - Authentication related configuration (including authentication details).
+- **SecurityIotInterface.config** - IoT related configurations.
+
+The configuration files contain the default configuration. Authentication configuration is populated during agent installation and changes to the configuration file are made when the agent is restarted.
+
+## Configuration file location
+
+For Linux:
+
+- Operating system configuration files are located in `/var/ASCIoTAgent`.
+
+For Windows:
+
+- Operating system configuration files are located within the directory of the security agent.
+
+### General.config configurations
+
+| Configuration Name | Possible values | Details |
+|:--|:|:--|
+| agentId | GUID | Agent unique identifier |
+| readRemoteConfigurationTimeout | TimeSpan | Time period for fetching remote configuration from IoT Hub. If the agent can't fetch the configuration within the specified time, the operation will time out.|
+| schedulerInterval | TimeSpan | Internal scheduler interval. |
+| producerInterval | TimeSpan | Event producer worker interval. |
+| consumerInterval | TimeSpan | Event consumer worker interval. |
+| highPriorityQueueSizePercentage | 0 < number < 1 | The portion of total cache dedicated for high priority messages. |
+| logLevel | "Off", "Fatal", "Error", "Warning", "Information", "Debug" | Log messages equal and above this severity are logged to debug console (Syslog in Linux). |
+| fileLogLevel | "Off", "Fatal", "Error", "Warning", "Information", "Debug"| Log messages equal and above this severity are logged to file (Syslog in Linux). |
+| diagnosticVerbosityLevel | "None", "Some", "All", | Verbosity level of diagnostic events. None - diagnostic events are not sent. Some - Only diagnostic events with high importance are sent. All - all logs are also sent as diagnostic events. |
+| logFilePath | Path to file | If fileLogLevel > Off, logs are written to this file. |
+| defaultEventPriority | "High", "Low", "Off" | Default event priority. |
+
+### General.config example
+
+```xml
+<?xml version="1.0" encoding="utf-8"?>
+<General>
+ <add key="agentId" value="da00006c-dae9-4273-9abc-bcb7b7b4a987" />
+ <add key="readRemoteConfigurationTimeout" value="00:00:30" />
+ <add key="schedulerInterval" value="00:00:01" />
+ <add key="producerInterval" value="00:02:00" />
+ <add key="consumerInterval" value="00:02:00" />
+ <add key="highPriorityQueueSizePercentage" value="0.5" />
+ <add key="logLevel" value="Information" />
+ <add key="fileLogLevel" value="Off"/>
+ <add key="diagnosticVerbosityLevel" value="Some" />
+ <add key="logFilePath" value="IotAgentLog.log" />
+ <add key="defaultEventPriority" value="Low"/>
+</General>
+```
+
+### Authentication.config
+
+| Configuration name | Possible values | Details |
+|:--|:|:--|
+| moduleName | string | Name of the Defender-IoT-micro-agent identity. This name must correspond to the module identity name in the device. |
+| deviceId | string | ID of the device (as registered in Azure IoT Hub). |
+| schedulerInterval | TimeSpan string | Internal scheduler interval. |
+| gatewayHostname | string | Host name of the Azure Iot Hub. Usually <my-hub>.azure-devices.net |
+| filePath | string - path to file | Path to the file that contains the authentication secret.|
+| type | "SymmetricKey", "SelfSignedCertificate" | The user secret for authentication. Choose *SymmetricKey* if the user secret is a Symmetric key, choose *self-signed certificate* if the secret is a self-signed certificate. |
+| identity | "DPS", "Module", "Device" | Authentication identity - DPS if authentication is made through DPS, Module if authentication is made using module credentials, or device if authentication is made using device credentials.
+| certificateLocationKind | "LocalFile", "Store" | LocalFile if the certificate is stored in a file, store if the certificate is located in a certificate store. |
+| idScope | string | ID scope of DPS |
+| registrationId | string | DPS device registration ID. |
+|
+
+### Authentication.config example
+
+```xml
+<?xml version="1.0" encoding="utf-8"?>
+<Authentication>
+ <add key="moduleName" value="azureiotsecurity"/>
+ <add key="deviceId" value="d1"/>
+ <add key="gatewayHostname" value=""/>
+ <add key="filePath" value="c:\p-dps-d1.pfx"/>
+ <add key="type" value="SelfSignedCertificate" /> <!-- SymmetricKey, SelfSignedCertificate-->
+ <add key="identity" value="DPS" /> <!-- Device, Module, DPS -->
+ <add key="certificateLocationKind" value="LocalFile" /> <!-- LocalFile, Store -->
+ <add key="idScope" value="0ne0005335B"/>
+ <add key="registrationId" value="d1"/>
+</Authentication>
+```
+
+### SecurityIotInterface.config
+
+| Configuration Name | Possible values | Details |
+|:--|:|:--|
+| transportType | "Ampq" "Mqtt" | IoT Hub transport type. |
+|
+
+### SecurityIotInterface.config example
+
+```xml
+<ExternalInterface>
+ <add key="facadeType" value="Microsoft.Azure.Security.IoT.Agent.Common.SecurityIoTHubInterface, Security.Common" />
+ <add key="transportType" value="Amqp"/>
+</ExternalInterface>
+```
+
+## Next steps
+
+- Read the Defender for IoT service [Overview](overview.md)
+- Learn more about Defender for IoT [Agent-based solution architecture](architecture-agent-based.md)
+- Enable the Defender for IoT [service](quickstart-onboard-iot-hub.md)
+- Read the Defender for IoT service [FAQ](resources-agent-frequently-asked-questions.md)
+- Learn how to access [raw security data](how-to-security-data-access.md)
+- Understand [recommendations](concept-recommendations.md)
+- Understand security [alerts](concept-security-alerts.md)
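Review bot: the SecurityIotInterface.config table lists `transportType` as "Ampq" "Mqtt" while the example below it sets `value="Amqp"`; the table value is a typo and should read "Amqp", with a comma between the two options as in the other tables. The same file leaves stray `|` lines after the Authentication.config and SecurityIotInterface.config tables and a trailing comma in `"None", "Some", "All",`, which render as an empty row and a dangling separator. In the Authentication.config table the `type` row describes the second option as *self-signed certificate* but the literal value is "SelfSignedCertificate"; quote the value users must type. Since `filePath` points at the file holding the authentication secret (the example uses a `.pfx`), consider adding a sentence on restricting that file's permissions to the account the agent runs under.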
defender-for-iot Azure Rtos Security Module Api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/azure-rtos-security-module-api.md
+
+ Title: Defender-IoT-micro-agent for Azure RTOS API
+description: Reference API for the Defender-IoT-micro-agent for Azure RTOS.
+ Last updated : 09/07/2020++++
+# Defender-IoT-micro-agent for Azure RTOS API (preview)
+
+This API is intended for use with the Defender-IoT-micro-agent for Azure RTOS only. For additional resources, see the [Defender-IoT-micro-agent for Azure RTOS GitHub resource](https://github.com/azure-rtos/azure-iot-preview/releases).
+
+## Enable Defender-IoT-micro-agent for Azure RTOS
+
+**nx_azure_iot_security_module_enable**
+
+### Prototype
+
+```c
+UINT nx_azure_iot_security_module_enable(NX_AZURE_IOT *nx_azure_iot_ptr);
+```
+
+### Description
+
+This routine enables the Azure IoT Defender-IoT-micro-agent subsystem. An internal state machine manages collection of security events and sends them to Azure IoT Hub. Only one NX_AZURE_IOT_SECURITY_MODULE instance is required and needed to manage data collection.
+
+### Parameters
+
+| Name | Description |
+|||
+| nx_azure_iot_ptr [in] | A pointer to a `NX_AZURE_IOT`. |
+
+### Return values
+
+|Return values |Description |
+|||
+|NX_AZURE_IOT_SUCCESS| Successfully enabled Azure IoT Security Module. |
+|NX_AZURE_IOT_FAILURE | Failed to enable the Azure IoT Security Module due to an internal error. |
+|NX_AZURE_IOT_INVALID_PARAMETER | Security module requires a valid #NX_AZURE_IOT instance. |
+
+### Allowed from
+
+Threads
+
+## Disable Azure IoT Defender-IoT-micro-agent
+
+**nx_azure_iot_security_module_disable**
++
+### Prototype
+
+```c
+UINT nx_azure_iot_security_module_disable(NX_AZURE_IOT *nx_azure_iot_ptr);
+```
+
+### Description
+
+This routine disables the Azure IoT Defender-IoT-micro-agent subsystem.
+
+### Parameters
+
+| Name | Description |
+|||
+| nx_azure_iot_ptr [in] | A pointer to `NX_AZURE_IOT`. If NULL the singleton instance is disabled. |
+
+### Return values
+
+|Return values |Description |
+|||
+|NX_AZURE_IOT_SUCCESS | Successful when the Azure IoT Security Module is successfully disabled. |
+|NX_AZURE_IOT_INVALID_PARAMETER | Azure IoT Hub instance is different than the singleton composite instance. |
+|NX_AZURE_IOT_FAILURE | Failed to disable the Azure IoT Security Module due to an internal error. |
+
+### Allowed from
+
+Threads
++
+## Next steps
+
+To learn more about how to get started with Azure RTOS Defender-IoT-micro-agent, see the following articles:
+
+- Review the Defender for IoT RTOS Defender-IoT-micro-agent [overview](iot-security-azure-rtos.md).
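Review bot: the enable return-value table has `#NX_AZURE_IOT` with a stray Doxygen `#` that will render literally; drop it or write `NX_AZURE_IOT` in code font. The description "Only one NX_AZURE_IOT_SECURITY_MODULE instance is required and needed" is redundant; "Only one instance is needed" suffices. The two `++` lines before the disable Prototype and before Next steps look like leftover image or metadata markers and should be removed or replaced with the intended content. The return tables alternate between "Azure IoT Security Module" and the article's "Defender-IoT-micro-agent" naming; pick one.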
defender-for-iot Concept Agent Portfolio Overview Os Support https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/concept-agent-portfolio-overview-os-support.md
+
+ Title: Agent portfolio overview and OS support (Preview)
+description: Azure Defender for IoT provides a large portfolio of agents based on the device type.
Last updated : 05/02/2021+++
+# Agent portfolio overview and OS support (Preview)
+
+Azure Defender for IoT provides a large portfolio of agents based on the device type.
+
+## Standalone agent
+
+The standalone agent covers most of the Linux Operating Systems (OS), which can be deployed as a binary package or as a source code that can be incorporated as part of the firmware and allow modification and customization based on customer needs. The following are some examples of supported OS:
+
+| Operating system | AMD64 | ARM32v7 |
+|--|--|--|
+| Debian 9 | Γ£ô | Γ£ô |
+| Ubuntu 18.04 | Γ£ô | |
+| Ubuntu 20.04 | Γ£ô | |
+
+For more information, supported operating systems, or to request access to the source code so you can incorporate it as a part of the device's firmware, contact your account manager, or send an email to <defender_micro_agent@microsoft.com>.
+
+## Azure RTOS micro agent
+
+The Azure Defender for IoT micro agent provides a comprehensive and lightweight security solution for devices that use Azure RTOS. Azure Defender for IoT micro agent provides coverage for common threats, and potential malicious activities on real-time operating system (RTOS) devices. The micro agent comes built in as part of the Azure RTOS NetX Duo component, and monitors the device's network activity.
+
+The Azure Defender for IoT micro agent comes built in as part of the Azure RTOS NetX Duo component, and monitors the device's network activity. The micro agent consists of a comprehensive and lightweight security solution that provides coverage for common threats, and potential malicious activities on a real-time operating system (RTOS) devices.
+
+## Next steps
+
+Learn more about the [Standalone micro agent overview (Preview)](concept-standalone-micro-agent-overview.md).
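Review bot: the check marks in the OS support table are mis-encoded as `Γ£ô` (a UTF-8 check mark read as code page 437); re-save the file as UTF-8 so the marks render. The two paragraphs under "Azure RTOS micro agent" say the same thing twice (built into NetX Duo, monitors network activity, covers common threats); keep one. Also "on a real-time operating system (RTOS) devices" should drop the "a".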
defender-for-iot Concept Baseline https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/concept-baseline.md
+
+ Title: Baseline and custom checks
+description: Learn about the concept of Azure Defender for IoT baseline.
+ Last updated : 10/07/2019++
+# Azure Defender for IoT baseline and custom checks
+
+This article explains Defender for IoT baseline, and summarizes all associated properties of baseline custom checks.
+
+## Baseline
+
+A baseline establishes standard behavior for each device and makes it easier to establish unusual behavior or deviation from expected norms.
+
+## Baseline custom checks
+
+Baseline custom checks establish a custom list of checks for each device baseline using the **Module identity twin** of the device.
+
+## Setting baseline properties
+
+1. In your IoT Hub, locate and select the device you wish to change.
+
+1. Click on the device, and then click the **azureiotsecurity** module.
+
+1. Click **Module Identity Twin**.
+
+1. Upload the **baseline custom checks** file to the device.
+
+1. Add baseline properties to the Defender-IoT-micro-agent and click **Save**.
+
+### Baseline custom check file example
+
+To configure baseline custom checks:
+
+ ```json
+ "desired": {
+ "ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration": {
+ "baselineCustomChecksEnabled": {
+ "value" : true
+ },
+ "baselineCustomChecksFilePath": {
+ "value" : "/home/user/full_path.xml"
+ },
+ "baselineCustomChecksFileHash": {
+ "value" : "#hashexample!"
+ }
+ }
+ },
+ ```
+
+## Baseline custom check properties
+
+| Name| Status | Valid values| Default values| Description |
+||--||--|--|
+|baselineCustomChecksEnabled|Required: true |Valid values: **Boolean** |Default value: **false** |Max time interval before high priority messages is sent.|
+|baselineCustomChecksFilePath |Required: true|Valid values: **String**, **null** |Default value: **null** |Full path of the baseline xml configuration|
+|baselineCustomChecksFileHash |Required: true|Valid values: **String**, **null** |Default value: **null** |`sha256sum` of the xml configuration file. Use the [sha256sum reference](https://linux.die.net/man/1/sha256sum) for additional information. |
+
+To review additional baseline examples, see [custom baseline example -1](https://ascforiot.blob.core.windows.net/public/custom_baseline_example_hyperv_ubuntu1804.xml) and [custom baseline example -2](https://ascforiot.blob.core.windows.net/public/oms_audits.xml).
+
+## Next steps
+
+- Access your [raw security data](how-to-security-data-access.md)
+- [Investigate a device](how-to-investigate-device.md)
+- Understand and explore [security recommendations](concept-recommendations.md)
+- Understand and explore [security alerts](concept-security-alerts.md)
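Review bot: the description of `baselineCustomChecksEnabled` in the properties table reads "Max time interval before high priority messages is sent", which belongs to a different property; it should say that the setting enables baseline custom checks. The JSON example is indented inside the fence and ends with a trailing `},`, so it is a fragment of the module twin rather than valid JSON; either show the enclosing `"properties": { ... }` or drop the trailing comma and state that it is a fragment. Steps 1 and 2 of "Setting baseline properties" both select the device; merge them. Since `baselineCustomChecksFileHash` is what lets the agent check the file it loads, it is worth stating that the hash must be recomputed whenever the XML changes and what the agent does on a mismatch.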
defender-for-iot Concept Customizable Security Alerts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/concept-customizable-security-alerts.md
+
+ Title: Custom security alerts for IoT Hub
+description: Learn about customizable security alerts and recommended remediation using Defender for IoT Hub's features and service.
+ Last updated : 2/16/2021++
+# Defender for IoT Hub custom security alerts
+
+Defender for IoT continuously analyzes your IoT solution using advanced analytics and threat intelligence to alert you to malicious activity.
+
+We encourage you to create custom alerts based on your knowledge of expected device behavior to ensure alerts act as the most efficient indicators of potential compromise in your unique organizational deployment and landscape.
+
+The following lists of Defender for IoT alerts are definable by you based on your expected IoT Hub behavior. For more information about how to customize each alert, see [create custom alerts](quickstart-create-custom-alerts.md).
+
+## Built-in custom alerts in the IoT Hub
+
+| Severity | Alert name | Data source | Description | Suggested remediation |
+|--|--|--|--|--|
+| Low | Custom alert - The number of cloud to device messages in AMQP protocol is outside the allowed range | IoT Hub | The number of cloud to device messages (AMQP protocol) within a specific time window is outside the currently configured and allowable range. | |
+| Low | Custom alert - The number of rejected cloud to device messages in AMQP protocol is outside the allowed range | IoT Hub | The number of cloud to device messages (AMQP protocol) rejected by the device, within a specific time window is outside the currently configured and allowable range. | |
+| Low | Custom alert - The number of device to cloud messages in AMQP protocol is outside the allowed range | IoT Hub | The amount of device to cloud messages (AMQP protocol) within a specific time window is outside the currently configured and allowable range. | |
+| Low | Custom alert - The number of direct method invokes is outside the allowed range | IoT Hub | The amount of direct method invokes within a specific time window is outside the currently configured and allowable range. | |
+| Low | Custom alert - The number of file uploads is outside the allowed range | IoT Hub | The amount of file uploads within a specific time window is outside the currently configured and allowable range. | |
+| Low | Custom alert - The number of cloud to device messages in HTTP protocol is outside the allowed range | IoT Hub | The amount of cloud to device messages (HTTP protocol) in a time window is not in the configured allowed range |
+| Low | Custom alert - The number of rejected cloud to device messages in HTTP protocol is not in the allowed range | IoT Hub | The amount of cloud to device messages (HTTP protocol) within a specific time window is outside the currently configured and allowable range. |
+| Low | Custom alert - The number of device to cloud messages in HTTP protocol is outside the allowed range | IoT Hub | The amount of device to cloud messages (HTTP protocol) within a specific time window is outside the currently configured and allowable range. | |
+| Low | Custom alert - The number of cloud to device messages in MQTT protocol is outside the allowed range | IoT Hub | The amount of cloud to device messages (MQTT protocol) within a specific time window is outside the currently configured and allowable range. | |
+| Low | Custom alert - The number of rejected cloud to device messages in MQTT protocol is outside the allowed range | IoT Hub | The amount of cloud to device messages (MQTT protocol) rejected by the device within a specific time window is outside the currently configured and allowable range. |
+| Low | Custom alert - The number of device to cloud messages in MQTT protocol is outside the allowed range | IoT Hub | The amount of device to cloud messages (MQTT protocol) within a specific time window is outside the currently configured and allowable range. |
+| Low | Custom alert - The number of command queue purges that are outside of the allowed range | IoT Hub | The amount of command queue purges within a specific time window is outside the currently configured and allowable range. | |
+| Low | Custom alert - The number of module twin updates is outside the allowed range | IoT Hub | The amount of module twin updates within a specific time window is outside the currently configured and allowable range. |
+| Low | Custom alert - The number of unauthorized operations is outside the allowed range | IoT Hub | The amount of unauthorized operations within a specific time window is outside the currently configured and allowable range. |
+
+## Next steps
+
+- Learn how to [customize an alert](quickstart-create-custom-alerts.md)
+- Defender for IoT service [Overview](overview.md)
+- Learn how to [Access your security data](how-to-security-data-access.md)
+- Learn more about [Investigating a device](how-to-investigate-device.md)
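Review bot: the rows for HTTP cloud to device, rejected HTTP, rejected MQTT, MQTT device to cloud, module twin updates and unauthorized operations end after the Description cell and lack the empty Suggested remediation cell, so the table is ragged; add `| |` to each. The rejected-HTTP row's description drops the "rejected by the device" qualifier that the AMQP and MQTT rejected rows carry, and the rows alternate between "The number of" and "The amount of"; use "number" consistently since these are counts.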
defender-for-iot Concept Event Aggregation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/concept-event-aggregation.md
+
+ Title: Event aggregation (Preview)
+description: Defender for IoT security agents collects data and system events from your local device, and sends the data to the Azure cloud for processing, and analytics.
Last updated : 1/20/2021+++
+# Event aggregation (Preview)
+
+Defender for IoT security agents collects data and system events from your local device, and sends the data to the Azure cloud for processing, and analytics. The Defender for IoT micro agent collects many types of device events including new processes, and all new connection events. Both the new process, and new connection events may occur frequently on a device within a second. This ability is important for comprehensive security, however, the number of messages security agents send may quickly meet, or exceed your IoT Hub quota and cost limits. Nevertheless, these events contain highly valuable security information that is crucial to protecting your device.
+
+To reduce the extra quota, and costs while keeping your devices protected, Defender for IoT agents aggregates these types of events:
+
+- ProcessCreate (Linux only)
+
+- ConnectionCreate (Azure RTOS only)
+
+## How does event aggregation work?
+
+Defender for IoT agents aggregate events for the interval period, or time window. Once the interval period has passed, the agent sends the aggregated events to the Azure cloud for further analysis. The aggregated events are stored in memory until being sent to the Azure cloud.
+
+When the agent collects an identical event to one that is already kept in memory, the agent increases the hit count of this specific event, in order to reduce the memory footprint of the agent. When the aggregation time window passes, the agent sends the hit count of each type of event that occurred. Event aggregation is simply the aggregation of the hit counts of each collected type of event.
+
+## Process events
+
+Process events are currently only supported on Linux operating systems.
+
+Process events are considered identical when the *command line*, and *userid* are identical.
+
+The default buffer for process events is 32 processes, after which the buffer will cycle, and the oldest process events are discarded in order to make room for new process events.
+
+## Network Connection events
+
+Network Connection events are currently only supported on Azure RTOS.
+
+Network Connection events are considered identical when the *local port*, *remote port*, *transport protocol*, *local address*, and *remote address* are identical.
+
+The default buffer for network connection events is 64. No new network events will be cached until the next collection cycle. A warning to increase the cache size will be logged.
+
+## Next steps
+
+Check your [Defender for IoT security alerts](concept-security-alerts.md).
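Review bot: the two buffer paragraphs describe different overflow behaviour without saying so: process events cycle and discard the oldest, while network events stop being cached once the 64-entry buffer is full until the next collection cycle. Make the network paragraph explicit that "No new network events will be cached" applies only once the buffer is full, that events beyond it are dropped for that window (a coverage gap on a device under a connection burst), and that the logged warning is the signal to raise the cache size. Also "security agents collects" should be "agents collect", and "Nevertheless" in the intro reads as a contradiction where "At the same time" is meant.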
defender-for-iot Concept Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/concept-recommendations.md
+
+ Title: Security recommendations for IoT Hub
+description: Learn about the concept of security recommendations and how they are used in the Defender for IoT Hub.
+ Last updated : 02/16/2021++
+# Security recommendations for IoT Hub
+
+Defender for IoT scans your Azure resources and IoT devices and provides security recommendations to reduce your attack surface.
+Security recommendations are actionable and aim to aid customers in complying with security best practices.
+
+In this article, you will find a list of recommendations, which can be triggered on your IoT Hub.
+
+## Built in recommendations in IoT Hub
+
+Recommendation alerts provide insight and suggestions for actions to improve the security posture of your environment.
+
+| Severity | Name | Data Source | Description |
+|--|--|--|--|
+| High | Identical authentication credentials used by multiple devices | IoT Hub | IoT Hub authentication credentials are used by multiple devices. This process may indicate an illegitimate device impersonating a legitimate device. Duplicate credential use increases the risk of device impersonation by a malicious actor. |
+| Medium | Default IP filter policy should be deny | IoT Hub | IP filter configuration should have rules defined for allowed traffic, and should by default, deny all other traffic by default. |
+| Medium | IP filter rule includes large IP range | IoT Hub | An allow IP filter rule source IP range is too large. Overly permissive rules can expose your IoT hub to malicious actors. |
+| Low | Enable diagnostics logs in IoT Hub | IoT Hub | Enable logs and retain them for up to a year. Retaining logs enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. |
+
+## Next steps
+
+- Defender for IoT service [Overview](overview.md)
+- Learn how to [Access your security data](how-to-security-data-access.md)
+- Learn more about [Investigating a device](how-to-investigate-device.md)
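Review bot: the "Default IP filter policy should be deny" description says "should by default, deny all other traffic by default"; drop one "by default". In the identical-credentials row, "This process may indicate" has no antecedent; "Shared credentials may indicate" reads correctly.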
defender-for-iot Concept Rtos Security Alerts Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/concept-rtos-security-alerts-recommendations.md
+
+ Title: Defender-IoT-micro-agent for Azure RTOS built-in & customizable alerts and recommendations
+description: Learn about security alerts and recommended remediation using the Azure IoT Defender-IoT-micro-agent -RTOS.
+ Last updated : 09/07/2020++
+# Defender-IoT-micro-agent for Azure RTOS security alerts and recommendations (preview)
+
+Defender-IoT-micro-agent for Azure RTOS continuously analyzes your IoT solution using advanced analytics and threat intelligence to alert you to potential malicious activity and suspicious system modifications. You can also create custom alerts based on your knowledge of expected device behavior and baselines.
+
+A Defender-IoT-micro-agent for Azure RTOS alert acts as an indicator of potential compromise, and should be investigated and remediated. A Defender-IoT-micro-agent for Azure RTOS recommendation identifies weak security posture to be remediated and updated.
+
+In this article, you'll find a list of built-in alerts and recommendations that are triggered based on the default ranges, and customizable with your own values, based on expected or baseline behavior.
+
+For more information on how alert customization works in the Defender for IoT service, see [customizable alerts](concept-customizable-security-alerts.md). The specific alerts and recommendations available for customization when using the Defender-IoT-micro-agent for Azure RTOS are detailed in the following tables.
+
+## Defender-IoT-micro-agent for Azure RTOS supported security alerts
+
+### Device-related security alerts
+
+|Device-related security alert activity |Alert name |
+|||
+|IP address| Communication with a suspicious IP address detected|
+|X.509 device certificate thumbprint|X.509 device certificate thumbprint mismatch|
+|X.509 certificate| X.509 certificate expired|
+|SAS Token| Expired SAS Token|
+|SAS Token| Invalid SAS Token signature|
+
+### IoT Hub-related security alerts
+
+|IoT Hub security alert activity |Alert name |
+|||
+|Add a certificate | Detected unsuccessful attempt to add a certificate to an IoT Hub |
+|Addition or editing of a diagnostic setting | Detected an attempt to add or edit a diagnostic setting of an IoT Hub |
+|Delete a certificate | Detected unsuccessful attempt to delete a certificate from an IoT Hub |
+|Delete a diagnostic setting | Detected attempt to delete a diagnostic setting from an IoT Hub |
+|Deleted certificate | Detected deletion of a certificate from an IoT Hub |
+|New certificate | Detected addition of new certificate to an IoT Hub |
+
+## Defender-IoT-micro-agent for Azure RTOS supported customizable alerts
+
+### Device related customizable alerts
+
+|Device related activity |Alert name |
+|||
+|Active connections|Number of active connections is not in the allowed range|
+|Cloud to device messages in **MQTT** protocol|Number of cloud to device messages in **MQTT** protocol is not in the allowed range|
+|Outbound connection| Outbound connection to an IP that isn't allowed|
+
+### Hub related customizable alerts
+
+|Hub related activity |Alert name |
+|||
+|Command queue purges | Number of command queue purges outside the allowed range |
+|Cloud to device messages in **MQTT** protocol | Number of Cloud to device messages in **MQTT** protocol outside the allowed range |
+|Device to cloud messages in **MQTT** protocol | Number of device to cloud messages in **MQTT** protocol outside the allowed range |
+|Direct method invokes | Number of direct method invokes outside the allowed range |
+|Rejected cloud to device messages in **MQTT** protocol | Number of rejected cloud to device messages in **MQTT** protocol outside the allowed range |
+|Updates to twin modules | Number of updates to twin modules outside the allowed range |
+|Unauthorized operations | Number of unauthorized operations outside the allowed range |
+
+## Defender-IoT-micro-agent for Azure RTOS supported recommendations
+
+### Device-related recommendations
+
+|Device-related activity |Recommendation name |
+|||
+|Authentication credentials | Identical authentication credentials used by multiple devices |
+
+### Hub-related recommendations
+
+|IoT Hub-related activity |Recommendation name |
+|||
+|IP filter policy | The Default IP filter policy should be set to **deny** |
+|IP filter rule| IP filter rule includes a large IP range|
+|Diagnostics logs|Suggestion to enable diagnostics logs in IoT Hub|
+
+### All Defender for IoT alerts and recommendations
+
+For a complete list of all Defender for IoT service related alerts and recommendations, see IoT [security alerts](concept-security-alerts.md), IoT security [recommendations](concept-recommendations.md).
+
+## Next steps
+
+- [Quickstart: Defender-IoT-micro-agent for Azure RTOS](quickstart-azure-rtos-security-module.md)
+- [Configure and customize Defender-IoT-micro-agent for Azure RTOS](how-to-azure-rtos-security-module.md)
+- Refer to the [Defender-IoT-micro-agent for Azure RTOS API](azure-rtos-security-module-api.md)
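Review bot: the closing sentence "see IoT [security alerts](...), IoT security [recommendations](...)" is missing "and" between the two links. In the metadata description, "Defender-IoT-micro-agent -RTOS" should match the title's "Defender-IoT-micro-agent for Azure RTOS".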
defender-for-iot Concept Rtos Security Module https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/concept-rtos-security-module.md
+
+ Title: Conceptual explanation of the basics of the Defender-IoT-micro-agent for Azure RTOS
+description: Learn the basics about the Defender-IoT-micro-agent for Azure RTOS concepts and workflow.
+ Last updated : 09/09/2020++
+# Defender-IoT-micro-agent for Azure RTOS (preview)
+
+Use this article to get a better understanding of the Defender-IoT-micro-agent for Azure RTOS, including features and benefits as well as links to relevant configuration and reference resources.
+
+## Azure RTOS IoT Defender-IoT-micro-agent
+
+Defender-IoT-micro-agent for Azure RTOS provides a comprehensive security solution for Azure RTOS devices as part of the NetX Duo offering. Within the NetX Duo offering, Azure RTOS ships with the Azure IoT Defender-IoT-micro-agent built-in, and provides coverage for common threats on your real-time operating system devices once activated.
+
+The Defender-IoT-micro-agent for Azure RTOS runs in the background, and provides a seamless user experience, while sending security messages using each customer's unique connections to their IoT Hub. The Defender-IoT-micro-agent for Azure RTOS is enabled by default.
+
+## Azure RTOS NetX Duo
+
+Azure RTOS NetX Duo is an advanced, industrial-grade TCP/IP network stack designed specifically for deeply embedded real-time and IoT applications. Azure RTOS NetX Duo is a dual IPv4 and IPv6 network stack providing a rich set of protocols, including security and cloud. Learn more about [Azure RTOS NetX Duo](/azure/rtos/netx-duo/) solutions.
+
+The module offers the following features:
+
+- **Detect malicious network activities**
+- **Device behavior baselines based on custom alerts**
+- **Improve device security hygiene**
+
+## Defender-IoT-micro-agent for Azure RTOS architecture
+
+The Defender-IoT-micro-agent for Azure RTOS is initialized by the Azure IoT middleware platform and uses IoT Hub clients to send security telemetry to the Hub.
++
+The Defender-IoT-micro-agent for Azure RTOS monitors the following device activity and information using three collectors:
+- Device network activity **TCP**, **UDP**, and **ICM**
+- System information as **Threadx** and **NetX Duo** versions
+- Heartbeat events
+
+Each collector is linked to a priority group and each priority group has its own interval with possible values of **Low**, **Medium**, and **High**. The intervals affect the time interval in which the data is collected and sent.
+
+Each time interval is configurable and the IoT connectors can be enabled and disabled in order to further [customize your solution](how-to-azure-rtos-security-module.md).
+
+## Supported security alerts and recommendations
+
+The Defender-IoT-micro-agent for Azure RTOS supports specific security alerts and recommendations. Make sure to [review and customize the relevant alert and recommendation values](concept-rtos-security-alerts-recommendations.md) for your service after completing the initial configuration.
+
+## Ready to begin?
+
+Defender-IoT-micro-agent for Azure RTOS is provided as a free download for your IoT devices. The Defender for IoT cloud service is available with a 30-day trial per Azure subscription. [Download the Defender-IoT-micro-agent now](https://github.com/azure-rtos/azure-iot-preview/releases) and let's get started.
+
+## Next steps
+
+- Get started with Defender-IoT-micro-agent for Azure RTOS [prerequisites and setup](quickstart-azure-rtos-security-module.md).
+- Learn more about Defender-IoT-micro-agent for Azure RTOS [security alerts and recommendation support](concept-rtos-security-alerts-recommendations.md).
+- Use the Defender-IoT-micro-agent for Azure RTOS [reference API](azure-rtos-security-module-api.md).
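Review bot: the collector list says device network activity covers **TCP**, **UDP**, and **ICM**; this is almost certainly ICMP and should be corrected, since readers will search for the protocol name. "System information as **Threadx**" should read "such as **ThreadX**". The lone `+` line after the architecture paragraph looks like a removed image reference; restore the diagram or delete the line. The customization paragraph says "IoT connectors can be enabled and disabled" where the preceding text calls them collectors; use one term.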
defender-for-iot Concept Security Agent Authentication Methods https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/concept-security-agent-authentication-methods.md
+
+ Title: Security agent authentication methods
+description: Learn about the different authentication methods available when using the Defender for IoT service.
+ Last updated : 01/24/2021++
+# Security agent authentication methods
+
+This article explains the different authentication methods you can use with the AzureIoTSecurity agent to authenticate with the IoT Hub.
+
+For each device onboarded to Defender for IoT in the IoT Hub, a Defender-IoT-micro-agent is required. To authenticate the device, Defender for IoT can use one of two methods. Choose the method that works best for your existing IoT solution.
+
+- SecurityModule option
+- Device option
+
+## Authentication methods
+
+The two methods for the Defender for IoT AzureIoTSecurity agent to perform authentication:
+
+- **Defender-IoT-micro-agent** authentication mode<br>
+The agent is authenticated using the Defender-IoT-micro-agent identity independently of the device identity.
+Use this authentication type if you would like the security agent to use a dedicated authentication method through Defender-IoT-micro-agent (symmetric key only).
+
+- **Device** authentication mode<br>
+In this method, the security agent first authenticates with the device identity. After the initial authentication, the Defender for IoT agent performs a **REST** call to the IoT Hub using the REST API with the authentication data of the device. The Defender for IoT agent then requests the Defender-IoT-micro-agent authentication method and data from the IoT Hub. In the final step, the Defender for IoT agent performs an authentication against the Defender for IoT module.
+
+Use this authentication type if you would like the security agent to reuse an existing device authentication method (self-signed certificate or symmetric key).
+
+See [Security agent installation parameters](#security-agent-installation-parameters) to learn how to configure.
+
+## Authentication methods known limitations
+
+- **SecurityModule** authentication mode only supports symmetric key authentication.
+- CA-Signed certificate is not supported by **Device** authentication mode.
+
+## Security agent installation parameters
+
+When [deploying a security agent](how-to-deploy-agent.md), authentication details must be provided as arguments.
+These arguments are documented in the following table.
+
+|Linux Parameter Name | Windows Parameter Name | Shorthand Parameter |Description|Options|
+||||||
+|authentication-identity|AuthenticationIdentity|aui|Authentication identity| **SecurityModule** or **Device**|
+|authentication-method|AuthenticationMethod|aum|Authentication method|**SymmetricKey** or **SelfSignedCertificate**|
+|file-path|FilePath|f|Absolute full path for the file containing the certificate or the symmetric key| |
+|host-name|HostName|hn|FQDN of the IoT Hub|Example: ContosoIotHub.azure-devices.net|
+|device-id|DeviceId|di|Device ID|Example: MyDevice1|
+|certificate-location-kind|CertificateLocationKind|cl|Certificate storage location|**LocalFile** or **Store**|
+|
+
+When using the install security agent script, the following configuration is performed automatically. To edit the security agent authentication manually, edit the config file.
+
+## Change authentication method after deployment
+
+When deploying a security agent with an installation script, a configuration file is automatically created.
+
+To change authentication methods after deployment, manual editing of the configuration file is required.
+
+### C#-based security agent
+
+Edit _Authentication.config_ with the following parameters:
+
+```xml
+<Authentication>
+ <add key="deviceId" value=""/>
+ <add key="gatewayHostname" value=""/>
+ <add key="filePath" value=""/>
+ <add key="type" value=""/>
+ <add key="identity" value=""/>
+ <add key="certificateLocationKind" value="" />
+</Authentication>
+```
+
+### C-based security agent
+
+Edit _LocalConfiguration.json_ with the following parameters:
+
+```json
+"Authentication" : {
+ "Identity" : "",
+ "AuthenticationMethod" : "",
+ "FilePath" : "",
+ "DeviceId" : "",
+ "HostName" : ""
+}
+```
+
+## See also
+
+- [Security agents overview](security-agent-architecture.md)
+- [Deploy security agent](how-to-deploy-agent.md)
+- [Access raw security data](how-to-security-data-access.md)
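Review bot: The delimiter row under the installation-parameter table (`||||||`, directly after the `|Linux Parameter Name | Windows Parameter Name | ...` header) contains no hyphens, so Markdown will not render it as a table; it needs `|--|--|--|--|--|`, and the stray `|` line after the `certificate-location-kind` row should go. Two consistency gaps in the same region: the first mode is introduced as **Defender-IoT-micro-agent** authentication mode, but the limitations list and the `authentication-identity` options call it **SecurityModule**, so the page should state once that these name the same value; and the `Authentication.config` keys `type`, `identity` and `gatewayHostname` are never mapped to the table's `authentication-method`, `authentication-identity` and `host-name` parameters, nor are their accepted values listed, so someone editing the file by hand after deployment cannot tell which value belongs in which key (the `LocalConfiguration.json` block also lacks a `certificateLocationKind` entry, which is worth a sentence if that is intentional for the C agent). Since `file-path` points at the file holding the symmetric key or private certificate, a line on restricting that file's permissions to the account the agent runs as would be a useful addition to the table.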
defender-for-iot Concept Security Agent Authentication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/concept-security-agent-authentication.md
+
+ Title: Security agent authentication (Preview)
+description: Perform micro agent authentication with two possible methods.
Last updated : 1/20/2021+++
+# Micro agent authentication methods (Preview)
+
+There are two options for authentication with the Defender for IoT Micro Agent:
+
+- Connection string
+
+- Certificate
+
+## Authentication using a connection string
+
+In order to use a connection string, you need to add a file that uses the connection string encoded in utf-8 in the defender agent directory in a file named `connection_string.txt`. For example,
+
+```azurecli
+echo ΓÇ£<connection string>ΓÇ¥ > connection_string.txt
+```
+
+Once you have done that, you should then restart the service using this command.
+
+```azurecli
+sudo systemctl restart defender-iot-micro-agent.service
+```
+
+## Authentication using a certificate
++
+To perform authentication using a certificate:
+
+1. Place the PEM-encoded public part of a certificate into the defender agent directory, in a file called `certificate_public.pem`.
+1. Place the PEM-encoded private key, into the defender agent directory, in a file called `certificate_private.pem`.
+1. Place the appropriate connection string in a file named `connection_string.txt`. For example,
+
+ ```azurecli
+ HostName=<the host name of the iot hub>;DeviceId=<the id of the device>;ModuleId=<the id of the module>;x509=true
+ ```
+
+ This action indicates that the defender agent will expect a certificate to be provided for authentication.
+
+1. restart the service using the following code:
+
+ ```azurecli
+ sudo systemctl restart defender-iot-micro-agent.service
+ ```
+
+## Ensure the micro agent is running correctly
+
+1. Run the following command:
+ ```azurecli
+ systemctl status defender-iot-micro-agent.service
+ ```
+1. Check that the service is stable by making sure it is **active** and that the uptime of the process is appropriate:
+
+ :::image type="content" source="media/concept-security-agent-authentication/active.png" alt-text="Ensure your service is stable by making sure it is active.":::
+
+## Next steps
+
+Check your [Security posture ΓÇô CIS benchmark](concept-security-posture.md).
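Review bot: The `echo` example under "Authentication using a connection string" uses typographic quotes (shown here as the mis-decoded `ΓÇ£` and `ΓÇ¥`, i.e. “ ”) instead of ASCII `"`, so a shell would write the quote characters into `connection_string.txt` and the agent would read a corrupted connection string; it should be `echo "<connection string>" > connection_string.txt`. The same fences are tagged `azurecli` although the commands are plain shell (`echo`, `sudo systemctl restart ...`, `systemctl status ...`), so `bash` is the accurate tag. Because `connection_string.txt` and `certificate_private.pem` hold the device's credentials, the page should add that these files must be readable only by the account the service runs as, and that passing the connection string on the `echo` command line leaves it in the shell history. Minor: the step "restart the service using the following code" should be capitalized like the other steps, and the "(Preview)" suffix from the title is missing from the heading links elsewhere in this change set ("Micro agent authentication methods (Preview)" is what the overview page links to).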
defender-for-iot Concept Security Alerts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/concept-security-alerts.md
+
+ Title: Built-in & custom alerts list
+description: Learn about security alerts and recommended remediation using Defender for IoT Hub's features and service.
+ Last updated : 2/16/2021++
+# Defender for IoT Hub security alerts
+
+Defender for IoT continuously analyzes your IoT solution using advanced analytics and threat intelligence to alert you to malicious activity.
+In addition, you can create custom alerts based on your knowledge of expected device behavior.
+An alert acts as an indicator of potential compromise, and should be investigated and remediated.
+
+In this article, you will find a list of built-in alerts, which can be triggered on your IoT Hub.
+In addition to built-in alerts, Defender for IoT allows you to define custom alerts based on expected IoT Hub and/or device behavior.
+For more information, see [customizable alerts](concept-customizable-security-alerts.md).
+
+## Built-in alerts for IoT Hub
+
+| Severity | Name | Description | Suggested remediation |
+|--|--|--|--|
+| **Medium** severity | | | |
+| New certificate added to an IoT Hub | Medium | A certificate named \'%{DescCertificateName}\' was added to IoT Hub \'%{DescIoTHubName}\'. If this action was made by an unauthorized party, it may indicate malicious activity. | 1. Make sure the certificate was added by an authorized party. <br> 2. If it was not added by an authorized party, remove the certificate and escalate the alert to the organizational security team. |
+| Certificate deleted from an IoT Hub | Medium | A certificate named \'%{DescCertificateName}\' was deleted from IoT Hub \'%{DescIoTHubName}\'. If this action was made by an unauthorized party, it may indicate a malicious activity. | 1. Make sure the certificate was removed by an authorized party. <br> 2. If the certificate was not removed by an authorized party, add the certificate back, and escalate the alert to the organizational security team. |
+| Unsuccessful attempt detected to add a certificate to an IoT Hub | Medium | There was an unsuccessful attempt to add certificate \'%{DescCertificateName}\' to IoT Hub \'%{DescIoTHubName}\'. If this action was made by an unauthorized party, it may indicate malicious activity. | Make sure permissions to change certificates are only granted to authorized parties. |
+| Unsuccessful attempt detected to delete a certificate from an IoT Hub | Medium | There was an unsuccessful attempt to delete certificate \'%{DescCertificateName}\' from IoT Hub \'%{DescIoTHubName}\'. If this action was made by an unauthorized party, it may indicate malicious activity. | Make sure permissions to change certificates are only granted to an authorized party. |
+| x.509 device certificate thumbprint mismatch | Medium | x.509 device certificate thumbprint did not match configuration. | Review alerts on the devices. No further action required. |
+| x.509 certificate expired | Medium | X.509 device certificate has expired. | This could be a legitimate device with an expired certificate or an attempt to impersonate a legitimate device. If the legitimate device is currently communicating correctly this is likely an impersonation attempt. |
+| **Low** severity | | | |
+| Attempt to add or edit a diagnostic setting of an IoT Hub detected | Low | Attempt to add or edit the diagnostic settings of an IoT Hub has been detected. Diagnostic settings enable you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. If this action was not made by an authorized party, it may indicate malicious activity. | 1. Make sure the certificate was removed by an authorized party.<br> 2. If the certificate was not removed by an authorized party, add the certificate back and escalate the alert to your information security team. |
+| Attempt to delete a diagnostic setting from an IoT Hub detected | Low | There was %{DescAttemptStatusMessage}\' attempt to add or edit diagnostic setting \'%{DescDiagnosticSettingName}\' of IoT Hub \'%{DescIoTHubName}\'. Diagnostic setting enables you to recreate activity trails for investigation purposes when a security incident occurs or your network is compromised. If this action was not made by an authorized party, it may indicate a malicious activity. | Make sure permissions to change diagnostics settings are granted only to an authorized party. |
+| Expired SAS Token | Low | Expired SAS token used by a device | May be a legitimate device with an expired token, or an attempt to impersonate a legitimate device. If the legitimate device is currently communicating correctly, this is likely an impersonation attempt. |
+| Invalid SAS token signature | Low | A SAS token used by a device has an invalid signature. The signature does not match either the primary or secondary key. | Review the alerts on the devices. No further action required. |
+
+## Next steps
+
+- Defender for IoT service [Overview](overview.md)
+- Learn how to [Access your security data](how-to-security-data-access.md)
+- Learn more about [Investigating a device](how-to-investigate-device.md)
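Review bot: The suggested remediation for "Attempt to add or edit a diagnostic setting of an IoT Hub detected" (first row under the **Low** severity divider) tells the reader to check whether a certificate was removed and to add it back, which is the text copied from the certificate-deletion row; it should instead say to confirm the diagnostic-setting change was made by an authorized party and, if not, to revert it and review who holds permission to change diagnostic settings, as the following row already does. That following row has the mirror problem: its name is "Attempt to delete a diagnostic setting from an IoT Hub detected" while its description reads "attempt to add or edit diagnostic setting". Structurally, the header orders the columns `Severity | Name | Description | Suggested remediation`, but every data row puts the alert name first and the severity second, so the first two header cells should be swapped, and the `\'` sequences around `%{DescCertificateName}` and `%{DescIoTHubName}` are escaped quotes that render literally in Markdown and should be plain `'`. The remediation "Review alerts on the devices. No further action required." for the thumbprint-mismatch and invalid-signature rows reads as contradictory for a credential failure; stating what the reviewer should look for on the device (e.g. whether the device's configured certificate or key was rotated) would make it actionable.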
defender-for-iot Concept Security Module https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/concept-security-module.md
+
+ Title: Defender-IoT-micro-agent and device twins
+description: Learn about the concept of Defender-IoT-micro-agent twins and how they are used in Defender for IoT.
+ Last updated : 05/25/2021++
+# Defender-IoT-micro-agent
+
+This article explains how Defender for IoT uses device twins and modules.
+
+## Device twins
+
+For IoT solutions built in Azure, device twins play a key role in both device management and process automation.
+
+Defender for IoT offers full integration with your existing IoT device management platform, enabling you to manage your device security status as well as make use of existing device control capabilities. Integration is achieved by making use of the IoT Hub twin mechanism.
+
+Learn more about the concept of [Device twins](../../iot-hub/iot-hub-devguide-device-twins.md#device-twins) in Azure IoT Hub.
+
+## Defender-IoT-micro-agent twins
+
+Defender for IoT maintains a Defender-IoT-micro-agent twin for each device in the service.
+The Defender-IoT-micro-agent twin holds all the information relevant to device security for each specific device in your solution.
+Device security properties are maintained in a dedicated Defender-IoT-micro-agent twin for safer communication and for enabling updates and maintenance that requires fewer resources.
+
+See [Create Defender-IoT-micro-agent twin](quickstart-create-security-twin.md) and [Configure security agents](how-to-agent-configuration.md) to learn how to create, customize, and configure the twin. See [Understand and use module twins in IoT Hub](../../iot-hub/iot-hub-devguide-module-twins.md) to learn more about the concept of module twins in IoT Hub.
+
+## See also
+
+- [Defender for IoT overview](overview.md)
+- [Deploy security agents](how-to-deploy-agent.md)
+- [Security agent authentication methods](concept-security-agent-authentication-methods.md)
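Review bot: "enabling updates and maintenance that requires fewer resources" in the Defender-IoT-micro-agent twins section should read "that require fewer resources" (plural subject). The "See also" list links to `concept-security-agent-authentication-methods.md`, while the micro-agent overview elsewhere in this change set links to `concept-security-agent-authentication.md`; if both pages are meant to coexist, a few words here saying which applies to the legacy C/C# agents and which to the micro agent would prevent readers landing on the wrong one.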
defender-for-iot Concept Security Posture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/concept-security-posture.md
+
+ Title: Security posture - CIS benchmark
+description: Improve your security compliance and posture by using Defender for IoT micro agent.
Last updated : 1/20/2021+++
+# Security posture ΓÇô CIS benchmark
+
+Defender for IoT micro agent enables organizations to improve their security compliance and posture. CIS benchmark-based OS baseline recommendations help identify issues with device security hygiene, and prioritize changes for security hardening.
+
+## Best practices for secure configuration
+
+CIS benchmarks, are the best practices to the secure the configuration of a target system. CIS benchmarks are developed through a unique consensus-based process comprised of cybersecurity professionals and subject matter experts around the world.
+
+CIS Benchmarks are the only consensus-based, best-practice security configuration guides that are both developed, and accepted by government, business, industry, and academia.
+
+Azure Defender for IoT micro agent enables you to quickly improve your organizationΓÇÖs device security and defense capabilities by offering CIS best practice configurations, along with constant identification of any existing weak links in your OS security posture.
+
+## Next steps
+
+Review your [Event aggregation (Preview)](concept-event-aggregation.md).
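Review bot: The heading "Security posture ΓÇô CIS benchmark" and the word "organizationΓÇÖs" contain mis-decoded characters (a UTF-8 en dash and apostrophe read as Windows-1252) that will appear literally; replace them with `-` and `'`. The sentence "CIS benchmarks, are the best practices to the secure the configuration of a target system" has a stray comma and a doubled article; "CIS benchmarks are best practices for securing the configuration of a target system" reads correctly. The page also says the micro agent offers CIS-based OS baseline recommendations but never says where those recommendations surface for the operator, which a reader following the "Next steps" chain will need.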
defender-for-iot Concept Standalone Micro Agent Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/concept-standalone-micro-agent-overview.md
+
+ Title: Standalone micro agent overview (Preview)
+description: The Azure Defender for IoT security agents allows you to build security directly into your new IoT devices and Azure IoT projects.
Last updated : 1/19/2021+++
+# Standalone micro agent overview (Preview)
+
+Security is a near-universal concern for IoT implementers. IoT devices have unique needs for endpoint monitoring, security posture management, and threat detection ΓÇô all with highly specific performance requirements.
+
+The Azure Defender for IoT security agents allows you to build security directly into your new IoT devices and Azure IoT projects. The micro agent has flexible deployment options, including the ability to deploy as a binary package or modify source code. And the micro agent is available for standard IoT operating systems like Linux and Azure RTOS.
+
+The Azure Defender for IoT micro agent provides endpoint visibility into security posture management, threat detection, and integration into Microsoft's other security tools for unified security management.
+
+## Security posture management
+
+Proactively monitor the security posture of your IoT devices. Azure Defender for IoT provides security posture recommendations based on the CIS benchmark, along with device-specific recommendations. Get visibility into operating system security, including OS configuration, firewall configuration, and permissions.
+
+## Endpoint IoT and OT threat detection
+
+Detect threats like botnets, brute force attempts, crypto miners, and suspicious network activity. Create custom alerts to target the most important threats in your unique organization.
+
+## Flexible distribution and deployment models
+
+The Azure Defender for IoT micro agent includes source code, allowing you to incorporate the micro agent into firmware, or customize it to include only what you need. Micro agent is also available as a binary package, or integrated directly into other Azure IoT solutions.
+
+## Meets the needs of your IoT devices, with minimal impact
+
+The Azure Defender for IoT micro agent is easy to deploy, and has minimal performance impact on the endpoint. With Defender for IoT micro agent you can:
+
+- **Optimize for performance**: The Azure Defender for IoT micro agent has a small footprint and low CPU consumption.
+
+- **Plug and Play**: There are no specific OS kernel dependencies, or support necessary for all major IoT operating systems. Azure Defender for IoT micro agent meets your devices where they are.
+
+- **Flexible deployment**: As a standalone agent, Azure Defender for IoTΓÇÖs micro agent supports different distribution models and flexible deployment.
+
+## Next steps
+
+Check your [Micro agent authentication methods (Preview)](concept-security-agent-authentication.md).
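Review bot: "The Azure Defender for IoT security agents allows you to build security directly into your new IoT devices" needs "allow" (plural subject), and the "ΓÇô" in the first paragraph and "IoTΓÇÖs" in the **Flexible deployment** bullet are mis-decoded en dash and apostrophe characters that should be `-` and `'`. The **Plug and Play** bullet, "There are no specific OS kernel dependencies, or support necessary for all major IoT operating systems", is ambiguous: it can be read as the agent lacking support for major IoT operating systems, whereas the surrounding text clearly means that no kernel-level dependencies or OS-specific support are required; rephrase to "no kernel dependencies or OS-specific support are required, so the agent runs on all major IoT operating systems".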
defender-for-iot Edge Security Module Deprecation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/edge-security-module-deprecation.md
+
+ Title: Feature support and retirement
+description: Defender for IoT will continue to support C, C#, and Edge until March 1, 2022.
Last updated : 1/21/2021+++
+# Feature support and retirement
+
+This article describes Azure Defender for IoT features and support for different capabilities within Defender for IoT.
+
+## Defender for IoT C, C#, and Edge Defender-IoT-micro-agent deprecation
+
+The new micro agent will replace the current C, C#, and Edge Defender-IoT-micro-agent.ΓÇ»
+
+The new micro agent is based on the knowledge, and experience gathered from the exiting Defender-IoT-micro-agent development, customers, and partners feedback with four important improvements:
+
+- **Depth security value**: The new agent will run on the host level, which will provide more visibility to the underlying operations of the device, and to allow for better security coverage.
+
+- **Improved device performance and reduced footprint**: Achieved by a small RAM, and ROM memory footprint as well as low CPU consumption. 
+
+- **Plug and play**: The new micro agent has no kernel level dependencies anymore, and all of its software dependencies are provided as part of its package. The micro agent supports common CPU architecture.
+
+- **Easy to deploy**: The micro agent supports different distribution models, through source code, and as a binary package.
+
+### Timeline
+
+Defender for IoT will continue to support C, C#, and Edge until March 1, 2022.
+
+## Micro agent preview support
+
+During the preview the micro agent may experience breaking changes without notice.
+
+## Next steps
+
+Check out [Azure Defender for IoT agent frequently asked questions](resources-agent-frequently-asked-questions.md).
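Review bot: "exiting Defender-IoT-micro-agent development" in the paragraph introducing the four improvements is a typo for "existing", the trailing `ΓÇ»` after "Defender-IoT-micro-agent." and the stray byte at the end of the **Improved device performance and reduced footprint** bullet are mis-decoded non-breaking spaces to be removed, and "supports common CPU architecture" should be "architectures". For a retirement notice, the **Timeline** section gives only the support end date (March 1, 2022) and not what happens to devices still running the C, C# or Edge agent after that date (whether they stop reporting or stop producing alerts), which is exactly what customers planning a migration will ask.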
defender-for-iot Event Aggregation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/event-aggregation.md
+
+ Title: Defender-IoT-micro-agent classic event aggregation
+description: Learn about Defender for IoT event aggregation.
+ Last updated : 3/23/2021++
+# Defender-IoT-micro-agent classic event aggregation
+
+Defender for IoT security agents collects data and system events from your local device and send this data to the Azure cloud for processing and analytics. The security agent collects many types of device events including new process and new connection events. Both new process and new connection events may legitimately occur frequently on a device within a second, and while important for robust and comprehensive security, the number of messages security agents are forced to send may quickly reach or exceed your IoT Hub quota and cost limits. However, these events contain highly valuable security information that is crucial to protecting your device.
+
+To reduce the extra quota, and costs while keeping your devices protected, Defender for IoT Agents aggregates these types of events.
+
+Event aggregation is **On** by default, and although not recommended, can be manually turned **Off** at any time.
+
+Aggregation is currently available for the following types of events:
+
+* ProcessCreate
+* ConnectionCreate
+* ProcessTerminate (Windows only)
+
+## How does event aggregation work?
+
+When event aggregation is left **On**, Defender for IoT agents aggregate events for the interval period or time window.
+Once the interval period has passed, the agent sends the aggregated events to the Azure cloud for further analysis.
+The aggregated events are stored in memory until being sent to the Azure cloud.
+
+To reduce the memory footprint of the agent, whenever the agent collects an identical event to one that is already being kept in memory, the agent increases the hit count of this specific event. When the aggregation time window passes, the agent sends the hit count of each specific type of event that occurred. Event aggregation is simply the aggregation of the hit counts of each collected type of event.
+
+Events are considered identical only when the following conditions are met:
+
+* ProcessCreate events - when **commandLine**, **executable**, **username**, and **userid** are identical
+* ConnectionCreate events - when **commandLine**, **userId**, **direction**, **local address**, **remote address**, **protocol**, and **destination port** are identical.
+* ProcessTerminate events - when **executable** and **exit status** are identical
+
+### Working with aggregated events
+
+During aggregation, event properties that are not aggregated are discarded, and appear in log analytics with a value of 0.
+
+* ProcessCreate events - **processId**, and **parentProcessId** are set to 0
+* ConnectionCreate events - **processId**, and **source port** are set to 0
+
+## Event aggregation-based alerts
+
+After analysis, Defender for IoT creates security alerts for suspicious aggregated events. Alerts created from aggregated events appear only once for each aggregated event.
+
+Aggregation start time, end time, and hit count for each event are logged in the event **ExtraDetails** field within Log Analytics for use during investigations.
+
+Each aggregated event represents a 24-hour period of collected alerts. Using the event options menu on the upper left of each event, you can **dismiss** each individual aggregated event.
+
+## Event aggregation twin configuration
+
+Make changes to the configuration of Defender for IoT event aggregation inside the [agent configuration object](how-to-agent-configuration.md) of the module twin identity of the **azureiotsecurity** module.
+
+| Configuration name | Possible values | Details | Remarks |
+|:--|:|:--|:--|
+| aggregationEnabledProcessCreate | boolean | Enable / disable event aggregation for process create events |
+| aggregationIntervalProcessCreate | ISO8601 Timespan string | Aggregation interval for process creates events |
+| aggregationEnabledConnectionCreate | boolean| Enable / disable event aggregation for connection create events |
+| aggregationIntervalConnectionCreate | ISO8601 Timespan string | Aggregation interval for connection creates events |
+| aggregationEnabledProcessTerminate | boolean | Enable / disable event aggregation for process terminate events | Windows only|
+| aggregationIntervalProcessTerminate | ISO8601 Timespan string | Aggregation interval for process terminates events | Windows only|
+|
+
+## Default configurations settings
+
+| Configuration name | Default values |
+|:--|:|
+| aggregationEnabledProcessCreate | true |
+| aggregationIntervalProcessCreate | "PT1H"|
+| aggregationEnabledConnectionCreate | true |
+| aggregationIntervalConnectionCreate | "PT1H"|
+| aggregationEnabledProcessTerminate | true |
+| aggregationIntervalProcessTerminate | "PT1H"|
+|
+
+## Next steps
+
+In this article, you learned about Defender for IoT security agent aggregation, and the available event configuration options.
+
+To continue getting started with Defender for IoT deployment, use the following articles:
+
+- Understand [Security agent authentication methods](concept-security-agent-authentication-methods.md)
+- Select and deploy a [security agent](how-to-deploy-agent.md)
+- Learn how to [Enable Defender for IoT service in your IoT Hub](quickstart-onboard-iot-hub.md)
+- Learn more about the service from the [Defender for IoT FAQ](resources-agent-frequently-asked-questions.md)
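Review bot: "Each aggregated event represents a 24-hour period of collected alerts" in the alerts section does not square with the rest of the page, where the aggregation window is the configurable `aggregationInterval*` value defaulting to `"PT1H"`; if the 24 hours refers to how alerts are grouped in the portal rather than to the agent's in-memory window, say so, otherwise readers will assume the agent buffers events for a day. The identity conditions list **userid** for ProcessCreate but **userId** for ConnectionCreate; use the casing the schema actually uses. The delimiter rows `|:--|:|:--|:--|` and `|:--|:|` each contain a cell that is just `:`, which is not a valid Markdown alignment cell, both tables end with a stray `|` line, and the first four rows of the configuration table omit the Remarks cell. Grammar: "security agents collects data ... and send this data" should be "collect ... and send", and "process creates events", "connection creates events" and "process terminates events" should be "process create events" and so on.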
defender-for-iot How To Agent Configuration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/how-to-agent-configuration.md
+
+ Title: Configure security agents
+description: Learn how to configure Defender for IoT security agents for use with the Defender for IoT security service.
+ Last updated : 09/09/2020++
+# Tutorial: Configure security agents
+
+This article explains Defender for IoT security agents, and details how to change and configure them.
+
+> [!div class="checklist"]
+> * Configure security agents
+> * Change agent behavior by editing twin properties
+> * Discover default configuration
+
+## Agents
+
+Defender for IoT security agents collect data from IoT devices and perform security actions to mitigate the detected vulnerabilities. Security agent configuration is controllable using a set of module twin properties you can customize. In general, secondary updates to these properties are infrequent.
+
+Defender for IoT's security agent twin configuration object is a JSON format object. The configuration object is a set of controllable properties that you can define to control the behavior of the agent.
+
+These configurations help you customize the agent for each scenario required. For example, automatically excluding some events, or keeping power consumption to a minimal level are possible by configuring these properties.
+
+Use the Defender for IoT security agent configuration [schema](https://aka.ms/iot-security-github-module-schema) to make changes.
+
+## Configuration objects
+
+Properties related to every Defender for IoT security agent are located in the agent configuration object, within the desired properties section, of the **azureiotsecurity** module.
+
+To modify the configuration, create and modify this object inside the **azureiotsecurity** module twin identity.
+
+If the agent configuration object does not exist in the **azureiotsecurity** module twin, all security agent property values are set to default.
+
+```json
+"desired": {
+ "ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration": {
+ }
+}
+```
+
+## Configuration schema and validation
+
+Make sure to validate your agent configuration against this [schema](https://aka.ms/iot-security-github-module-schema). An agent will not launch if the configuration object does not match the schema.
+
+If, while the agent is running, the configuration object is changed to a non-valid configuration (the configuration does not match the schema), the agent will ignore the invalid configuration and will continue using the current configuration.
+
+### Configuration validation
+
+Defender for IoT security agent reports its current configuration inside the reported properties section of the **azureiotsecurity** module twin identity.
+The agent reports all the available properties, if a property was not set by the user, the agent reports the default configuration.
+
+In order to validate your configuration, compare the values set on the desired section with the values reported in the reported section.
+
+If there is a mismatch between the desired and the reported properties, then the agent was not able to parse the configuration.
+
+Validate your desired properties against the [schema](https://aka.ms/iot-security-github-module-schema), fix the errors and set your desired properties again!
+
+> [!NOTE]
+> A configuration error alert will be fired from the agent in case that the agent was not able to parse the desired configuration.
+> Compare the reported and desired section to understand if the alert still applies
+
+## Editing a property
+
+All custom properties must be set inside the agent configuration object within the **azureiotsecurity** module twin.
+To use a default property value, remove the property from the configuration object.
+
+### Setting a property
+
+1. In your IoT Hub, locate and select the device you wish to change.
+
+1. Click on your device, and then on **azureiotsecurity** module.
+
+1. Click on **Module Identity Twin**.
+
+1. Edit the properties you wish to change in the Defender-IoT-micro-agent.
+
+ For example, to configure connection events as high priority and collect high priority events every 7 minutes, use the following configuration.
+
+ ```json
+ "desired": {
+ "ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration": {
+ "highPriorityMessageFrequency": {
+ "value": "PT7M"
+ },
+ "eventPriorityConnectionCreate": {
+ "value": "High"
+ }
+ }
+ }
+ ```
+
+1. Click **Save**.
+
+### Using a default value
+
+To use a default property value, remove the property from the configuration object.
+
+## Default properties
+
+The following table contains the controllable properties of Defender for IoT security agents.
+
+Default values are available in the proper schema in [GitHub](https\://aka.ms/iot-security-module-default).
+
+| Name| Status | Valid values| Default values| Description |
+|-|--|--|-|-|
+|highPriorityMessageFrequency|Required: false |Valid values: Duration in ISO 8601 Format |Default value: PT7M |Max time interval before high priority messages are sent.|
+|lowPriorityMessageFrequency |Required: false|Valid values: Duration in ISO 8601 Format |Default value: PT5H |Max time before low-priority messages are sent.|
+|snapshotFrequency |Require: false|Valid values: Duration in ISO 8601 Format |Default value PT13H |Time interval for the creation of device status snapshots.|
+|maxLocalCacheSizeInBytes |Required: false |Valid values: |Default value: 2560000, larger than 8192 | Maximum storage (in bytes) allowed for the message cache of an agent. Maximum amount of space allowed to store messages on the device, before messages are sent.|
+|maxMessageSizeInBytes |Required: false |Valid values: A positive number, larger than 8192, less than 262144 |Default value: 204800 |Maximum allowed size of an agent to cloud message. This setting controls the amount of maximum data sent in each message. |
+|eventPriority${EventName} |Required: false |Valid values: High, Low, Off |Default values: |Priority of every agent-generated event |
+
+### Supported security events
+
+|Event name| PropertyName | Default Value| Snapshot Event| Details Status |
+|-|-||-|-|
+|Diagnostic event|eventPriorityDiagnostic| Off| False| Agent related diagnostic events. Use this event for verbose logging.|
+|Configuration error |eventPriorityConfigurationError |Low |False |Agent failed to parse the configuration. Verify the configuration against the schema.|
+|Dropped events statistics |eventPriorityDroppedEventsStatistics |Low |True|Agent related event statistics. |
+|Connected hardware|eventPriorityConnectedHardware |Low |True |Snapshot of all hardware connected to the device.|
+|Listening ports|eventPriorityListeningPorts |High |True |Snapshot of all open listening ports on the device.|
+|Process create |eventPriorityProcessCreate |Low |False |Audits process creation on the device.|
+|Process terminate|eventPriorityProcessTerminate |Low |False |Audits process termination on the device.|
+|System information |eventPrioritySystemInformation |Low |True |A snapshot of system information (for example: OS or CPU).|
+|Local users| eventPriorityLocalUsers |High |True|A snapshot of the registered local users within the system. |
+|Login| eventPriorityLogin |High|False|Audit the login events to the device (local and remote logins).|
+|Connection create |eventPriorityConnectionCreate|Low|False|Audits TCP connections created to and from the device. |
+|Firewall configuration| eventPriorityFirewallConfiguration|Low|True|Snapshot of device firewall configuration (firewall rules). |
+|OS baseline| eventPriorityOSBaseline| Low|True|Snapshot of device OS baseline check.|
+|
+
+## Next steps
+
+- [Understand Defender for IoT recommendations](concept-recommendations.md)
+- [Explore Defender for IoT alerts](concept-security-alerts.md)
+- [Access raw security data](how-to-security-data-access.md)
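Review bot: The GitHub link in the "Default properties" section is written as `https\://aka.ms/iot-security-module-default`; the backslash breaks the URL and must be removed. In the same table the `maxLocalCacheSizeInBytes` row leaves "Valid values" empty and puts "larger than 8192" in the default column, so the constraint belongs in the valid-values cell; `snapshotFrequency` has "Require: false" instead of "Required: false"; and `eventPriority${EventName}` lists no default values even though the next table gives a per-event default, so a pointer to that table would close the gap. The "Supported security events" table uses the delimiter `|-|-||-|-|`, whose empty third cell will break rendering, the header "Details Status" should be "Details", and the stray `|` line at the end of the table should go. Finally, the NOTE box says "A configuration error alert will be fired" without naming it; since the events table lists it as `eventPriorityConfigurationError` with default priority Low, naming it there tells the operator what to watch for when a bad desired configuration is silently ignored by a running agent.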
defender-for-iot How To Azure Rtos Security Module https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/how-to-azure-rtos-security-module.md
+
+ Title: Configure and customize Defender-IoT-micro-agent for Azure RTOS
+description: Learn about how to configure and customize your Defender-IoT-micro-agent for Azure RTOS.
+ Last updated : 03/07/2021++
+# Configure and customize Defender-IoT-micro-agent for Azure RTOS (preview)
+
+This article describes how to configure the Defender-IoT-micro-agent for your Azure RTOS device, to meet your network, bandwidth, and memory requirements.
+
+You must select a target distribution file that has a `*.dist` extension, from the `netxduo/addons/azure_iot/azure_iot_security_module/configs` directory.
+
+When using a CMake compilation environment, you must set a command line parameter to `IOT_SECURITY_MODULE_DIST_TARGET` for the chosen value. For example, `-DIOT_SECURITY_MODULE_DIST_TARGET=RTOS_BASE`.
+
+In an IAR, or other non CMake compilation environment, you must add the `netxduo/addons/azure_iot/azure_iot_security_module/inc/configs/<target distribution>/` path to any known included paths. For example, `netxduo/addons/azure_iot/azure_iot_security_module/inc/configs/RTOS_BASE`.
+
+Use the following file to configure your device behavior.
+
+**netxduo/addons/azure_iot/azure_iot_security_module/inc/configs/\<target distribution>/asc_config.h**
+
+In a CMake compilation environment, you must change the default configuration by editing the `netxduo/addons/azure_iot/azure_iot_security_module/configs/<target distribution>.dist` file. Use the following CMake format `set(ASC_XXX ON)`, or the following file `netxduo/addons/azure_iot/azure_iot_security_module/inc/configs/<target distribution>/asc_config.h` for all other environments. For example, `#define ASC_XXX`.
+
+The default behavior of each configuration is provided in the following tables:
+
+## General
+
+| Name | Type | Default | Details |
+| - | - | - | - |
+| ASC_SECURITY_MODULE_ID | String | defender-iot-micro-agent | The unique identifier of the device. |
+| SECURITY_MODULE_VERSION_(MAJOR)(MINOR)(PATCH) | Number | 3.2.1 | The version. |
+| ASC_SECURITY_MODULE_SEND_MESSAGE_RETRY_TIME | Number | 3 | The amount of time the Defender-IoT-micro-agent will take to send the security message after a fail. (in seconds) |
+| ASC_SECURITY_MODULE_PENDING_TIME | Number | 300 | The Defender-IoT-micro-agent pending time (in seconds). The state will change to suspend, if the time is exceeded.. |
+
+## Collection
+
+| Name | Type | Default | Details |
+| - | - | - | - |
+| ASC_FIRST_COLLECTION_INTERVAL | Number | 30 | The Collector's startup collection interval offset. During startup, the value will be added to the collection of the system in order to avoid sending messages from multiple devices simultaneously. |
+| ASC_HIGH_PRIORITY_INTERVAL | Number | 10 | The collector's high priority group interval (in seconds). |
+| ASC_MEDIUM_PRIORITY_INTERVAL | Number | 30 | The collector's medium priority group interval (in seconds). |
+| ASC_LOW_PRIORITY_INTERVAL | Number | 145,440 | The collector's low priority group interval (in seconds). |
+
+#### Collector network activity
+
+To customize your collector network activity configuration, use the following:
+
+| Name | Type | Default | Details |
+| - | - | - | - |
+| ASC_COLLECTOR_NETWORK_ACTIVITY_TCP_DISABLED | Boolean | false | Filters the `TCP` network activity. |
+| ASC_COLLECTOR_NETWORK_ACTIVITY_UDP_DISABLED | Boolean | false | Filters the `UDP` network activity events. |
+| ASC_COLLECTOR_NETWORK_ACTIVITY_ICMP_DISABLED | Boolean | false | Filters the `ICMP` network activity events. |
+| ASC_COLLECTOR_NETWORK_ACTIVITY_CAPTURE_UNICAST_ONLY | Boolean | true | Captures the unicast incoming packets only. When set to false, it will also capture both Broadcast, and Multicast. |
+| ASC_COLLECTOR_NETWORK_ACTIVITY_SEND_EMPTY_EVENTS | Boolean | false | Sends an empty events of collector. |
+| ASC_COLLECTOR_NETWORK_ACTIVITY_MAX_IPV4_OBJECTS_IN_CACHE | Number | 64 | The maximum number of IPv4 network events to store in memory. |
+| ASC_COLLECTOR_NETWORK_ACTIVITY_MAX_IPV6_OBJECTS_IN_CACHE | Number | 64 | The maximum number of IPv6 network events to store in memory. |
+
+### Collectors
+| Name | Type | Default | Details |
+| - | - | - | - |
+| ASC_COLLECTOR_HEARTBEAT_ENABLED | Boolean | ON | Enables the heartbeat collector. |
+| ASC_COLLECTOR_NETWORK_ACTIVITY_ENABLED | Boolean | ON | Enables the network activity collector. |
+| ASC_COLLECTOR_SYSTEM_INFORMATION_ENABLED | Boolean | ON | Enables the system information collector. |
+
+Other configurations flags are advanced, and have unsupported features. Contact support to change this, or for more information.
+
+## Supported security alerts and recommendations
+
+The Defender-IoT-micro-agent for Azure RTOS supports specific security alerts and recommendations. Make sure to [review and customize the relevant alert and recommendation values](concept-rtos-security-alerts-recommendations.md) for your service.
+
+## Log Analytics (optional)
+
+You can enable and configure Log Analytics to investigate device events and activities. Read about how to setup, and use [Log Analytics with the Defender for IoT service](how-to-security-data-access.md#log-analytics) to learn more.
+
+## Next steps
++
+- Review and customize Defender-IoT-micro-agent for Azure RTOS [security alerts and recommendations](concept-rtos-security-alerts-recommendations.md)
+- Refer to the [Defender-IoT-micro-agent for Azure RTOS API](azure-rtos-security-module-api.md) as needed.
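Review bot: the heading hierarchy in this article skips a level: `## Collection` is followed by `#### Collector network activity` and then `### Collectors`, so the network-activity settings render as a sub-sub-section with no parent; make both `###`. Two smaller fixes in the same region: the Collectors table gives Boolean defaults as `ON` while the network-activity table uses `true`/`false`, and since the text tells CMake users to write `set(ASC_XXX ON)` and everyone else `#define ASC_XXX`, each table should say which form its default refers to; the pending-time row ends with a double period (`is exceeded..`), and the `++` line under `## Next steps` is leftover front-matter debris rather than content.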
defender-for-iot How To Configure Agent Based Solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/how-to-configure-agent-based-solution.md
+
+ Title: Configure Azure Defender for IoT agent-based solution
+description: Learn how to configure data collection in Azure Defender for IoT agent-based solution
Last updated : 05/26/2021+++
+# Configure Azure Defender for IoT agent-based solution
+
+This article describes how to configure data collection in Azure Defender for IoT agent-based solution.
+
+## Configure data collection
+
+To configure data collection in Azure Defender for IoT agent-based solution:
+
+1. Navigate to the Azure portal, and select the IoT Hub that the Defender for IoT is attached to
+
+1. Under the **Security** menu, select **Settings**.
+
+1. SelectΓÇ»**Data Collection**.
+
+ :::image type="content" source="media/how-to-configure-agent-based-solution/data-collection.png" alt-text="Select data collection from the security menu settings.":::
+
+## Geolocation and IP address handling
+
+In order to secure your IoT solution, the IP addresses of the incoming, and outgoing connections for your IoT devices, IoT Edge, and IoT Hub(s) are collected and stored by default. This information is essential, and used to detect abnormal connectivity from suspicious IP address sources. For example, when there are attempts made that try to establish connections from an IP address source of a known botnet, or from an IP address source outside your geolocation. The Defender for IoT service, offers the flexibility to enable and disable the collection of the IP address data at any time.
+
+To enable, or disable the collection of IP address data:
+
+1. Open your IoT Hub, and then select **Settings** from the **Security** menu.
+
+1. Select the **Data Collection** screen and modify the geolocation, and IP address handling settings to suit your needs.
+
+## Log Analytics creation
+
+Defender for IoT allows you to store security alerts, recommendations, and raw security data, in your Log Analytics workspace. Log Analytics ingestion in IoT Hub is set to **off** by default in the Defender for IoT solution. It is possible, to attach Defender for IoT to a Log Analytic workspace, and to store the security data there as well.
+
+There are two types of information stored by default in your Log Analytics workspace by Defender for IoT:
+ΓÇ»
+- Security alerts.
+
+- Recommendations.
+
+You can choose to add storage of an additional information type as `raw events`.
+
+> [!Note]
+> Storing `raw events` in Log Analytics carries additional storage costs.
+
+To enable Log Analytics to work with micro agent:
+
+1. Navigate to **Workspace configuration** > **Data Collection**, and switch the toggle toΓÇ»**On**.
+
+1. Create a new Log Analytics workspace, or attach an existing one.
+
+1. Verify that the **Access to raw security data** option is selected.
+
+ :::image type="content" source="media/how-to-configure-agent-based-solution/data-settings.png" alt-text="Ensure Access to raw security data is selected.":::
+
+1. SelectΓÇ»**Save**.
+
+Every month, the first 5 gigabytes of data ingested, per customer to the Azure Log Analytics service, is free. Every gigabyte of data ingested into your Azure Log Analytics workspace, is retained at no charge for the first 31 days. For more information on pricing, see, [Log Analytics pricing](https://azure.microsoft.com/pricing/details/monitor/).
+
+To change the workspace configuration of Log Analytics:
+
+1. In your IoT Hub, in the **Security** menu, selectΓÇ»**Settings**.
+
+1. Select the **Data Collection** screen, and modify the workspace configuration of Log Analytics settings to suit your needs.
+
+To access your alerts in your Log Analytics workspace after configuration:
+
+1. Select an alert in Defender for IoT.
+
+1. Select **Investigate alerts in Log Analytics workspace**.
+
+To access your alerts in your Log Analytics workspace after configuration:
+
+1. Select a recommendation in Defender for IoT.
+
+1. Select **Investigate recommendations in Log Analytics workspace**.
+
+For more information on querying data from Log Analytics, seeΓÇ»[Get started with log queries in Azure Monitor](../../azure-monitor/logs/get-started-queries.md).
+
+## Turn off Defender for IoT
+
+To turn a Defender for IoT service on, or off on a specific IoT Hub:
+
+1. In your IoT Hub, in the **Security** menu, selectΓÇ»**Settings**.
+
+1. Select the **Data Collection** screen, and modify the workspace configuration of Log Analytics settings to suit your needs.
+
+## Next steps
+
+Advance to the next article to [configure your solution](quickstart-configure-your-solution.md).
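Review bot: the second access procedure is mislabeled: its lead-in repeats "To access your alerts in your Log Analytics workspace after configuration:" while its steps select a recommendation and "Investigate recommendations in Log Analytics workspace", so it should read "To access your recommendations ...". The "Turn off Defender for IoT" section has the same copy-paste problem: its second step ("modify the workspace configuration of Log Analytics settings") is the Log Analytics step again and never names the control that turns the service on or off for the hub; state the actual toggle. Also, the `ΓÇ»` in "SelectΓÇ»**Data Collection**", "toggle toΓÇ»**On**", "seeΓÇ»[Get started ..." and the lone `ΓÇ»` line after "two types of information" is a mis-decoded non-breaking space and should be a plain space.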
defender-for-iot How To Configure With Sentinel https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/how-to-configure-with-sentinel.md
+
+ Title: Configure Azure Sentinel with Defender for IoT for device builders
+description: This article explains how to configure Azure Sentinel to receive data from your Defender for IoT for device builders solution.
+ Last updated : 05/26/2021++
+# Connect your data from Defender for IoT for device builders to Azure Sentinel
+
+Use the Defender for IoT connector to stream all your Defender for IoT events into Azure Sentinel.
+
+This integration enables organizations to quickly detect multistage attacks that often cross IT and OT boundaries. Additionally, Defender for IoTΓÇÖs integration with Azure Sentinel's security orchestration, automation, and response (SOAR) capabilities enables automated response and prevention using built-in OT-optimized playbooks.
+
+## Prerequisites
+
+- **Read** and **Write** permissions on the Workspace onto which Azure Sentinel is deployed
+- **Defender for IoT** must be **enabled** on your relevant IoT Hub(s)
+- You must have **Contributor** permissions on the **Subscription** you want to connect
+
+## Connect to Defender for IoT
+
+1. In Azure Sentinel, select **Data connectors** and then select the **Defender for IoT** (may still be called Azure Security Center for IoT) from the gallery.
+
+1. From the bottom of the right pane, click **Open connector page**.
+
+1. Click **Connect**, next to each IoT Hub subscription whose alerts and device alerts you want to stream into Azure Sentinel.
+ - You will receive an error message if Defender for IoT is not enabled on at least one IoT Hub within a subscription. Enable Defender for IoT within the IoT Hub to remove the error.
+
+1. You can decide whether you want the alerts from Defender for IoT to automatically generate incidents in Azure Sentinel. Under **Create incidents**, select **Enable** to enable the default analytics rule to automatically create incidents from the generated alerts. This rule can be changed or edited under **Analytics** > **Active rules**.
+
+> [!NOTE]
+> It can take 10 seconds or more for the **Subscription** list to refresh after making connection changes.
+
+## Log Analytics alert view
+
+To use the relevant schema in Log Analytics to display the Defender for IoT alerts:
+
+1. Open **Logs** > **SecurityInsights** > **SecurityAlert**, or search for **SecurityAlert**.
+
+1. Filter to see only Defender for IoT generated alerts using the following kql filter:
+
+```kusto
+SecurityAlert | where ProductName == "Azure Security Center for IoT"
+```
+
+### Service notes
+
+After connecting a **Subscription**, the hub data is available in Azure Sentinel approximately 15 minutes later.
+
+## Next steps
+
+In this document, you learned how to connect Defender for IoT to Azure Sentinel. To learn more about threat detection and security data access, see the following articles:
+
+- Learn how to use Azure Sentinel to [Quickstart: Get started with Azure Sentinel](../../sentinel/quickstart-get-visibility.md).
+- Learn how to [Access your IoT security data](how-to-security-data-access.md)
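Review bot: the filter `SecurityAlert | where ProductName == "Azure Security Center for IoT"` matches on the product's legacy name; since the same article says the connector "may still be called Azure Security Center for IoT", state explicitly that the `ProductName` value is the legacy string and that the filter must be updated if the name in the alert schema changes, otherwise a reader who "corrects" it to "Defender for IoT" gets an empty result set. Minor: "kql filter" should be "KQL filter", "Defender for IoTΓÇÖs" contains a mis-decoded apostrophe, and "alerts and device alerts" in the Connect step is redundant.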
defender-for-iot How To Deploy Agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/how-to-deploy-agent.md
+
+ Title: Select and deploy security agents
+description: Learn about how select and deploy Defender for IoT security agents on IoT devices.
+ Last updated : 07/23/2019++
+# Select and deploy a security agent on your IoT device
+
+Defender for IoT provides reference architectures for security agents that monitor and collect data from IoT devices.
+To learn more, see [Security agent reference architecture](security-agent-architecture.md).
+
+Agents are developed as open-source projects, and are available in two flavors: <br> [C](https://aka.ms/iot-security-github-c), and [C#](https://aka.ms/iot-security-github-cs).
+
+In this article, you learn how to:
+- Compare security agent flavors
+- Discover supported agent platforms
+- Choose the right agent flavor for your solution
+
+## Understand security agent options
+
+Every Defender for IoT security agent flavor offers the same set of features, and supports similar configuration options.
+
+The C-based security agent has a lower memory footprint, and is the ideal choice for devices with fewer available resources.
+
+| | C-based security agent | C#-based security agent |
+| | -- | |
+| **Open-source** | Available under [MIT license](https://en.wikipedia.org/wiki/MIT_License) in [GitHub](https://aka.ms/iot-security-github-c) | Available under [MIT license](https://en.wikipedia.org/wiki/MIT_License) in [GitHub](https://aka.ms/iot-security-github-cs) |
+| **Development language** | C | C# |
+| **Supported Windows platforms?** | No | Yes |
+| **Windows prerequisites** | | [WMI](/windows/desktop/wmisdk/) |
+| **Supported Linux platforms?** | Yes, x64 and x86 | Yes, x64 only |
+| **Linux prerequisites** | libunwind8, libcurl3, uuid-runtime, auditd, audispd-plugins | libunwind8, libcurl3, uuid-runtime, auditd, audispd-plugins, sudo, netstat, iptables |
+| **Disk footprint** | 10.5 MB | 90 MB |
+| **Memory footprint (on average)** | 5.5 MB | 33 MB |
+| **[Authentication](concept-security-agent-authentication-methods.md) to IoT Hub** | Yes | Yes |
+| **Security data [collection](how-to-agent-configuration.md#supported-security-events)** | Yes | Yes |
+| **Event aggregation** | Yes | Yes |
+| **Remote configuration through [Defender-IoT-micro-agent twin](concept-security-module.md)** | Yes | Yes |
+
+## Security agent installation guidelines
+
+For **Windows**:
+The Install SecurityAgent.ps1 script must be executed from an Administrator PowerShell window.
+
+For **Linux**:
+The InstallSecurityAgent.sh must be run as superuser. We recommend prefixing the installation command with "sudo".
+
+## Choose an agent flavor
+
+Answer the following questions about your IoT devices to select the correct agent:
+
+- Are you using _Windows Server_ or _Windows IoT Core_?
+
+ [Deploy a C#-based security agent for Windows](how-to-deploy-windows-cs.md).
+
+- Are you using a Linux distribution with x86 architecture?
+
+ [Deploy a C-based security agent for Linux](how-to-deploy-linux-c.md).
+
+- Are you using a Linux distribution with x64 architecture?
+
+ Both agent flavors can be used. <br>
+ [Deploy a C-based security agent for Linux](how-to-deploy-linux-c.md) and/or
+ [Deploy a C#-based security agent for Linux](how-to-deploy-linux-cs.md).
+
+Both agent flavors offer the same set of features and support similar configuration options.
+See [Security agent comparison](how-to-deploy-agent.md#understand-security-agent-options) to learn more.
+
+## Supported platforms
+
+The following list includes all currently supported platforms.
+
+|Defender for IoT agent |Operating System |Architecture |
+|--||--|
+|C|Ubuntu 16.04 | x64|
+|C|Ubuntu 18.04 | x64, ARMv7|
+|C|Debian 9 | x64, x86|
+|C#|Ubuntu 16.04 |x64|
+|C#|Ubuntu 18.04 |x64, ARMv7|
+|C#|Debian 9 |x64|
+|C#|Windows Server 2016| X64|
+|C#|Windows 10 IoT Core, build 17763 |x64|
+|
+
+## Next steps
+
+To learn more about configuration options, continue to the how-to guide for agent configuration.
+> [!div class="nextstepaction"]
+> [Agent configuration how to guide](./how-to-agent-configuration.md)
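Review bot: two table separator rows are malformed, so neither table will render: the comparison table's `| | -- | |` needs dashes in every column (for example `| --- | --- | --- |`), and the supported-platforms table's `|--||--|` has an empty middle cell for the same reason; the lone `|` after the Windows 10 IoT Core row is a stray row as well. The comparison row "Supported Linux platforms? Yes, x64 and x86 / Yes, x64 only" also disagrees with the platform list below, which adds ARMv7 on Ubuntu 18.04 for both agents and limits x86 to Debian 9 for the C agent; align the two. And "The Install SecurityAgent.ps1 script" has a stray space in the script name (`InstallSecurityAgent.ps1`, as the Windows article spells it).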
defender-for-iot How To Deploy Edge https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/how-to-deploy-edge.md
+
+ Title: Deploy IoT Edge security module
+description: Learn about how to deploy a Defender for IoT security agent on IoT Edge.
+ Last updated : 05/26/2021++
+# Deploy a security module on your IoT Edge device
+
+**Defender for IoT** module provides a comprehensive security solution for your IoT Edge devices.
+The security module collects, aggregates, and analyzes raw security data from your Operating System and Container system into actionable security recommendations and alerts.
+To learn more, see [Security module for IoT Edge](security-edge-architecture.md).
+
+In this article, you'll learn how to deploy a security module on your IoT Edge device.
+
+## Deploy security module
+
+Use the following steps to deploy a Defender for IoT security module for IoT Edge.
+
+### Prerequisites
+
+1. In your IoT Hub, make sure your device is [Register a new device](../../iot-edge/how-to-register-device.md#register-a-new-device).
+
+1. Defender for IoT Edge module requires the [AuditD framework](https://linux.die.net/man/8/auditd) is installed on the IoT Edge device.
+
+ - Install the framework by running the following command on your IoT Edge device:
+
+ `sudo apt-get install auditd audispd-plugins`
+
+ - Verify AuditD is active by running the following command:
+
+ `sudo systemctl status auditd`<br>
+ - Expected response is: `active (running)`
+
+### Deployment using Azure portal
+
+1. From the Azure portal, open **Marketplace**.
+
+1. Select **Internet of Things**, then search for **Azure Security Center for IoT** and select it.
+
+ :::image type="content" source="media/howto/edge-onboarding.png" alt-text="Select Defender for IoT":::
+
+1. Select **Create** to configure the deployment.
+
+1. Choose the Azure **Subscription** of your IoT Hub, then select your **IoT Hub**.<br>Select **Deploy to a device** to target a single device or select **Deploy at Scale** to target multiple devices, and select **Create**. For more information about deploying at scale, see [How to deploy](../../iot-edge/how-to-deploy-at-scale.md).
+
+ >[!Note]
+ >If you selected **Deploy at Scale**, add the device name and details before continuing to the **Add Modules** tab in the following instructions.
+
+Complete each step to complete your IoT Edge deployment for Defender for IoT.
+
+#### Step 1: Modules
+
+1. Select the **AzureSecurityCenterforIoT** module.
+1. On the **Module Settings** tab, change the **name** to **azureiotsecurity**.
+1. On the **Environment Variables** tab, add a variable if needed (for example, you can add *debug level* and set it to one of the following values: "Fatal", "Error", "Warning", or "Information").
+1. On the **Container Create Options** tab, add the following configuration:
+
+ ``` json
+ {
+ "NetworkingConfig": {
+ "EndpointsConfig": {
+ "host": {}
+ }
+ },
+ "HostConfig": {
+ "Privileged": true,
+ "NetworkMode": "host",
+ "PidMode": "host",
+ "Binds": [
+ "/:/host"
+ ]
+ }
+ }
+ ```
+
+1. On the **Module Twin Settings** tab, add the following configuration:
+
+ Module Twin Property:
+
+ ``` json
+ "ms_iotn:urn_azureiot_Security_SecurityAgentConfiguration"
+ ```
+
+ Module Twin Property Content:
+
+ ```json
+ {
+
+ }
+ ```
+
+ For more information about configuring the agent, see [Configure security agents](./how-to-agent-configuration.md).
+
+1. Select **Update**.
+
+#### Step 2: Runtime settings
+
+1. Select **Runtime Settings**.
+2. Under **Edge Hub**, change the **Image** to **mcr.microsoft.com/azureiotedge-hub:1.0.8.3**.
+
+ >[!Note]
+ > Currently, version 1.0.8.3 or older is supported.
+
+3. Verify **Create Options** is set to the following configuration:
+
+ ``` json
+ {
+ "HostConfig":{
+ "PortBindings":{
+ "8883/tcp":[
+ {
+ "HostPort":"8883"
+ }
+ ],
+ "443/tcp":[
+ {
+ "HostPort":"443"
+ }
+ ],
+ "5671/tcp":[
+ {
+ "HostPort":"5671"
+ }
+ ]
+ }
+ }
+ }
+ ```
+
+4. Select **Save**.
+
+5. Select **Next**.
+
+#### Step 3: Specify routes
+
+1. On the **Specify Routes** tab, make sure you have a route (explicit or implicit) that will forward messages from the **azureiotsecurity** module to **$upstream** according to the following examples. Only when the route is in place, select **Next**.
+
+ Example routes:
+
+ ```Default implicit route
+ "route": "FROM /messages/* INTO $upstream"
+ ```
+
+ ```Explicit route
+ "ASCForIoTRoute": "FROM /messages/modules/azureiotsecurity/* INTO $upstream"
+ ```
+
+1. Select **Next**.
+
+#### Step 4: Review deployment
+
+- On the **Review Deployment** tab, review your deployment information, then select **Create** to complete the deployment.
+
+## Diagnostic steps
+
+If you encounter an issue, container logs are the best way to learn about the state of an IoT Edge security module device. Use the commands and tools in this section to gather information.
+
+### Verify the required containers are installed and functioning as expected
+
+1. Run the following command on your IoT Edge device:
+
+ `sudo docker ps`
+
+1. Verify that the following containers are running:
+
+ | Name | IMAGE |
+ | | |
+ | azureiotsecurity | mcr.microsoft.com/ascforiot/azureiotsecurity:1.0.2 |
+ | edgeHub | mcr.microsoft.com/azureiotedge-hub:1.0.8.3 |
+ | edgeAgent | mcr.microsoft.com/azureiotedge-agent:1.0.1 |
+
+ If the minimum required containers are not present, check if your IoT Edge deployment manifest is aligned with the recommended settings. For more information, see [Deploy IoT Edge module](#deployment-using-azure-portal).
+
+### Inspect the module logs for errors
+
+1. Run the following command on your IoT Edge device:
+
+ `sudo docker logs azureiotsecurity`
+
+1. For more verbose logs, add the following environment variable to the **azureiotsecurity** module deployment: `logLevel=Debug`.
+
+## Next steps
+
+To learn more about configuration options, continue to the how-to guide for module configuration.
+> [!div class="nextstepaction"]
+> [Module configuration how-to guide](./how-to-agent-configuration.md)
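Review bot: the Container Create Options give the module `"Privileged": true`, `"NetworkMode": "host"`, `"PidMode": "host"` and a bind of `/` to `/host`, which together amount to unrestricted access to the host, but the step does not say what each setting is needed for (the prerequisites mention AuditD on the host, which accounts for the bind and PID namespace but not the rest); add a sentence per setting so operators can judge the grant, and say plainly that the module runs with host-level access. Two more points in this region: the route examples use fence info strings with spaces (`Default implicit route`, `Explicit route`), which are not language tags and render inconsistently; use `json` and move the label into the preceding text. And the runtime step pins edgeHub to `1.0.8.3` with a note that "version 1.0.8.3 or older is supported" while the diagnostic table lists edgeAgent `1.0.1`; say whether the agent image is also pinned, since a pinned edgeHub beside an unpinned edgeAgent is easy to misconfigure.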
defender-for-iot How To Deploy Linux C https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/how-to-deploy-linux-c.md
+
+ Title: Install & deploy Linux C agent
+description: Learn how to install and deploy the Defender for IoT C-based security agent on Linux
+ Last updated : 05/26/2021++
+# Deploy Defender for IoT C based security agent for Linux
+
+This guide explains how to install and deploy the Defender for IoT C-based security agent on Linux.
+
+- Install
+- Verify deployment
+- Uninstall the agent
+- Troubleshoot
+
+## Prerequisites
+
+For other platforms and agent flavors, see [Choose the right security agent](how-to-deploy-agent.md).
+
+1. To deploy the security agent, local admin rights are required on the machine you wish to install on (sudo).
+
+1. [Create a Defender-IoT-micro-agent](quickstart-create-security-twin.md) for the device.
+
+## Installation
+
+To install and deploy the security agent, use the following workflow:
+
+1. Download the most recent version to your machine from [GitHub](https://aka.ms/iot-security-github-c).
+
+1. Extract the contents of the package and navigate to the _/src/installation_ folder.
+
+1. Add running permissions to the **InstallSecurityAgent script** by running the following command:
+
+ ```
+ chmod +x InstallSecurityAgent.sh
+ ```
+
+1. Next, run:
+
+ ```
+ ./InstallSecurityAgent.sh -aui <authentication identity> -aum <authentication method> -f <file path> -hn <host name> -di <device id> -i
+ ```
+
+ See [How to configure authentication](concept-security-agent-authentication-methods.md) for more information about authentication parameters.
+
+This script performs the following function:
+
+1. Installs prerequisites.
+
+1. Adds a service user (with interactive sign in disabled).
+
+1. Installs the agent as a **Daemon** - assumes the device uses **systemd** for service management.
+
+1. Configures the agent with the authentication parameters provided.
+
+For additional help, run the script with the ΓÇôhelp parameter:
+
+```./InstallSecurityAgent.sh --help```
+
+### Uninstall the agent
+
+To uninstall the agent, run the script with the ΓÇô-uninstall parameter:
+
+```./InstallSecurityAgent.sh -ΓÇôuninstall```
+
+## Troubleshooting
+
+Check the deployment status by running:
+
+```systemctl status ASCIoTAgent.service```
+
+## Next steps
+
+- Read the Defender for IoT service [Overview](overview.md)
+- Learn more about Defender for IoT [What is agent-based solution for device builders](architecture-agent-based.md)
+- Enable the [service](quickstart-onboard-iot-hub.md)
+- Read the [Azure Defender for IoT agent frequently asked questions](resources-agent-frequently-asked-questions.md)
+- Understand [security alerts](concept-security-alerts.md)
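Review bot: the uninstall flag is mis-encoded and a reader copying it will pass a wrong argument: "ΓÇô-uninstall parameter" and the command ```./InstallSecurityAgent.sh -ΓÇôuninstall``` should both be `--uninstall` (the `ΓÇô` is an en dash that replaced a hyphen), and "ΓÇôhelp" should be `--help` to match the `./InstallSecurityAgent.sh --help` command shown beside it. Use single backticks for the one-line commands (`./InstallSecurityAgent.sh --help`, `systemctl status ASCIoTAgent.service`): triple backticks on a single line render as inline code in some renderers and as an empty fenced block in others. Also, "This script performs the following function:" should be "functions" (or "actions", as the C# article says), and the bullet list after the intro lacks the "In this guide, you learn how to:" lead-in the sibling articles use.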
defender-for-iot How To Deploy Linux Cs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/how-to-deploy-linux-cs.md
+
+ Title: Install & deploy Linux C# agent
+description: Learn how to install and deploy the Defender for IoT C#-based security agent on Linux
+ Last updated : 05/26/2021++
+# Deploy Defender for IoT C# based security agent for Linux
+
+This guide explains how to install and deploy the Defender for IoT C#-based security agent on Linux.
+
+In this guide, you learn how to:
+
+- Install
+- Verify deployment
+- Uninstall the agent
+- Troubleshoot
+
+## Prerequisites
+
+For other platforms and agent flavors, see [Choose the right security agent](how-to-deploy-agent.md).
+
+1. To deploy the security agent, local admin rights are required on the machine you wish to install on.
+
+1. [Create a Defender-IoT-micro-agent](quickstart-create-security-twin.md) for the device.
+
+## Installation
+
+To deploy the security agent, use the following steps:
+
+1. Download the most recent version to your machine from [GitHub](https://aka.ms/iot-security-github-cs).
+
+1. Extract the contents of the package and navigate to the _/Install_ folder.
+
+1. Add running permissions to the **InstallSecurityAgent script** by running `chmod +x InstallSecurityAgent.sh`
+
+1. Next, run the following command with **root privileges**:
+
+ ```
+ ./InstallSecurityAgent.sh -i -aui <authentication identity> -aum <authentication method> -f <file path> -hn <host name> -di <device id> -cl <certificate location kind>
+ ```
+
+ for more information about authentication parameters, see [How to configure authentication](concept-security-agent-authentication-methods.md).
+
+This script performs the following actions:
+
+- Installs prerequisites.
+
+- Adds a service user (with interactive sign in disabled).
+
+- Installs the agent as a **Daemon** - assumes the device uses **systemd** for classic deployment model.
+
+- Configures **sudoers** to allow the agent to do certain tasks as root.
+
+- Configures the agent with the provided authentication parameters.
+
+For additional help, run the script with the ΓÇôhelp parameter: `./InstallSecurityAgent.sh --help`
+
+### Uninstall the agent
+
+To uninstall the agent, run the script with the ΓÇôu parameter: `./InstallSecurityAgent.sh -u`.
+
+> [!NOTE]
+> Uninstall does not remove any missing prerequisites that were installed during installation.
+
+## Troubleshooting
+
+1. Check the deployment status by running:
+
+ `systemctl status ASCIoTAgent.service`
+
+1. Enable logging.
+ If the agent fails to start, turn on logging to get more information.
+
+ Turn on the logging by:
+
+ 1. Open the configuration file for editing in any Linux editor:
+
+ `vi /var/ASCIoTAgent/General.config`
+
+ 1. Edit the following values:
+
+ ```
+ <add key="logLevel" value="Debug"/>
+ <add key="fileLogLevel" value="Debug"/>
+ <add key="diagnosticVerbosityLevel" value="Some" />
+ <add key="logFilePath" value="IotAgentLog.log"/>
+ ```
+
+ The **logFilePath** value is configurable.
+
+ > [!NOTE]
+ > We recommend turning logging **off** after troubleshooting is complete. Leaving logging **on** increases log file size and data usage.
+
+ 1. Restart the agent by running:
+
+ `systemctl restart ASCIoTAgent.service`
+
+ 1. View the log file for more information about the failure.
+
+ Log file location is: `/var/ASCIoTAgent/IotAgentLog.log`
+
+ Change the file location path according to the name you chose for the **logFilePath** in step 2.
+
+## Next steps
+
+- Read the Defender for IoT service [Overview](overview.md)
+- Learn more about Defender for IoT [What is agent-based solution for device builders](architecture-agent-based.md)
+- Enable the [service](quickstart-onboard-iot-hub.md)
+- Read the [Azure Defender for IoT agent frequently asked questions](resources-agent-frequently-asked-questions.md)
+- Understand [alerts](concept-security-alerts.md)
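Review bot: "Configures **sudoers** to allow the agent to do certain tasks as root" does not say which commands are granted, so an operator cannot review the privilege the installer adds; list the sudoers entries here or link to where the script defines them. The agent-selection article's Linux prerequisites for the C# agent name `sudo, netstat, iptables`, which hints at what those tasks are, but the grant should be spelled out in this procedure. Smaller items: "systemd for classic deployment model" reads as a slip for "systemd for service management" (the wording in the C agent article); `ΓÇôhelp` and `ΓÇôu` are mis-encoded en dashes for `--help` and `-u`; the General.config snippet fence should be tagged `xml` as in the Windows article; and "for more information about authentication parameters" should start with a capital letter.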
defender-for-iot How To Deploy Windows Cs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/how-to-deploy-windows-cs.md
+
+ Title: Install C# agent on Windows device
+description: Learn about how to install Defender for IoT agent on 32-bit or 64-bit Windows devices.
+ Last updated : 05/26/2021++
+# Deploy a Defender for IoT C#-based security agent for Windows
+
+This guide explains how to install the Defender for IoT C#-based security agent on Windows.
+
+In this guide, you learn how to:
+
+- Install
+- Verify deployment
+- Uninstall the agent
+- Troubleshoot
+
+## Prerequisites
+
+For other platforms and agent flavors, see [Choose the right security agent](how-to-deploy-agent.md).
+
+1. Local admin rights on the machine you wish to install on.
+
+1. [Create a Defender-IoT-micro-agent](quickstart-create-security-twin.md) for the device.
+
+## Installation
+
+To install the security agent, use the following workflow:
+
+1. Install the Defender for IoT Windows C# agent on the device. Download the most recent version to your machine from the Defender for IoT [GitHub repository](https://github.com/Azure/Azure-IoT-Security-Agent-CS).
+
+1. Extract the contents of the package, and navigate to the /Install folder.
+
+1. Open Windows PowerShell as Administrator.
+1. Add running permissions to the InstallSecurityAgent script by running:
+
+ ```
+ Unblock-File .\InstallSecurityAgent.ps1
+ ```
+
+ then run:
+
+ ```
+ .\InstallSecurityAgent.ps1 -Install -aui <authentication identity> -aum <authentication method> -f <file path> -hn <host name> -di <device id> -cl <certificate location kind>
+ ```
+
+ For example:
+
+ ```
+ .\InstallSecurityAgent.ps1 -Install -aui Device -aum SymmetricKey -f c:\Temp\Key.txt -hn MyIotHub.azure-devices.net -di Mydevice1 -cl store
+ ```
+
+ For more information about authentication parameters, see [How to configure authentication](concept-security-agent-authentication-methods.md).
+
+This script does the following actions:
+
+* Installs prerequisites.
+* Adds a service user (with interactive sign-in disabled).
+* Installs the agent as a **System Service**.
+* Configures the agent with the provided authentication parameters.
+
+For extra help, use the Get-Help command in PowerShell.
+
+Get-Help example: ```Get-Help .\InstallSecurityAgent.ps1```
+
+### Verify deployment status
+
+Check the agent deployment status by running:
+
+```sc.exe query "ASC IoT Agent"```
+
+### Uninstall the agent
+
+To uninstall the agent:
+
+1. Run the following PowerShell script with the **-mode** parameter set to **Uninstall**.
+
+ ```
+ .\InstallSecurityAgent.ps1 -Uninstall
+ ```
+
+## Troubleshooting
+
+If the agent fails to start, turn on logging (logging is *off* by default) to get more information.
+
+To turn on logging:
+
+1. Open the configuration file (General.config) for editing using a standard file editor.
+
+1. Edit the following values:
+
+ ```xml
+ <add key="logLevel" value="Debug" />
+ <add key="fileLogLevel" value="Debug"/>
+ <add key="diagnosticVerbosityLevel" value="Some" />
+ <add key="logFilePath" value="IoTAgentLog.log" />
+ ```
+
+ > [!NOTE]
+ > We recommend turning logging **off** after troubleshooting is complete. Leaving logging **on** increases log file size and data usage.
+
+1. Restart the agent by running the following PowerShell or command line:
+
+ **PowerShell**
+
+ ```
+ Restart-Service "ASC IoT Agent"
+ ```
+
+ or
+
+ **CMD**
+
+ ```
+ sc.exe stop "ASC IoT Agent"
+ sc.exe start "ASC IoT Agent"
+ ```
+
+1. Review the log file for more information about the failure. The log file would be present in the working directory where we run the script.
+
+ Log file location: `.\IoTAgentLog.log`
+
+## Next steps
+
+* Read the Defender for IoT service [Overview](overview.md)
+* Learn more about Defender for IoT [What is agent-based solution for device builders](architecture-agent-based.md)
+* Enable the [service](quickstart-onboard-iot-hub.md)
+* Read the [Azure Defender for IoT agent frequently asked questions](resources-agent-frequently-asked-questions.md)
+* Understand [alerts](concept-security-alerts.md)
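Review bot: the uninstall step contradicts the command it shows. The sentence says to run the script "with the **-mode** parameter set to **Uninstall**", but the block is `.\InstallSecurityAgent.ps1 -Uninstall`, a switch with no `-mode` parameter; the install example above also uses a switch (`-Install`), so the sentence should read "with the -Uninstall switch" (or both examples should use `-mode`). Two smaller points in the same file: the step titled "Add running permissions" runs `Unblock-File .\InstallSecurityAgent.ps1`, which does not grant execute permission, it removes the mark-of-the-web from a file just downloaded from GitHub, so the step should say that and should follow, not precede, the reader confirming the download is the release they meant to fetch; and the install example `-f c:\Temp\Key.txt` hands the device's symmetric key to the script as a plain-text file, so add a sentence telling the reader to delete or restrict that file once the agent is configured. In the troubleshooting step, "The log file would be present in the working directory where we run the script" should read "The log file is written to the working directory from which you ran the script".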
defender-for-iot How To Investigate Cis Benchmark https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/how-to-investigate-cis-benchmark.md
+
+ Title: Investigate CIS benchmark recommendation
+description: Perform basic and advanced investigations based on OS baseline recommendations.
Last updated : 05/26/2021+++
+# Investigate OS baseline (based on CIS benchmark) recommendation
+
+Perform basic and advanced investigations based on OS baseline recommendations.
+
+## Basic OS baseline security recommendation investigation
+
+You can investigate OS baseline recommendations by navigating to your Azure Defender for IoT portal, under the **IoT Hub**. For more information, see how to [Investigate security recommendations](quickstart-investigate-security-recommendations.md).
+
+## Advanced OS baseline security recommendation investigation
+
+This section describes how to better understand the OS baseline test results, and querying events in Azure Log Analytics.
+
+The advanced OS baseline security recommendation investigation is only supported by using log analytics. Connect Defender for IoT to a Log Analytics workspace before continuing. For more information on advanced OS baseline security recommendations, see how to [Configure Azure Defender for IoT agent-based solution](how-to-configure-agent-based-solution.md).
+
+To query your IoT security events in Log Analytics for alerts:
+
+1. Navigate to the **Alerts** page.
+
+1. Select **Investigate recommendations in Log Analytics workspace**.
+
+To query your IoT security events in Log Analytics for recommendations:
+
+1. Navigate to the **Recommendations** page.
+
+1. Select **Investigate recommendations in Log Analytics workspace**.
+
+1. Select **Show Operation system (OS) baseline rules details** from the **Recommendation details** quick view page to see the details of a specific device.
+
+ :::image type="content" source="media/how-to-investigate-cis-benchmark/recommendation-details.png" alt-text="See the details of a specific device.":::
+
+To query your IoT security events in Log Analytics workspace directly:
+
+1. Navigate to the **Logs** page.
+
+ :::image type="content" source="media/how-to-investigate-cis-benchmark/logs.png" alt-text="Select logs from the left side pane.":::
+
+1. Select **Investigate the alerts** or, select the **Investigate the alerts in Log Analytics** option from any security recommendation, or alert.
+
+## Useful queries to investigate the OS baseline resources:
+
+> [!Note]
+> Make sure to Replace `<device-id>` with the name(s) you gave your device in each of the following queries.
++
+### Retrieve the latest information
+
+- **Device fleet failure**: Run the following query to retrieve the latest information about checks that failed across the device fleet:
+
+ ```azurecli
+ let lastDates = SecurityIoTRawEvent |
+
+ where RawEventName == "OSBaseline" |
+
+ summarize TimeStamp=max(TimeStamp) by DeviceId;
+
+ lastDates | join kind=inner (SecurityIoTRawEvent) on TimeStamp, DeviceId |
+
+ extend event = parse_json(EventDetails) |
+
+ where event.Result == "FAIL" |
+
+ project DeviceId, event.CceId, event.Description
+ ```
+
+- **Specific device failure** - Run the following query to retrieve the latest information about checks that failed on a specific device:
+
+ ```azurecli
+ let LastEvents = SecurityIoTRawEvent |
+
+ where RawEventName == "OSBaseline" |
+
+ where DeviceId == "<device-id>" |
+
+ top 1 by TimeStamp desc |
+
+ project IoTRawEventId;
+
+ LastEvents | join kind=leftouter SecurityIoTRawEvent on IoTRawEventId |
+
+ extend event = parse_json(EventDetails) |
+
+ where event.Result == "FAIL" |
+
+ project DeviceId, event.CceId, event.Description
+ ```
+
+- **Specific device error** - Run this query to retrieve the latest information about checks that have an error on a specific device:
+
+ ```azurecli
+ let LastEvents = SecurityIoTRawEvent |
+
+ where RawEventName == "OSBaseline" |
+
+ where DeviceId == "<device-id>" |
+
+ top 1 by TimeStamp desc |
+
+ project IoTRawEventId;
+
+ LastEvents | join kind=leftouter SecurityIoTRawEvent on IoTRawEventId |
+
+ extend event = parse_json(EventDetails) |
+
+ where event.Result == "ERROR" |
+
+ project DeviceId, event.CceId, event.Description
+ ```
+
+- **Update device list for device fleet that failed a specific check** - Run this query to retrieve updated list of devices (across the device fleet) that failed a specific check: 
+
+ ```azurecli
+ let lastDates = SecurityIoTRawEvent |
+
+ where RawEventName == "OSBaseline" |
+
+ summarize TimeStamp=max(TimeStamp) by DeviceId;
+
+ lastDates | join kind=inner (SecurityIoTRawEvent) on TimeStamp, DeviceId |
+
+ extend event = parse_json(EventDetails) |
+
+ where event.Result == "FAIL" |
+
+ where event.CceId contains "6.2.8" |
+
+ project DeviceId;
+ ```
+
+## Next steps
+
+[Investigate security recommendations](quickstart-investigate-security-recommendations.md).
+
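Review bot: the four query blocks under "Useful queries" are Kusto (KQL) but are fenced as ```azurecli, which gives wrong highlighting and suggests they are Azure CLI commands; tag them ```kusto. The blank line after every `|` inside those blocks should also go so each query reads as one pipeline, e.g. `let lastDates = SecurityIoTRawEvent | where RawEventName == "OSBaseline" | summarize TimeStamp=max(TimeStamp) by DeviceId;`. In the last query, `where event.CceId contains "6.2.8"` is a substring match and will also return devices whose CceId merely contains that string; if the check identifier is exact, `==` is the safer filter, and the trailing `;` after `project DeviceId` should be dropped to match the other three queries. Minor: "Show Operation system (OS) baseline rules details" should read "Operating system" unless that is the literal UI label.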
defender-for-iot How To Investigate Device https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/how-to-investigate-device.md
+
+ Title: Investigate a suspicious device
+description: This how to guide explains how to use Defender for IoT to investigate a suspicious IoT device using Log Analytics.
+ Last updated : 09/04/2020++
+# Investigate a suspicious IoT device
+
+Defender for IoT service alerts provides clear indications when IoT devices are suspected of involvement in suspicious activities or when indications exist that a device is compromised.
+
+In this guide, use the investigation suggestions provided to help determine the potential risks to your organization, decide how to remediate, and discover the best ways to prevent similar attacks in the future.
+
+> [!div class="checklist"]
+> * Find your device data
+> * Investigate using kql queries
+
+## How can I access my data?
+
+By default, Defender for IoT stores your security alerts and recommendations in your Log Analytics workspace. You can also choose to store your raw security data.
+
+To locate your Log Analytics workspace for data storage:
+
+1. Open your IoT hub,
+1. Under **Security**, select **Settings**, and then select **Data Collection**.
+1. Change your Log Analytics workspace configuration details.
+1. Select **Save**.
+
+Following configuration, do the following to access data stored in your Log Analytics workspace:
+
+1. Select and select on a Defender for IoT alert in your IoT Hub.
+1. Select **Further investigation**.
+1. Select **To see which devices have this alert click here and view the DeviceId column**.
+
+## Investigation steps for suspicious IoT devices
+
+To view insights and raw data about your IoT devices, go to your Log Analytics workspace [to access your data](#how-can-i-access-my-data).
+
+See the sample kql queries below to get started with investigating alerts and activities on your device.
+
+### Related alerts
+
+You can find out if other alerts were triggered around the same time through the following kql query:
+
+ ```
+ let device = "YOUR_DEVICE_ID";
+ let hub = "YOUR_HUB_NAME";
+ SecurityAlert
+ | where ExtendedProperties contains device and ResourceId contains tolower(hub)
+ | project TimeGenerated, AlertName, AlertSeverity, Description, ExtendedProperties
+ ```
+
+### Users with access
+
+To find out which users have access to this device use the following kql query:
+
+ ```
+ let device = "YOUR_DEVICE_ID";
+ let hub = "YOUR_HUB_NAME";
+ SecurityIoTRawEvent
+ | where
+ DeviceId == device and AssociatedResourceId contains tolower(hub)
+ and RawEventName == "LocalUsers"
+ | project
+ TimestampLocal=extractjson("$.TimestampLocal", EventDetails, typeof(datetime)),
+ GroupNames=extractjson("$.GroupNames", EventDetails, typeof(string)),
+ UserName=extractjson("$.UserName", EventDetails, typeof(string))
+ | summarize FirstObserved=min(TimestampLocal) by GroupNames, UserName
+ ```
+Use this data to discover:
+
+- Which users have access to the device?
+- Do the users with access have the expected permission levels?
+
+### Open ports
+
+To find out which ports in the device are currently in use or were used, use the following kql query:
+
+ ```
+ let device = "YOUR_DEVICE_ID";
+ let hub = "YOUR_HUB_NAME";
+ SecurityIoTRawEvent
+ | where
+ DeviceId == device and AssociatedResourceId contains tolower(hub)
+ and RawEventName == "ListeningPorts"
+ and extractjson("$.LocalPort", EventDetails, typeof(int)) <= 1024 // avoid short-lived TCP ports (Ephemeral)
+ | project
+ TimestampLocal=extractjson("$.TimestampLocal", EventDetails, typeof(datetime)),
+ Protocol=extractjson("$.Protocol", EventDetails, typeof(string)),
+ LocalAddress=extractjson("$.LocalAddress", EventDetails, typeof(string)),
+ LocalPort=extractjson("$.LocalPort", EventDetails, typeof(int)),
+ RemoteAddress=extractjson("$.RemoteAddress", EventDetails, typeof(string)),
+ RemotePort=extractjson("$.RemotePort", EventDetails, typeof(string))
+ | summarize MinObservedTime=min(TimestampLocal), MaxObservedTime=max(TimestampLocal), AllowedRemoteIPAddress=makeset(RemoteAddress), AllowedRemotePort=makeset(RemotePort) by Protocol, LocalPort
+ ```
+
+Use this data to discover:
+
+- Which listening sockets are currently active on the device?
+- Should the listening sockets that are currently active be allowed?
+- Are there any suspicious remote addresses connected to the device?
+
+### User logins
+
+To find users that logged into the device use the following kql query:
+
+ ```
+ let device = "YOUR_DEVICE_ID";
+ let hub = "YOUR_HUB_NAME";
+ SecurityIoTRawEvent
+ | where
+ DeviceId == device and AssociatedResourceId contains tolower(hub)
+ and RawEventName == "Login"
+ // filter out local, invalid and failed logins
+ and EventDetails contains "RemoteAddress"
+ and EventDetails !contains '"RemoteAddress":"127.0.0.1"'
+ and EventDetails !contains '"UserName":"(invalid user)"'
+ and EventDetails !contains '"UserName":"(unknown user)"'
+ //and EventDetails !contains '"Result":"Fail"'
+ | project
+ TimestampLocal=extractjson("$.TimestampLocal", EventDetails, typeof(datetime)),
+ UserName=extractjson("$.UserName", EventDetails, typeof(string)),
+ LoginHandler=extractjson("$.Executable", EventDetails, typeof(string)),
+ RemoteAddress=extractjson("$.RemoteAddress", EventDetails, typeof(string)),
+ Result=extractjson("$.Result", EventDetails, typeof(string))
+ | summarize CntLoginAttempts=count(), MinObservedTime=min(TimestampLocal), MaxObservedTime=max(TimestampLocal), CntIPAddress=dcount(RemoteAddress), IPAddress=makeset(RemoteAddress) by UserName, Result, LoginHandler
+ ```
+
+Use the query results to discover:
+
+- Which users signed in to the device?
+- Are the users that signed in, supposed to sign in?
+- Did the users that signed in connect from expected or unexpected IP addresses?
+
+### Process list
+
+To find out if the process list is as expected, use the following kql query:
+
+ ```
+ let device = "YOUR_DEVICE_ID";
+ let hub = "YOUR_HUB_NAME";
+ SecurityIoTRawEvent
+ | where
+ DeviceId == device and AssociatedResourceId contains tolower(hub)
+ and RawEventName == "ProcessCreate"
+ | project
+ TimestampLocal=extractjson("$.TimestampLocal", EventDetails, typeof(datetime)),
+ Executable=extractjson("$.Executable", EventDetails, typeof(string)),
+ UserId=extractjson("$.UserId", EventDetails, typeof(string)),
+ CommandLine=extractjson("$.CommandLine", EventDetails, typeof(string))
+ | join kind=leftouter (
+ // user UserId details
+ SecurityIoTRawEvent
+ | where
+ DeviceId == device and AssociatedResourceId contains tolower(hub)
+ and RawEventName == "LocalUsers"
+ | project
+ UserId=extractjson("$.UserId", EventDetails, typeof(string)),
+ UserName=extractjson("$.UserName", EventDetails, typeof(string))
+ | distinct UserId, UserName
+ ) on UserId
+ | extend UserIdName = strcat("Id:", UserId, ", Name:", UserName)
+ | summarize CntExecutions=count(), MinObservedTime=min(TimestampLocal), MaxObservedTime=max(TimestampLocal), ExecutingUsers=makeset(UserIdName), ExecutionCommandLines=makeset(CommandLine) by Executable
+```
+
+Use the query results to discover:
+
+- Were there any suspicious processes running on the device?
+- Were processes executed by appropriate users?
+- Did any command-line executions contain the correct and expected arguments?
+
+## Next steps
+
+After investigating a device, and gaining a better understanding of your risks, you may want to consider [Configuring custom alerts](quickstart-create-custom-alerts.md) to improve your IoT solution security posture. If you don't already have a device agent, consider [Deploying a security agent](how-to-deploy-agent.md) or [changing the configuration of an existing device agent](how-to-agent-configuration.md) to improve your results.
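Review bot: the "Open ports" query filters `extractjson("$.LocalPort", EventDetails, typeof(int)) <= 1024` with the comment "avoid short-lived TCP ports (Ephemeral)", but that drops every listening socket above 1024, which is exactly where an unexpected service or backdoor on a device tends to sit; ephemeral ports are client-side source ports, not listeners, so on a `ListeningPorts` event this clause hides evidence rather than noise. Remove it, or if the aim is a shorter result set, say so and keep the unfiltered variant alongside. In the "User logins" query the comment "filter out local, invalid and failed logins" does not match the code: the result filter is commented out (`//and EventDetails !contains '"Result":"Fail"'`) and the summarize groups by `Result`, so failed logins are included; update the comment to say failed attempts are kept and grouped. The closing fence of the "Process list" block sits at column 0 while its opening fence is indented four spaces, so the block will not close cleanly when rendered; and "Select and select on a Defender for IoT alert" should read "Select a Defender for IoT alert".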
defender-for-iot How To Security Data Access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/how-to-security-data-access.md
+
+ Title: Access security & recommendation data
+description: Learn about how to access your security alert and recommendation data when using Defender for IoT.
+ Last updated : 05/26/2021++
+# Access your security data
+
+Defender for IoT stores security alerts, recommendations, and raw security data (if you choose to save it) in your Log Analytics workspace.
+
+## Log Analytics
+
+To configure which Log Analytics workspace is used:
+
+1. Open your IoT hub.
+1. Click the **Settings** blade under the **Security** section.
+1. Click **Data Collection**, and change your Log Analytics workspace configuration.
+
+To access your alerts and recommendations in your Log Analytics workspace after configuration:
+
+1. Choose an alert or recommendation in Defender for IoT.
+1. Click **further investigation**, then click **To see which devices have this alert click here and view the DeviceId column**.
+
+For details on querying data from Log Analytics, see [Get started with log queries in Azure Monitor](../../azure-monitor/logs/get-started-queries.md).
+
+## Security alerts
+
+Security alerts are stored in _AzureSecurityOfThings.SecurityAlert_ table in the Log Analytics workspace configured for the Defender for IoT solution.
+
+We've provided a number of useful queries to help you get started exploring security alerts.
+
+### Sample records
+
+Select a few random records
+
+```
+// Select a few random records
+//
+SecurityAlert
+| project
+ TimeGenerated,
+ IoTHubId=ResourceId,
+ DeviceId=tostring(parse_json(ExtendedProperties)["DeviceId"]),
+ AlertSeverity,
+ DisplayName,
+ Description,
+ ExtendedProperties
+| take 3
+```
+
+| TimeGenerated | IoTHubId | DeviceId | AlertSeverity | DisplayName | Description | ExtendedProperties |
+|-|-|||||--|
+| 2018-11-18T18:10:29.000 | /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | High | Brute force attack succeeded | A Brute force attack on the device was Successful | { "Full Source Address": "[\"10.165.12.18:\"]", "User Names": "[\"\"]", "DeviceId": "IoT-Device-Linux" } |
+| 2018-11-19T12:40:31.000 | /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | High | Successful local login on device | A successful local login to the device was detected | { "Remote Address": "?", "Remote Port": "", "Local Port": "", "Login Shell": "/bin/su", "Login Process Id": "28207", "User Name": "attacker", "DeviceId": "IoT-Device-Linux" } |
+| 2018-11-19T12:40:31.000 | /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | High | Failed local login attempt on device | A failed local login attempt to the device was detected | { "Remote Address": "?", "Remote Port": "", "Local Port": "", "Login Shell": "/bin/su", "Login Process Id": "22644", "User Name": "attacker", "DeviceId": "IoT-Device-Linux" } |
+
+### Device summary
+
+Get the number of distinct security alerts detected in the last week, grouped by IoT Hub, device, alert severity, alert type.
+
+```
+// Get the number of distinct security alerts detected in the last week, grouped by
+// IoT hub, device, alert severity, alert type
+//
+SecurityAlert
+| where TimeGenerated > ago(7d)
+| summarize Cnt=dcount(SystemAlertId) by
+ IoTHubId=ResourceId,
+ DeviceId=tostring(parse_json(ExtendedProperties)["DeviceId"]),
+ AlertSeverity,
+ DisplayName
+```
+
+| IoTHubId | DeviceId | AlertSeverity | DisplayName | Count |
+|-||||--|
+| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | High | Brute force attack succeeded | 9 |
+| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | Medium | Failed local login attempt on device | 242 |
+| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | High | Successful local login on device | 31 |
+| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | Medium | Crypto Coin Miner | 4 |
+
+### IoT hub summary
+
+Select a number of distinct devices that had alerts in the last week, by IoT Hub, alert severity, alert type
+
+```
+// Select number of distinct devices which had alerts in the last week, by
+// IoT hub, alert severity, alert type
+//
+SecurityAlert
+| where TimeGenerated > ago(7d)
+| extend DeviceId=tostring(parse_json(ExtendedProperties)["DeviceId"])
+| summarize CntDevices=dcount(DeviceId) by
+ IoTHubId=ResourceId,
+ AlertSeverity,
+ DisplayName
+```
+
+| IoTHubId | AlertSeverity | DisplayName | CntDevices |
+|-||||
+| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | High | Brute force attack succeeded | 1 |
+| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | Medium | Failed local login attempt on device | 1 |
+| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | High | Successful local login on device | 1 |
+| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | Medium | Crypto Coin Miner | 1 |
+
+## Security recommendations
+
+Security recommendations are stored in _AzureSecurityOfThings.SecurityRecommendation_ table in the Log Analytics workspace configured for the Defender for IoT solution.
+
+We've provided a number of useful queries to help you get start exploring security recommendations.
+
+### Sample records
+
+Select a few random records
+
+```
+// Select a few random records
+//
+SecurityRecommendation
+| project
+ TimeGenerated,
+ IoTHubId=AssessedResourceId,
+ DeviceId,
+ RecommendationSeverity,
+ RecommendationState,
+ RecommendationDisplayName,
+ Description,
+ RecommendationAdditionalData
+| take 2
+```
+
+| TimeGenerated | IoTHubId | DeviceId | RecommendationSeverity | RecommendationState | RecommendationDisplayName | Description | RecommendationAdditionalData |
+||-|-||||-||
+| 2019-03-22T10:21:06.060 | /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | Medium | Active | Permissive firewall rule in the input chain was found | A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports | {"Rules":"[{\"SourceAddress\":\"\",\"SourcePort\":\"\",\"DestinationAddress\":\"\",\"DestinationPort\":\"1337\"}]"} |
+| 2019-03-22T10:50:27.237 | /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | Medium | Active | Permissive firewall rule in the input chain was found | A rule in the firewall has been found that contains a permissive pattern for a wide range of IP addresses or Ports | {"Rules":"[{\"SourceAddress\":\"\",\"SourcePort\":\"\",\"DestinationAddress\":\"\",\"DestinationPort\":\"1337\"}]"} |
+
+### Device summary
+
+Get the number of distinct active security recommendations, grouped by IoT Hub, device, recommendation severity, and type.
+
+```
+// Get the number of distinct active security recommendations, grouped by by
+// IoT hub, device, recommendation severity and type
+//
+SecurityRecommendation
+| extend IoTHubId=AssessedResourceId
+| summarize CurrentState=arg_max(RecommendationState, DiscoveredTimeUTC) by IoTHubId, DeviceId, RecommendationSeverity, RecommendationDisplayName
+| where CurrentState == "Active"
+| summarize Cnt=count() by IoTHubId, DeviceId, RecommendationSeverity
+```
+
+| IoTHubId | DeviceId | RecommendationSeverity | Count |
+|-|||--|
+| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | High | 2 |
+| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | Medium | 1 |
+| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | High | 1 |
+| /subscriptions/<subscription_id>/resourceGroups/<resource_group>/providers/Microsoft.Devices/IotHubs/<iot_hub> | <device_name> | Medium | 4 |
+
+## Next steps
+
+- Read the Defender for IoT [Overview](overview.md)
+- Learn about Defender for IoT [What is agent-based solution for device builders](architecture-agent-based.md)
+- Understand and explore [Defender for IoT alerts](concept-security-alerts.md)
+- Understand and explore [Defender for IoT recommendations](concept-recommendations.md)
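Review bot: every result table in this article has a broken separator row, e.g. `|-|-|||||--|` under the first sample-records table; Markdown needs at least one `-` in each cell of that row, so these tables will render as plain text. While fixing them, align the headers with the queries: both "Device summary" tables show a "Count" column but the queries name it `Cnt`, and the recommendations "Device summary" text says results are grouped by "recommendation severity, and type" while the final `summarize Cnt=count() by IoTHubId, DeviceId, RecommendationSeverity` drops `RecommendationDisplayName`, so either add it to the by-clause or remove "and type" from the sentence. Minor: "help you get start exploring" should read "get started".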
defender-for-iot How To Send Security Messages https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/how-to-send-security-messages.md
+
+ Title: Send Defender for IoT device security messages
+description: Learn how to send your security messages using Defender for IoT.
+ Last updated : 2/8/2021+++
+# Send security messages SDK
+
+This how-to guide explains the Defender for IoT service capabilities when you choose to collect and send your device security messages without using a Defender for IoT agent, and explains how to do so.
+
+In this guide, you learn how to:
+
+> [!div class="checklist"]
+> * Send security messages using the Azure IoT C SDK
+> * Send security messages using the Azure IoT C# SDK
+> * Send security messages using the Azure IoT Python SDK
+> * Send security messages using the Azure IoT Node.js SDK
+> * Send security messages using the Azure IoT Java SDK
+
+## Defender for IoT capabilities
+
+Defender for IoT can process and analyze any kind of security message data as long as the data sent conforms to the [Defender for IoT schema](https://aka.ms/iot-security-schemas) and the message is set as a security message.
+
+## Security message
+
+Defender for IoT defines a security message using the following criteria:
+
+- If the message was sent with Azure IoT SDK
+- If the message conforms to the [security message schema](https://aka.ms/iot-security-schemas)
+- If the message was set as a security message prior to sending
+
+Each security message includes the metadata of the sender such as `AgentId`, `AgentVersion`, `MessageSchemaVersion` and a list of security events.
+The schema defines the valid and required properties of the security message including the types of events.
+
+> [!NOTE]
+> Messages sent that do not comply with the schema are ignored. Make sure to verify the schema before initiating sending data as ignored messages are not currently stored.
+
+> [!NOTE]
+> Messages sent that were not set as a security message using the Azure IoT SDK will not be routed to the Defender for IoT pipeline.
+
+## Valid message example
+
+The example below shows a valid security message object. The example contains the message metadata and one `ProcessCreate` security event.
+
+Once set as a security message and sent, this message will be processed by Defender for IoT.
+
+```json
+"AgentVersion": "0.0.1",
+"AgentId": "e89dc5f5-feac-4c3e-87e2-93c16f010c25",
+"MessageSchemaVersion": "1.0",
+"Events": [
+ {
+ "EventType": "Security",
+ "Category": "Triggered",
+ "Name": "ProcessCreate",
+ "IsEmpty": false,
+ "PayloadSchemaVersion": "1.0",
+ "Id": "21a2db0b-44fe-42e9-9cff-bbb2d8fdf874",
+ "TimestampLocal": "2019-01-27 15:48:52Z",
+ "TimestampUTC": "2019-01-27 13:48:52Z",
+ "Payload":
+ [
+ {
+ "Executable": "/usr/bin/myApp",
+ "ProcessId": 11750,
+ "ParentProcessId": 1593,
+ "UserName": "aUser",
+ "CommandLine": "myApp -a -b"
+ }
+ ]
+ }
+]
+```
+
+## Send security messages
+
+Send security messages *without* using Defender for IoT agent, by using the [Azure IoT C device SDK](https://github.com/Azure/azure-iot-sdk-c/tree/public-preview), [Azure IoT C# device SDK](https://github.com/Azure/azure-iot-sdk-csharp/tree/preview), , [Azure IoT Node.js SDK](https://github.com/Azure/azure-iot-sdk-node), [Azure IoT Python SDK](https://github.com/Azure/azure-iot-sdk-python), or [Azure IoT Java SDK](https://github.com/Azure/azure-iot-sdk-java).
+
+To send the device data from your devices for processing by Defender for IoT, use one of the following APIs to mark messages for correct routing to Defender for IoT processing pipeline.
+
+All data that is sent, even if marked with the correct header, must also comply with the [Defender for IoT message schema](https://aka.ms/iot-security-schemas).
+
+### Send security message API
+
+The **Send security messages** API is currently available in C and C#, Python, Node.js, and Java.
+
+#### C API
+
+```c
+bool SendMessageAsync(IoTHubAdapter* iotHubAdapter, const void* data, size_t dataSize) {
+
+ bool success = true;
+ IOTHUB_MESSAGE_HANDLE messageHandle = NULL;
+
+ messageHandle = IoTHubMessage_CreateFromByteArray(data, dataSize);
+
+ if (messageHandle == NULL) {
+ success = false;
+ goto cleanup;
+ }
+
+ if (IoTHubMessage_SetAsSecurityMessage(messageHandle) != IOTHUB_MESSAGE_OK) {
+ success = false;
+ goto cleanup;
+ }
+
+ if (IoTHubModuleClient_SendEventAsync(iotHubAdapter->moduleHandle, messageHandle, SendConfirmCallback, iotHubAdapter) != IOTHUB_CLIENT_OK) {
+ success = false;
+ goto cleanup;
+ }
+
+cleanup:
+ if (messageHandle != NULL) {
+ IoTHubMessage_Destroy(messageHandle);
+ }
+
+ return success;
+}
+
+static void SendConfirmCallback(IOTHUB_CLIENT_CONFIRMATION_RESULT result, void* userContextCallback) {
+ if (userContextCallback == NULL) {
+ //error handling
+ return;
+ }
+
+ if (result != IOTHUB_CLIENT_CONFIRMATION_OK){
+ //error handling
+ }
+}
+```
+
+#### C# API
+
+```cs
+
+private static async Task SendSecurityMessageAsync(string messageContent)
+{
+ ModuleClient client = ModuleClient.CreateFromConnectionString("<connection_string>");
+ Message securityMessage = new Message(Encoding.UTF8.GetBytes(messageContent));
+ securityMessage.SetAsSecurityMessage();
+ await client.SendEventAsync(securityMessage);
+}
+```
+
+#### Node.js API
+
+```typescript
+var Protocol = require('azure-iot-device-mqtt').Mqtt
+ΓÇï
+function SendSecurityMessage(messageContent)ΓÇï
+{ΓÇï
+ var client = Client.fromConnectionString(connectionString, Protocol);ΓÇï
+ΓÇï
+ var connectCallback = function (err) {ΓÇï
+ if (err) {ΓÇï
+ console.error('Could not connect: ' + err.message);ΓÇï
+ } else {ΓÇï
+ var message = new Message(messageContent);ΓÇï
+ message.setAsSecurityMessage();ΓÇï
+ client.sendEvent(message);ΓÇï
+ ΓÇï
+ client.on('error', function (err) {ΓÇï
+ console.error(err.message);ΓÇï
+ });ΓÇï
+ ΓÇï
+ client.on('disconnect', function () {ΓÇï
+ clearInterval(sendInterval);ΓÇï
+ client.removeAllListeners();ΓÇï
+ client.open(connectCallback);ΓÇï
+ });ΓÇï
+ }ΓÇï
+ };ΓÇï
+ΓÇï
+ client.open(connectCallback);ΓÇï
+}
+```
+
+#### Python API
+
+To use the Python API you need to install the package [azure-iot-device](https://pypi.org/project/azure-iot-device/).
+
+When using the Python API, you can either send the security message through the module or through the device using the unique device or module connection string. When using the following Python script example, with a device, use **IoTHubDeviceClient**, and with a module, use **IoTHubModuleClient**.
+
+```python
+from azure.iot.device.aio import IoTHubDeviceClient, IoTHubModuleClient
+from azure.iot.device import Message
+
+async def send_security_message_async(message_content):
+ conn_str = os.getenv("<connection_string>")ΓÇï
+ device_client = IoTHubDeviceClient.create_from_connection_string(conn_str)ΓÇï
+ await device_client.connect()ΓÇï
+ security_message = Message(message_content)ΓÇï
+ security_message.set_as_security_message()ΓÇï
+ await device_client.send_message(security_message)ΓÇï
+ await device_client.disconnect()
+```
+
+#### Java API
+
+```java
+public void SendSecurityMessage(string message)
+{
+ ModuleClient client = new ModuleClient("<connection_string>", IotHubClientProtocol.MQTT);
+ Message msg = new Message(message);
+ msg.setAsSecurityMessage();
+ EventCallback callback = new EventCallback();
+ string context = "<user_context>";
+ client.sendEventAsync(msg, callback, context);
+}
+```
+
+## Next steps
+
+- Read the Defender for IoT service [Overview](overview.md)
+- Learn more about Defender for IoT [What is agent-based solution for device builders](architecture-agent-based.md)
+- Enable the [service](quickstart-onboard-iot-hub.md)
+- Read the [Azure Defender for IoT agent frequently asked questions](resources-agent-frequently-asked-questions.md)
+- Learn how to access [raw security data](how-to-security-data-access.md)
+- Understand [recommendations](concept-recommendations.md)
+- Understand [alerts](concept-security-alerts.md)
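Review bot: the Node.js and Python blocks carry a mojibake sequence `ΓÇï` (a mis-decoded zero-width space) at the end of almost every line; it will be copied into the reader's source file and break both blocks, so strip it before merging. In the same Node.js block, `Client`, `Message`, `connectionString` and `sendInterval` are used without being required or defined; add the `require('azure-iot-device')` lines for `Client` and `Message` and either define `sendInterval` or drop the `clearInterval` call. In the Python block `os` is never imported and `os.getenv("<connection_string>")` reads an environment variable literally named `<connection_string>`; the placeholder belongs on the variable name, e.g. `os.getenv("IOTHUB_DEVICE_CONNECTION_STRING")`. In the C block `SendConfirmCallback` is referenced before its `static` definition, so a forward declaration is needed for it to compile. The Java signature `public void SendSecurityMessage(string message)` uses `string` rather than `String`. The "Valid message example" JSON lacks its enclosing `{ }`, and "C# device SDK](...), , [Azure IoT Node.js SDK" has a doubled comma.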
defender-for-iot Iot Security Azure Rtos https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/iot-security-azure-rtos.md
++
+ Title: Defender-IoT-micro-agent for Azure RTOS overview
+description: Learn more about the Defender-IoT-micro-agent for Azure RTOS support and implementation as part of Azure Defender for IoT.
+ Last updated : 01/14/2021++
+# Overview: Defender for IoT Defender-IoT-micro-agent for Azure RTOS (preview)
+
+The Azure Defender for IoT micro module provides a comprehensive security solution for devices that use Azure RTOS. It provides coverage for common threats and potential malicious activities on real-time operating system (RTOS) devices. Azure RTOS now ships with the Azure IoT Defender-IoT-micro-agent built in.
+++
+The micro module for Azure RTOS offers the following features:
+
+- Malicious network activity detection
+- Custom alert-based device behavior baselining
+- Improved device security hygiene
+
+## Detect malicious network activities
+
+Inbound and outbound network activity of each device is monitored. Supported protocols are TCP, UDP, and ICMP on IPv4 and IPv6. Defender for IoT inspects each of these network activities against the Microsoft threat intelligence feed. The feed gets updated in real time with millions of unique threat indicators collected worldwide.
+
+## Device behavior baselining based on custom alerts
+
+Baselining allows for clustering of devices into security groups and defining the expected behavior of each group. Because IoT devices are typically designed to operate in well-defined and limited scenarios, it's easy to create a baseline that defines their expected behavior by using a set of parameters. Any deviation from the baseline triggers an alert.
+
+## Improve your device security hygiene
+
+By using the recommended infrastructure Defender for IoT provides, you can gain knowledge and insights about issues in your environment that impact and damage the security posture of your devices. A weak IoT-device security posture can allow potential attacks to succeed if it's left unchanged. Security is always measured by the weakest link within any organization.
+
+## Get started protecting Azure RTOS devices
+
+Defender-IoT-micro-agent for Azure RTOS is provided as a free download for your devices. The Defender for IoT cloud service is available with a 30-day trial per Azure subscription. To get started, download the [Defender-IoT-micro-agent for Azure RTOS](https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/defender-for-iot/iot-security-azure-rtos.md).
+
+## Next steps
+
+In this article, you learned about the Defender-IoT-micro-agent for Azure RTOS. To learn more about the Defender-IoT-micro-agent and get started, see the following articles:
+
+- [Azure RTOS IoT Defender-IoT-micro-agent concepts](concept-rtos-security-module.md)
+- [Quickstart: Azure RTOS IoT Defender-IoT-micro-agent](quickstart-azure-rtos-security-module.md)
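Review bot: the download link in the Get started section points at this article's own Markdown source in the docs repository (`[Defender-IoT-micro-agent for Azure RTOS](https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/defender-for-iot/iot-security-azure-rtos.md)`) rather than at a release artifact, and the path is the pre-move `articles/defender-for-iot/` location rather than `device-builders/`; the RTOS quickstart later in this change links the actual release page (`https://github.com/azure-rtos/azure-iot-preview/releases`), so use that here. Also strip the stray `+++` line under the H1 and the trailing `++` on `Last updated : 01/14/2021++`, which are metadata residue rather than article text.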
defender-for-iot Overview Security Agents https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/overview-security-agents.md
+
+ Title: Security agents
+description: Get started with understanding, configuring, deploying, and using Azure Defender for IoT security service agents on your IoT devices.
+ Last updated : 05/26/2021++
+# Get started with Azure Defender for IoT device micro agents
+
+Defender for IoT security agents offers enhanced security capabilities, such as monitoring operating system configuration best practices. Take control of your device field threat protection and security posture with a single service.
+
+The Defenders for IoT security agents handle raw event collection from the device operating system, event aggregation to reduce cost, and configuration through a device module twin. Security messages are sent through your IoT Hub, into Defender for IoT analytics services.
+
+Use the following workflow to deploy and test your Defender for IoT security agents:
+
+1. [Enable Defender for IoT service to your IoT Hub](quickstart-onboard-iot-hub.md).
+
+1. If your IoT Hub has no registered devices, [Register a new device](/previous-versions/azure/iot-accelerators/iot-accelerators-device-simulation-overview).
+
+1. [Create a DefenderIotMicroAgent module twin](quickstart-create-micro-agent-module-twin.md) for your devices.
+
+1. To install the agent on an Azure simulated device instead of installing on an actual device, [spin up a new Azure Virtual Machine (VM)](../../virtual-machines/linux/quick-create-portal.md).
+
+1. [Deploy a Defender for IoT security agent](how-to-deploy-linux-cs.md) on your IoT device, or new VM.
+
+1. Follow the instructions for [trigger_events](https://aka.ms/iot-security-github-trigger-events) to run an OS baseline event.
+
+1. Verify Defender for IoT recommendations in response to the simulated OS baseline check failure in the previous step. Begin verification 30 minutes after running the script.
+
+## Next steps
+
+- Configure your [solution](quickstart-configure-your-solution.md)
+- [Create Defender-IoT-micro-agents](quickstart-create-security-twin.md)
+- Configure [custom alerts](quickstart-create-custom-alerts.md)
+- [Deploy a security agent](how-to-deploy-agent.md)
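Review bot: this workflow mixes the two agents and their twins: step 3 creates a `DefenderIotMicroAgent` module twin and step 5 deploys via `how-to-deploy-linux-cs.md`, while Next steps sends readers to `quickstart-create-security-twin.md` (the legacy `azureiotsecurity` twin) and `how-to-deploy-agent.md`; pick one agent for the page or label which link belongs to which. Step 2's device-registration link is a `/previous-versions/` IoT accelerators page, so point it at current IoT Hub device-registration guidance instead. Typo: `The Defenders for IoT security agents` should read `The Defender for IoT security agents`.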
defender-for-iot Overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/overview.md
+
+ Title: Service overview for device builders
+description: Learn about the Defender for IoT features and services, and understand how Defender for IoT provides comprehensive IoT security.
+ Last updated : 05/27/2021++
+# Welcome to Azure Defender for IoT for device builders
+
+Operational technology (OT) networks power many of the most critical aspects of our society. But many of these technologies were not designed with security in mind and can't be protected with traditional IT security controls. Meanwhile, the Internet of Things (IoT) is enabling a new wave of innovation with billions of connected devices, increasing the attack surface and risk.
+
+Azure Defender for IoT is a unified security solution for identifying IoT/OT devices, vulnerabilities, and threats. It enables you to secure your entire IoT/OT environment, whether you need to protect existing IoT/OT devices or build security into new IoT innovations.
+
+Azure Defender for IoT offers two sets of capabilities to fit your environment's needs.
+
+For end-user organizations with IoT/OT environments, Azure Defender for IoT delivers agentless, network-layer monitoring that:
+
+- Can be rapidly deployed.
+- Integrates easily with diverse industrial equipment and SOC tools.
+- Has zero impact on IoT/OT network performance or stability.
+
+The platform can be deployed fully on-premises or in Azure-connected and hybrid environments.
+
+For IoT device builders, Azure Defender for IoT also offers lightweight a micro agent that supports standard IoT operating systems, such as Linux and RTOS. This lightweight agent helps ensure that security is built into your IoT/OT initiatives from the edge to the cloud. It includes source code for flexible, customizable deployment.
+
+## Agent-based solution
+
+Security is a near-universal concern for IoT implementers. IoT devices have unique needs for endpoint monitoring, security posture management, and threat detection ΓÇô all with highly specific performance requirements.
+
+The Azure Defender for IoT security agents allow you to build security directly into your new IoT devices and Azure IoT projects. The micro agent has flexible deployment options, including the ability to deploy as a binary package or modify source code. And the micro agent is available for standard IoT operating systems like Linux and Azure RTOS.
+
+The Azure Defender for IoT micro agent provides endpoint visibility into security posture management, threat detection, and integration into Microsoft's other security tools for unified security management.
+
+### Security posture management
+
+Proactively monitor the security posture of your IoT devices. Azure Defender for IoT provides security posture recommendations based on the CIS benchmark, along with device-specific recommendations. Get visibility into operating system security, including OS configuration, firewall configuration, and permissions.
+
+### Endpoint IoT/OT threat detection
+
+Detect threats like botnets, brute force attempts, crypto miners, and suspicious network activity. Create custom alerts to target the most important threats in your unique organization.
+
+### Flexible distribution and deployment models
+
+The Azure Defender for IoT micro agent includes source code, so you can incorporate the micro agent into firmware or customize it to include only what you need. It's also available as a binary package, or integrated directly into other Azure IoT solutions.
+
+## See also
+
+[What is agent-based solution for device builders](architecture-agent-based.md)
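Review bot: word-order slip in the device-builder paragraph: `offers lightweight a micro agent` should be `offers a lightweight micro agent`. The Agent-based solution paragraph has a mis-encoded dash (`threat detection ΓÇô all with highly specific`); replace it with a comma or plain hyphen so it renders. The Security posture management section cites `the CIS benchmark` without saying which benchmark or version the recommendations follow; naming it, or linking the recommendations page that does, would let readers check what the checks actually cover.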
defender-for-iot Quickstart Azure Rtos Security Module https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/quickstart-azure-rtos-security-module.md
+
+ Title: 'Quickstart: Configure and enable the Defender-IoT-micro-agent for Azure RTOS'
+description: In this quickstart, learn how to onboard and enable the Defender-IoT-micro-agent for Azure RTOS service in your Azure IoT Hub.
++ Last updated : 05/26/2021+++
+# Quickstart: Defender-IoT-micro-agent for Azure RTOS (preview)
+
+This article provides an explanation of the prerequisites before getting started and explains how to enable the Defender-IoT-micro-agent for Azure RTOS service on an IoT Hub. If you don't currently have an IoT Hub, see [Create an IoT hub using the Azure portal](../../iot-hub/iot-hub-create-through-portal.md).
+
+## Prerequisites
+
+### Supported devices
+
+- ST STM32F746G Discovery Kit
+- NXP i.MX RT1060 EVK
+- Microchip SAM E54 Xplained Pro EVK
+
+Download, compile, and run one of the .zip files for the specific board and tool (IAR, semi's IDE or PC) of your choice from the [Defender-IoT-micro-agent for Azure RTOS GitHub resource](https://github.com/azure-rtos/azure-iot-preview/releases).
+
+### Azure resources
+
+The next stage for getting started is preparing your Azure resources. You'll need an IoT Hub and we suggest a Log Analytics workspace. For IoT Hub, you'll need your IoT Hub connection string to connect to your device.
+
+### IoT Hub connection
+
+An IoT Hub connection is required to get started.
+
+1. Open your **IoT Hub** in Azure portal.
+
+1. Navigate to **IoT Devices**.
+
+1. Select **Create**.
+
+1. Copy the IoT connection string to the [configuration file](how-to-azure-rtos-security-module.md).
+
+The connections credentials are taken from the user application configuration **HOST_NAME**, **DEVICE_ID**, and **DEVICE_SYMMETRIC_KEY**.
+
+The Defender-IoT-micro-agent for Azure RTOS uses Azure IoT Middleware connections based on the **MQTT** protocol.
+
+## Next steps
+
+Advance to the next article to finish configuring and customizing your solution.
+
+> [!div class="nextstepaction"]
+> [Configure and customize Defender-IoT-micro-agent for Azure RTOS (preview)](how-to-azure-rtos-security-module.md)
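Review bot: the credential instructions in the IoT Hub connection section contradict each other. Azure resources says `you'll need your IoT Hub connection string`, and step 4 says `Copy the IoT connection string to the configuration file`, but the next sentence says the device takes `HOST_NAME`, `DEVICE_ID`, and `DEVICE_SYMMETRIC_KEY`; those are the values of a device identity, not a hub-level connection string. A hub (service or registry) connection string must never be placed on a device, so reword steps 3 and 4 to: register a device identity, then copy that device's hostname, device ID and primary symmetric key into the configuration file. Two smaller points: `semi's IDE` in Supported devices is unclear (presumably the board vendor's IDE), and the header line `++ Last updated : 05/26/2021+++` is metadata residue.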
defender-for-iot Quickstart Building The Defender Micro Agent From Source https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/quickstart-building-the-defender-micro-agent-from-source.md
+
+ Title: 'Quickstart: Build the Defender micro agent from source code (Preview)'
+description: In this quickstart, learn about the Micro Agent which includes an infrastructure that can be used to customize your distribution.
Last updated : 05/10/2021+++
+# Quickstart: Build the Defender micro agent from source code (Preview)
+
+The Micro Agent includes an infrastructure, which can be used to customize your distribution. To see a list of the available configuration parameters look at the `configs/LINUX_BASE.conf` file.
+
+For a single distribution, modify the base `.conf` file.
+
+If you require more than one distribution, you can inherit from the base configuration and override its values.
+
+To override the values:
+
+1. Create a new `.dist` file.
+
+1. Add `CONF_DEFINE_BASE(${g_plat_config_path} LINUX_BASE.conf)` to the top.
+
+1. Define new values to whatever you require, example:
+
+ `set(ASC_LOW_PRIORITY_INTERVAL 60*60*24)`
+
+1. Give the `.dist` file a reference when building. For example,
+
+ `cmake -DCMAKE_BUILD_TYPE=Debug -Dlog_level=DEBUG -Dlog_level_cmdline:BOOL=ON -DIOT_SECURITY_MODULE_DIST_TARGET=UBUNTU1804 ..`
+
+## Prerequisites
+
+1. Contact your account manager to ask for access to Defender for IoT source code.
+
+1. Clone, or extract the source code to a folder on the disk.
+
+1. Navigate into that directory.
+
+1. Pull the submodules using the following code:
+
+ ```bash
+ git submodule update --init
+ ```
+
+1. Next, pull the submodules for the Azure IoT SDK with the following code:
+
+ ```bash
+ git -C deps/azure-iot-sdk-c/ submodule update ΓÇôinit
+ ```
+
+
+1. Add an execution permission, and run the developer environment setup script:
+
+ ```bash
+ chmod +x scripts/install_development_environment.sh && ./scripts/install_development_environment.sh
+ ```
+
+1. Create a directory for the build outputs:
+
+ ```bash
+ mkdir cmake
+ ```
+
+1. (Optional) Download and install [VSCode](https://code.visualstudio.com/download )
+
+1. (Optional) Install the [C/C++ extension](https://code.visualstudio.com/docs/languages/cpp ) for VSCode.- None
+
+## Baseline Configuration signing
+
+The agent verifies the authenticity of configuration files that are placed on the disk to mitigate tampering, by default.
+
+You can stop this process by defining the preprocessor flag `ASC_BASELINE_CONF_SIGN_CHECK_DISABLE`.
+
+We don't recommend turning off the signature check for production environments.
+
+If you require a different configuration for production scenarios, contact the Defender for IoT team.
+
+## Building the Defender IoT Micro Agent
+
+1. Open the directory with VSCode
+
+1. Navigate to the `cmake` directory.
+
+1. Run the following command:
+
+ ```bash
+ cmake -DCMAKE_BUILD_TYPE=Debug -Dlog_level=DEBUG -Dlog_level_cmdline:BOOL=ON -DIOT_SECURITY_MODULE_DIST_TARGET<the appropriate distro configuration file name> ..
+
+ cmake --build . -- -j${env:NPROC}
+ ```
+
+ For example:
+
+ ```bash
+ cmake -DCMAKE_BUILD_TYPE=Debug -Dlog_level=DEBUG -Dlog_level_cmdline:BOOL=ON -DIOT_SECURITY_MODULE_DIST_TARGETUBUNTU1804 ..
+
+ cmake --build . -- -j${env:NPROC}
+ ```
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Configure your Azure Defender for IoT solution](quickstart-configure-your-solution.md).
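Review bot: two commands in this hunk will not run as written. The submodule step `git -C deps/azure-iot-sdk-c/ submodule update ΓÇôinit` has the `--init` flag mis-encoded as a single dash (`ΓÇôinit`), and both build lines drop the `=` after the define, `-DIOT_SECURITY_MODULE_DIST_TARGET<the appropriate distro configuration file name> ..` and `-DIOT_SECURITY_MODULE_DIST_TARGETUBUNTU1804 ..`, whereas the earlier example correctly has `-DIOT_SECURITY_MODULE_DIST_TARGET=UBUNTU1804 ..`. `cmake --build . -- -j${env:NPROC}` is PowerShell variable syntax inside a `bash` fence; use `$(nproc)` for bash. In the override procedure, step 1 says to create a `.dist` file but the base is `LINUX_BASE.conf` and the flag value is a bare `UBUNTU1804`, so state the expected filename and location (for example whether the file lives under `configs/`). The Baseline Configuration signing section is the one security-relevant control here; it would help to say what key the check verifies against and that `ASC_BASELINE_CONF_SIGN_CHECK_DISABLE` must not be defined in a release build, rather than only that it is not recommended. Stray `- None` at the end of the VSCode extension bullet.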
defender-for-iot Quickstart Configure Your Solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/quickstart-configure-your-solution.md
+
+ Title: 'Quickstart: Add Azure resources to your IoT solution'
+description: In this quickstart, learn how to configure your end-to-end IoT solution using Azure Defender for IoT.
+ Last updated : 01/25/2021++
+# Quickstart: Configure your Azure Defender for IoT solution
+
+This article provides an explanation of how to perform initial configuration of your IoT security solution using Defender for IoT.
+
+## Prerequisites
+
+- None
+
+## What is Defender for IoT?
+
+Defender for IoT provides comprehensive end-to-end security for Azure-based IoT solutions.
+
+With Defender for IoT, you can monitor your entire IoT solution in one dashboard, surfacing all of your IoT devices, IoT platforms, and back-end resources in Azure.
+
+Once enabled on your IoT Hub, Defender for IoT automatically identifies other Azure services, also connected to your IoT Hub and related to your IoT solution.
+
+In addition to automatic relationship detection, you can also pick and choose which other Azure resource groups to tag as part of your IoT solution.
+
+Your selections allow you to add entire subscriptions, resource groups, or single resources.
+
+After defining all of the resource relationships, Defender for IoT uses Defender to provide you security recommendations and alerts for these resources.
+
+## Add Azure resources to your IoT solution
+
+To add new resource to your IoT solution:
+
+1. Open your **IoT Hub** in Azure portal.
+
+1. Under **Security** select **Overview** followed by **Settings**, and then select **Monitored Resources**.
+
+1. Select **Edit** and select the monitored resources that belong to your IoT solution.
+
+1. Select **Add**.
+
+Congratulations! You've added a new resource group to your IoT solution.
+
+Defender for IoT now monitors you're newly added resource groups, and surfaces relevant security recommendations and alerts as part of your IoT solution.
+
+## Next steps
+
+Advance to the next article to learn how to create Defender-IoT-micro-agents...
+
+> [!div class="nextstepaction"]
+> [Create Defender-IoT-micro-agents](quickstart-create-security-twin.md)
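Review bot: grammar in the closing lines: `Defender for IoT now monitors you're newly added resource groups` should be `your newly added resource groups`, and `To add new resource to your IoT solution:` needs `a new resource`. The procedure lets you add subscriptions, resource groups or single resources (`Your selections allow you to add entire subscriptions, resource groups, or single resources.`), yet the success message says `You've added a new resource group`; make the wording generic. `Prerequisites: None` is not accurate, since the steps assume Defender for IoT is already enabled on the hub (`Once enabled on your IoT Hub, ...`); link the onboarding quickstart there.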
defender-for-iot Quickstart Create Custom Alerts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/quickstart-create-custom-alerts.md
+
+ Title: Create custom alerts
+description: Understand, create, and assign custom device alerts for the Azure Defender for IoT security service.
+ Last updated : 09/04/2020++
+# Create custom alerts
+
+Using custom security groups and alerts, takes full advantage of the end-to-end security information and categorical device knowledge to ensure better security across your IoT solution.
+
+## Why use custom alerts?
+
+You know your IoT devices best.
+
+For customers who fully understand their expected device behavior, Defender for IoT allows you to translate this understanding into a device behavior policy and alert on any deviation from expected, normal behavior.
+
+## Security groups
+
+Security groups enable you to define logical groups of devices, and manage their security state in a centralized way.
+
+These groups can represent devices with specific hardware, devices deployed in a certain location, or any other group suitable to your specific needs.
+
+Security groups are defined by a device twin tag property named **SecurityGroup**. By default, each IoT solution on IoT Hub has one security group named **default**. Change the value of the **SecurityGroup** property to change the security group of a device.
+
+For example:
+
+```
+{
+ "deviceId": "VM-Contoso12",
+ "etag": "AAAAAAAAAAM=",
+ "deviceEtag": "ODA1BzA5QjM2",
+ "status": "enabled",
+ "statusUpdateTime": "0001-01-01T00:00:00",
+ "connectionState": "Disconnected",
+ "lastActivityTime": "0001-01-01T00:00:00",
+ "cloudToDeviceMessageCount": 0,
+ "authenticationType": "sas",
+ "x509Thumbprint": {
+ "primaryThumbprint": null,
+ "secondaryThumbprint": null
+ },
+ "version": 4,
+ "tags": {
+ "SecurityGroup": "default"
+ },
+```
+
+Use security groups to group your devices into logical categories. After creating the groups, assign them to the custom alerts of your choice, for the most effective end-to-end IoT security solution.
+
+## Customize an alert
+
+1. Open your IoT Hub and select **Settings** from the **Security** menu.
+
+1. Select on **Custom alerts**.
+
+1. Choose a security group you wish to apply the customization to.
+
+1. Select **Add a custom alert**.
+
+1. Select a custom alert from the dropdown list.
+
+1. Edit the required properties, select **OK**.
+
+1. Make sure to select **SAVE**. Without saving the new alert, the alert is deleted the next time you close IoT Hub.
+
+## Alerts available for customization
+
+Defender for IoT offers a large number of alerts, which can be customized according to your specific needs. Review the [customizable alert table](concept-customizable-security-alerts.md) for alert severity, data source, description, and our suggested remediation steps if and when each alert is received.
+
+## Next steps
+
+Advance to the next article to learn how to deploy a security agent...
+
+> [!div class="nextstepaction"]
+> [Deploy a security agent](how-to-deploy-agent.md)
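Review bot: the device-twin sample under Security groups is an unterminated JSON fragment (the outer object and the `"tags"` block are never closed) in an untagged fence; tag the fence as `json` and either close the braces or end the snippet with an explicit `...` so readers do not paste a broken document. The sentence `Without saving the new alert, the alert is deleted the next time you close IoT Hub.` is misleading (unsaved changes are discarded when you leave the blade; nothing that was saved is deleted), and `Select on **Custom alerts**` should be `Select **Custom alerts**`. The opening sentence `Using custom security groups and alerts, takes full advantage of ...` is missing its subject.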
defender-for-iot Quickstart Create Micro Agent Module Twin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/quickstart-create-micro-agent-module-twin.md
+
+ Title: 'Quickstart: Create a Defender IoT micro agent module twin (Preview)'
+description: In this quickstart, learn how to create individual DefenderIotMicroAgent module twins for new devices.
Last updated : 05/10/2021+++
+# Quickstart: Create a Defender IoT micro agent module twin (Preview)
+
+You can create individualΓÇ»**DefenderIotMicroAgent** module twins for new devices. You can also batch create module twins for all devices in an IoT Hub.
+
+## Prerequisites
+
+None
+
+## Device twins
+
+For IoT solutions built in Azure, device twins play a key role in both device management and process automation.
+
+Defender for IoT has the ability to fully integrate with your existing IoT device management platform. Full integration, enables you to manage your device's security status, and allows you to make use of all existing device control capabilities. Integration is achieved by making use of the IoT Hub twin mechanism.
+
+Learn more about the concept ofΓÇ»[Understand and use device twins in IoT Hub](../../iot-hub/iot-hub-devguide-device-twins.md).
+
+## Defender-IoT-micro-agent twins
+
+Defender for IoT uses a Defender-IoT-micro-agent twin for each device. The Defender-IoT-micro-agent twin holds all of the information that is relevant to device security, for each specific device in your solution. Device security properties are configured through a dedicated Defender-IoT-micro-agent twin for safer communication, to enable updates, and maintenance that requires fewer resources.
+
+## Understanding DefenderIotMicroAgent module twins
+
+Device twins play a key role in both device management and process automation, for IoT solutions that are built in to Azure.
+
+Defender for IoT offers the capability to fully integrate your existing IoT device management platform, enabling you to manage your device security status and make use of the existing device control capabilities. You can integrate your Defender for IoT by using the IoT Hub twin mechanism.
+
+To learn more about the general concept of module twins in Azure IoT Hub, seeΓÇ»[Understand and use module twins in IoT Hub](../../iot-hub/iot-hub-devguide-module-twins.md).
+
+Defender for IoT uses the module twin mechanism, and maintains a Defender-IoT-micro-agent twin named `DefenderIotMicroAgent` for each of your devices.
+
+To take full advantage of all Defender for IoT feature's, you need to create, configure, and use the Defender-IoT-micro-agent twins for every device in the service.
+
+## Create DefenderIotMicroAgent module twin
+
+**DefenderIotMicroAgent** module twins can be created by manually editing each module twin to include specific configurations for each device.
+
+To manually create a newΓÇ»**DefenderIotMicroAgent** module twin for a device:
+
+1. In your IoT Hub, locate and select the device on which to create a Defender-IoT-micro-agent twin.
+
+1. SelectΓÇ»**Add module identity**.
+
+1. In the **Module Identity Name** field, and enter `DefenderIotMicroAgent`.
+
+1. SelectΓÇ»**Save**.
+
+## Verify the creation of a module twin
+
+To verify if a Defender-IoT-micro-agent twin exists for a specific device:
+
+1. In your Azure IoT Hub, select **IoT devices** from the **Explorers** menu.
+
+1. Enter the device ID, or select an option in the **Query device** field and select **Query devices**. 
+
+ :::image type="content" source="media/quickstart-create-micro-agent-module-twin/iot-devices.png" alt-text="Select query devices to get a list of your devices.":::
+
+1. Select the device, and open the **Device details** page.
+
+1. Select the **Module identities** menu, and confirm the existence of the **DefenderIotMicroAgent** module in the list of module identities associated with the device. 
+
+ :::image type="content" source="media/quickstart-create-micro-agent-module-twin/device-details-module.png" alt-text="Select module identities from the tab.":::
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [investigate security recommendations](quickstart-investigate-security-recommendations.md)
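Review bot: six lines in this hunk contain `ΓÇ»`, a mis-encoded non-breaking space (`You can create individualΓÇ»**DefenderIotMicroAgent** module twins`, `SelectΓÇ»**Add module identity**.`, `SelectΓÇ»**Save**.` and the two `seeΓÇ»[...]` links); replace them with ordinary spaces. The Device twins and Understanding DefenderIotMicroAgent module twins sections repeat the same two paragraphs about device twins and IoT Hub twin integration almost verbatim; keep one. Step 3 of the create procedure reads `In the **Module Identity Name** field, and enter ...` (drop `and`), and the Next steps link text `investigate security recommendations` should be capitalized like the sibling quickstart.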
defender-for-iot Quickstart Create Security Twin https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/quickstart-create-security-twin.md
+
+ Title: 'Quickstart: Create a security module twin'
+description: In this quickstart, learn how to create a Defender for IoT module twin for use with Azure Defender for IoT.
+ Last updated : 05/26/2021++
+# Quickstart: Create an azureiotsecurity module twin
+
+This quickstart explains how to create individual _azureiotsecurity_ module twins for new devices, or batch create module twins for all devices in an IoT Hub.
+
+## Prerequisites
+
+- None
+
+## Understanding azureiotsecurity module twins
+
+For IoT solutions built in Azure, device twins play a key role in both device management and process automation.
+
+Defender for IoT offers full integration with your existing IoT device management platform, enabling you to manage your device security status and make use of existing device control capabilities.
+Defender for IoT integration is achieved by making use of the IoT Hub twin mechanism.
+
+See [IoT Hub module twins](../../iot-hub/iot-hub-devguide-module-twins.md)[IoT Hub module twins] to learn more about the general concept of module twins in Azure IoT Hub.
+
+Defender for IoT makes use of the module twin mechanism and maintains a security module twin named _azureiotsecurity_ for each of your devices.
+
+The Defender-IoT-micro-agent twin holds all the information relevant to device security for each of your devices.
+
+To make full use of Defender for IoT features, you'll need to create, configure, and use this Defender-IoT-micro-agent twins for every device in the service.
+
+## Create azureiotsecurity module twin
+
+_azureiotsecurity_ module twins can be created in two ways:
+
+1. [Module batch script](https://aka.ms/iot-security-github-create-module) - automatically creates module twin for new devices or devices without a module twin using the default configuration.
+1. Manually editing each module twin individually with specific configurations for each device.
+
+>[!NOTE]
+> Using the batch method will not overwrite existing azureiotsecurity module twins. Using the batch method ONLY creates new module twins for devices that do not already have a security module twin.
+
+See [agent configuration](how-to-agent-configuration.md) to learn how to modify or change the configuration of an existing module twin.
+
+To manually create a new _azureiotsecurity_ module twin for a device:
+
+1. In your IoT Hub, locate and select the device you wish to create a security module twin for.
+
+1. Select on your device, and then on **Add module identity**.
+
+1. In the **Module Identity Name** field, enter **azureiotsecurity**.
+
+1. Select **Save**.
+
+## Verify creation of a module twin
+
+To verify if a security module twin exists for a specific device:
+
+1. In your Azure IoT Hub, select **IoT devices** from the **Explorers** menu.
+
+1. Enter the device ID, or select an option in the **Query device field** and select **Query devices**.
+
+ :::image type="content" source="./media/quickstart/verify-security-module-twin.png" alt-text="Query devices":::
+
+1. Select the device or double select it to open the Device details page.
+
+1. Select the **Module identities** menu, and confirm existence of the **azureiotsecurity** module in the list of module identities associated with the device.
+
+ :::image type="content" source="./media/quickstart/verify-security-module-twin-3.png" alt-text="Modules associated with a device":::
+
+To learn more about customizing properties of Defender for IoT module twins, see [Agent configuration](how-to-agent-configuration.md).
+
+## Next steps
+
+Advance to the next article to learn how to investigate security recommendations...
+
+> [!div class="nextstepaction"]
+> [Investigate security recommendations](quickstart-investigate-security-recommendations.md)
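Review bot: the module-twin link is doubled: `See [IoT Hub module twins](../../iot-hub/iot-hub-devguide-module-twins.md)[IoT Hub module twins] to learn more` renders a dangling `[IoT Hub module twins]` after the link; drop the second bracket. Grammar: `use this Defender-IoT-micro-agent twins` (this/these), `Select on your device, and then on **Add module identity**`, and `Select the device or double select it` (double-click). The page also alternates between the `_azureiotsecurity_` name and `Defender-IoT-micro-agent twin` for the same object; since the sibling quickstart in this change uses the `DefenderIotMicroAgent` module name, state once which module identity name applies to which agent so readers do not create the wrong twin.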
defender-for-iot Quickstart Investigate Security Alerts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/quickstart-investigate-security-alerts.md
+
+ Title: "Quickstart: Investigate security alerts"
+description: Understand, drill down, and investigate Defender for IoT security alerts on your IoT devices.
+ Last updated : 06/21/2021++
+# Quickstart: Investigate security alerts
+
+Scheduled investigation and remediation of the alerts issued by Defender for IoT is the best way to ensure compliance, and protection across your IoT solution.
+
+## Investigate new security alerts
+
+The IoT Hub security alert list displays all of the aggregated security alerts for your IoT Hub.
+
+1. In the Azure portal, open the **IoT Hub** you want to investigate for new alerts.
+
+1. From the **Security** menu, select **Alerts**. All of the security alerts for the IoT Hub will display, and the alerts with a **New** flag, mark your alerts from the past 24 hours.
+
+ :::image type="content" source="media/quickstart/investigate-new-security-alerts.png" alt-text="Investigate new IoT security alerts by using the new alert flag":::
+
+1. Select an alert from the list to open the alert details, and understand the alert specifics.
+
+## Security alert details
+
+Opening each aggregated alert displays the detailed alert description, remediation steps, and device ID for each device that triggered an alert. The alert severity, and direct investigation is accessible using Log Analytics.
+
+1. Navigate to **IoT Hub** > **Security** > **Alerts**.
+
+1. Select any security alert from the list to open it.
+
+1. Review the alert **description**, **severity**, **source of the detection**, **device details** of all devices that issued this alert in the aggregation period.
+
+ :::image type="content" source="media/quickstart/drill-down-iot-alert-details.png" alt-text="Investigate and review the details of each device in an aggregated alert ":::
+
+1. After reviewing the alert specifics, use the **manual remediation step** instructions to help remediate, and resolve the issue that caused the alert.
+
+ :::image type="content" source="media/quickstart/iot-alert-manual-remediation-steps.png" alt-text="Follow the manual remediation steps to help resolve or remediate your device security alerts":::
+
+1. If further investigation is required, **Investigate the alerts in Log Analytics** using the link.
+
+ :::image type="content" source="media/quickstart/investigate-iot-alert-log-analytics.png" alt-text="To further investigate an alert, use the investigate using log analytics link provided on screen":::
+
+## Next steps
+
+Advance to the next article to learn more about Defender alert types and possible customizations.
+
+> [!div class="nextstepaction"]
+> [Understanding IoT security alerts](concept-security-alerts.md)
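Review bot: grammar in the alert list step: `the alerts with a **New** flag, mark your alerts from the past 24 hours` should read `alerts flagged **New** are those raised in the past 24 hours`, and `The alert severity, and direct investigation is accessible using Log Analytics` needs a plural verb and no comma. The Log Analytics step assumes a workspace is already attached; say where that is configured and what the reader sees when none is, since the RTOS quickstart in this change only suggests a workspace rather than requiring one.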
defender-for-iot Quickstart Investigate Security Recommendations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/quickstart-investigate-security-recommendations.md
+
+ Title: Investigate security recommendations
+description: Investigate security recommendations with the Defender for IoT security service.
+ Last updated : 05/26/2021++
+# Quickstart: Investigate security recommendations
++
+Timely analysis and mitigation of recommendations by Defender for IoT is the best way to improve security posture and reduce attack surface across your IoT solution.
+
+In this quickstart, we'll explore the information available in each IoT security recommendation, and explain how to drill down and use the details of each recommendation and related devices, to reduce risk.
+
+Let's get started.
+
+## Investigate new recommendations
+
+The IoT Hub recommendations list displays all of the aggregated security recommendations for your IoT Hub.
+
+1. In the Azure portal, open the **IoT Hub** you want to investigate for new recommendations.
+
+1. From the **Security** menu, select **Recommendations**. All of the security recommendations for the IoT Hub will display, and the recommendations with a **New** flag, mark your recommendations from the past 24 hours.
+
+ :::image type="content" source="media/quickstart/investigate-security-recommendations-expanded.png#lightbox" alt-text="Investigate security recommendations with ASC for IoT](media/quickstart/investigate-security-recommendations-inline.png)":::
++
+1. Select and open any recommendation from the list to open the recommendation details and drill down to the specifics.
+
+## Security recommendation details
+
+Open each aggregated recommendation to display the detailed recommendation description, remediation steps, device ID for each device that triggered a recommendation. It also displays recommendation severity and direct-investigation access using Log Analytics.
+
+1. Select and open any security recommendation from the **IoT Hub** > **Security** > **Recommendations** list.
+
+1. Review the recommendation **description**, **severity**, **device details** of all devices that issued this recommendation in the aggregation period.
+
+1. After reviewing recommendation specifics, use the **manual remediation step** instructions to help remediate and resolve the issue that caused the recommendation.
+
+ :::image type="content" source="media/quickstart/remediate-security-recommendations-inline.png" alt-text="Remediate security recommendations with ASC for IoT" lightbox="media/quickstart/remediate-security-recommendations-expanded.png":::
+
+1. Explore the recommendation details for a specific device by selecting the desired device in the drill-down page.
+
+ :::image type="content" source="media/quickstart/explore-security-recommendation-detail-inline.png" alt-text="Investigate specific security recommendations for a device with ASC for IoT" lightbox="media/quickstart/explore-security-recommendation-detail-expanded.png":::
+
+1. If further investigation is required, **Investigate the recommendation in Log Analytics** using the link.
+
+## Next steps
+
+Advance to the next article to learn how to create custom alerts...
+
+> [!div class="nextstepaction"]
+> [Create custom alerts](quickstart-create-custom-alerts.md)
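Review bot: The image directive in step 2 of "Investigate new recommendations" is malformed: its alt text `Investigate security recommendations with ASC for IoT](media/quickstart/investigate-security-recommendations-inline.png)` still carries the tail of a Markdown image link, and the lightbox is expressed as a `#lightbox` suffix on `source` instead of the `lightbox="..."` attribute the same article uses a few lines later for `remediate-security-recommendations-expanded.png`. Suggest `source="media/quickstart/investigate-security-recommendations-inline.png" lightbox="media/quickstart/investigate-security-recommendations-expanded.png"` with an alt text that names the current product ("Defender for IoT" rather than "ASC for IoT", which also appears in the other two alt texts of this article). Smaller points: "the recommendations with a **New** flag, mark your recommendations from the past 24 hours" needs rewording (for example "recommendations flagged **New** were raised in the past 24 hours"); the details paragraph is missing an "and" before "device ID for each device"; and the Next steps sentence ends in a trailing "...".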
defender-for-iot Quickstart Onboard Iot Hub https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/quickstart-onboard-iot-hub.md
+
+ Title: 'Quickstart: Onboard Defender for IoT to an agent-based solution'
+description: In this quickstart, you will learn how to onboard and enable the Defender for IoT security service in your Azure IoT Hub.
+ Last updated : 1/20/2021++
+# Quickstart: Onboard Defender for IoT to an agent-based solution
+
+This article explains how to enable the Defender for IoT service on your existing IoT Hub. If you don't currently have an IoT Hub, see [Create an IoT hub using the Azure portal](../../iot-hub/iot-hub-create-through-portal.md) to get started.
+
+You can manage your IoT security through the IoT Hub in Defender for IoT. The management portal located in the IoT Hub allows you to do the following:
+
+- Manage IoT Hub security.
+
+- Basic management of an IoT device's security without installing an agent based on the IoT Hub telemetry.
+
+- Advanced management for the security of an IoT device based on the micro agent.
+
+> [!NOTE]
+> Defender for IoT currently only supports standard tier IoT Hubs.
+
+## Prerequisites
+
+None
+
+## Onboard Defender for IoT to an IoT Hub
+
+For all new IoT hubs, Defender for IoT is set to **On** by default. You can verify that Defender for IoT is toggled to **On** during the IoT Hub creation process.
+
+To verify the toggle is set to **On**:
+
+1. Navigate to the Azure portal.
+
+1. Select **IoT Hub** from the list of Azure services.
+
+1. Select **Create**.
+
+ :::image type="content" source="media/quickstart-onboard-iot-hub/create-iot-hub.png" alt-text="Select the create button from the top toolbar." lightbox="media/quickstart-onboard-iot-hub/create-iot-hub-expanded.png":::
+
+1. Select the **Management** tab, and verify that **Defender for IoT** toggle is set to **On**.
+
+ :::image type="content" source="media/quickstart-onboard-iot-hub/management-tab.png" alt-text="Ensure the Defender for IoT toggle is set to on.":::
+
+## Onboard Defender for IoT to an existing IoT Hub
+
+You can onboard Defender for IoT to an existing IoT Hub, where
+you can then monitor the device identity management, device to cloud, and cloud to device communication patterns.
+
+To onboard Defender for IoT to an existing IoT Hub:
+
+1. Navigate to the IoT Hub.
+
+1. Select the IoT Hub to be onboarded.
+
+1. Select any option under the **Security** section.
+
+1. Click **Secure your IoT solution** and complete the onboarding form.
+
+ :::image type="content" source="media/quickstart-onboard-iot-hub/secure-your-iot-solution.png" alt-text="Select the secure your IoT solution button to secure your solution.":::
+
+The **Secure your IoT solution** button will only appear if the IoT Hub has not already been onboarded, or if while onboarding you left the Defender for IoT toggle on **Off**.
++
+## Next steps
+
+Advance to the next article to configure your solution...
+
+> [!div class="nextstepaction"]
+> [Create a Defender Iot micro agent module twin (Preview)](quickstart-create-micro-agent-module-twin.md)
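Review bot: "Prerequisites: None" contradicts the article's own note that "Defender for IoT currently only supports standard tier IoT Hubs" and the opening paragraph, which assumes an existing IoT Hub (or sends the reader off to create one); list a standard tier IoT Hub, and the permissions needed to change its Security settings, as the prerequisite instead. The bullet "Basic management of an IoT device's security without installing an agent based on the IoT Hub telemetry" reads as if the agent is what is based on telemetry; reorder to "... based on IoT Hub telemetry, without installing an agent". The existing-hub procedure opens with "Navigate to the IoT Hub" followed by "Select the IoT Hub to be onboarded", which describe the same action; merge them. Step 4 uses "Click" where every other step uses "Select", and the Next steps link text has "Defender Iot" for "Defender for IoT".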
defender-for-iot Quickstart Standalone Agent Binary Installation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/quickstart-standalone-agent-binary-installation.md
+
+ Title: 'Quickstart: Install Defender for IoT micro agent (Preview)'
+description: In this quickstart, learn how to install, and authenticate the Defender Micro Agent.
Last updated : 06/27/2021+++
+# Quickstart: Install Defender for IoT micro agent (Preview)
+
+This article provides an explanation of how to install, and authenticate the Defender micro agent.
+
+## Prerequisites
+
+Before you install the Defender for IoT module, you must create a module identity in the IoT Hub. For more information on how to create a module identity, see [Create a Defender IoT micro agent module twin (Preview)](quickstart-create-micro-agent-module-twin.md).
+
+## Install the package
+
+**To add the appropriate Microsoft package repository**:
+
+1. Download the repository configuration that matches your device operating system.
+
+ - For Ubuntu 18.04
+
+ ```bash
+ curl https://packages.microsoft.com/config/ubuntu/18.04/multiarch/prod.list > ./microsoft-prod.list
+ ```
+
+ - For Ubuntu 20.04
+
+ ```bash
+ curl https://packages.microsoft.com/config/ubuntu/20.04/prod.list > ./microsoft-prod.list
+ ```
+
+ - For Debian 9 (both AMD64 and ARM64)
+
+ ```bash
+ curl https://packages.microsoft.com/config/debian/stretch/multiarch/prod.list > ./microsoft-prod.list
+ ```
+
+1. Copy the repository configuration to the `sources.list.d` directory.
+
+ ```bash
+ sudo cp ./microsoft-prod.list /etc/apt/sources.list.d/
+ ```
+
+1. Update the list of packages from the repository that you added with the following command:
+
+ ```bash
+ sudo apt-get update
+ ```
+
+To install the Defender micro agent package on Debian, and Ubuntu based Linux distributions, use the following command:
+
+```bash
+sudo apt-get install defender-iot-micro-agent
+```
+
+## Micro agent authentication methods
+
+The two options used to authenticate the Defender for IoT micro agent are:
+
+- Module identity connection string.
+
+- Certificate.
+
+### Authenticate using a module identity connection string
+
+Ensure the [Prerequisites](#prerequisites) for this article are met, and that you create a module identity before starting these steps.
+
+#### Get the module identity connection string
+
+To get the module identity connection string from the IoT Hub:
+
+1. Navigate to the IoT Hub, and select your hub.
+
+1. In the left-hand menu, under the **Explorers** section, select **IoT devices**.
+
+ :::image type="content" source="media/quickstart-standalone-agent-binary-installation/iot-devices.png" alt-text="Select IoT devices from the left-hand menu.":::
+
+1. Select a device from the Device ID list to view the **Device details** page.
+
+1. Select the **Module identities** tab.
+
+1. Select the **DefenderIotMicroAgent** module from the list of module identities associated with the device.
+
+ :::image type="content" source="media/quickstart-standalone-agent-binary-installation/module-identities.png" alt-text="Select the module identities tab.":::
+
+1. In the **Module Identity Details** page, copy the Connection string (primary key) by selecting the **copy** button.
+
+ :::image type="content" source="media/quickstart-standalone-agent-binary-installation/copy-button.png" alt-text="Select the copy button to copy the Connection string (primary key).":::
+
+#### Configure authentication using a module identity connection string
+
+To configure the agent to authenticate using a module identity connection string:
+
+1. Place a file named `connection_string.txt` containing the connection string encoded in utf-8 in the defender agent directory `/var/defender_iot_micro_agent` path by entering the following command:
+
+ ```bash
+ sudo bash -c 'echo "<connection string>" > /var/defender_iot_micro_agent/connection_string.txt'
+ ```
+
+ The `connection_string.txt` should be located in the following path location `/var/defender_iot_micro_agent/connection_string.txt`.
+
+1. Restart the service using this command:
+
+ ```bash
+ sudo systemctl restart defender-iot-micro-agent.service
+ ```
+
+### Authenticate using a certificate
+
+To authenticate using a certificate:
+
+1. Procure a certificate by following [these instructions](../../iot-hub/tutorial-x509-scripts.md).
+
+1. Place the PEM-encoded public part of the certificate, and the private key, in to the Defender Agent Directory in to the file called `certificate_public.pem`, and `certificate_private.pem`.
+
+1. Place the appropriate connection string in to the `connection_string.txt` file. the connection string should look like this:
+
+ `HostName=<the host name of the iot hub>;DeviceId=<the id of the device>;ModuleId=<the id of the module>;x509=true`
+
+ This string alerts the defender agent, to expect a certificate be provided for authentication.
+
+1. Restart the service using the following command:
+
+ ```bash
+ sudo systemctl restart defender-iot-micro-agent.service
+ ```
+
+### Validate your installation
+
+To validate your installation:
+
+1. Making sure the micro agent is running properly with the following command:
+
+ ```bash
+ systemctl status defender-iot-micro-agent.service
+ ```
+
+1. Ensure that the service is stable by making sure it is `active` and that the uptime of the process is appropriate
+
+ :::image type="content" source="media/quickstart-standalone-agent-binary-installation/active-running.png" alt-text="Check to make sure your service is stable and active.":::
+
+## Testing the system end-to-end
+
+You can test the system from end to end by creating a trigger file on the device. The trigger file will cause the baseline scan in the agent to detect the file as a baseline violation.
+
+Create a file on the file system with the following command:
+
+```bash
+sudo touch /tmp/DefenderForIoTOSBaselineTrigger.txt
+```
+
+A baseline validation failure recommendation will occur in the hub, with a `CceId` of CIS-debian-9-DEFENDER_FOR_IOT_TEST_CHECKS-0.0:
++
+Allow up to one hour for the recommendation to appear in the hub.
+
+## Micro agent versioning
+
+To install a specific version of the Defender IoT micro agent, run the following command:
+
+```bash
+sudo apt-get install defender-iot-micro-agent=<version>
+```
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Building the Defender micro agent from source code](quickstart-building-the-defender-micro-agent-from-source.md)
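Review bot: The connection string step writes a primary-key secret into `/var/defender_iot_micro_agent/connection_string.txt` with `sudo bash -c 'echo "<connection string>" > ...'` and says nothing about who may read the file; the same gap applies to `certificate_private.pem` in the certificate section. Add a step that restricts both files to the account the service runs as (owner-only read/write) and note that typing the secret on the command line leaves it in the shell history, so reading it from a file or an interactive prompt is preferable. The repository steps also never import the Microsoft package signing key, so `sudo apt-get update` will reject `microsoft-prod.list` as unsigned unless the key is already present on the device; add the key import before the update step (or point to the packages.microsoft.com instructions for it), and use `curl -fsSL` so a failed download does not leave an error page in `./microsoft-prod.list` that is then copied into `sources.list.d`. Minor: "in to" should be "into" (twice), "Making sure the micro agent is running" should be "Make sure ...", "the connection string should look like this" starts with a lowercase letter, and the `CceId` sentence ends in a colon with nothing after it, apparently a dropped screenshot.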
defender-for-iot References Defender For Iot Glossary https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/references-defender-for-iot-glossary.md
+
+ Title: Defender for IoT glossary for device builder
+description: The glossary provides a brief description of important Defender for IoT platform terms and concepts.
Last updated : 05/27/2021+++
+# Defender for IoT glossary for device builder
+
+This glossary provides a brief description of important terms and concepts for the Azure Defender for IoT platform. Select the **Learn more** links to go to related terms in the glossary. This will help you more quickly learn and use product tools.
+
+<a name="glossary-a"></a>
+
+## A
+
+## B
+
+## C
+
+## D
+
+| Term | Description | Learn more |
+|--|--|--|
+| **Device twins** | Device twins are JSON documents that store device state information including metadata, configurations, and conditions. | [Module Twin](#m) <br /> <br />[Defender-IoT-micro-agent twin](#s) |
+| **Defender-IoT-micro-agent twin** `(DB)` | The Defender-IoT-micro-agent twin holds all of the information that is relevant to device security, for each specific device in your solution. | [Device twin](#d) <br /> <br />[Module Twin](#m) |
+
+## E
+
+## F
+
+## G
+
+## H
+
+## I
+
+| Term | Description | Learn more |
+|--|--|--|
+| **IoT Hub** | Managed service, hosted in the cloud, that acts as a central message hub for bi-directional communication between your IoT application and the devices it manages. | |
+
+## L
+
+## M
++
+| Term | Description | Learn more |
+|--|--|--|
+| **Micro Agent** | Provides depth security capabilities for IoT devices including security posture and threat detection. | |
+| **Module twin** | Module twins are JSON documents that store module state information including metadata, configurations, and conditions. | [Device twins](#d) <br /> <br />[Defender-IoT-micro-agent twin](#d) |
+
+## N
+
+## O
+
+## P
+
+## R
+
+## S
+
+## Z
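Review bot: In the "Device twins" row the Learn more link for Defender-IoT-micro-agent twin points at `#s`, but that term is defined in the "D" table directly below; the "Module twin" row already links it to `#d`, so change the first link to `#d` as well. The `(DB)` tag after the Defender-IoT-micro-agent twin term is never explained; expand it or drop it. The glossary also has headings A, B, C, E, F, G, H, L, N, O, P, R, S and Z with no entries under them, leaving the reader with a page of empty sections; drop the empty headings (the intro's "Select the Learn more links" navigation works without them) or fill them. Finally, "Micro Agent" is described as providing "depth security capabilities"; "in-depth" is presumably meant.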
defender-for-iot Release Notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/release-notes.md
+
+ Title: What's new in Azure Defender for IoT for device builders
+description: Learn about the latest releases, and the newest features of Defender for IoT device builders.
+ Last updated : 06/06/2021++
+# What's new in Azure Defender for IoT for device builders?
+
+This article lists new features and feature enhancements for Defender for IoT.
+
+Noted features are in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+## Versioning and support for Azure Defender for IoT
+
+Listed below are the support, breaking change policies for Defender for IoT, and the versions of Azure Defender for IoT that are currently available.
+
+### Servicing information and timelines
+
+Microsoft plans to release updates for Azure Defender for IoT no less than once per quarter. Each general availability (GA) version of the Azure Defender for IoT sensor, and on premises management console is supported for up to nine months after its release. Fixes, and new functionality will be applied to the current GA version that are currently in support, and will not be applied to older GA versions.
+
+### Versions and support dates
+
+| Version | Date released | End support date |
+|--|--|--|
+| 10.0 | 01/2021 | 10/2021 |
+| 10.3 | 04/2021 | 02/2022 |
+
+## April 2021
+
+### Work with automatic threat intelligence updates (Public Preview)
+
+New threat intelligence packages can now be automatically pushed to cloud connected sensors as they are released by Microsoft Defender for IoT. This is in addition to downloading threat intelligence packages and then uploading them to sensors.
+
+Working with automatic updates helps reduce operational efforts and ensure greater security.
+Enable automatic updating by onboarding your cloud connected sensor on the Defender for IoT portal with the **Automatic Threat Intelligence Updates** toggle turned on.
+
+If you would like to take a more conservative approach to updating your threat intelligence data, you can manually push packages from the Azure Defender for IoT portal to cloud connected sensors only when you feel it is required.
+This gives you the ability to control when a package is installed, without the need to download and then upload it to your sensors. Manually push updates to sensors from the Defender for IoT **Sites and Sensors** page.
+
+You can also review the following information about threat intelligence packages:
+
+- Package version installed
+- Threat intelligence update mode
+- Threat intelligence update status
+
+### View cloud connected sensor information (Public Preview)
+
+View important operational information about cloud connected sensors on the **Sites and Sensors** page.
+
+- The sensor version installed
+- The sensor connection status to the cloud.
+- The last time the sensor was detected connecting to the cloud.
+
+### Alert API enhancements
+
+New fields are available for users working with alert APIs.
+
+**On-premises management console**
+
+- Source and destination address
+- Remediation steps
+- The name of sensor defined by the user
+- The name of zone associated with the sensor
+- The name of site associated with the sensor
+
+**Sensor**
+
+- Source and destination address
+- Remediation steps
+
+API version 2 is required when working with the new fields.
+
+### Features delivered as Generally Available (GA)
+
+The following features were previously available for Public Preview, and are now Generally Available (GA) features:
+
+- Sensor - enhanced custom alert rules
+- On-premises management console - export alerts
+- Add second network interface to On-premises management console
+- Device builder - new micro agent
+
+## March 2021
+
+### Sensor - enhanced custom alert rules (Public Preview)
+
+You can now create custom alert rules based on the day, group of days and time-period network activity was detected. Working with day and time rule conditions is useful, for example in cases where alert severity is derived by the time the alert event takes place. For example, create a custom rule that triggers a high severity alert when network activity is detected on a weekend or in the evening.
+
+This feature is available on the sensor with the release of version 10.2.
+
+### On-premises management console - export alerts (Public Preview)
+
+Alert information can now be exported to a .csv file from the on-premises management console. You can export information of all alerts detected or export information based on the filtered view.
+
+This feature is available on the on-premises management console with the release of version 10.2.
+
+### Add second network interface to On-premises management console (Public Preview)
+
+You can now enhance the security of your deployment by adding a second network interface to your on-premises management console. This feature allows your on-premises management to have its connected sensors on one secure network, while allowing your users to access the on-premises management console through a second separate network interface.
+
+This feature is available on the on-premises management console with the release of version 10.2.
+
+### Device builder - new micro agent (Public preview)
+
+A new device builder module is available. The module, referred to as a micro-agent, allows:
+
+- **Integration with Azure IoT Hub and Azure Defender for IoT** - build stronger endpoint security directly into your IoT devices by integrating it with the monitoring option provided by both the Azure IoT Hub and Azure Defender for IoT.
+- **Flexible deployment options with support for standard IoT operating systems** - can be deployed either as a binary package or as modifiable source code, with support for standard IoT operating systems like Linux and Azure RTOS.
+- **Minimal resource requirements with no OS kernel dependencies** - small footprint, low CPU consumption, and no OS kernel dependencies.
+- **Security posture management** ΓÇô proactively monitor the security posture of your IoT devices.
+- **Continuous, real-time IoT/OT threat detection** - detect threats such as botnets, brute force attempts, crypto miners, and suspicious network activity
+
+The deprecated Defender-IoT-micro-agent documentation will be moved to the *Agent-based solution for device builders>Classic* folder.
+
+This feature set is available with the current public preview cloud release.
+
+## January 2021
+
+- [Security](#security)
+- [Onboarding](#onboarding)
+- [Usability](#usability)
+- [Other updates](#other-updates)
+### Security
+
+Certificate and password recovery enhancements were made for this release.
+
+#### Certificates
+
+This version lets you:
+
+- Upload SSL certificates directly to the sensors and on-premises management consoles.
+- Perform validation between the on-premises management console and connected sensors, and between a management console and a High Availability management console. Validation is based on expiration dates, root CA authenticity, and Certificate Revocation Lists. If validation fails, the session will not continue.
+
+For upgrades:
+
+- There is no change in SSL certificate or validation functionality during the upgrade.
+- After upgrading, sensor and on-premises management console administrative users can replace SSL certificates, or activate SSL certificate validation from the System Settings, SSL Certificate window.
+
+For Fresh Installations:
+
+- During first-time login, users are required to either use an SSL Certificate (recommended) or a locally generated self-signed certificate (not recommended)
+- Certificate validation is turned on by default for fresh installations.
+
+#### Password recovery
+
+Sensor and on-premises management console Administrative users can now recover passwords from the Azure Defender for IoT portal. Previously password recovery required intervention by the support team.
+
+### Onboarding
+
+#### On-premises management console - committed devices
+
+Following initial sign-in to the on-premises management console, users are now required to upload an activation file. The file contains the aggregate number of devices to be monitored on the organizational network. This number is referred to as the number of committed devices.
+Committed devices are defined during the onboarding process on the Azure Defender for IoT portal, where the activation file is generated.
+First-time users and users upgrading are required to upload the activation file.
+After initial activation, the number of devices detected on the network might exceed the number of committed devices. This event might happen, for example, if you connect more sensors to the management console. If there is a discrepancy between the number of detected devices and the number of committed devices, a warning appears in the management console. If this event occurs, you should upload a new activation file.
+
+#### Pricing page options
+
+Pricing page lets you onboard new subscriptions to Azure Defender for IoT and define committed devices in your network.
+Additionally, the Pricing page now lets you manage existing subscriptions associated with a sensor and update device commitment.
+
+#### View and manage onboarded sensors
+
+A new Site and Sensors portal page lets you:
+
+- Add descriptive information about the sensor. For example, a zone associated with the sensor, or free-text tags.
+- View and filter sensor information. For example, view details about sensors that are cloud connected or locally managed or view information about sensors in a specific zone.
+
+### Usability
+
+#### Azure Sentinel new connector page
+
+The Azure Defender for IoT data connector page in Azure Sentinel has been redesigned. The data connector is now based on subscriptions rather than IoT Hubs; allowing customers to better manage their configuration connection to Azure Sentinel.
+
+#### Azure portal permission updates
+
+Security Reader and Security Administrator support has been added.
+
+### Other updates
+
+#### Access group - zone permissions
+
+The on-premises management console Access Group rules will not include the option to grant access to a specific zone. There is no change in defining rules that use sites, regions, and business units. Following upgrade, Access Groups that contained rules allowing access to specific zones will be modified to allow access to its parent site, including all its zones.
+
+#### Terminology changes
+
+The term asset has been renamed device in the sensor and on-premises management console, reports, and other solution interfaces.
+In sensor and on-premises management console Alerts, the term Manage this Event has been named Remediation Steps.
+
+## Next steps
+
+[What is agent-based solution for device builders](architecture-agent-based.md)
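Review bot: The "Security posture management" bullet in "Device builder - new micro agent" contains the mojibake `ΓÇô` (a UTF-8 en dash decoded as a legacy code page) where the sibling bullets use a plain hyphen; replace it with a hyphen. The "Versions and support dates" table also does not match the servicing statement above it: 10.3 released 04/2021 with end of support 02/2022 is ten months, while the text says each GA version "is supported for up to nine months after its release"; correct one or the other. Content-wise, the servicing section and the 10.x version table, the January certificate and password recovery items, and the on-premises management console items describe the network sensor product, while this article sits under device builders and its Next steps link is the agent-based architecture; consider keeping only the micro agent items here, or stating explicitly that the rest applies to the OT sensors. Small formatting point: add a blank line between the January 2021 link list and `### Security`, as is done before every other heading in the file.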
defender-for-iot Resources Agent Frequently Asked Questions https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/resources-agent-frequently-asked-questions.md
+
+ Title: Azure Defender for IoT agent frequently asked questions
+description: Find answers to the most frequently asked questions about Azure Defender for IoT agent.
+ Last updated : 04/25/2021++
+# Azure Defender for IoT agent frequently asked questions
+
+This article provides a list of frequently asked questions and answers about the Defender for IoT agent.
+
+## Do I have to install an embedded security agent?
+
+Agent installation on your IoT devices isn't mandatory in order to enable Defender for IoT. You can choose between the following three options, gaining different levels of security monitoring and management capabilities according to your selection:
+
+- Passive, non-invasive (agentless) deployment using NTA (Network Traffic Analysis) sensors to monitor and provide deep visibility into IoT/OT risk with zero performance impact on the network and devices
+- Install the Defender for IoT embedded security agent with or without modifications. This option provides the highest level of enhanced security insights into device behavior and access.
+
+- Create your own agent and implement the Defender for IoT security message schema. This option enables usage of Defender for IoT analysis tools on top of your device security agent.
+
+- No security agent installation on your IoT devices. This option enables IoT Hub communication monitoring, with reduced security monitoring and management capabilities.
+
+## What does the Defender for IoT agent do?
+
+Defender for IoT agent provides device level threat coverage for device configuration, behavior, and access (by scanning the configuration), process & connectivity. The Defender for IoT security agent does not scan business-related data or activity.
+
+The Defender for IoT security agent is open source and available on GitHub in 32 bit and 64-bit Windows and Linux versions: https://github.com/Azure/Azure-IoT-Security.
+
+## What are the dependencies and prerequisites of the agent?
+
+Defender for IoT supports a wide variety of platforms. See [Supported Device platforms](how-to-deploy-agent.md) to verify support for your specific devices.
+
+## Which data is collected by the agent?
+
+Connectivity, access, firewall configuration, process list & OS baseline are collected by the agent.
+
+## How much data will the agent generate?
+
+Agent data generation is driven by device, application, connectivity type, and customer agent configuration. Due to the high variability between devices and IoT solutions, we recommend first deploying the agent in a lab or test setting to observe, learn, and set the specific configuration that fits your needs, while measuring the amount of generated data. After starting the service, the Defender for IoT agent provides operational recommendations for optimizing agent throughput to help you with the configuration and customization process.
+
+## Do agent messages use up quota from IoT Hub?
+
+Yes. Agent transmitted data is counted in your IoT Hub quota.
+
+## What next? I've installed an agent and don't see any activities or logs...
+
+1. Check the [agent type fits the designated OS platform of your device](how-to-deploy-agent.md)
+
+1. Confirm the [agent is running on the device](how-to-agent-configuration.md).
+
+1. Check the [service was enabled successfully](quickstart-onboard-iot-hub.md) to **Security** in your IoT Hub.
+
+1. Check that the device is [configured in IoT Hub with the Defender for IoT module](quickstart-create-security-twin.md).
+
+If the activities or logs are still unavailable, contact your Defender for IoT partner for additional help.
+
+## What happens when the internet connection stops working?
+
+The sensors and agents continue to run and store data as long as the device is running. Data is stored in the security message cache according to size configuration. When the device regains connectivity, security messages resume sending.
+
+## Can the agent affect the performance of the device or other installed software?
+
+The agent consumes machine resources as any other application/process and should not disrupt normal device activity. Resource consumption on the device the agent runs on is coupled with its setup and configuration. We recommend testing your agent configuration in a contained environment, along with interoperability with your other IoT applications and functionality, before attempting to deploy in a production environment.
+
+## I'm making some maintenance on the device. Can I turn off the agent?
+
+The agent cannot be turned off.
+
+## Is there a way to test if the agent is working correctly?
+
+If the agent stops communicating or fails to send security messages, a **Device is silent** alert is generated.
+
+## Can I create my own alerts?
+
+Yes, you can create custom alerts based on multiple parameters including IP/MAC address, protocol type, class, service, function, command, etc. as well as values of custom tags contained in the payloads. See [Create custom alerts](quickstart-create-custom-alerts.md) to learn more about custom alerts and how to create them.
+
+## Next steps
+
+To learn more about how to get started with Defender for IoT, see the following articles:
+
+- Read the Defender for IoT [overview](overview.md)
+- Understand [Defender for IoT security alerts](concept-security-alerts.md)
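Review bot: "You can choose between the following three options" is followed by four bullets (agentless NTA sensors, the embedded agent, your own agent, and no agent); fix the count or merge the bullets, and give the first bullet the same blank-line separation and closing period as the other three. The troubleshooting step "Check the service was enabled successfully to **Security** in your IoT Hub" is hard to parse; say that Defender for IoT should show as enabled under **Security** in the IoT Hub. That list links module-twin setup to `quickstart-create-security-twin.md`, while the other articles in this change link it to `quickstart-create-micro-agent-module-twin.md`; confirm the target is still current. "32 bit and 64-bit" should be hyphenated consistently ("32-bit and 64-bit"), and the answer to "What happens when the internet connection stops working?" mentions "sensors and agents" although this FAQ covers the agent only.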
defender-for-iot Security Agent Architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/security-agent-architecture.md
+
+ Title: 'Quickstart: Security agents overview'
+description: In this quickstart, learn how to understand security agent architecture for the agents used in the Azure Defender for IoT service.
+ Last updated : 4/4/2021++
+# Quickstart: Security agent reference architecture
+
+Azure Defender for IoT provides reference architecture for security agents that log, process, aggregate, and send security data through IoT Hub.
+
+Security agents are designed to work in a constrained IoT environment, and are highly customizable in terms of values they provide when compared to the resources they consume.
+
+Security agents support the following features:
+
+- Authenticate with existing device identity, or a dedicated module identity. To learn more, seeΓÇ»[Security agent authentication methods](concept-security-agent-authentication-methods.md).
+
+- Collect raw security events from the underlying Operating System (Linux, Windows). To learn more about available security data collectors, see [Defender for IoT agent configuration](how-to-agent-configuration.md).
+
+- Aggregate raw security events into messages sent through IoT Hub.
+
+- Configure remotely through use of the **azureiotsecurity** module twin. To learn more, see [Configure a Defender for IoT agent](how-to-agent-configuration.md).
+
+Defender for IoT Security agents is developed as open-source projects, and are available from GitHub:
+
+- [Defender for IoT C-based agent](https://github.com/Azure/Azure-IoT-Security-Agent-C)
+- [Defender for IoT C#-based agent](https://github.com/Azure/Azure-IoT-Security-Agent-CS)
+
+## Prerequisites
+
+- None
+
+## Agent supported platforms
+
+Defender for IoT offers different installer agents for 32 bit and 64-bit Windows, and the same for 32 bit and 64-bit Linux. Make sure you have the correct agent installer for each of your devices according to the following table:
+
+| Architecture | Linux | Windows | Details |
+|--|--|--|--|
+| 32 bit | C | C# | |
+| 64 bit | C# or C | C# | We recommend using the C agent for devices with more restricted or minimal device resources. |
++
+## Next steps
+
+In this article, you got a high-level overview about Defender for IoT Defender-IoT-micro-agent architecture, and the available installers.
+To continue getting started with Defender for IoT deployment,
+
+> [!div class="nextstepaction"]
+> [security agent authentication methods](concept-security-agent-authentication-methods.md)
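Review bot: the closing summary names the wrong product: `In this article, you got a high-level overview about Defender for IoT Defender-IoT-micro-agent architecture` while the body describes the C and C# security agents (the `azureiotsecurity` module twin, the Azure-IoT-Security-Agent-C and -CS repositories); the micro agent is a separate preview agent with its own troubleshooting article in this same change set, so the sentence should say "security agent architecture" to avoid sending readers to the wrong installer. Smaller fixes in the same file: `Defender for IoT Security agents is developed as open-source projects, and are available` needs `are developed`; the link text `seeΓÇ»[Security agent authentication methods]` carries a mis-encoded non-breaking space that should be a plain space; and the Next steps link text `security agent authentication methods` should match the capitalization of the same link earlier in the file.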
defender-for-iot Security Edge Architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/security-edge-architecture.md
+
+ Title: Defender for IoT Defender-IoT-micro-agent for IoT Edge
+description: Understand the architecture and capabilities of Azure Defender for IoT Defender-IoT-micro-agent for IoT Edge.
+ Last updated : 09/09/2020++
+# Azure Defender for IoT Edge Defender-IoT-micro-agent
+
+[Azure IoT Edge](../../iot-edge/index.yml) provides powerful capabilities to manage and perform business workflows at the edge.
+The key part that IoT Edge plays in IoT environments make it particularly attractive for malicious actors.
+
+Defender for IoT Defender-IoT-micro-agent provides a comprehensive security solution for your IoT Edge devices.
+Defender for IoT module collects, aggregates and analyzes raw security data from your Operating System and container system into actionable security recommendations and alerts.
+
+Similar to Defender for IoT security agents for IoT devices, the Defender for IoT Edge module is highly customizable through its module twin.
+See [Configure your agent](how-to-agent-configuration.md) to learn more.
+
+Defender for IoT Defender-IoT-micro-agent for IoT Edge offers the following features:
+
+- Collects raw security events from the underlying Operating System (Linux), and the IoT Edge Container systems.
+
+ See [Defender for IoT agent configuration](how-to-agent-configuration.md) to learn more about available security data collectors.
+
+- Analysis of IoT Edge deployment manifests.
+
+- Aggregates raw security events into messages sent through [IoT Edge Hub](../../iot-edge/iot-edge-runtime.md#iot-edge-hub).
+
+- Remove configuration through use of the Defender-IoT-micro-agent twin.
+
+ See [Configure a Defender for IoT agent](how-to-agent-configuration.md) to learn more.
+
+Defender for IoT Defender-IoT-micro-agent for IoT Edge runs in a privileged mode under IoT Edge.
+Privileged mode is required to allow the module to monitor the Operating System, and other IoT Edge modules.
+
+## Module supported platforms
+
+Defender for IoT Defender-IoT-micro-agent for IoT Edge is currently only available for Linux.
+
+## Next steps
+
+In this article, you learned about the architecture and capabilities of Defender for IoT Defender-IoT-micro-agent for IoT Edge.
+
+To continue getting started with Defender for IoT deployment, use the following articles:
+
+- Deploy [Defender-IoT-micro-agent for IoT Edge](how-to-deploy-edge.md)
+- Learn how to [configure your Defender-IoT-micro-agent](how-to-agent-configuration.md)
+- Learn how to [Enable Defender for IoT service in your IoT Hub](quickstart-onboard-iot-hub.md)
+- Learn more about the service from the [Defender for IoT FAQ](resources-agent-frequently-asked-questions.md)
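Review bot: `Remove configuration through use of the Defender-IoT-micro-agent twin.` in the feature list is a typo for "Remote configuration"; as written it says the twin removes configuration, the opposite of the matching bullet in the security-agent article (`Configure remotely through use of the **azureiotsecurity** module twin`). Two more points: `The key part that IoT Edge plays in IoT environments make it` should be `makes it`, and the module is named three ways on one page (`Defender-IoT-micro-agent for IoT Edge`, `Defender for IoT Edge module`, `Defender for IoT module`), so pick one. Because the page states the module `runs in a privileged mode under IoT Edge` to watch the OS and the other modules, one sentence on the trust implication would help operators: changing this module's twin or its entry in the deployment manifest changes the configuration of a privileged container, so that permission should be restricted accordingly.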
defender-for-iot Troubleshoot Agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/troubleshoot-agent.md
+
+ Title: Troubleshoot security agent start-up (Linux)
+description: Troubleshoot working with Azure Defender for IoT security agents for Linux.
+ Last updated : 05/26/2021++
+# Security agent troubleshoot guide (Linux)
+
+This article explains how to solve potential problems in the security agent start-up process.
+
+Azure Defender for IoT agent self-starts immediately after installation. The agent start up process includes reading local configuration, connecting to Azure IoT Hub, and retrieving the remote twin configuration. Failure in any one of these steps may cause the security agent to fail.
+
+In this troubleshooting guide you'll learn how to:
+
+- Validate if the security agent is running
+- Get security agent errors
+- Understand and remediate security agent errors
+
+## Validate if the security agent is running
+
+1. To validate is the security agent is running, wait a few minutes after installing the agent and and run the following command.
+ <br>
+
+ **C agent**
+
+ ```bash
+ grep "ASC for IoT Agent initialized" /var/log/syslog
+ ```
+
+ **C# agent**
+
+ ```bash
+ grep "Agent is initialized!" /var/log/syslog
+ ```
+
+1. If the command returns an empty line, the security agent was unable to start successfully.
+
+## Force stop the security agent
+
+In cases where the security agent is unable to start, stop the agent with the following command, then continue to the error table below:
+
+```bash
+systemctl stop ASCIoTAgent.service
+```
+
+## Get security agent errors
+
+1. Retrieve security agent error(s) by running the following command:
+
+ ```bash
+ grep ASCIoTAgent /var/log/syslog
+ ```
+
+1. The get security agent error command retrieves all logs created by the Defender for IoT agent. Use the following table to understand the errors and take the correct steps for remediation.
+
+> [!Note]
+> Error logs are shown in chronological order. Make sure to note the timestamp of each error to help your remediation.
+
+## Restart the agent
+
+1. After locating and fixing a security agent error, try to restart the agent by running the following command.
+
+ ```bash
+ systemctl restart ASCIoTAgent.service
+ ```
+
+1. Repeat the previous process to retrieve stop and retrieve the errors if the agent continues to fail the startup process.
+
+## Understand security agent errors
+
+Most of the Security agent errors are displayed in the following format:
+
+```
+Defender for IoT agent encountered an error! Error in: {Error Code}, reason: {Error sub code}, extra details: {error specific details}
+```
+
+| Error Code | Error sub code | Error details | Remediate C | Remediate C# |
+|--|--|--|--|--|
+| Local Configuration | Missing configuration | A configuration is missing in the local configuration file. The error message should state which key is missing. | Add the missing key to the /var/LocalConfiguration.json file, see the [cs-localconfig-reference](azure-iot-security-local-configuration-c.md) for details. | Add the missing key to the General.config file, see the [c#-localconfig-reference](azure-iot-security-local-configuration-csharp.md) for details. |
+| Local Configuration | Cant Parse Configuration | A configuration value can't be parsed. The error message should state which key can't be parsed. A configuration value cannot be parsed either because the value is not in the expected type, or the value is out of range. | Fix the value of the key in /var/LocalConfiguration.json file so that it matches the LocalConfiguration schema, see the [c#-localconfig-reference](azure-iot-security-local-configuration-csharp.md) for details. | Fix the value of the key in General.config file so that it matches the schema, see the [cs-localconfig-reference](azure-iot-security-local-configuration-c.md) for details. |
+| Local Configuration | File Format | Failed to parse configuration file. | The configuration file is corrupted, download the agent and re-install. | - |
+| Remote Configuration | Timeout | The agent could not fetch the azureiotsecurity module twin within the timeout period. | Make sure authentication configuration is correct and try again. | The agent could not fetch the azureiotsecurity module twin within timeout period. Make sure authentication configuration is correct and try again. |
+| Authentication | File Not Exist | The file in the given path does not exist. | Make sure the file exists in the given path or go to the **LocalConfiguration.json** file and change the **FilePath** configuration. | Make sure the file exists in the given path or go to the **Authentication.config** file and change the **filePath** configuration. |
+| Authentication | File Permission | The agent does not have sufficient permissions to open the file. | Give the **asciotagent** user read permissions on the file in the given path. | Make sure the file is accessible. |
+| Authentication | File Format | The given file is not in the correct format. | Make sure the file is in the correct format. The supported file types are .pfx and .pem. | Make sure the file is a valid certificate file. |
+| Authentication | Unauthorized | The agent was not able to authenticate against IoT Hub with the given credentials. | Validate authentication configuration in LocalConfiguration file, go through the authentication configuration and make sure all the details are correct, validate that the secret in the file matches the authenticated identity. | Validate authentication configuration in Authentication.config, go through the authentication configuration and make sure all the details are correct, then validate that the secret in the file matches the authenticated identity. |
+| Authentication | Not Found | The device / module was found. | Validate authentication configuration - make sure the hostname is correct, the device exists in IoT Hub and has an azureiotsecurity twin module. | Validate authentication configuration - make sure the hostname is correct, the device exists in IoT Hub and has an azureiotsecurity twin module. |
+| Authentication | Missing Configuration | A configuration is missing in the *Authentication.config* file. The error message should state which key is missing. | Add the missing key to the *LocalConfiguration.json* file. | Add the missing key to the *Authentication.config* file, see the [c#-localconfig-reference](azure-iot-security-local-configuration-csharp.md) for details. |
+| Authentication | Cant Parse Configuration | A configuration value can't be parsed. The error message should state which key can't be parsed. A configuration value can not be parsed because either the value is not of the expected type, or the value is out of range. | Fix the value of the key in the **LocalConfiguration.json** file. | Fix the value of the key in **Authentication.config** file to match the schema, see the [cs-localconfig-reference](azure-iot-security-local-configuration-c.md) for details.|
+
+## Next steps
+
+- Read the Defender for IoT service [Overview](overview.md)
+- Learn more about Defender for IoT [agent-based solution for device builders](architecture-agent-based.md)
+- Enable the Defender for IoT [service](quickstart-onboard-iot-hub.md)
+- Read the Defender for IoT service [Defender for IoT FAQ](resources-agent-frequently-asked-questions.md)
+- Learn how to access [raw security data](how-to-security-data-access.md)
+- Understand [recommendations](concept-recommendations.md)
+- Understand security [alerts](concept-security-alerts.md)
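Review bot: the `Not Found` row of the error table reads `The device / module was found.`, which inverts the meaning; it should be `was not found` (both remediation columns already assume the device or its `azureiotsecurity` module is missing). In the same table the language-specific links are swapped in two rows: the `Cant Parse Configuration` rows under both `Local Configuration` and `Authentication` send the C column to `[c#-localconfig-reference](azure-iot-security-local-configuration-csharp.md)` and the C# column to `[cs-localconfig-reference](azure-iot-security-local-configuration-c.md)`, the reverse of the `Missing configuration` row directly above them. Typos to fix on the way: `To validate is the security agent is running, wait a few minutes after installing the agent and and run` (should be `if`, one `and`) and `Repeat the previous process to retrieve stop and retrieve the errors`. Since every check greps `/var/log/syslog`, consider a line noting that distributions that log only to the journal need `journalctl -u ASCIoTAgent.service` instead.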
defender-for-iot Troubleshoot Defender Micro Agent https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/device-builders/troubleshoot-defender-micro-agent.md
+
+ Title: Defender IoT micro agent troubleshooting (Preview)
+description: Learn how to handle unexpected or unexplained errors.
Last updated : 4/5/2021+++
+# Defender IoT micro agent troubleshooting (Preview)
+
+If an unexpected error occurs, you can use these troubleshooting methods in an attempt to resolve the issue. You can also reach out to the Azure Defender for IoT product team for assistance as needed.  
+
+## Service status
+
+To view the status of the service:
+
+1. Run the following command
+
+ ```bash
+ systemctl status defender-iot-micro-agent.service
+ ```
+
+1. Check that the service is stable by making sure it is `active`, and that the uptime in the process is appropriate.
+
+ :::image type="content" source="media/troubleshooting/active-running.png" alt-text="Ensure your service is stable by checking to see that it is active and the uptime is appropriate.":::
+
+If the service is listed as `inactive`, use the following command to start the service:
+
+```bash
+systemctl start defender-iot-micro-agent.service
+```
+
+You will know that the service is crashing if, the process uptime is less than 2 minutes. To resolve this issue, you must [review the logs](#review-the-logs).
+
+## Validate micro agent root privileges
+
+Use the following command to verify that the Defender IoT micro agent service is running with root privileges.
+
+```bash
+ps -aux | grep " defender-iot-micro-agent"
+```
+
+## Review the logs
+
+To review the logs, use the following command: 
+
+```bash
+sudo journalctl -u defender-iot-micro-agent | tail -n 200 
+```
+
+### Quick log review
+
+If an issue occurs when the micro agent is run, you can run the micro agent in a temporary state, which will allow you to view the logs using the following command:
+
+```bash
+sudo systectl stop defender-iot-micro-agent
+cd /var/defender_iot_micro_agent/
+sudo ./defender_iot_micro_agent
+```
+
+## Restart the service
+
+To restart the service, use the following command:
+
+```bash
+sudo systemctl restart defender-iot-micro-agent
+```
+
+## Next steps
+
+Check out the [Feature support and retirement](edge-security-module-deprecation.md).
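Review bot: the quick-log-review block opens with `sudo systectl stop defender-iot-micro-agent`, a typo for `systemctl`; as written the stop fails and the following `sudo ./defender_iot_micro_agent` starts a second instance beside the still-running service, so the logs being read are not those of the failing process. The root-privilege check `ps -aux | grep " defender-iot-micro-agent"` needs a sentence on what to look for (the USER column should show `root`), will match its own grep process, and uses the hyphenated name while the binary is invoked as `./defender_iot_micro_agent` later on the page, so confirm which spelling the running process shows; `pgrep -u root -f defender-iot-micro-agent` (or the underscore form) answers the question directly. Minor: `You will know that the service is crashing if, the process uptime is less than 2 minutes` has the comma misplaced, and `sudo journalctl -u defender-iot-micro-agent | tail -n 200` can simply be `journalctl -u defender-iot-micro-agent -n 200`.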
defender-for-iot How To Work With The Sensor Console Dashboard https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/how-to-work with-the-sensor-console-dashboard.md
- Title: Work with the sensor console dashboard
-description: The dashboard allows you to quickly view the security status of your network. It provides a high-level overview of threats to your whole system on a timeline along with information about related devices.
Previously updated : 11/03/2020---
-# The dashboard
-
-The dashboard allows you to quickly view the security status of your network. It provides a high-level overview of threats to your whole system on a timeline along with information about related devices, including:
--- Alerts at different severity levels:--- Critical--- Major--- Minor--- Warnings--- The two indicators in the center of the page show the Packets per Second (PPS), and Unacknowledged Alerts (UA). **PPS** is the number of packets acknowledged by the system per second. **UA** is the number of alerts that have not been acknowledged yet.--- List of unacknowledged alerts with their description.--- Timeline with the alert description.--
-## Viewing the latest alerts
-
-The Unacknowledged Alerts (UA) gauge in the center of the page indicates the number of such alerts. To view a list of alerts, select **More Alerts** at the bottom of the dashboard page or select **Alerts** on the side menu.
--
-## Status boxes
-
-Each status box is described in this section.
-
-| Status Box and Gauges | Description |
-| -- | -- |
-| :::image type="content" source="media/how-to-work with-the-sensor-console-dashboard/critical-alert-status-box-v2.png" alt-text="Critical Alerts"::: | **Critical Alerts** - the box at the top middle of the page indicates the number of critical alerts. Select this box to display descriptions of the alerts on the timeline and on the list under the gauges, if any. |
-| :::image type="content" source="media/how-to-work with-the-sensor-console-dashboard/major-alert-status-box-v2.png" alt-text="Major Alerts"::: | **Major Alerts** - the box at the top right of the page indicates the number of major alerts. Select this box to display descriptions of the alerts on the timeline and on the list under the gauges, if any. |
-| :::image type="content" source="media/how-to-work with-the-sensor-console-dashboard/minor-alert-status-box-v2.png" alt-text="Minor Alerts"::: | **Minor Alerts** - the box at the bottom left of the page indicates the number of minor alerts. Select this box to display descriptions of the alerts on the timeline and on the list under the gauges, if any. |
-| :::image type="content" source="media/how-to-work with-the-sensor-console-dashboard/warnings-alert-status-box-v2.png" alt-text="Warning Alerts"::: | **Warning Alerts** - the box at the bottom middle of the page indicates the number of warning alerts. Select this box to display descriptions of the alerts on the timeline and on the list under the gauges, if any. |
-| :::image type="content" source="media/how-to-work with-the-sensor-console-dashboard/all-alert-status-box-v2.png" alt-text="All Alerts"::: | **All Alerts** - the box at the bottom right of the page indicates the total number of critical, major, minor, and warning alerts. Select this box to display descriptions of the alerts on the timeline and on the list under the gauges, if any. |
-| :::image type="content" source="media/how-to-work with-the-sensor-console-dashboard/packets-per-second-gauge-v2.png" alt-text="Packets Per Second"::: | **Packets Per Second (PPS)** - the PPS metric is an indicator of the performance of the network. |
-| :::image type="content" source="media/how-to-work with-the-sensor-console-dashboard/unacknowledged-events-gauge-v2.png" alt-text="Unacknowledged Events (UA)"::: | **Unacknowledged Events** - this metric indicates the number of unacknowledged events.
-
-## Using the timeline
-
-The alerts are displayed along a vertical timeline that includes date and time information.
-
-The Timeline graphically displays:
--- Critical Alerts--- Major Alerts--- Minor Alerts--- Warning Alerts--
-## Viewing alerts
-
-Select the down arrow **V** at the bottom of an alert box to display the alert entry and devices information.
---- Select the device to display the physical mode map. The subjected devices are highlighted.--- Click anywhere in the alert box to display additional details regarding the alert. A popup will display similar to the one below--- Select :::image type="content" source="media/how-to-work with-the-sensor-console-dashboard/excel-icon.png" alt-text="Excel"::: to export a CSV file about the alert.--- Administrators and Security Analysts Only ΓÇö Select :::image type="content" source="media/how-to-work with-the-sensor-console-dashboard/approve-all-icon.png" alt-text="Acknowledge all"::: to **Acknowledge All** associated alerts.--- Select :::image type="content" source="media/how-to-work with-the-sensor-console-dashboard/pdf-icon.png" alt-text="PDF":::to download an alert report as a PDF file.--- Select :::image type="content" source="media/how-to-work with-the-sensor-console-dashboard/pin-icon.png" alt-text="Pin":::to pin or unpin the alert. Selecting to pin will add it to the **Pinned Alerts** window on the **Alerts** screen.--- Select :::image type="content" source="media/how-to-work with-the-sensor-console-dashboard/download-icon.png" alt-text="Download"::: to investigate the alert by downloading the related PCAP file containing a network protocol analysis.--- Select :::image type="content" source="media/how-to-work with-the-sensor-console-dashboard/cloud-download-icon.png" alt-text="Cloud"::: to download a related filtered PCAP file that contains only the alert-relevant packets, thereby reducing output file size and allowing a more focused analysis. You can view it using [Wireshark](https://www.wireshark.org/).--- Select :::image type="content" source="media/how-to-work with-the-sensor-console-dashboard/navigate-icon.png" alt-text="Navigation"::: to navigate to the event timeline at the time of the requested alert. 
This allows you to assess other events that may be happening around the specific alert.--- Administrators and Security Analysts only - change the status of the alert from unacknowledged to acknowledged. Select Learn to approve detected activity.--
-## See also
-
-[Work with alerts on your sensor](how-to-work-with-alerts-on-your-sensor.md)
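Review bot: the whole sensor dashboard article is deleted with no redirect visible in this change; add a redirect for `how-to-work with-the-sensor-console-dashboard.md` (the path contains a literal space, repeated in every `media/how-to-work with-the-sensor-console-dashboard/...` image reference) so existing links resolve, most naturally to the article's own See also target [Work with alerts on your sensor](how-to-work-with-alerts-on-your-sensor.md).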
defender-for-iot Alert Engine Messages https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/organizations/alert-engine-messages.md
+
+ Title: Alert types and descriptions
+description: Review Defender for IoT Alert descriptions.
Last updated : 04/28/2021+++
+# Alert types and descriptions
+
+This article provides information on the alert types, descriptions, and severity that may be generated from the Defender for IoT engines. This information can be used to help map alerts into playbooks, define forwarding rules, exclusion rules, and custom alerts as well as define the appropriate rules within a SIEM. Alerts appear in the Alerts window, which allows you to manage the alert event.
+
+## Policy engine alerts
+
+Policy engine alerts describe detected deviations from learned baseline behavior.
+
+>[!NOTE]
+> This article contains references to the term *slave*, a term that Microsoft no longer uses. When the term is removed from the software, weΓÇÖll remove it from this article.
+
+| Title | Description | Severity |
+|--|--|--|
+| Abnormal usage of MAC Addresses | A new source device was detected on the network but has not been authorized. | Minor |
+| Beckhoff Software Changed | Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. | Major |
+| Database Login Failed | A failed login attempt was detected from a source device to a destination server. This might be the result of human error, but could also indicate a malicious attempt to compromise the server or data on it. | Major |
+| Emerson ROC Firmware Version Changed | Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. | Major |
+| External address within the network communicated with Internet | A source device defined as part of your network is communicating with Internet addresses. The source is not authorized to communicate with Internet addresses. | Critical |
+| Field Device Discovered Unexpectedly | A new source device was detected on the network but has not been authorized. | Major |
+| Firmware Change Detected | Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. | Major |
+| Firmware Version Changed | Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. | Major |
+| Foxboro I/A Unauthorized Operation | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| FTP Login Failed | A failed login attempt was detected from a source device to a destination server. This might be the result of human error, but could also indicate a malicious attempt to compromise the server or data on it. | Major |
+| Function Code Raised Unauthorized Exception | A source device (slave) returned an exception to a destination device (master). | Major |
+| GOOSE Message Type Settings | Message (identified by protocol ID) settings were changed on a source device. | Warning |
+| Honeywell Firmware Version Changed | Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. | Major |
+| Illegal HTTP Communication | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Internet Access Detected | A source device defined as part of your network is communicating with Internet addresses. The source is not authorized to communicate with Internet addresses. | Major |
+| Mitsubishi Firmware Version Changed | Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. | Major |
+| Modbus Address Range Violation | A master device requested access to a new slave memory address. | Major |
+| Modbus Firmware Version Changed | Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. | Major |
+| New Activity Detected - CIP Class | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - CIP Class Service | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - CIP PCCC Command | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - CIP Symbol | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - EtherNet/IP I/O Connection | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - EtherNet/IP Protocol Command | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - GSM Message Code | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - LonTalk Command Codes | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Port Discovery | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Warning |
+| New Activity Detected - LonTalk Network Variable | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - Ovation Data Request | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - Read/Write Command (AMS Index Group) | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - Read/Write Command (AMS Index Offset) | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - Unauthorized DeltaV Message Type | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - Unauthorized DeltaV ROC Operation | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - Unauthorized RPC Message Type | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - Unauthorized RPC Procedure Invocation | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - Using AMS Protocol Command | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - Using Siemens SICAM Command | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - Using Suitelink Protocol command | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - Using Suitelink Protocol sessions | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Activity Detected - Using Yokogawa VNetIP Command | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| New Asset Detected | A new source device was detected on the network but has not been authorized. | Major |
+| New LLDP Device Configuration | A new source device was detected on the network but has not been authorized. | Major |
+| New Port Discovery | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Warning |
+| Omron FINS Unauthorized Command | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| S7 Plus PLC Firmware Changed | Firmware was updated on a source device. This may be authorized activity, for example a planned maintenance procedure. | Major |
+| Sampled Values Message Type Settings | Message (identified by protocol ID) settings were changed on a source device. | Warning |
+| Suspicion of Illegal Integrity Scan | A scan was detected on a DNP3 source device (outstation). This scan was not authorized as learned traffic on your network. | Major |
+| Toshiba Computer Link Unauthorized Command | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Minor |
+| Unauthorized ABB Totalflow File Operation | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized ABB Totalflow Register Operation | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized Access to Siemens S7 Data Block | A source device attempted to access a resource on another device. An access attempt to this resource between these two devices has not been authorized as learned traffic on your network. | Warning |
+| Unauthorized Access to Siemens S7 Plus Object | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized Access to Wonderware Tag | A source device attempted to access a resource on another device. An access attempt to this resource between these two devices has not been authorized as learned traffic on your network. | Major |
+| Unauthorized BACNet Object Access | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized BACNet Route | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized Database Login | A login attempt between a source client and destination server was detected. Communication between these devices has not been authorized as learned traffic on your network. | Major |
+| Unauthorized Database Operation | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized Emerson ROC Operation | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized GE SRTP File Access | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized GE SRTP Protocol Command | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized GE SRTP System Memory Operation | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized HTTP Activity | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized HTTP Server | An unauthorized application was detected on a source device. The application has not been authorized as a learned application on your network. | Major |
+| Unauthorized HTTP SOAP Action | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized HTTP User Agent | An unauthorized application was detected on a source device. The application has not been authorized as a learned application on your network. | Major |
+| Unauthorized Internet Connectivity Detected | A source device defined as part of your network is communicating with Internet addresses. The source is not authorized to communicate with Internet addresses. | Critical |
+| Unauthorized Mitsubishi MELSEC Command | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized MMS Program Access | A source device attempted to access a resource on another device. An access attempt to this resource between these two devices has not been authorized as learned traffic on your network. | Major |
+| Unauthorized MMS Service | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized Multicast/Broadcast Connection | A Multicast/Broadcast connection was detected between a source device and other devices. Multicast/Broadcast communication is not authorized. | Critical |
+| Unauthorized Name Query | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized OPC UA Activity | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized OPC UA Request/Response | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized Operation was detected by a User Defined Rule | Traffic was detected between two devices. This activity is unauthorized based on a Custom Alert Rule defined by a user. | Major |
+| Unauthorized PLC Configuration Read | The source device is not defined as a programming device but performed a read/write operation on a destination controller. Programming changes should only be performed by programming devices. A programming application may have been installed on this device. | Warning |
+| Unauthorized PLC Configuration Write | The source device sent a command to read/write the program of a destination controller. This activity was not previously seen. | Major |
+| Unauthorized PLC Program Upload | The source device sent a command to read/write the program of a destination controller. This activity was not previously seen. | Major |
+| Unauthorized PLC Programming | The source device is not defined as a programming device but performed a read/write operation on a destination controller. Programming changes should only be performed by programming devices. A programming application may have been installed on this device. | Critical |
+| Unauthorized Profinet Frame Type | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized SAIA S-Bus Command | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized Siemens S7 Execution of Control Function | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized Siemens S7 Execution of User Defined Function | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized Siemens S7 Plus Block Access | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized Siemens S7 Plus Operation | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized SMB Login | A login attempt between a source client and destination server was detected. Communication between these devices has not been authorized as learned traffic on your network. | Major |
+| Unauthorized SNMP Operation | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized SSH Access | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unauthorized Windows Process | An unauthorized application was detected on a source device. The application has not been authorized as a learned application on your network. | Major |
+| Unauthorized Windows Service | An unauthorized application was detected on a source device. The application has not been authorized as a learned application on your network. | Major |
+| Unauthorized Operation was detected by a User Defined Rule | New traffic parameters were detected. This parameter combination violates a user defined rule | Major |
+| Unpermitted Modbus Schneider Electric Extension | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unpermitted Usage of ASDU Types | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unpermitted Usage of DNP3 Function Code | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+| Unpermitted Usage of Internal Indication (IIN) | A DNP3 source device (outstation) reported an internal indication (IIN) that has not authorized as learned traffic on your network. | Major |
+| Unpermitted Usage of Modbus Function Code | New traffic parameters were detected. This parameter combination has not been authorized as learned traffic on your network. The following combination is unauthorized. | Major |
+
+## Anomaly engine alerts
+
+Anomaly engine alerts describe detected anomalies in network activity.
+
+| Title | Description | Severity |
+|--|--|--|
+| Abnormal Exception Pattern in Slave | An excessive number of errors were detected on a source device. This may be the result of an operational issue. | Minor |
+| Abnormal HTTP Header Length | The source device sent an abnormal message. This may indicate an attempt to attack the destination device. | Critical |
+| Abnormal Number of Parameters in HTTP Header | The source device sent an abnormal message. This may indicate an attempt to attack the destination device. | Critical |
+| Abnormal Periodic Behavior In Communication Channel | A change in the frequency of communication between the source and destination devices was detected. | Minor |
+| Abnormal Termination of Applications | An excessive number of stop commands were detected on a source device. This may be the result of an operational issue or an attempt to manipulate the device. | Major |
+| Abnormal Traffic Bandwidth | Abnormal bandwidth was detected on a channel. Bandwidth appears to be significantly lower/higher than previously detected. For details, work with the Total Bandwidth widget. | Warning |
+| Abnormal Traffic Bandwidth Between Devices | Abnormal bandwidth was detected on a channel. Bandwidth appears to be significantly lower/higher than previously detected. For details, work with the Total Bandwidth widget. | Warning |
+| Address Scan Detected | A source device was detected scanning network devices. This device has not been authorized as a network scanning device. | Critical |
+| ARP Address Scan Detected | A source device was detected scanning network devices using Address Resolution Protocol (ARP). This device address has not been authorized as valid ARP scanning address. | Critical |
+| ARP Address Scan Detected | A source device was detected scanning network devices using Address Resolution Protocol (ARP). This device address has not been authorized as valid ARP scanning address. | Critical |
+| ARP Spoofing | An abnormal quantity of packets was detected in the network. This could indicate an attack, for example, an ARP spoofing or ICMP flooding attack. | Warning |
+| Excessive Login Attempts | A source device was seen performing excessive login attempts to a destination server. This may be a brute force attack. The server may be compromised by a malicious actor. | Critical |
+| Excessive Number of Sessions | A source device was seen performing excessive login attempts to a destination server. This may be a brute force attack. The server may be compromised by a malicious actor. | Critical |
+| Excessive Restart Rate of an Outstation | An excessive number of restart commands were detected on a source device. This may be the result of an operational issue or an attempt to manipulate the device. | Major |
+| Excessive SMB login attempts | A source device was seen performing excessive login attempts to a destination server. This may be a brute force attack. The server may be compromised by a malicious actor. | Critical |
+| ICMP Flooding | An abnormal quantity of packets was detected in the network. This could indicate an attack, for example, an ARP spoofing or ICMP flooding attack. | Warning |
+| Illegal HTTP Header Content | The source device initiated an invalid request. | Critical |
+| Inactive Communication Channel | A communication channel between two devices was inactive during a period in which activity is usually seen. This might indicate that the program generating this traffic was changed, or the program might be unavailable. It is recommended to review the configuration of installed program and verify it is configured properly. | Warning |
+| Long Duration Address Scan Detected | A source device was detected scanning network devices. This device has not been authorized as a network scanning device. | Critical |
+| Password Guessing Attempt Detected | A source device was seen performing excessive login attempts to a destination server. This may be a brute force attack. The server may be compromised by a malicious actor. | Critical |
+| PLC Scan Detected | A source device was detected scanning network devices. This device has not been authorized as a network scanning device. | Critical |
+| Port Scan Detected | A source device was detected scanning network devices. This device has not been authorized as a network scanning device. | Critical |
+| Unexpected message length | The source device sent an abnormal message. This may indicate an attempt to attack the destination device. | Critical |
+| Unexpected Traffic for Standard Port | Traffic was detected on a device using a port reserved for another protocol. | Major |
+
+## Protocol violation engine alerts
+
+Protocol engine alerts describe detected deviations in the packet structure, or field values compared to protocol specifications.
+
+| Title | Description | Severity |
+|--|--|--|
+| Excessive Malformed Packets In a Single Session | An abnormal number of malformed packets sent from the source device to the destination device. This might indicate erroneous communications, or an attempt to manipulate the targeted device. | Major |
+| Firmware Update | A source device sent a command to update firmware on a destination device. Verify that recent programming, configuration and firmware upgrades made to the destination device are valid. | Warning |
+| Function Code Not Supported by Outstation | The destination device received an invalid request. | Major |
+| Illegal BACNet message | The source device initiated an invalid request. | Major |
+| Illegal Connection Attempt on Port 0 | A source device attempted to connect to destination device on port number zero (0). For TCP, port 0 is reserved and cannot be used. For UDP, the port is optional and a value of 0 means no port. There is usually no service on a system that listens on port 0. This event may indicate an attempt to attack the destination device, or indicate that an application was programmed incorrectly. | Minor |
+| Illegal DNP3 Operation | The source device initiated an invalid request. | Major |
+| Illegal MODBUS Operation (Exception Raised by Master) | The source device initiated an invalid request. | Major |
+| Illegal MODBUS Operation (Function Code Zero) | The source device initiated an invalid request. | Major |
+| Illegal Protocol Version | The source device initiated an invalid request. | Major |
+| Incorrect Parameter Sent to Outstation | The destination device received an invalid request. | Major |
+| Initiation of an Obsolete Function Code (Initialize Data) | The source device initiated an invalid request. | Minor |
+| Initiation of an Obsolete Function Code (Save Config) | The source device initiated an invalid request. | Minor |
+| Master Requested an Application Layer Confirmation | The source device initiated an invalid request. | Warning |
+| Modbus Exception | A source device (slave) returned an exception to a destination device (master). | Major |
+| Slave Device Received Illegal ASDU Type | The destination device received an invalid request. | Major |
+| Slave Device Received Illegal Command Cause of Transmission | The destination device received an invalid request. | Major |
+| Slave Device Received Illegal Common Address | The destination device received an invalid request. | Major |
+| Slave Device Received Illegal Data Address Parameter | The destination device received an invalid request. | Major |
+| Slave Device Received Illegal Data Value Parameter | The destination device received an invalid request. | Major |
+| Slave Device Received Illegal Function Code | The destination device received an invalid request. | Major |
+| Slave Device Received Illegal Information Object Address | The destination device received an invalid request. | Major |
+| Unknown Object Sent to Outstation | The destination device received an invalid request. | Major |
+| Usage of a Reserved Function Code | The source device initiated an invalid request. | Major |
+| Usage of Improper Formatting by Outstation | The source device initiated an invalid request. | Warning |
+| Usage of Reserved Status Flags (IIN) | A DNP3 source device (outstation) used the reserved Internal Indicator 2.6. It is recommended to check the device's configuration. | Warning |
+
+## Malware engine alerts
+
+Malware engine alerts describe detected malicious network activity.
+
+| Title | Description| Severity |
+|--|--|--|
+| Connection Attempt to Known Malicious IP | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major |
+| Invalid SMB Message (DoublePulsar Backdoor Implant) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical |
+| Malicious Domain Name Request | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major |
+| Malware Test File Detected - EICAR AV Success | An EICAR AV test file was detected in traffic between two devices. The file is not malware. It is used to confirm that the antivirus software is installed correctly; demonstrate what happens when a virus is found, and check internal procedures and reactions when a virus is found. Antivirus software should detect EICAR as if it were a real virus. | Major |
+| Suspicion of Conficker Malware | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major |
+| Suspicion of Denial Of Service Attack | A source device attempted to initiate an excessive number of new connections to a destination device. This may be a Denial Of Service (DOS) attack against the destination device, and might interrupt device functionality, impact performance and service availability, or cause unrecoverable errors. | Critical |
+| Suspicion of Malicious Activity | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major |
+| Suspicion of Malicious Activity (BlackEnergy) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical |
+| Suspicion of Malicious Activity (DarkComet) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical |
+| Suspicion of Malicious Activity (Duqu) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical |
+| Suspicion of Malicious Activity (Flame) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical |
+| Suspicion of Malicious Activity (Havex) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical |
+| Suspicion of Malicious Activity (Karagany) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical |
+| Suspicion of Malicious Activity (LightsOut) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical |
+| Suspicion of Malicious Activity (Name Queries) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major |
+| Suspicion of Malicious Activity (Poison Ivy) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical |
+| Suspicion of Malicious Activity (Regin) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical |
+| Suspicion of Malicious Activity (Stuxnet) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical |
+| Suspicion of Malicious Activity (WannaCry) | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major |
+| Suspicion of NotPetya Malware - Illegal SMB Parameters Detected | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical |
+| Suspicion of NotPetya Malware - Illegal SMB Transaction Detected | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical |
+| Suspicion of Remote Code Execution with PsExec | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major |
+| Suspicion of Remote Windows Service Management | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major |
+| Suspicious Executable File Detected on Endpoint | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Major |
+| Suspicious Traffic Detected | Suspicious network activity was detected. This activity may be associated with an attack exploiting a method used by known malware. | Critical |
+
+## Operational engine alerts
+
+Operational engine alerts describe detected operational incidents, or malfunctioning entities.
+
+| Title | Description | Severity |
+|--|--|--|
+| An S7 Stop PLC Command was Sent | The source device sent a stop command to a destination controller. The controller will stop operating until a start command is sent. | Warning |
+| BACNet Operation Failed | A server returned an error code. This indicates a server error or an invalid request by a client. | Major |
+| Bad MMS Device State | An MMS Virtual Manufacturing Device (VMD) sent a status message. The message indicates that the server may not be configured correctly, partially operational, or not operational at all. | Major |
+| Change of Device Configuration | A configuration change was detected on a source device. | Minor |
+| Continuous Event Buffer Overflow at Outstation | A buffer overflow event was detected on a source device. The event may cause data corruption, program crashes, or execution of malicious code. | Major |
+| Controller Reset | A source device sent a reset command to a destination controller. The controller stopped operating temporarily and started again automatically. | Warning |
+| Controller Stop | The source device sent a stop command to a destination controller. The controller will stop operating until a start command is sent. | Warning |
+| Device Failed to Receive a Dynamic IP Address | The source device is configured to receive a dynamic IP address from a DHCP server but did not receive an address. This indicates a configuration error on the device, or an operational error in the DHCP server. It is recommended to notify the network administrator of the incident | Major |
+| Device is Suspected to be Disconnected (Unresponsive) | A source device did not respond to a command sent to it. It may have been disconnected when the command was sent. | Major |
+| EtherNet/IP CIP Service Request Failed | A server returned an error code. This indicates a server error or an invalid request by a client. | Major |
+| EtherNet/IP Encapsulation Protocol Command Failed | A server returned an error code. This indicates a server error or an invalid request by a client. | Major |
+| Event Buffer Overflow in Outstation | A buffer overflow event was detected on a source device. The event may cause data corruption, program crashes, or execution of malicious code. | Major |
+| Expected Backup Operation Did Not Occur | Expected backup/file transfer activity did not occur between two devices. This may indicate errors in the backup / file transfer process. | Major |
+| GE SRTP Command Failure | A server returned an error code. This indicates a server error or an invalid request by a client. | Major |
+| GE SRTP Stop PLC Command was Sent | The source device sent a stop command to a destination controller. The controller will stop operating until a start command is sent. | Warning |
+| GOOSE Control Block Requires Further Configuration | A source device sent a GOOSE message indicating that the device needs commissioning. This means the GOOSE control block requires further configuration and GOOSE messages are partially or completely non-operational. | Major |
+| GOOSE Dataset Configuration was Changed | A message (identified by protocol ID) dataset was changed on a source device. This means the device will report a different dataset for this message. | Warning |
+| Honeywell Controller Unexpected Status | A Honeywell Controller sent an unexpected diagnostic message indicating a status change. | Warning |
+| HTTP Client Error | The source device initiated an invalid request. | Warning |
+| Illegal IP Address | System detected traffic between a source device and IP address which is an invalid address. This may indicate wrong configuration or an attempt to generate illegal traffic. | Minor |
+| Master-Slave Authentication Error | The authentication process between a DNP3 source device (master) and a destination device (outstation) failed. | Minor |
+| MMS Service Request Failed | A server returned an error code. This indicates a server error or an invalid request by a client. | Major |
+| No Traffic Detected on Sensor Interface | A sensor stopped detecting network traffic on a network interface. | Critical |
+| OPC UA Server Raised an Event That Requires User's Attention | An OPC UA server sent an event notification to a client. This type of event requires user attention | Major |
+| OPC UA Service Request Failed | A server returned an error code. This indicates a server error or an invalid request by a client. | Major |
+| Outstation Restarted | A cold restart was detected on a source device. This means the device was physically turned off and back on again. | Warning |
+| Outstation Restarts Frequently | An excessive number of cold restarts were detected on a source device. This means the device was physically turned off and back on again an excessive number of times. | Minor |
+| Outstation's Configuration Changed | A configuration change was detected on a source device. | Major |
+| Outstation's Corrupted Configuration Detected | This DNP3 source device (outstation) reported a corrupted configuration. | Major |
+| Profinet DCP Command Failed | A server returned an error code. This indicates a server error or an invalid request by a client. | Major |
+| Profinet Device Factory Reset | A source device sent a factory reset command to a Profinet destination device. The reset command clears Profinet device configurations and stops its operation. | Warning |
+| RPC Operation Failed | A server returned an error code. This indicates a server error or an invalid request by a client. | Major |
+| Sampled Values Message Dataset Configuration was Changed | A message (identified by protocol ID) dataset was changed on a source device. This means the device will report a different dataset for this message. | Warning |
+| Slave Device Unrecoverable Failure | An unrecoverable condition error was detected on a source device. This kind of error usually indicates a hardware failure or failure to perform a specific command. | Major |
+| Suspicion of Hardware Problems in Outstation | An unrecoverable condition error was detected on a source device. This kind of error usually indicates a hardware failure or failure to perform a specific command. | Major |
+| Suspicion of Unresponsive MODBUS Device | A source device did not respond to a command sent to it. It may have been disconnected when the command was sent. | Minor |
+| Traffic Detected on Sensor Interface | A sensor resumed detecting network traffic on a network interface. | Warning |
+
+## Next steps
+
+You can [Manage alert events](how-to-manage-the-alert-event.md).
+Learn how to [Forward alert information](how-to-forward-alert-information-to-partners.md).
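Review bot: The "Anomaly engine alerts" table lists the row "ARP Address Scan Detected" twice in a row with identical description and severity; drop one copy. In the policy violation table, "Unauthorized Operation was detected by a User Defined Rule" also appears twice with different descriptions ("Traffic was detected between two devices. This activity is unauthorized based on a Custom Alert Rule defined by a user." and "New traffic parameters were detected. This parameter combination violates a user defined rule", the latter missing its final period); these should be merged into one row with one description. Several descriptions are copy-pasted from a neighbouring row and no longer match their title: "Excessive Number of Sessions" reuses the "excessive login attempts ... brute force" text of "Excessive Login Attempts", and "Excessive Number of Sessions" should describe session counts; "Continuous Event Buffer Overflow at Outstation" and "Event Buffer Overflow in Outstation" sit in the operational engine table and, by their titles, concern an outstation's event buffer filling up, yet the description says the event "may cause data corruption, program crashes, or execution of malicious code", which reads as a memory-corruption claim the row does not support and will mislead triage. Grammar: "has not authorized as learned traffic" in "Unpermitted Usage of Internal Indication (IIN)" should be "has not been authorized"; the "Device Failed to Receive a Dynamic IP Address" and "OPC UA Server Raised an Event That Requires User's Attention" descriptions are missing their final periods.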
defender-for-iot Architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/organizations/architecture.md
+
+ Title: What is agentless solution architecture
+description: Learn about Azure Defender for IoT agentless architecture and information flow.
+ Last updated : 1/25/2021+++
+# Azure Defender for IoT architecture
+
+This article describes the functional system architecture of the Defender for IoT agentless solution. Azure Defender for IoT offers two sets of capabilities to fit your environment's needs, agentless solution for organizations, and agent-based solution for device builders.
+
+## Agentless solution for organizations
+### Defender for IoT components
+
+Defender for IoT connects both to the Azure cloud and to on-premises components. The solution is designed for scalability in large and geographically distributed environments with multiple remote locations. This solution enables a multi-layered distributed architecture by country, region, business unit, or zone.
+
+Azure Defender for IoT includes the following components:
+
+**Cloud connected deployments**
+
+- Azure Defender for IoT sensor VM or appliance
+- Azure portal for cloud management and integration to Azure Sentinel
+- On-premises management console for local-site management
+- An embedded security agent (optional)
+
+**Air-gapped (Offline) deployments**
+
+- Azure Defender for IoT sensor VM or appliance
+- On-premises management console for local site management
++
+### Azure Defender for IoT sensors
+
+The Defender for IoT sensors discover, and continuously monitor network devices. Sensors collect ICS network traffic using passive (agentless) monitoring on IoT and OT devices.
+
+Purpose-built for IoT and OT networks, the agentless technology delivers deep visibility into IoT and OT risk within minutes of being connected to the network. It has zero performance impact on the network and network devices due to its non-invasive, Network Traffic Analysis (NTA) approach.
+
+Applying patented, IoT and OT-aware behavioral analytics and Layer-7 Deep Packet Inspection (DPI), it allows you to analyze beyond traditional signature-based solutions to immediately detect advanced IoT and OT threats (such as fileless malware) based on anomalous or unauthorized activity.
+
+Defender for IoT sensors connects to a SPAN port or network TAP and immediately begins performing DPI on IoT and OT network traffic.
+
+Data collection, processing, analysis, and alerting takes place directly on the sensor. This process makes it ideally suited for locations with low bandwidth or high latency connectivity, because only metadata is transferred to the management console.
+
+The sensor includes five analytics detection engines. The engines trigger alerts based on analysis of both real-time and pre-recorded traffic. The following engines are available:
+
+#### Protocol violation detection engine
+The protocol violation detection engine identifies the use of packet structures and field values that violate ICS protocol specifications, for example: Modbus exception, and Initiation of an obsolete function code alerts.
+
+#### Policy violation detection engine
+Using machine learning, the policy violation detection engine alerts users of any deviation from baseline behavior, such as unauthorized use of specific function codes, access to specific objects, or changes to device configuration. For example: DeltaV software version changed, and Unauthorized PLC programming alerts. Specifically, the policy violation engine models the ICS networks as deterministic sequences of states and transitionsΓÇöusing a patented technique called Industrial Finite State Modeling (IFSM). The policy violation detection engine establishes a baseline of the ICS networks, so that the platform requires a shorter learning period to build a baseline of the network than generic mathematical approaches or analytics, which were originally developed for IT rather than OT networks.
+
+#### Industrial malware detection engine
+The industrial malware detection engine identifies behaviors that indicate the presence of known malware, such as Conficker, Black Energy, Havex, WannaCry, NotPetya, and Triton.
+
+#### Anomaly detection engine
+The anomaly detection engine detects unusual machine-to-machine (M2M) communications and behaviors. By modeling ICS networks as deterministic sequences of states and transitions, the platform requires a shorter learning period than generic mathematical approaches or analytics originally developed for IT rather than OT. It also detects anomalies faster, with minimal false positives. Anomaly detection engine alerts include Excessive SMB sign in attempts, and PLC Scan Detected alerts.
+
+#### Operational incident detection
+The operational incident detection detects operational issues such as intermittent connectivity that can indicate early signs of equipment failure. For example, the device is thought to be disconnected (unresponsive), and Siemens S7 stop PLC command was sent alerts.
+
+### Management consoles
+Managing Azure Defender for IoT across hybrid environments is accomplished via two management portals:
+- Sensor console
+- The on-premises management console
+- The Azure portal
+
+### Sensor console
+Sensor detections are displayed in the sensor console, where they can be viewed, investigated, and analyzed in a network map, device inventory, and in an extensive range of reports, for example risk assessment reports, data mining queries and attack vectors. You can also use the console to view and handle threats detected by sensor engines, forward information to partner systems, manage users, and more.
++
+### On-premises management console
+The on-premises management console enables security operations center (SOC) operators to manage and analyze alerts aggregated from multiple sensors into one single dashboard and provides an overall view of the health of the OT networks.
+
+This architecture provides a comprehensive unified view of the network at a SOC level, optimized alert handling, and the control of operational network security, ensuring that decision-making and risk management remain flawless.
+
+In addition to multi-tenancy, monitoring, data analysis, and centralized sensor remote control, the management console provides extra system maintenance tools (such as alert exclusion) and fully customized reporting features for each of the remote appliances. This architecture supports both local management at a site level, zone level, and global management within the SOC.
+
+The management console can be deployed for high-availability configuration, which provides a backup console that periodically receives backups of all configuration files required for recovery. If the primary console fails, the local site management appliances will automatically fail over to synchronize with the backup console to maintain availability without interruption.
+
+Tightly integrated with your SOC workflows and run books, it enables easy prioritization of mitigation activities and cross-site correlation of threats.
+
+- Holistic - reduce complexity with a single unified platform for device management, risk and vulnerability management, and threat monitoring with incident response.
+
+- Aggregation and correlation ΓÇô display, aggregate, and analyze data and alerts collected from all sites.
+
+- Control all sensors ΓÇô configure and monitor all sensors from a single location.
+
+ :::image type="content" source="media/updates/alerts-and-site-management-v2.png" alt-text="Manage all of your alerts and information.":::
+
+### Azure portal
+
+The Defender for IoT portal in Azure is used to help you:
+
+- Purchase solution appliances
+
+- Install and update software
+
+- Onboard sensors to Azure
+
+- Update Threat Intelligence packages
+
+## Next steps
+
+[Defender for IoT FAQ](resources-frequently-asked-questions.md)
+
+[System prerequisites](quickstart-system-prerequisites.md)
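Review bot: The em and en dashes in the policy violation paragraph and in the on-premises management console bullets are mis-encoded (`transitionsΓÇöusing`, `Aggregation and correlation ΓÇô display`, `Control all sensors ΓÇô configure`) and will render as garbage; replace them with plain hyphens or properly encoded dashes before merge. The "Management consoles" section also says management "is accomplished via two management portals" but then lists three (sensor console, on-premises management console, Azure portal); either drop the count or say three. Minor: "Defender for IoT sensors connects to a SPAN port or network TAP" should read "connect", "The operational incident detection detects" needs "engine", and the Industrial Finite State Modeling (IFSM) description is repeated almost verbatim under both the policy violation and anomaly detection engines, so state it once and say which engine it belongs to.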
defender-for-iot Concept Key Concepts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/organizations/concept-key-concepts.md
+
+ Title: Key advantages
+description: Learn about basic Defender for IoT concepts.
Last updated : 12/13/2020+++
+# Basic concepts
+
+This article describes key advantages of Azure Defender for IoT.
+
+## Rapid non-invasive deployment and passive monitoring
+
+Defender for IoT sensors connects to switch SPAN (Mirror) ports, and network TAPs and immediately begin collecting ICS network traffic via passive (agentless) monitoring. Deep packet inspection (DPI) is used to dissect traffic from both serial and Ethernet control network equipment. Defender for IoT has zero impact on OT networks because it isn't placed in the data path and doesn't actively scan OT devices.
+
+To deliver instant snapshots of detailed Windows device information, Defender for IoT sensor can be configured to supplement passive monitoring with an optional active component. This component uses safe, vendor-approved commands to query Windows devices for device details, as often or as infrequently as you want.
+
+## Embedded knowledge of ICS protocols, devices, and applications
+
+DPI alone is not enough to identify protocol anomalies and identify device at a granular level. The Defender for IoT sensor addresses some of the largest and most complex environments. More than 1,300 OT networks have been analyzed to date, across all industrial sectors.
+
+## Analytics and self-learning engines
+
+Engines identify security issues via continuous monitoring and five analytics engines that incorporate self-learning to eliminate the need for updating signatures or defining rules. The engines use ICS-specific behavioral analytics and data science to continuously analyze OT network traffic for anomalies. The five engines are:
+
+- **Protocol violation detection**: Identifies the use of packet structures and field values that violate ICS protocol specifications.
+
+- **Policy violation detection**: Identifies policy violations such as unauthorized use of function codes, access to specific objects, or changes to device configuration.
+
+- **Industrial malware detection**: Identifies behaviors that indicate the presence of known malware such as Conficker, Black Energy, Havex, WannaCry, and NotPetya.
+
+- **Anomaly detection**: Detects unusual machine-to-machine (M2M) communications and behaviors. By modeling ICS networks as deterministic sequences of states and transitions, the engine uses a patented technique called Industrial Finite State Modeling (IFSM). The solution requires a shorter learning period than generic mathematical approaches or analytics, which were originally developed for IT rather than OT. It also detects anomalies faster, with minimal false positives.
+
+- **Operational incident detection**: Identifies operational issues such as intermittent connectivity that can indicate early signs of equipment failure.
+
+## Network Traffic Analysis for risk and vulnerability assessment
+
+Unique in the industry, Defender for IoT uses proprietary Network Traffic Analysis (NTA) algorithms to passively identify all network and endpoint vulnerabilities, such as:
+
+- Unauthorized remote access connections
+- Rogue or undocumented devices
+- Weak authentication
+- Vulnerable devices (based on unpatched CVEs)
+- Unauthorized bridges between subnets
+- Weak firewall rules
+
+## Data mining for investigations, forensics, and threat hunting
+
+The platform provides an intuitive data-mining interface for granular searching of historical traffic across all relevant dimensions. Examples include time period, IP address, MAC address, and ports. You can also make protocol-specific queries based on function codes, protocol services, and modules. Full-fidelity PCAPs are available for further drill-down analysis.
+
+## Sensor Cloud Management mode
+
+The Sensor Cloud Management mode determines where device, alert, and other information that the sensor detects is displayed.
+
+For **cloud-connected sensors**, information that the sensor detects is displayed in the sensor console. Alert information is delivered through an IoT hub and can be shared with other Azure services, such as Azure Sentinel.
+
+For **locally connected sensors**, information that the sensor detects is displayed in the sensor console. Detection information is also shared with the on-premises management console if the sensor is connected to it.
+
+## Air-gapped networks
+
+If you're working in an air-gapped environment, the on-premises management console in Defender for IoT delivers a real-time view of key IoT and OT risk indicators and alerts across all of your facilities. Tightly integrated with your SOC workflows and runbooks, it enables easy prioritization of mitigation activities and cross-site correlation of threats.
+
+Defender for IoT provides a consolidated view of all your devices. It also provides critical information about the devices, such as type (PLC, RTU, DCS, and more), manufacturer, model, and firmware revision level, as well as alert information.
+
+Defender for IoT enables the effective management of multiple deployments and a comprehensive unified view of the network. Defender for IoT optimizes alert handling and control of operational network security.
+
+The on-premises management console is a web-based administrative platform that lets you monitor and control the activities of global sensor installations. In addition to managing the data received from deployed sensors, the on-premises management console seamlessly integrates data from various business resources: CMDBs, DNS, firewalls, Web APIs, and more.
++
+We recommend that you familiarize yourself with the concepts, capabilities, and features available to sensors before working with the on-premises management console.
+
+## Integrations
+
+You can expand the capabilities of Defender for IoT by sharing both device and alert information with partner systems. Integrations help enterprises bridge previously siloed security solutions to significantly enhance device visibility and threat intelligence. Integrations also help enterprises accelerate the system-wide responses and mitigate risks faster.
+
+Integrations reduce complexity and eliminate IT and OT silos by integrating them into your existing SOC workflows and security stack. For example:
+
+- SIEMs such as IBM QRadar, Splunk, ArcSight, LogRhythm, and RSA NetWitness
+
+- Security orchestration and ticketing systems such as ServiceNow and IBM Resilient
+
+- Secure remote access solutions such as CyberArk Privileged Session Manager (PSM) and BeyondTrust
+
+- Secure network access control (NAC) systems such as Aruba ClearPass and Forescout CounterACT
+
+- Firewalls such as Fortinet and Check Point
+
+## Complete protocol support
+
+In addition to embedded protocol support, you can secure IoT and ICS devices running proprietary and custom protocols, or protocols that deviate from any standard. By using the Horizon Open Development Environment (ODE) SDK, developers can create dissector plug-ins that decode network traffic based on defined protocols. Services analyzes traffic to provide complete monitoring, alerting, and reporting. Use Horizon to:
+
+- Expand visibility and control without the need to upgrade to new versions.
+
+- Secure proprietary information by developing on-site as an external plug-in.
+
+- Localize text for alerts, events, and protocol parameters.
+
+In addition, you can use proprietary protocol alerts to communicate information:
+
+- About traffic detections based on protocols and underlying protocols in a proprietary Horizon plug-in.
+
+- About a combination of protocol fields from all protocol layers. For example, in an environment running MODBUS, you might want to generate an alert when the sensor detects a write command to a memory register on a specific IP address and Ethernet destination. Or you might want to generate an alert when any access is performed to a specific IP address.
+
+Alerts are triggered when Horizon alert rule conditions are met.
+
+In addition, working with Horizon custom alerts lets you write your own alert titles and messages. Resolved protocol fields and values can be embedded in the alert message text.
+
+Using custom, condition-based alert triggering and messaging helps pinpoint specific network activity and effectively update your security, IT, and operational teams.
++
+## High availability
+
+Increase the resilience of your Defender for IoT deployment by installing a high-availability appliance in the on-premises management console. High-availability deployments ensure that your managed sensors continuously report to an active on-premises management console.
+
+This deployment is implemented with an on-premises management console pair that includes a primary and secondary appliance.
+
+## Localization
+
+Many console features support an extensive range of languages.
+
+## Next step
+
+[Getting started with Defender for IoT](getting-started.md)
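Review bot: "passively identify all network and endpoint vulnerabilities" under "Network Traffic Analysis for risk and vulnerability assessment" overstates what passive monitoring can do; a sensor on a SPAN port or TAP only sees vulnerabilities that are evidenced in observed traffic (for example "Vulnerable devices (based on unpatched CVEs)" inferred from a firmware revision seen on the wire), so drop "all" and keep the "such as" list. The front matter title "Key advantages" does not match the H1 "# Basic concepts" or the description "basic Defender for IoT concepts"; pick one. Also, "Defender for IoT sensors connects to switch SPAN (Mirror) ports, and network TAPs and immediately begin" mixes singular and plural (use "connect" and drop the comma), "identify device at a granular level" should be "devices", "Services analyzes traffic" under "Complete protocol support" does not say which service is meant, and "## Next step" should be "## Next steps" to match the other articles.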
defender-for-iot Getting Started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/organizations/getting-started.md
+
+ Title: 'Quickstart: Getting started'
+description: In this quickstart, learn how to get started with understanding the basic workflow for Defender for IoT deployment.
+ Last updated : 06/06/2021++
+# Quickstart: Get started with Defender for IoT
+
+This article provides an overview of the steps you'll take to set up Azure Defender for IoT. The process requires that you:
+
+- Register your subscription and sensors on the Azure Defender for IoT portal.
+- Install the sensor and on-premises management console software.
+- Perform initial activation of the sensor and management console.
+
+## Permission requirements
+
+### For sensors and on-premises management consoles
+
+Some of the setup steps require specific user permissions.
+
+Administrative user permissions are required to activate the sensor and management console, upload SSL/TLS certificates, and generate new passwords.
+### For the Defender for IoT portal
+
+The following table describes user access permissions to Azure Defender for IoT portal tools:
+
+| Permission | Security reader | Security administrator | Subscription contributor | Subscription owner |
+|--|--|--|--|--|
+| View details and access software, activation files and threat intelligence packages | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
+| Onboard a sensor | | Γ£ô | Γ£ô | Γ£ô |
+| Update pricing | | Γ£ô | Γ£ô | Γ£ô |
+| Recover password | Γ£ô | Γ£ô | Γ£ô | Γ£ô |
+
+## Identify the solution infrastructure
+
+**Clarify your network setup needs**
+
+Research your network architecture, monitored bandwidth, and other network details. For more information, see [About Azure Defender for IoT network setup](how-to-set-up-your-network.md).
+
+**Clarify which sensors and management console appliances are required to handle the network load**
+
+Azure Defender for IoT supports both physical and virtual deployments. For the physical deployments, you can purchase various certified appliances. For more information, see [Identify required appliances](how-to-identify-required-appliances.md).
+
+We recommend that you calculate the approximate number of devices that will be monitored. Later, when you register your Azure subscription to the portal, you'll be asked to enter this number. Numbers can be added in intervals of 1,000 seconds. The numbers of monitored devices are called *committed devices*.
+
+## Register with Azure Defender for IoT
+
+Registration includes:
+
+- Onboarding your Azure subscriptions to Defender for IoT.
+- Defining committed devices.
+- Downloading an activation file for the on-premises management console.
+
+**To register**:
+
+1. Go to the Azure Defender for IoT portal.
+
+1. Select **Onboard subscription**.
+
+1. On the **Pricing** page, select a subscription or create a new one, and add the number of committed devices.
+
+1. Select the **Download the on-premises management console** tab and save the downloaded activation file. This file contains the aggregate committed devices that you defined. The file will be uploaded to the management console after initial sign-in.
+
+For information on how to offboard a subscription, see [Offboard a subscription](how-to-manage-subscriptions.md#offboard-a-subscription).
+
+## Install and set up the on-premises management console
+
+After you acquire your on-premises management console appliance:
+
+- Download the ISO package from the Azure Defender for IoT portal.
+- Install the software.
+- Activate and carry out initial management console setup.
+
+**To install and set up**:
+
+1. Select **Getting Started** from the Defender for IoT portal.
+
+1. Select the **On-premises management console** tab.
+
+1. Choose a version and select **Download**.
+
+1. Install the on-premises management console software. For more information, see [Defender for IoT installation](how-to-install-software.md).
+
+1. Activate and set up the management console. For more information, see [Activate and set up your on-premises management console](how-to-activate-and-set-up-your-on-premises-management-console.md).
+
+## Onboard a sensor ##
+
+Onboard a sensor by registering it with Azure Defender for IoT and downloading a sensor activation file:
+
+1. Define a sensor name and associate it with a subscription.
+
+1. Choose a sensor connection mode:
+
+ - **Cloud connected sensors**: Information that sensors detect is displayed in the sensor console. In addition, alert information is delivered through an IoT hub and can be shared with other Azure services, such as Azure Sentinel. You can also choose to automatically push threat intelligence packages from the Azure Defender for IoT portal to your sensors. For more information, see [Threat intelligence research and packages](how-to-work-with-threat-intelligence-packages.md).
+
+ - **Locally managed sensors**: Information that sensors detect is displayed in the sensor console. If you're working in an air-gapped network and want a unified view of all information detected by multiple locally managed sensors, work with the on-premises management console.
+
+1. Select a site to associate your sensor to within an IoT Hub. The IoT Hub will serve as a gateway between this sensor and Azure Defender for IoT. Define the display name, and zone. You can also add descriptive tags. The display name, zone, and tags are descriptive entries on the [Sites and Sensors page](how-to-manage-sensors-on-the-cloud.md#view-onboarded-sensors).
+
+1. Select **Register**.
+
+1. Select **Download activation file**.
+
+For details about onboarding, see [Onboard and manage sensors in the Defender for IoT portal](how-to-manage-sensors-on-the-cloud.md).
+
+## Install and set up the sensor
+
+Download the ISO package from the Azure Defender for IoT portal, install the software, and set up the sensor.
+
+1. Select **Getting Started** from the Defender for IoT portal.
+
+1. Select **Set up sensor**.
+
+1. Choose a version and select **Download**.
+
+1. Install the sensor software. For more information, see [Defender for IoT installation](how-to-install-software.md).
+
+1. Activate and set up your sensor. For more information, see [Sign in and activate a sensor](how-to-activate-and-set-up-your-sensor.md).
+
+## Connect sensors to an on-premises management console
+
+Connect sensors to the management console to ensure that:
+
+- Sensors send alert and device inventory information to the on-premises management console.
+
+- The on-premises management console can perform sensor backups, manage alerts that sensors detect, investigate sensor disconnections, and carry out other activity on connected sensors.
+
+We recommend that you group multiple sensors monitoring the same networks in one zone. Doing this will coalesce information collected by multiple sensors.
+
+For more information, see [Connect sensors to the on-premises management console](how-to-activate-and-set-up-your-on-premises-management-console.md#connect-sensors-to-the-on-premises-management-console).
+
+## Populate Azure Sentinel with alert information (optional)
+
+Send alert information to Azure Sentinel by configuring Azure Sentinel. See [Connect your data from Defender for IoT to Azure Sentinel](how-to-configure-with-sentinel.md).
+
+## Next steps ##
+
+[Welcome to Azure Defender for IoT](overview.md)
+
+[Azure Defender for IoT architecture](architecture.md)
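Review bot: "Numbers can be added in intervals of 1,000 seconds" under "Identify the solution infrastructure" is wrong: the number being entered is the count of committed devices, not a duration, so this should read "in increments of 1,000 devices". The check marks in the permissions table are mis-encoded as "Γ£ô" and will not render; replace them with a real check mark or "Yes". Also add a blank line between "Administrative user permissions are required to activate the sensor and management console, upload SSL/TLS certificates, and generate new passwords." and "### For the Defender for IoT portal" so the heading renders, drop the trailing "##" on "## Onboard a sensor ##" and "## Next steps ##" to match the other headings, and reword "Select a site to associate your sensor to within an IoT Hub" (for example "Select the site and IoT Hub to associate the sensor with").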
defender-for-iot How To Accelerate Alert Incident Response https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/organizations/how-to-accelerate-alert-incident-response.md
+
+ Title: Accelerate alert workflows
+description: Improve alert and incident workflows.
Last updated : 12/02/2020++++
+# Accelerate alert workflows
+
+This article describes how to accelerate alert workflows by using alert comments, alert groups, and custom alert rules in Azure Defender for IoT. These tools help you:
+
+- Analyze and manage the large volume of alert events detected in your network.
+
+- Pinpoint and handle specific network activity.
+
+## Accelerate incident workflows by using alert comments
+
+Work with alert comments to improve communication between individuals and teams during the investigation of an alert event.
++
+Use alert comments to improve:
+
+- **Workflow steps**: Provide alert mitigation steps.
+
+- **Workflow follow-up**: Notify that steps were taken.
+
+- **Workflow guidance**: Provide recommendations, insights, or warnings about the event.
++
+The list of available options appears in each alert. Users can select one or several messages.
+
+To add alert comments:
+
+1. On the side menu, select **System Settings**.
+
+2. In the **System Setting** window, select **Alert Comments**.
+
+3. In the **Add comments** box, enter the comment text. Use up to 50 characters. Commas are not permissible.
+
+4. Select **Add**.
+
+## Accelerate incident workflows by using alert groups
+
+Alert groups let SOC teams view and filter alerts in their SIEM solutions and then manage these alerts based on enterprise security policies and business priorities. For example, alerts about new detections are organized in a discovery group. This group includes alerts that deal with the detection of new devices, new VLANs, new user accounts, new MAC addresses, and more.
+
+Alert groups are applied when you create forwarding rules for the following partner solutions:
+
+ - Syslog servers
+
+ - QRadar
+
+ - ArcSight
++
+The relevant alert group appears in partner output solutions.
+
+### Requirements
+
+The alert group will appear in supported partner solutions with the following prefixes:
+
+- **cat** for QRadar, ArcSight, Syslog CEF, Syslog LEEF
+
+- **Alert Group** for Syslog text messages
+
+- **alert_group** for Syslog objects
+
+These fields should be configured in the partner solution to display the alert group name. If there is no alert associated with an alert group, the field in the partner solution will display **NA**.
+
+### Default alert groups
+
+The following alert groups are automatically defined:
+
+- Abnormal communication behavior
+- Custom alerts
+- Remote access
+- Abnormal HTTP communication behavior
+- Discovery
+- Restart and stop commands
+- Authentication
+- Firmware change
+- Scan
+- Unauthorized communication behavior
+- Illegal commands
+- Sensor traffic
+- Bandwidth anomalies
+- Internet access
+- Suspicion of malware
+- Buffer overflow
+- Operation failures
+- Suspicion of malicious activity
+- Command failures
+- Operational issues
+- Configuration changes
+- Programming
+
+Alert groups are predefined. For details about alerts associated with alert groups, and about creating custom alert groups, contact [Microsoft Support](https://support.microsoft.com/supportforbusiness/productselection?sapId=82c8f35-1b8e-f274-ec11-c6efdd6dd099).
+
+## Customize alert rules
+
+Use custom alert rules to more specifically pinpoint activity of interest to you.
+
+You can add custom alert rules based on:
+
+- A category, for example a protocol, port or file.
+- Source and destination addresses
+- A condition based on the category chosen, for example a function associated with a protocol, a file name, port or transport number.
+- A condition based on date and time reference, for example if a detection was made on a specific day or a certain part of the day.
+
+If the sensor detects the activity described in the rule, the alert is sent.
+ information that individual sensors detect. For example, define a rule that instructs a sensor to trigger an alert based on a source IP, destination IP, or command (within a protocol). When the sensor detects the traffic defined in the rule, an alert or event is generated.
+
+You can also use alert rule actions to instruct Defender for IoT to:
+
+- Allow users to access PCAP file from the alert.
+- Assign an alert severity.
+- Generate an event rather than alert. The detected information will appear in the event timeline.
++
+The alert message indicates that a user-defined rule triggered the alert.
++
+**To create a custom alert rule:**
+
+1. Select **Custom Alerts** from the side menu of a sensor.
+1. Select the plus sign (**+**) to create a rule.
+1. Define a rule name.
+1. Select a category or protocol from the **Categories** pane.
+1. Define a specific source and destination IP or MAC address, or choose any address.
+1. Define one or several rule conditions. Two categories of conditions can be created:
+ - Conditions based on unique values associated with the category selected. Select Add and define the values.
+ - Conditions based on the when the activity was detected. In the Detections section, select a time period and day in which the detection must occur in order to send the alert. You can choose to send the alert if the activity is detected anytime, during or after working hours. Use the Define working hours option to instruct Defender for IoT working hours for your organization.
+1. Define rule actions:
+ - Indicate if the rule triggers an **Alarm** or **Event**.
+ - Assign a severity level to the alert.
+ - Indicate if the alert will include a PCAP file.
+1. Select **Save**.
+
+The rule is added to the **Customized Alerts Rules** list, where you can review basic rule parameters, the last time the rule was triggered, and more. You can also enable and disable the rule from the list.
++
+### See also
+
+[View information provided in alerts](how-to-view-information-provided-in-alerts.md)
+
+[Manage the alert event](how-to-manage-the-alert-event.md)
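Review bot: The line " information that individual sensors detect. For example, define a rule that instructs a sensor to trigger an alert based on a source IP, destination IP, or command (within a protocol)." under "Customize alert rules" is a fragment whose opening is missing; it directly follows "If the sensor detects the activity described in the rule, the alert is sent." and should either get its beginning restored or be folded into that sentence. The rule action terminology is inconsistent: the bullet list says "Generate an event rather than alert" while the procedure says "Indicate if the rule triggers an **Alarm** or **Event**"; use "Alert" throughout since that is what the rest of the article and the "Customized Alerts Rules" list call it. Also fix "Conditions based on the when the activity was detected" (drop "the") and "instruct Defender for IoT working hours for your organization" (missing "of"), and replace the stray "++" lines with blank lines.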
defender-for-iot How To Activate And Set Up Your On Premises Management Console https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/organizations/how-to-activate-and-set-up-your-on-premises-management-console.md
+
+ Title: Activate and set up your on-premises management console
+description: Activating the management console ensures that sensors are registered with Azure and send information to the on-premises management console, and that the on-premises management console carries out management tasks on connected sensors.
Last updated : 05/05/2021+++
+# Activate and set up your on-premises management console
+
+Activation and setup of the on-premises management console ensures that:
+
+- Network devices that you're monitoring through connected sensors are registered with an Azure account.
+
+- Sensors send information to the on-premises management console.
+
+- The on-premises management console carries out management tasks on connected sensors.
+
+- You have installed an SSL certificate.
+
+## Sign in for the first time
+
+**To sign in to the management console:**
+
+1. Navigate to the IP address you received for the on-premises management console during the system installation.
+
+1. Enter the username and password you received for the on-premises management console during the system installation.
++
+If you forgot your password, select the **Recover Password** option, and see [Password recovery](how-to-manage-the-on-premises-management-console.md#password-recovery) for instructions on how to recover your password.
+
+## Activate the on-premises management console
+
+After you sign in for the first time, you will need to activate the on-premises management console by getting, and uploading an activation file.
+
+**To activate the on-premises management console:**
+
+1. Sign in to the on-premises management console.
+
+1. In the alert notification at the top of the screen, select the **Take Action** link.
+
+ :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/take-action.png" alt-text="Select the Take Action link from the alert on the top of the screen.":::
+
+1. In the Activation popup screen, select the **Azure portal** link.
+
+ :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/azure-portal.png" alt-text="Select the Azure portal link from the popup message.":::
+
+1. Select a subscription to associate the on-premises management console to, and then select the **Download on-premises management console activation file** button. The activation file is downloaded.
+
+ The on-premises management console can be associated to one, or more subscriptions. The activation file will be associated with all of the selected subscriptions, and the number of committed devices at the time of download.
+
+ :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/multiple-subscriptions.png" alt-text="You can select multiple subscriptions to onboard your on-premises management console to.":::
+
+ If you have not already onboarded a subscription, then [Onboard a subscription](how-to-manage-subscriptions.md#onboard-a-subscription).
+
+ > [!Note]
+ > If you delete a subscription, you will need to upload a new activation file to all on-premises management console that was affiliated with the deleted subscription.
+
+1. Navigate back to the **Activation** popup screen and select **Choose File**.
+
+1. Select the downloaded file.
+
+After initial activation, the number of monitored devices can exceed the number of committed devices defined during onboarding. This issue occurs if you connect more sensors to the management console. If there's a discrepancy between the number of monitored devices, and the number of committed devices, a warning will appear on the management console.
++
+If this warning appears, you need to upload a [new activation file](#activate-the-on-premises-management-console).
+
+### Activate an expired license (versions under 10.0)
+
+For users with versions prior to 10.0, your license may expire, and the following alert will be displayed.
++
+**To activate your license:**
+
+1. Open a case with [support](https://ms.portal.azure.com/?passwordRecovery=true&Microsoft_Azure_IoT_Defender=canary#create/Microsoft.Support)..
+
+1. Supply support with your Activation ID number.
+
+1. Support will supply you with new license information in the form of a string of letters.
+
+1. Read the terms and conditions, and check the checkbox to approve.
+
+1. Paste the string into space provided.
+
+ :::image type="content" source="media/how-to-activate-and-set-up-your-on-premises-management-console/add-license.png" alt-text="Paste the string into the provided field.":::
+
+1. Select **Activate**.
+
+## Set up a certificate
+
+After you install the management console, a local self-signed certificate is generated. This certificate is used to access the console. After an administrator signs in to the management console for the first time, that user is prompted to onboard an SSL/TLS certificate.
+
+Two levels of security are available:
+
+- Meet specific certificate and encryption requirements requested by your organization by uploading the CA-signed certificate.
+
+- Allow validation between the management console and connected sensors. Validation is evaluated against a certificate revocation list and the certificate expiration date. *If validation fails, communication between the management console and the sensor is halted and a validation error is presented in the console.* This option is enabled by default after installation.
+
+The console supports the following types of certificates:
+
+- Private and Enterprise Key Infrastructure (private PKI)
+
+- Public Key Infrastructure (public PKI)
+
+- Locally generated on the appliance (locally self-signed)
+
+ > [!IMPORTANT]
+ > We recommend that you don't use a self-signed certificate. The certificate is not secure and should be used for test environments only. The owner of the certificate can't be validated, and the security of your system can't be maintained. Never use this option for production networks.
+
+**To upload a certificate:**
+
+1. When you're prompted after sign-in, define a certificate name.
+
+1. Upload the CRT and key files.
+
+1. Enter a passphrase and upload a PEM file if necessary.
+
+You may need to refresh your screen after you upload the CA-signed certificate.
+
+**To disable validation between the management console and connected sensors:**
+
+1. Select **Next**.
+
+1. Turn off the **Enable system-wide validation** toggle.
+
+For information about uploading a new certificate, supported certificate files, and related items, see [Manage the on-premises management console](how-to-manage-the-on-premises-management-console.md).
+
+## Connect sensors to the on-premises management console
+
+Ensure that sensors send information to the on-premises management console, and that the on-premises management console can perform backups, manage alerts, and carry out other activity on the sensors. To do that, use the following procedures to verify that you make an initial connection between sensors and the on-premises management console.
+
+Two options are available for connecting Azure Defender for IoT sensors to the on-premises management console:
+
+- Connect from the sensor console
+
+- Connect by using tunneling
+
+After connecting, you must set up a site with these sensors.
+
+### Connect sensors to the on-premises management console from the sensor console
+
+**To connect sensors to the on-premises management console from the sensor console:**
+
+1. On the on-premises management console, select **System Settings**.
+
+1. Copy the **Copy Connection String**.
+
+ :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/connection-string.png" alt-text="Copy the connection string for the sensor.":::
+
+1. On the sensor, navigate to **System Settings** and select **Connection to Management Console** :::image type="icon" source="media/how-to-manage-sensors-from-the-on-premises-management-console/connection-to-management-console.png" border="false":::
+
+1. Paste the copied connection string from the on-premises management console into the **Connection string** field.
+
+ :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/paste-connection-string.png" alt-text="Paste the copied connection string into the connection string field.":::
+
+1. Select **Connect**.
+
+### Connect sensors by using tunneling
+
+Enable a secured tunneling connection between organizational sensors and the on-premises management console. This setup circumvents interaction with the organizational firewall, and as a result reduces the attack surface.
+
+Using tunneling allows you to connect to the on-premises management console from its IP address and a single port (that is, 9000) to any sensor.
+
+**To set up tunneling at the on-premises management console:**
+
+- Sign in to the on-premises management console and run the following commands:
+
+ ```bash
+ cyberx-management-tunnel-enable
+ service apache2 reload
+ sudo cyberx-management-tunnel-add-xsense --xsenseuid <sensorIPAddress> --xsenseport 9000
+ service apache2 reload
+ ```
+
+**To set up tunneling on the sensor:**
+
+1. Open TCP port 9000 on the sensor (network.properties) manually. If the port is not open, the sensor will reject the connection from the on-premises management console.
+
+2. Sign in to each sensor and run the following commands:
+
+ ```bash
+ sudo cyberx-xsense-management-connect -ip <centralmanagerIPAddress>
+ sudo cyberx-xsense-management-tunnel
+ sudo vi /var/cyberx/properties/network.properties
+ opened_tcp_incoming_ports=22,80,443,102,9000
+ sudo cyberx-xsense-network-validation
+ sudo /etc/network/if-up.d/iptables-recover
+ sudo iptables -nvL
+ ```
+
+## Set up a site
+
+The default enterprise map provides an overall view of your devices according to several levels of geographical locations.
+
+The view of your devices might be required where the organizational structure and user permissions are complex. In these cases, site setup might be determined by a global organizational structure, in addition to the standard site or zone structure.
+
+To support this environment, you need to create a global business topology that's based on your organization's business units, regions, sites, and zones. You also need to define user access permissions around these entities by using access groups.
+
+Access groups enable better control over where users manage and analyze devices in the Defender for IoT platform.
+
+### How it works
+
+You can define a business unit, and a region for each site in your organization. You can then add zones, which are logical entities that exist in your network.
+
+Assign at least one sensor per zone. The five-level model provides the flexibility and granularity required to deliver the protection system that reflects the structure of your organization.
++
+Using the Enterprise View, you can edit your sites directly. When you select a site from the Enterprise View, the number of open alerts appears next to each zone.
++
+**To set up a site:**
+
+1. Add new business units to reflect your organization's logical structure.
+
+ 1. From the Enterprise view, select **All Sites** > **Manage Business Units**.
+
+ :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/manage-business-unit.png" alt-text="Select manage business unit from the all sites drop down menu on the enterprise view screen.":::
+
+ 1. Enter the new business unit name and select **ADD**.
+
+1. Add new regions to reflect your organization's regions.
+
+ 1. From the Enterprise View, select **All Regions** > **Manage Regions**.
+
+ :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/manage-regions.png" alt-text="Select all regions and then manage regions to manage the regions in your enterprise.":::
+
+ 1. Enter the new region name and select **ADD**.
+
+1. Add a site.
+
+ 1. From the Enterprise view, select :::image type="icon" source="media/how-to-activate-and-set-up-your-on-premises-management-console/new-site-icon.png" border="false"::: on the top bar. Your cursor appears as a plus sign (**+**).
+
+ 1. Position the **+** at the location of the new site and select it. The **Create New Site** dialog box opens.
+
+ :::image type="content" source="media/how-to-activate-and-set-up-your-on-premises-management-console/create-new-site-screen.png" alt-text="Screenshot of the Create New Site view.":::
+
+ 1. Define the name and the physical address for the new site and select **SAVE**. The new site appears on the site map.
+
+4. [Add zones to a site](#create-enterprise-zones).
+
+5. [Connect the sensors](how-to-manage-individual-sensors.md#connect-a-sensor-to-the-management-console).
+
+6. [Assign sensor to site zones](#assign-sensors-to-zones).
+
+### Delete a site
+
+If you no longer need a site, you can delete it from your on-premises management console.
+
+**To delete a site:**
+
+1. In the **Site Management** window, select :::image type="icon" source="media/how-to-activate-and-set-up-your-on-premises-management-console/expand-view-icon.png" border="false"::: from the bar that contains the site name, and then select **Delete Site**. The confirmation box appears, verifying that you want to delete the site.
+
+2. In the confirmation box, select **CONFIRM**.
+
+## Create enterprise zones
+
+Zones are logical entities that enable you to divide devices within a site into groups according to various characteristics. For example, you can create groups for production lines, substations, site areas, or types of devices. You can define zones based on any characteristic that's suitable for your organization.
+
+You configure zones as a part of the site configuration process.
++
+The following table describes the parameters in the **Site Management** window.
+
+| Parameter | Description |
+|--|--|
+| Name | The name of the sensor. You can change this name only from the sensor. For more information, see the Defender for IoT user guide. |
+| IP | The sensor IP address. |
+| Version | The sensor version. |
+| Connectivity | The sensor connectivity status. The status can be **Connected** or **Disconnected**. |
+| Last Upgrade | The date of the last upgrade. |
+| Upgrade Progress | The progress bar shows the status of the upgrade process, as follows:<br />- Uploading package<br />- Preparing to install<br />- Stopping processes<br />- Backing up data<br />- Taking snapshot<br />- Updating configuration<br />- Updating dependencies<br />- Updating libraries<br />- Patching databases<br />- Starting processes<br />- Validating system sanity<br />- Validation succeeded<br />- Success<br />- Failure<br />- Upgrade started<br />- Starting installation<br /></br >For details about upgrading, refer to [Microsoft Support](https://support.microsoft.com/) for help. |
+| Devices | The number of OT devices that the sensor monitors. |
+| Alerts | The number of alerts on the sensor. |
+| :::image type="icon" source="media/how-to-activate-and-set-up-your-on-premises-management-console/assign-icon.png" border="false"::: | Enables assigning a sensor to zones. |
+| :::image type="icon" source="media/how-to-activate-and-set-up-your-on-premises-management-console/delete-icon.png" border="false":::| Enables deleting a disconnected sensor from the site. |
+| :::image type="icon" source="media/how-to-activate-and-set-up-your-on-premises-management-console/sensor-icon.png" border="false"::: | Indicates how many sensors are currently connected to the zone. |
+| :::image type="icon" source="media/how-to-activate-and-set-up-your-on-premises-management-console/ot-assets-icon.png" border="false"::: | Indicates how many OT assets are currently connected to the zone. |
+| :::image type="icon" source="media/how-to-activate-and-set-up-your-on-premises-management-console/number-of-alerts-icon.png" border="false"::: | Indicates the number of alerts sent by sensors that are assigned to the zone. |
+| :::image type="icon" source="media/how-to-activate-and-set-up-your-on-premises-management-console/unassign-sensor-icon.png" border="false"::: | Unassigns sensors from zones. |
+
+**To add a zone to a site:**
+
+1. In the **Site Management** window, select :::image type="icon" source="media/how-to-activate-and-set-up-your-on-premises-management-console/expand-view-icon.png" border="false"::: from the bar that contains the site name, and then select **Add Zone**. The **Create New Zone** dialog box appears.
+
+ :::image type="content" source="media/how-to-activate-and-set-up-your-on-premises-management-console/create-new-zone-screen.png" alt-text="Screenshot of the Create New Zone view.":::
+
+1. Enter the zone name.
+
+1. Enter a description for the new zone that clearly states the characteristics that you used to divide the site into zones.
+
+1. Select **SAVE**. The new zone appears in the **Site Management** window under the site that this zone belongs to.
+
+**To edit a zone:**
+
+1. In the **Site Management** window, select :::image type="icon" source="media/how-to-activate-and-set-up-your-on-premises-management-console/expand-view-icon.png" border="false"::: from the bar that contains the zone name, and then select **Edit Zone**. The **Edit Zone** dialog box appears.
+
+ :::image type="content" source="media/how-to-activate-and-set-up-your-on-premises-management-console/zone-edit-screen.png" alt-text="Screenshot that shows the Edit Zone dialog box.":::
+
+1. Edit the zone parameters and select **SAVE**.
+
+**To delete a zone:**
+
+1. In the **Site Management** window, select :::image type="icon" source="media/how-to-activate-and-set-up-your-on-premises-management-console/expand-view-icon.png" border="false"::: from the bar that contains the zone name, and then select **Delete Zone**.
+
+1. In the confirmation box, select **YES**.
+
+**To filter according to the connectivity status:**
+
+- From the upper-left corner, select :::image type="icon" source="media/how-to-activate-and-set-up-your-on-premises-management-console/down-pointing-icon.png" border="false"::: next to **Connectivity**, and then select one of the following options:
+
+ - **All**: Presents all the sensors that report to this on-premises management console.
+
+ - **Connected**: Presents only connected sensors.
+
+ - **Disconnected**: Presents only disconnected sensors.
+
+**To filter according to the upgrade status:**
+
+- From the upper-left corner, select :::image type="icon" source="media/how-to-activate-and-set-up-your-on-premises-management-console/down-pointing-icon.png" border="false"::: next to **Upgrade Status** and select one of the following options:
+
+ - **All**: Presents all the sensors that report to this on-premises management console.
+
+ - **Valid**: Presents sensors with a valid upgrade status.
+
+ - **In Progress**: Presents sensors that are in the process of upgrade.
+
+ - **Failed**: Presents sensors whose upgrade process has failed.
+
+## Assign sensors to zones
+
+For each zone, you need to assign sensors that perform local traffic analysis and alerting. You can assign only the sensors that are connected to the on-premises management console.
+
+**To assign a sensor:**
+
+1. Select **Site Management**. The unassigned sensors appear in the upper-left corner of the dialog box.
+
+ :::image type="content" source="media/how-to-activate-and-set-up-your-on-premises-management-console/unassigned-sensors-view.png" alt-text="Screenshot of the Unassigned Sensors view.":::
+
+1. Verify that the **Connectivity** status is connected. If not, see [Connect sensors to the on-premises management console](#connect-sensors-to-the-on-premises-management-console) for details about connecting.
+
+1. Select :::image type="icon" source="media/how-to-activate-and-set-up-your-on-premises-management-console/assign-icon.png" border="false"::: for the sensor that you want to assign.
+
+1. In the **Assign Sensor** dialog box, select the business unit, region, site, and zone to assign.
+
+ :::image type="content" source="media/how-to-activate-and-set-up-your-on-premises-management-console/assign-sensor-screen.png" alt-text="Screenshot of the Assign Sensor view.":::
+
+1. Select **ASSIGN**.
+
+**To unassign and delete a sensor:**
+
+1. Disconnect the sensor from the on-premises management console. See [Connect sensors to the on-premises management console](#connect-sensors-to-the-on-premises-management-console) for details.
+
+1. In the **Site Management** window, select the sensor and select :::image type="icon" source="media/how-to-activate-and-set-up-your-on-premises-management-console/unassign-sensor-icon.png" border="false":::. The sensor appears in the list of unassigned sensors after a few moments.
+
+1. To delete the unassigned sensor from the site, select the sensor from the list of unassigned sensors and select :::image type="icon" source="media/how-to-activate-and-set-up-your-on-premises-management-console/delete-icon.png" border="false":::.
+
+## See also
+
+[Troubleshoot the sensor and on-premises management console](how-to-troubleshoot-the-sensor-and-on-premises-management-console.md)
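Review bot: the sensor-side tunneling block ("sudo vi /var/cyberx/properties/network.properties" followed by "opened_tcp_incoming_ports=22,80,443,102,9000") presents a file edit as if it were a shell command; a reader pasting the block into a terminal would set a harmless shell variable and leave the property unchanged, so the property line should be called out as the value to set inside network.properties rather than listed as a command. In the same procedure the management-console block is inconsistent about privileges (cyberx-management-tunnel-enable and "service apache2 reload" run without sudo while cyberx-management-tunnel-add-xsense runs with it), and the "--xsenseuid <sensorIPAddress>" placeholder names a UID but is filled with an IP address; confirm which value the flag expects. The claim that tunneling "circumvents interaction with the organizational firewall, and as a result reduces the attack surface" should be qualified, because the procedure itself opens TCP port 9000 on every sensor; say what is actually reduced (a single inbound port on the console side). Smaller points: the support link line ends with "..", "Paste the string into space provided" is missing "the", the note under the subscription step should read "all on-premises management consoles that were affiliated", "Copy the **Copy Connection String**" should be "Select **Copy Connection String**", the sensor-name row of the parameter table refers to "the Defender for IoT user guide" with no link, and the site-setup list switches from "1." to literal "4.", "5.", "6." numbering.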
defender-for-iot How To Activate And Set Up Your Sensor https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/organizations/how-to-activate-and-set-up-your-sensor.md
+
+ Title: Activate and set up your sensor
+description: This article describes how to sign in and activate a sensor console.
Last updated : 04/29/2021+++
+# Activate and set up your sensor
+
+This article describes how to activate a sensor and perform initial setup.
+
+Administrator users carry out activation when signing in for the first time and when activation management is required. Setup ensures that the sensor is configured to optimally detect and alert.
+
+Security analysts and read-only users can't activate a sensor or generate a new password.
+
+## Sign-in and activation for administrator users
+
+Administrators who sign in for the first time should verify that they have access to activation and password recovery files that were downloaded during sensor onboarding. If not, they need Azure security administrator, subscription contributor, or subscription owner permissions to generate these files on the Azure Defender for IoT portal.
+
+### First-time sign-in and activation checklist
+
+Before signing in to the sensor console, administrator users should have access to:
+
+- The sensor IP address that was defined during the installation.
+
+- User sign-in credentials for the sensor. If you downloaded an ISO for the sensor, use the default credentials that you received during the installation. We recommend that you create a new *Administrator* user after activation.
+
+- An initial password. If you purchased a preconfigured sensor from Arrow, you need to generate a password when signing in for the first time.
+
+- The activation file associated with this sensor. The file was generated and downloaded during sensor onboarding on the Defender for IoT portal.
+
+- An SSL/TLS CA-signed certificate that your company requires.
+
+### About activation files
+
+Your sensor was onboarded to Azure Defender for IoT in a specific management mode:
+
+| Mode type | Description |
+|--|--|
+| **Cloud connected mode** | Information that the sensor detects is displayed in the sensor console. Alert information is also delivered through the IoT hub and can be shared with other Azure services, such as Azure Sentinel. You can also enable automatic threat intelligence updates. |
+| **Locally connected mode** | Information that the sensor detects is displayed in the sensor console. Detection information is also shared with the on-premises management console, if the sensor is connected to it. |
+
+A locally connected, or cloud-connected activation file was generated and downloaded for this sensor during onboarding. The activation file contains instructions for the management mode of the sensor. *A unique activation file should be uploaded to each sensor you deploy.* The first time you sign in, you need to upload the relevant activation file for this sensor.
++
+### About certificates
+
+Following sensor installation, a local self-signed certificate is generated and used to access the sensor console. After an administrator signs in to the console for the first time, that user is prompted to onboard an SSL/TLS certificate.
+
+Two levels of security are available:
+
+- Meet specific certificate and encryption requirements requested by your organization, by uploading the CA-signed certificate.
+- Allow validation between the management console and connected sensors. Validation is evaluated against a certificate revocation list and the certificate expiration date. *If validation fails, communication between the management console and the sensor is halted and a validation error appears in the console.* This option is enabled by default after installation.
+
+The console supports the following certificate types:
+
+- Private and Enterprise Key Infrastructure (private PKI)
+
+- Public Key Infrastructure (public PKI)
+
+- Locally generated on the appliance (locally self-signed)
+
+ > [!IMPORTANT]
+ > We recommend that you don't use the default self-signed certificate. The certificate is not secure and should be used for test environments only. The owner of the certificate can't be validated, and the security of your system can't be maintained. Never use this option for production networks.
+
+See [Manage certificates](how-to-manage-individual-sensors.md#manage-certificates) for more information about working with certificates.
+
+### Sign in and activate the sensor
+
+**To sign in and activate:**
+
+1. Go to the sensor console from your browser by using the IP defined during the installation. The sign-in dialog box opens.
+
+ :::image type="content" source="media/how-to-activate-and-set-up-your-sensor/azure-defender-for-iot-sensor-log-in-screen.png" alt-text="Azure Defender for IoT sensor.":::
+
+1. Enter the credentials defined during the sensor installation, or select the **Password recovery** option. If you purchased a preconfigured sensor from Arrow, generate a password first. For more information on password recovery, see [Investigate password failure at initial sign-in](how-to-troubleshoot-the-sensor-and-on-premises-management-console.md#investigate-password-failure-at-initial-sign-in).
+
+1. After you sign in, the **Activation** dialog box opens. Select **Upload** and go to the activation file that you downloaded during the sensor onboarding.
+
+ :::image type="content" source="media/how-to-activate-and-set-up-your-sensor/activation-upload-screen-with-upload-button.png" alt-text="Select Upload and go to the activation file.":::
+
+1. Select the **Sensor Network Configuration** link if you want to change the sensor network configuration before activation. See [Update sensor network configuration before activation](#update-sensor-network-configuration-before-activation).
+
+1. Accept the terms and conditions.
+
+1. Select **Activate**. The SSL/TLS certificate dialog box opens.
+
+1. Define a certificate name.
+1. Upload the CRT and key files.
+1. Enter a passphrase and upload a PEM file if required.
+1. Select **Next**. The validation screen opens. By default, validation between the management console and connected sensors is enabled.
+1. Turn off the **Enable system-wide validation** toggle to disable validation. We recommend that you enable validation.
+1. Select **Save**.
+
+You might need to refresh your screen after uploading the CA-signed certificate.
+
+For information about uploading a new certificate, supported certificate parameters, and working with CLI certificate commands, see [Manage individual sensors](how-to-manage-individual-sensors.md).
+
+#### Update sensor network configuration before activation
+
+The sensor network configuration parameters were defined during the software installation, or when you purchased a preconfigured sensor. The following parameters were defined:
+
+- IP address
+- DNS
+- Default gateway
+- Subnet mask
+- Host name
+
+You might want to update this information before activating the sensor. For example, you might need to change the preconfigured parameters defined by Arrow. You can also define proxy settings before activating your sensor.
+
+**To update sensor network configuration parameters:**
+
+1. Select the **Sensor Network Configuration** link form the **Activation** dialog box.
+
+ :::image type="content" source="media/how-to-activate-and-set-up-your-sensor/editable-network-configuration-screen-v2.png" alt-text="Sensor Network Configuration.":::
+
+2. The parameters defined during installation are displayed. The option to define the proxy is also available. Update any settings as required and select **Save**.
+
+### Activate an expired license (versions under 10.0)
+
+For users with versions prior to 10.0, your license may expire, and the following alert will be displayed.
++
+**To activate your license:**
+
+1. Open a case with [support](https://ms.portal.azure.com/?passwordRecovery=true&Microsoft_Azure_IoT_Defender=canary#create/Microsoft.Support).
+
+1. Supply support with your Activation ID number.
+
+1. Support will supply you with new license information in the form of a string of letters.
+
+1. Read the terms and conditions, and check the checkbox to approve.
+
+1. Paste the string into space provided.
+
+ :::image type="content" source="media/how-to-activate-and-set-up-your-on-premises-management-console/add-license.png" alt-text="Paste the string into the provided field.":::
+
+1. Select **Activate**.
+
+### Subsequent sign-ins
+
+After first-time activation, the Azure Defender for IoT sensor console opens after sign-in without requiring an activation file. You need only your sign-in credentials.
+
+After your sign in, the Azure Defender for IoT console opens.
++
+## Initial setup and learning (for administrators)
+
+After your first sign-in, the Azure Defender for IoT sensor starts to monitor your network automatically. Network devices will appear in the device map and device inventory sections. Azure Defender for IoT will begin to detect and alert you on all security and operational incidents that occur in your network. You can then create reports and queries based on the detected information.
+
+Initially this activity is carried out in the Learning Mode, which instructs your sensor to learn your network's usual activity. For example, the sensor learns devices discovered in your network, protocols detected in the network, and file transfers that occur between specific devices. This activity becomes your network's baseline activity.
+
+### Review and update basic system settings
+
+Review the sensor's system settings to make sure the sensor is configured to optimally detect and alert.
+
+Define the sensor's system settings. For example:
+
+- Define ICS (or IoT) and segregated subnets.
+
+- Define port aliases for site-specific protocols.
+
+- Define VLANs and names that are in use.
+
+- If DHCP is in use, define legitimate DHCP ranges.
+
+- Define integration with Active Directory and mail server as appropriate.
+
+### Disable learning mode
+
+After adjusting the system settings, you can let the Azure Defender for IoT sensor run in learning mode until you feel that system detections accurately reflect your network activity.
+
+The learning mode should run for about 2 to 6 weeks, depending on your network size and complexity. After you disable learning mode, any activity that differs from your baseline activity will trigger an alert.
+
+**To disable learning mode:**
+
+- Select **System Settings** and turn off the **Learning** option.
+
+## First-time sign-in for security analysts and read-only users
+
+Before you sign in, verify that you have:
+
+- The sensor IP address.
+- Sign-in credentials that your administrator provided.
+
+## Console tools: Overview
+
+You access console tools from the side menu.
+
+**Navigation**
+
+| Window | Icon | Description |
+| --|--|--|
+| Dashboard | :::image type="icon" source="media/concept-sensor-console-overview/dashboard-icon-azure.png" border="false"::: | View an intuitive snapshot of the state of the network's security. |
+| Device map | :::image type="icon" source="media/concept-sensor-console-overview/asset-map-icon-azure.png" border="false"::: | View the network devices, device connections, and device properties in a map. Various zooms, highlight, and filter options are available to display your network. |
+| Device inventory | :::image type="icon" source="media/concept-sensor-console-overview/asset-inventory-icon-azure.png" border="false"::: | The device inventory displays a list of device attributes that this sensor detects. Options are available to: <br /> - Sort, or filter the information according to the table fields, and see the filtered information displayed. <br /> - Export information to a CSV file. <br /> - Import Windows registry details.|
+| Alerts | :::image type="icon" source="media/concept-sensor-console-overview/alerts-icon-azure.png" border="false"::: | Display alerts when policy violations occur, deviations from the baseline behavior occur, or any type of suspicious activity in the network is detected. |
+| Reports | :::image type="icon" source="media/concept-sensor-console-overview/reports-icon-azure.png" border="false"::: | View reports that are based on data-mining queries. |
+
+**Analysis**
+
+| Window| Icon | Description |
+||||
+| Event timeline | :::image type="icon" source="media/concept-sensor-console-overview/event-timeline-icon-azure.png" border="false"::: | View a timeline with information about alerts, network events (informational), and user operations, such as user sign-ins and user deletions.|
+
+**Navigation**
+
+| Window | Icon | Description |
+||||
+| Data mining | :::image type="icon" source="media/concept-sensor-console-overview/data-mining-icon-azure.png" border="false"::: | Generate comprehensive and granular information about your network's devices at various layers. |
+| Investigation | :::image type="icon" source="media/concept-sensor-console-overview/trends-and-statistics-icon-azure.jpg" border="false"::: | View trends and statistics in an extensive range of widgets. |
+| Risk Assessment | :::image type="icon" source="media/concept-sensor-console-overview/vulnerabilities-icon-azure.png" border="false"::: | Display the **Vulnerabilities** window. |
+
+**Admin**
+
+| Window | Icon | Description |
+||||
+| Users | :::image type="icon" source="media/concept-sensor-console-overview/users-icon-azure.png" border="false"::: | Define users and roles with various access levels. |
+| Forwarding | :::image type="icon" source="medi) for details. |
+| System settings | :::image type="icon" source="media/concept-sensor-console-overview/system-settings-icon-azure.png" border="false"::: | Configure the system settings. For example, define DHCP settings, provide mail server details, or create port aliases. |
+| Import settings | :::image type="icon" source="medi) for details. |
+
+**Support**
+
+| Window| Icon | Description |
+|-|||
+| Support | :::image type="icon" source="media/concept-sensor-console-overview/support-icon-azure.png" border="false"::: | Contact [Microsoft Support](https://support.microsoft.com/) for help. |
+
+## See also
+
+[Threat intelligence research and packages #](how-to-work-with-threat-intelligence-packages.md)
+
+[Onboard a sensor](getting-started.md#onboard-a-sensor)
+
+[Manage sensor activation files](how-to-manage-individual-sensors.md#manage-sensor-activation-files)
+
+[Control what traffic is monitored](how-to-control-what-traffic-is-monitored.md)
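Review bot: the **Forwarding** and **Import settings** rows of the Admin table are truncated ("source="medi) for details. |"), so the icon path, the closing of the image directive, and the description text are all lost; these two rows need to be restored before merge. Several of the console-tool tables also lack a valid delimiter row ("||||" and "|-|||" instead of "|--|--|--|"), which will not render as tables, and the third table is labeled **Navigation** a second time although it lists Data mining, Investigation and Risk Assessment. Smaller points: "Select the **Sensor Network Configuration** link form the **Activation** dialog box" has "form" for "from", "After your sign in" should be "After you sign in", and the See also entry "Threat intelligence research and packages #" carries a stray "#". The certificate bullet in "About certificates" says validation is "between the management console and connected sensors" even though this article is about the sensor alone; confirm that is the intended scope for a standalone sensor.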
defender-for-iot How To Configure Windows Endpoint Monitoring https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/organizations/how-to-configure-windows-endpoint-monitoring.md
+
+ Title: Configure Windows endpoint monitoring
+description: Enrich data resolved on devices by working with Windows endpoint monitoring (WMI).
Last updated : 05/03/2021++++
+# Configure Windows endpoint monitoring (WMI)
+
+With the Windows endpoint monitoring capability, you can configure Azure Defender for IoT to selectively probe Windows systems. This provides you with more focused and accurate information about your devices, such as service pack levels.
+
+You can configure probing with specific ranges and hosts, and configure it to be performed only as often as desired. You accomplish selective probing by using the Windows Management Instrumentation (WMI), which is Microsoft's standard scripting language for managing Windows systems.
+
+> [!NOTE]
+> - You can run only one scan at a time.
+> - You get the best results with users who have domain or local administrator privileges.
+> - Before you begin the WMI configuration, configure a firewall rule that opens outgoing traffic from the sensor to the scanned subnet by using UDP port 135 and all TCP ports above 1024.
+
+When the probe is finished, a log file with all the probing attempts is available from the option to export a log. The log contains all the IP addresses that were probed. For each IP address, the log shows success and failure information. There's also an error code, which is a free string derived from the exception. The scan of the last log only is kept in the system.
+
+You can perform scheduled scans or manual scans. When a scan is finished, you can view the results in a CSV file.
+
+**Prerequisites**
+
+Configure a firewall rule that opens outgoing traffic from the sensor to the scanned subnet by using UDP port 135 and all TCP ports above 1024.
+
+## Perform an automatic scan
+
+This section describes how to perform an automatic scan
+
+**To perform an automatic scan:**
+
+1. On the side menu, select **System Settings**.
+
+2. Select **Windows Endpoint Monitoring** :::image type="icon" source="media/how-to-control-what-traffic-is-monitored/windows-endpoint-monitoring-icon-v2.png" border="false":::.
+
+ :::image type="content" source="media/how-to-control-what-traffic-is-monitored/windows-endpoint-monitoring-screen-v2.png" alt-text="Screenshot that shows the selection of Windows Endpoint Monitoring.":::
+
+3. On the **Scan Schedule** pane, configure options as follows:
+
+ - **By fixed intervals (in hours)**: Set the scan schedule according to intervals in hours.
+
+ - **By specific times**: Set the scan schedule according to specific times and select **Save Scan**.
+
+ :::image type="content" source="media/how-to-control-what-traffic-is-monitored/schedule-a-scan-screen-v2.png" alt-text="Screenshot that shows the Save Scan button.":::
+
+4. To define the scan range, select **Set scan ranges**.
+
+5. Set the IP address range and add your user and password.
+
+ :::image type="content" source="media/how-to-control-what-traffic-is-monitored/edit-scan-range-screen.png" alt-text="Screenshot that shows adding a user and password.":::
+
+6. To exclude an IP range from a scan, select **Disable** next to the range.
+
+7. To remove a range, select :::image type="icon" source="media/how-to-control-what-traffic-is-monitored/remove-scan-icon.png" border="false"::: next to the range.
+
+8. Select **Save**. The **Edit Scan Ranges Configuration** dialog box closes, and the number of ranges appears in the **Scan Ranges** pane.
+
+## Perform a manual scan
+
+**To perform a manual scan:**
+
+1. On the side menu, select **System Settings**.
+
+2. Select **Windows Endpoint Monitoring** :::image type="icon" source="media/how-to-control-what-traffic-is-monitored/windows-endpoint-monitoring-icon-v2.png" border="false":::.
+
+ :::image type="content" source="media/how-to-control-what-traffic-is-monitored/windows-endpoint-monitoring-screen-v2.png" alt-text="Screenshot that shows the Windows Endpoint Monitoring setup screen.":::
+
+3. In the **Actions** pane, select **Start scan**. A status bar appears on the **Actions** pane and shows the progress of the scanning process.
+
+ :::image type="content" source="media/how-to-control-what-traffic-is-monitored/started-scan-screen-v2.png" alt-text="Screenshot that shows the Start scan button.":::
+
+## View scan results
+
+**To view scan results:**
+
+1. When the scan is finished, on the **Actions** pane, select **View Scan Results**. The CSV file with the scan results is downloaded to your computer.
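Review bot: the intro paragraph calls WMI "Microsoft's standard scripting language for managing Windows systems", which is inaccurate; WMI is a management infrastructure and API that is queried from scripting hosts such as PowerShell, so reword to something like "the Windows Management Instrumentation (WMI), Microsoft's infrastructure for managing Windows systems". Please also verify the firewall requirement, which appears twice (in the note and again under **Prerequisites**): WMI runs over DCOM/RPC, which uses TCP port 135 for the endpoint mapper plus dynamic high TCP ports, so "UDP port 135" looks wrong, and the duplicated sentence should live in one place. Since step 5 of the automatic scan asks for a user and password for the scanned range and the note recommends administrator privileges, readers would benefit from a sentence recommending a dedicated account with the least privilege needed for the WMI queries and from a statement of how the sensor stores these credentials. Minor: "This section describes how to perform an automatic scan" lacks a period, and "The scan of the last log only is kept in the system" reads better as "Only the log of the last scan is kept in the system".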
defender-for-iot How To Configure With Sentinel https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/organizations/how-to-configure-with-sentinel.md
+
+ Title: Configure Azure Sentinel with Defender for IoT for organizations
+description: Explains how to configure Azure Sentinel to receive data from your Defender for IoT solution.
Last updated : 06/14/2021
+# Connect your data from Defender for IoT for organizations to Azure Sentinel
+
+Use the Defender for IoT connector to stream all your Defender for IoT events into Azure Sentinel.
+
+This integration enables organizations to quickly detect multistage attacks that often cross IT and OT boundaries. Additionally, Defender for IoTΓÇÖs integration with Azure Sentinel's security orchestration, automation, and response (SOAR) capabilities enables automated response and prevention using built-in OT-optimized playbooks.
+
+## Prerequisites
+
+- **Read** and **Write** permissions on the Workspace onto which Azure Sentinel is deployed
+- **Defender for IoT** must be **enabled** on your relevant IoT Hub(s)
+- You must have **Contributor** permissions on the **Subscription** you want to connect
+
+## Connect to Defender for IoT
+
+1. In Azure Sentinel, select **Data connectors** and then select the **Defender for IoT** (may still be called Azure Security Center for IoT) from the gallery.
+
+1. From the bottom of the right pane, click **Open connector page**.
+
+1. Click **Connect**, next to each IoT Hub subscription whose alerts and device alerts you want to stream into Azure Sentinel.
+ - You will receive an error message if Defender for IoT is not enabled on at least one IoT Hub within a subscription. Enable Defender for IoT within the IoT Hub to remove the error.
+
+1. You can decide whether you want the alerts from Defender for IoT to automatically generate incidents in Azure Sentinel. Under **Create incidents**, select **Enable** to enable the default analytics rule to automatically create incidents from the generated alerts. This rule can be changed or edited under **Analytics** > **Active rules**.
+
+> [!NOTE]
+> It can take 10 seconds or more for the **Subscription** list to refresh after making connection changes.
+
+## Log Analytics alert view
+
+To use the relevant schema in Log Analytics to display the Defender for IoT alerts:
+
+1. Open **Logs** > **SecurityInsights** > **SecurityAlert**, or search for **SecurityAlert**.
+
+1. Filter to see only Defender for IoT generated alerts using the following kql filter:
+
+```kusto
+SecurityAlert | where ProductName == "Azure Security Center for IoT"
+```
+
+### Service notes
+
+After connecting a **Subscription**, the hub data is available in Azure Sentinel approximately 15 minutes later.
+
+## Next steps
+
+In this document, you learned how to connect Defender for IoT to Azure Sentinel. To learn more about threat detection and security data access, see the following articles:
+
+- Learn how to use Azure Sentinel to [Quickstart: Get started with Azure Sentinel](../../sentinel/quickstart-get-visibility.md).
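Review bot: `Defender for IoTΓÇÖs` in the integration paragraph is a mis-encoded apostrophe (UTF-8 bytes rendered as code page 437) and should read `Defender for IoT's`. The step 1 parenthetical "(may still be called Azure Security Center for IoT)" and the query's `ProductName == "Azure Security Center for IoT"` should be reconciled with the article's own naming, for example by stating that the `ProductName` value still carries the old product name so readers do not "fix" the filter. Minor: "kql filter" should be "KQL filter", and the **Next steps** bullet "Learn how to use Azure Sentinel to [Quickstart: Get started with Azure Sentinel]" reads awkwardly; "See [Quickstart: Get started with Azure Sentinel](...)" is enough.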
defender-for-iot How To Control What Traffic Is Monitored https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/organizations/how-to-control-what-traffic-is-monitored.md
+
+ Title: Control what traffic is monitored
+description: Sensors automatically perform deep packet detection for IT and OT traffic and resolve information about network devices, such as device attributes and network behavior. Several tools are available to control the type of traffic that each sensor detects.
Last updated : 12/07/2020
+# Control what traffic is monitored
+
+Sensors automatically perform deep packet detection for IT and OT traffic and resolve information about network devices, such as device attributes and behavior. Several tools are available to control the type of traffic that each sensor detects.
+
+## Learning and Smart IT Learning modes
+
+The Learning mode instructs your sensor to learn your network's usual activity. Examples are devices discovered in your network, protocols detected in the network, file transfers between specific devices, and more. This activity becomes your network baseline.
+
+The Learning mode is automatically enabled after installation and will remain enabled until turned off. The approximate learning mode period is between two to six weeks, depending on the network size and complexity. After this period, when the learning mode is disabled, any new activity detected will trigger alerts. Alerts are triggered when the policy engine discovers deviations from your learned baseline.
+
+After the learning period is complete and the Learning mode is disabled, the sensor might detect an unusually high level of baseline changes that are the result of normal IT activity, such as DNS and HTTP requests. The activity is called nondeterministic IT behavior. The behavior might also trigger unnecessary policy violation alerts and system notifications. To reduce the amount of these alerts and notifications, you can enable the **Smart IT Learning** function.
+
+When Smart IT Learning is enabled, the sensor tracks network traffic that generates nondeterministic IT behavior based on specific alert scenarios.
+
+The sensor monitors this traffic for seven days. If it detects the same nondeterministic IT traffic within the seven days, it continues to monitor the traffic for another seven days. When the traffic is not detected for a full seven days, Smart IT Learning is disabled for that scenario. New traffic detected for that scenario will only then generate alerts and notifications.
+
+Working with Smart IT Learning helps you reduce the number of unnecessary alerts and notifications caused by noisy IT scenarios.
+
+If your sensor is controlled by the on-premises management console, you can't disable the learning modes. In cases like this, the learning mode can only be disabled from the management console.
+
+The learning capabilities (Learning and Smart IT Learning) are enabled by default.
+
+To enable or disable learning:
+
+- Select **System Settings** and toggle the **Learning** and **Smart IT Learning** options.
++
+## Configure subnets
+
+Subnet configurations affect how you see devices in the device map.
+
+By default, the sensor discovers your subnet setup and populates the **Subnet Configuration** dialog box with this information.
+
+To enable focus on the OT devices, IT devices are automatically aggregated by subnet in the device map. Each subnet is presented as a single entity on the map, including an interactive collapsing/expanding capability to "drill down" into an IT subnet and back.
+
+When you're working with subnets, select the ICS subnets to identify the OT subnets. You can then focus the map view on OT and ICS networks and collapse to a minimum the presentation of IT network elements. This effort reduces the total number of the devices shown on the map and provides a clear picture of the OT and ICS network elements.
++
+You can change the configuration or change the subnet information manually by exporting the discovered data, changing it manually, and then importing back the list of subnets that you manually defined. For more information about export and import, see [Import device information](how-to-import-device-information.md).
+
+In some cases, such as environments that use public ranges as internal ranges, you can instruct the sensor to resolve all subnets as internal subnets by selecting the **Do Not Detect Internet Activity** option. When you select that option:
+
+- Public IP addresses will be treated as local addresses.
+
+- No alerts will be sent about unauthorized internet activity, which reduces notifications and alerts received on external addresses.
+
+To configure subnets:
+
+1. On the side menu, select **System Settings**.
+
+2. In the **System Setting** window, select **Subnets**.
+
+ :::image type="content" source="media/how-to-control-what-traffic-is-monitored/edit-subnets-configuration-screen.png" alt-text="Screenshot that shows the subnet configuration screen.":::
+
+3. To add subnets automatically when new devices are discovered, keep **Auto Subnets Learning** selected.
+
+4. To resolve all subnets as internal subnets, select **Don't Detect Internet Activity**.
+
+5. Select **Add network** and define the following parameters for each subnet:
+
+ - The subnet IP address.
+ - The subnet mask address.
+ - The subnet name. We recommend that you name each subnet with a meaningful name that you can easily identify, so you can differentiate between IT and OT networks. The name can be up to 60 characters.
+
+6. To mark this subnet as an OT subnet, select **ICS Subnet**.
+
+7. To present the subnet separately when you're arranging the map according to the Purdue level, select **Segregated**.
+
+8. To delete a subnet, select :::image type="icon" source="media/how-to-control-what-traffic-is-monitored/delete-icon.png" border="false":::.
+
+9. To delete all subnets, select **Clear All**.
+
+10. To export configured subnets, select **Export**. The subnet table is downloaded to your workstation.
+
+11. Select **Save**.
+
+### Importing information
+
+To import subnet information, select **Import** and select a CSV file to import. The subnet information is updated with the information that you imported. If you important an empty field, you'll lose your data.
+
+## Detection engines
+
+Self-learning analytics engines eliminate the need for updating signatures or defining rules. The engines use ICS-specific behavioral analytics and data science to continuously analyze OT network traffic for anomalies, malware, operational problems, protocol violations, and baseline network activity deviations.
+
+> [!NOTE]
+> We recommend that you enable all the security engines.
+
+When an engine detects a deviation, an alert is triggered. You can view and manage alerts from the alert screen or from a partner system.
++
+The name of the engine that triggered the alert appears under the alert title.
+
+### Protocol violation engine
+
+A protocol violation occurs when the packet structure or field values don't comply with the protocol specification.
+
+Example scenario:
+*"Illegal MODBUS Operation (Function Code Zero)"* alert. This alert indicates that a primary device sent a request with function code 0 to a secondary device. This action is not allowed according to the protocol specification, and the secondary device might not handle the input correctly.
+
+### Policy violation engine
+
+A policy violation occurs with a deviation from baseline behavior defined in learned or configured settings.
+
+Example scenario:
+*"Unauthorized HTTP User Agent"* alert. This alert indicates that an application that was not learned or approved by policy is used as an HTTP client on a device. This might be a new web browser or application on that device.
+
+### Malware engine
+
+The Malware engine detects malicious network activity.
+
+Example scenario:
+*"Suspicion of Malicious Activity (Stuxnet)"* alert. This alert indicates that the sensor detected suspicious network activity known to be related to the Stuxnet malware. This malware is an advanced persistent threat aimed at industrial control and SCADA networks.
+
+### Anomaly engine
+
+The Anomaly engine detects anomalies in network behavior.
+
+Example scenario:
+*"Periodic Behavior in Communication Channel"* alert. The component inspects network connections and finds periodic and cyclic behavior of data transmission. This behavior is common in industrial networks.
+
+### Operational engine
+
+The Operational engine detects operational incidents or malfunctioning entities.
+
+Example scenario:
+*"Device is Suspected to be Disconnected (Unresponsive)"* alert. This alert is raised when a device is not responding to any kind of request for a predefined period. This alert might indicate a device shutdown, disconnection, or malfunction.
+
+### Enable and disable engines
+
+When you disable a policy engine, information that the engine generates won't be available to the sensor. For example, if you disable the Anomaly engine, you won't receive alerts on network anomalies. If you created a forwarding rule, anomalies that the engine learns won't be sent. To enable or disable a policy engine, select **Enabled** or **Disabled** for the specific engine.
+
+The overall score is displayed in the lower-right corner of the **System Settings** screen. The score indicates the percentage of available protection enabled through the threat protection engines. Each engine is 20 percent of available protection.
++
+## Configure DHCP address ranges
+
+Your network might consist of both static and dynamic IP addresses. Typically, static addresses are found on OT networks through historians, controllers, and network infrastructure devices such as switches and routers. Dynamic IP allocation is typically implemented on guest networks with laptops, PCs, smartphones, and other portable equipment (using Wi-Fi or LAN physical connections in different locations).
+
+If you're working with dynamic networks, you handle IP address changes that occur when new IP addresses are assigned. You do this by defining DHCP address ranges.
+
+Changes might happen, for example, when a DHCP server assigns IP addresses.
+
+Defining dynamic IP addresses on each sensor enables comprehensive, transparent support in instances of IP address changes. This ensures comprehensive reporting for each unique device.
+
+The sensor console presents the most current IP address associated with the device and indicates which devices are dynamic. For example:
+
+- The Data Mining report and Device Inventory report consolidate all activity learned from the device as one entity, regardless of the IP address changes. These reports indicate which addresses were defined as DHCP addresses.
+
+ :::image type="content" source="media/how-to-control-what-traffic-is-monitored/populated-device-inventory-screen-v2.png" alt-text="Screenshot that shows device inventory.":::
+
+- The **Device Properties** window indicates if the device was defined as a DHCP device.
+
+To set a DHCP address range:
+
+1. On the side menu, select **DHCP Ranges** from the **System Settings** window.
+
+ :::image type="content" source="media/how-to-control-what-traffic-is-monitored/dhcp-address-range-screen.png" alt-text="Screenshot that shows the selection of DHCP Ranges.":::
+
+2. Define a new range by setting **From** and **To** values.
+
+3. Optionally: Define the range name, up to 256 characters.
+
+4. To export the ranges to a CSV file, select **Export**.
+
+5. To manually add multiple ranges from a CSV file, select **Import** and then select the file.
+
+ > [!NOTE]
+ > The ranges that you import from a CSV file overwrite the existing range settings.
+
+6. Select **Save**.
+
+## Configure DNS servers for reverse lookup resolution
+
+To enhance device enrichment, you can configure multiple DNS servers to carryout reverse lookups. You can resolve host names or FQDNs associated with the IP addresses detected in network subnets. For example, if a sensor discovers an IP address, it might query multiple DNS servers to resolve the host name.
+
+All CIDR formats are supported.
+
+The host name appears in the device inventory, and device map,
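Review bot: under **Importing information**, "If you important an empty field, you'll lose your data" should be "If you import an empty field", and "carryout reverse lookups" under **Configure DNS servers for reverse lookup resolution** should be "carry out reverse lookups". The Learning-modes paragraph contradicts itself: "you can't disable the learning modes. In cases like this, the learning mode can only be disabled from the management console" should say that you can't disable them from the sensor and that they can be disabled only from the on-premises management console. The option name is spelled **Do Not Detect Internet Activity** in the explanation and **Don't Detect Internet Activity** in step 4; use one spelling. The bare `+` lines after "Select **System Settings** and toggle the **Learning** and **Smart IT Learning** options", after "...a clear picture of the OT and ICS network elements", after "...or from a partner system" and after "Each engine is 20 percent of available protection" look like empty leftovers (possibly where an image block was removed); either restore the content or drop them.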