
Azure IoT Custom Security Alerts

I love that IoT Hub makes it easy to add custom alerts. You can also manage these alerts for groups of devices, instead of attempting to create them one at a time. These alerts allow you to build specific rules for these groups of devices that best fit the use case of the device.

The following is the recommended method for setting these up in the portal. I’m still searching for a way to do this with Azure CLI, but when I find it I’ll post an update.

Because you as the developer will know your devices best and understand what sort of alerts you need to create for your device parameters, Azure Security Center provides a way for you to develop device behavior policies and alerts.

What are security groups?

Security groups are a logical way to maintain devices by tags. You choose how those devices are categorized. It could be by hardware type, region, or whatever best fits your particular domain needs.

Group membership is recorded in the device twin under the tags property “SecurityGroup”, which starts out with the value “Default”.

After creating a group, you can assign custom alerts.

How do you customize an alert?

  1. On your IoT Hub Security section, open the Settings
  2. Click custom alerts
  3. If you haven’t, create a device security group
  4. Click on the new security group
  5. Click Create custom alert rule
  6. Select a rule from the list

You can find a list of customizable security alerts here:

Customizable security alerts – Azure Security Center for IoT

Set your parameters for the rule.

For example, I selected the custom alert for “Login by a local user that isn’t allowed,” and added an email for paul@raspberrypitestdevice.com.

Save the new rule. Continue this process for each group and each rule.
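To make the two ideas above concrete (security groups as a device-twin tag, and custom alert rules that apply per group), here is an added Python model of that evaluation. It is illustrative code written for this post, not Azure Security Center for IoT’s engine or the Azure SDK: the rule names `local_login` and `mqtt_rate`, the event fields, the device twins and the events are all constructed here. It reads the `SecurityGroup` tag from each twin (falling back to `Default`), then applies a group’s “login by a local user that isn’t allowed” rule and a “too many MQTT messages within a timespan” rule only to devices in that group.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

DEFAULT_GROUP = "Default"  # value the SecurityGroup tag carries out of the box


def security_group(twin):
    """Return the SecurityGroup tag from a device twin document (Default if untagged)."""
    return twin.get("tags", {}).get("SecurityGroup", DEFAULT_GROUP)


def device_group_map(twins):
    """Map every deviceId to its security group, the lookup a group-scoped rule needs."""
    return {twin["deviceId"]: security_group(twin) for twin in twins}


def evaluate_rules(events, rules_by_group, device_groups):
    """Apply each group's custom rules to the events of that group's devices.

    Rule kinds (hypothetical names for this model, not Azure's):
      local_login: {"allowed": [users], "email": ...}  -> alert on a login by any other local user
      mqtt_rate:   {"max_messages": n, "window_seconds": s, "email": ...}
                   -> alert when more than n MQTT messages arrive within s seconds
    """
    alerts = []
    recent = defaultdict(deque)  # deviceId -> timestamps of MQTT messages inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        group = device_groups.get(ev["deviceId"], DEFAULT_GROUP)
        rules = rules_by_group.get(group, {})  # a group with no rules raises nothing
        if ev["kind"] == "login" and "local_login" in rules:
            rule = rules["local_login"]
            if ev["user"] not in rule["allowed"]:
                alerts.append({"rule": "local_login", "group": group,
                               "deviceId": ev["deviceId"], "user": ev["user"],
                               "time": ev["time"], "notify": rule["email"]})
        elif ev["kind"] == "mqtt" and "mqtt_rate" in rules:
            rule = rules["mqtt_rate"]
            window = recent[ev["deviceId"]]
            window.append(ev["time"])
            cutoff = ev["time"] - timedelta(seconds=rule["window_seconds"])
            while window and window[0] < cutoff:  # drop messages older than the window
                window.popleft()
            if len(window) > rule["max_messages"]:
                alerts.append({"rule": "mqtt_rate", "group": group,
                               "deviceId": ev["deviceId"], "count": len(window),
                               "time": ev["time"], "notify": rule["email"]})
                window.clear()  # one alert per burst, then start counting again
    return alerts


# Constructed sample data: three device twins, one group's rule set, a handful of events.
T0 = datetime(2021, 1, 1, 12, 0, 0)
SAMPLE_TWINS = [
    {"deviceId": "pi-01", "tags": {"SecurityGroup": "RaspberryPi"}},
    {"deviceId": "pi-02", "tags": {"SecurityGroup": "RaspberryPi"}},
    {"deviceId": "gw-01", "tags": {}},  # never tagged: falls into Default
]
SAMPLE_RULES = {
    "RaspberryPi": {
        "local_login": {"allowed": ["pi"], "email": "paul@raspberrypitestdevice.com"},
        "mqtt_rate": {"max_messages": 5, "window_seconds": 60,
                      "email": "paul@raspberrypitestdevice.com"},
    },
}
SAMPLE_EVENTS = [
    {"deviceId": "pi-01", "kind": "login", "user": "pi", "time": T0},
    {"deviceId": "pi-01", "kind": "login", "user": "root", "time": T0 + timedelta(seconds=5)},
    {"deviceId": "gw-01", "kind": "login", "user": "root", "time": T0 + timedelta(seconds=6)},
] + [{"deviceId": "pi-02", "kind": "mqtt", "time": T0 + timedelta(seconds=i)} for i in range(8)]


def run_example():
    """Evaluate the sample rules over the sample events and return the alerts raised."""
    return evaluate_rules(SAMPLE_EVENTS, SAMPLE_RULES, device_group_map(SAMPLE_TWINS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Running it raises two alerts: the `root` login on `pi-01` (not on the RaspberryPi group’s allow list) and the burst of MQTT messages from `pi-02`. The same `root` login on the untagged `gw-01` raises nothing, because it sits in the Default group, which has no rules: this is the point of assigning rules per group rather than per device.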

4 thoughts on “Azure IoT Custom Security Alerts”

  1. Hi Shawn. Can you actually get this to work – I’m trying to get this set up in IoT Hub at the moment but the alerts never get triggered. Is there a secret magic step that you’re not telling us?

    1. Hmm, it’s been a while, but I did get this working in a lab. I do remember that it could take up to 15 or 20 minutes for the message to come through. I assume you’re getting telemetry data?

    2. James, I’ve fired up a new hub and pointed a device to it. I’ve created a very basic “MQTT too many messages within a timespan” rule. I’ll let it run for a while and report my results. If it works, I’ll send you all my system details.

    3. I let it run for a while throwing lots of messages at it. It should have triggered the rule. I’ll try to dig in deeper to see if I can find an answer.
