Description:

Microsoft Defender for IoT provides advanced security protection for Azure IoT Hub resources. It detects unauthorized device access, anomalous device-to-cloud or cloud-to-device activity, malicious traffic patterns, exploitation attempts, misconfigurations, and insecure IoT behaviors. This check verifies that Defender for IoT is enabled for the IoT Hub and surfaced in Microsoft Defender for Cloud, so that the IoT environment receives continuous monitoring, threat detection, and behavior analysis.


Rationale:

This rule verifies whether Microsoft Defender for IoT Hub is enabled in Defender for Cloud under Environment Settings for IoT Hub. If the feature is disabled, the IoT deployment operates without threat detection, anomaly monitoring, behavioral analytics, incident reporting, or security recommendations. IoT devices are frequent targets for lateral movement, botnet recruitment, device spoofing, and unauthorized access, and an unmonitored hub gives no visibility into any of them. Enabling Defender for IoT Hub is therefore essential for securing cloud-managed IoT applications.


Impact:

  • Provides advanced threat detection for IoT Hub

  • Protects against suspicious device operations and attacks

  • Improves alignment with CIS, NIST, and Azure Security Benchmark

  • Enhances IoT security posture and alerting

  • Centralizes IoT security monitoring in Defender for Cloud


Default Value:

Microsoft Defender for IoT Hub is off by default and does not provide any threat detection, analytics, or monitoring unless manually enabled.


Pre-Requisites:

  • Defender for Cloud must be enabled on the subscription, and an Azure IoT Hub must exist.

  • The user must have permissions to manage IoT Hub resources and, if applicable, Defender plan settings.


Test Plan:

  1. Sign in to the Azure Portal https://portal.azure.com 

  2. Search for and open IoT Hub

  3. Select the relevant IoT Hub

  4. Expand Defender for IoT in the left menu

  5. Open Overview

  6. Check whether the Secure your IoT solution button is displayed

  7. If the button is not displayed and security insights and threat detection data are shown, Microsoft Defender for IoT is already enabled for this hub

  8. If the Secure your IoT solution button is displayed, Defender for IoT is not enabled; follow the implementation steps
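The portal steps above are a manual, per-hub check. The following is an added example, not part of the original rule text, that performs the same assessment across a subscription from the command line: it compares the IoT Hubs in the subscription with the Defender for IoT security solutions that cover them and lists every hub with no Enabled solution (the hubs that would still show the Secure your IoT solution button). It assumes, as stated nowhere on this page, that the inputs are the JSON produced by `az iot hub list -o json` and `az security iot-solution list -o json`, and that each solution object carries `iotHubs` (hub resource IDs) and `status` ("Enabled" or "Disabled") as in the Microsoft.Security/iotSecuritySolutions resource model; verify both field names against your CLI version. All sample data is constructed.

```python
"""Added example (not from the original page): offline, testable equivalent of
the Test Plan. Assumed inputs: `az iot hub list -o json` and
`az security iot-solution list -o json`; assumed solution fields: `iotHubs`,
`status`. Sample data below is constructed for illustration only."""
import json
import sys

SUB = "00000000-0000-0000-0000-000000000000"  # constructed subscription id


def hub_id(rg: str, name: str) -> str:
    """Build an IoT Hub ARM resource ID (constructed helper)."""
    return (f"/subscriptions/{SUB}/resourceGroups/{rg}"
            f"/providers/Microsoft.Devices/IotHubs/{name}")


# Constructed sample of `az iot hub list -o json`, trimmed to the fields used.
SAMPLE_HUBS = json.dumps([
    {"name": "hub-prod", "id": hub_id("rg-iot", "hub-prod")},
    {"name": "hub-staging", "id": hub_id("rg-iot", "hub-staging")},
    {"name": "hub-dev", "id": hub_id("rg-dev", "hub-dev")},
])

# Constructed sample of `az security iot-solution list -o json`. hub-prod's ID
# is deliberately given in different casing: ARM resource IDs are
# case-insensitive and tooling does not normalise them, so the check must not
# compare raw strings. The staging solution exists but is Disabled.
SAMPLE_SOLUTIONS = json.dumps([
    {"name": "prod-solution", "status": "Enabled",
     "iotHubs": [hub_id("rg-iot", "hub-prod").upper()]},
    {"name": "staging-solution", "status": "Disabled",
     "iotHubs": [hub_id("rg-iot", "hub-staging")]},
])


def protected_hub_ids(solutions_json: str) -> set:
    """Return the lower-cased IDs of hubs attached to an Enabled solution."""
    covered = set()
    for sol in json.loads(solutions_json):
        if str(sol.get("status", "")).lower() != "enabled":
            continue  # a Disabled solution provides no monitoring
        for rid in sol.get("iotHubs") or []:
            covered.add(rid.lower())
    return covered


def unprotected_hubs(hubs_json: str, solutions_json: str) -> list:
    """Names of hubs with no Enabled Defender for IoT solution, sorted."""
    covered = protected_hub_ids(solutions_json)
    return sorted(h["name"] for h in json.loads(hubs_json)
                  if h["id"].lower() not in covered)


def assess(hubs_json: str, solutions_json: str) -> dict:
    """Summarise the finding in the pass/fail shape a compliance scanner wants."""
    missing = unprotected_hubs(hubs_json, solutions_json)
    return {"compliant": not missing, "unprotected": missing}


if __name__ == "__main__":
    # Usage: python3 check_defender_iot.py hubs.json solutions.json
    # With no arguments the constructed samples are evaluated instead.
    if len(sys.argv) == 3:
        hubs, sols = (open(p).read() for p in sys.argv[1:3])
    else:
        hubs, sols = SAMPLE_HUBS, SAMPLE_SOLUTIONS
    print(json.dumps(assess(hubs, sols), indent=2))
```

Run it against real output with `az iot hub list -o json > hubs.json` and `az security iot-solution list -o json > solutions.json`, then `python3 check_defender_iot.py hubs.json solutions.json`. Any hub named under "unprotected" fails this rule and should be onboarded through the implementation steps below; a hub that appears only in a Disabled solution counts as unprotected, since a disabled solution delivers none of the monitoring this rule requires.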


Implementation Steps:

  1. Sign in to the Azure Portal https://portal.azure.com 

  2. Search for and open IoT Hub

  3. Select the relevant IoT Hub

  4. Expand Defender for IoT in the left menu

  5. Open Overview

  6. Select Secure your IoT solution

  7. Complete the onboarding process by granting the required permissions and confirming pricing

  8. Save and finish the setup to enable Microsoft Defender for IoT for this hub


Backout Plan:

  1. Sign in to the Azure Portal https://portal.azure.com 

  2. Search for and open IoT Hub

  3. Select the relevant IoT Hub

  4. Expand Defender for IoT in the left menu

  5. Open Settings

  6. Disable Microsoft Defender for IoT or stop the Defender for IoT service for the IoT Hub

  7. Save the changes


Reference: