Receiving AWS SNS email notification even though device behaviour is normal

sruthiA · January 8, 2023, 5:43pm

Hi,
I have created IoT role, SNS topic on AWS IoT console and activated email subscription for SNS notification. I have configured below security profile for Device Defender Could-Side metrics .

i am receiving SNS email notification from AWS, even though device sends less than 5messages in 5minutes. below is the email received for any number( <5, >5, =5) of messages sent from device.

How can i configure SNS in such way that i receive email notifications only when device violates the predefined behaviour of security profile created on AWS IoT console.

aggarg · January 9, 2023, 4:54am

If you look at the message, it says metric count value is 7. When you say only one message is sent, are you counting all the messages like CONNECT, SUBSCRIBE, PING etc?

sruthiA · January 9, 2023, 5:02am

No. I didn’t count CONNECT, SUBSCRIBE. do we need to consider these also, till now i am considering publish messages from device to AWS IoT Core.

aggarg · January 9, 2023, 5:04am

I think you need to count these too. Per definition here, these are the number of messages sent by a device.

sruthiA · January 9, 2023, 5:06am

ok thanks for the inputs. I will verify this.

sruthiA · January 10, 2023, 3:23am

Hi,
In below AWS SNS email notification received, I have set my device metrics as 1 as in below screenshot for established tcp connections count, but still i am receiving notification even though my device has only one tcp connection established.

aggarg · January 10, 2023, 6:56am

This is a device side metric - Device-side metrics - AWS IoT Core

Is your device sending this metric periodically? Here is an example of sending metrics from device - aws-iot-device-sdk-embedded-C/demos/defender/defender_demo_json at main · aws/aws-iot-device-sdk-embedded-C · GitHub

sruthiA · January 10, 2023, 7:06am

Yes, this is device side metric. Device is sending networking metric only once.
I am running below Device Defender FreeRTOS demo application.

amazon-freertos/demos/device_defender_for_aws at main · aws/amazon-freertos · GitHub

aggarg · January 10, 2023, 7:51am

That is the problem. What you are seeing is Missing Datapoint alarm because you stop sending this metric. You need to ensure that the networking metrics are sent periodically forever.

sruthiA · January 10, 2023, 9:31am

thank you, but i am receiving this notification with in 2minutes after device sends networking metrics to AWS IoT core.

aggarg · January 10, 2023, 11:23am

Can you try after changing the code to send metrics forever?

sruthiA · January 13, 2023, 6:46am

Thanks for reply. I have updated my security profile, its working fine now.

sruthiA · January 22, 2023, 3:44pm

Hi,
I have created my defender security profile as below.

I am receiving SNS email notification, when my sends more than 7messages and less than messages also, which i didn’t want it to be. As per my understanding i should receive email notification only when my device violates defined metrics behaviour in security profile. Below are screenshots of email i received in both cases.
when device sends 9 messages—

when device sends 3 messages —

aggarg · January 23, 2023, 6:55am

The following is from this page:

With Rules Detect behaviors, you define how your devices should behave

To be more clear, the behavior that you describe in security profile, specifies the behavior that, when violated by a device (thing), will cause an alert. So in your case, number of messages >= 7 is normal behavior and number of messages < 7 is violation.

Now, if you look at the notifications that you get -

The first notification is alarm-cleared (look at violationEventType) which tells you that the metric was in violation before and is not in violation anymore. This probably means that the device sent <7 messages before causing the metric to go in alarm state and later the device sent 9 messages, which brought the metric out of alarm.
The second notification is ;in-alarm` which tells you that the metric is in violation. This is true because 3 is less than 7 and is therfore, a violation of the specidifed behaviour.

Thanks.

sruthiA · January 23, 2023, 6:58am

thanks for reply. I understood the notification now.

sruthiA · January 23, 2023, 7:29am

Hi,
Can i add subscription policy so that i can receive only “violationEventType”:“in-alarm” email notifications.

aggarg · January 23, 2023, 9:26am

I am not sure that can be done. Why do you want to do that? Those notifications do provide you valuable information when you are investigating an issue - they tell you that you have fixed an issue.