Receiving AWS SNS email notification even though device behaviour is normal

Hi,
I have created an IoT role and an SNS topic on the AWS IoT console and activated an email subscription for SNS notifications. I have configured the below security profile for Device Defender Cloud-Side metrics.

I am receiving SNS email notifications from AWS, even though the device sends fewer than 5 messages in 5 minutes. Below is the email received for any number (<5, >5, =5) of messages sent from the device.

How can I configure SNS in such a way that I receive email notifications only when the device violates the predefined behaviour of the security profile created on the AWS IoT console?

If you look at the message, it says metric count value is 7. When you say only one message is sent, are you counting all the messages like CONNECT, SUBSCRIBE, PING etc?

No. I didn’t count CONNECT, SUBSCRIBE. Do we need to consider these also? Till now I have been counting only publish messages from the device to AWS IoT Core.

I think you need to count these too. Per definition here, these are the number of messages sent by a device.

OK, thanks for the inputs. I will verify this.

Hi,
In the below AWS SNS email notification received, I have set my device metric to 1, as in the below screenshot, for the established TCP connections count, but I am still receiving notifications even though my device has only one TCP connection established.

This is a device-side metric - Device-side metrics - AWS IoT Core

Is your device sending this metric periodically? Here is an example of sending metrics from device - aws-iot-device-sdk-embedded-C/demos/defender/defender_demo_json at main · aws/aws-iot-device-sdk-embedded-C · GitHub

Yes, this is a device-side metric. The device is sending the networking metric only once.
I am running the below Device Defender FreeRTOS demo application.

amazon-freertos/demos/device_defender_for_aws at main · aws/amazon-freertos · GitHub

That is the problem. What you are seeing is a Missing Datapoint alarm because you stopped sending this metric. You need to ensure that the networking metrics are sent periodically, forever.

Thank you, but I am receiving this notification within 2 minutes after the device sends the networking metrics to AWS IoT Core.

Can you try after changing the code to send metrics forever?

Thanks for the reply. I have updated my security profile; it's working fine now.

Hi,
I have created my defender security profile as below.

I am receiving SNS email notifications when my device sends more than 7 messages and also when it sends fewer, which I didn’t want. As per my understanding, I should receive an email notification only when my device violates the metric behaviour defined in the security profile. Below are screenshots of the emails I received in both cases.
When the device sends 9 messages:

When the device sends 3 messages:

The following is from this page:

With Rules Detect behaviors, you define how your devices should behave

To be clearer, the behavior that you describe in a security profile specifies the condition that, when met by a device (thing), will cause an alert. So in your case, a number of messages >= 7 is normal behavior and a number of messages < 7 is a violation.

Now, if you look at the notifications that you get -

  1. The first notification is `alarm-cleared` (look at violationEventType), which tells you that the metric was in violation before and is not in violation anymore. This probably means that the device sent <7 messages before, causing the metric to go into the alarm state, and later the device sent 9 messages, which brought the metric out of alarm.
  2. The second notification is `in-alarm`, which tells you that the metric is in violation. This is true because 3 is less than 7 and is therefore a violation of the specified behaviour.

Thanks.

Thanks for the reply. I understand the notification now.

Hi,
Can I add a subscription policy so that I receive only “violationEventType”:“in-alarm” email notifications?

I am not sure that can be done. Why do you want to do that? Those notifications do provide you valuable information when you are investigating an issue - they tell you that you have fixed an issue.
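The two points the thread turns on, that a behavior's criterion describes the violating condition rather than the normal one (so `less-than 7` alarms when the count drops below 7), and that `violationEventType` distinguishes `in-alarm` from `alarm-cleared`, can be checked mechanically on the notification payload. The script below is an added example written for this page; it is not code from the thread, from AWS, or from the FreeRTOS demo. The field names (`violationEventType`, `behavior.criteria.comparisonOperator`, `behavior.criteria.value.count`, `metricValue.count`) follow the shape of the Device Defender notifications quoted above and are an assumption; thing names, timestamps and counts are constructed. The `in_alarm_only` function shows the subscriber-side filtering the last question asks about, as something a consumer of the topic (for example a Lambda function subscribed to it) could do; it makes no claim about what SNS subscription policies themselves support. The third sample, with no `metricValue`, stands in for the missing-datapoint alarm discussed earlier in the thread; that format is also assumed.

```python
import json

# Constructed sample notifications. Field names follow the shape of the
# Device Defender violation notifications quoted in the thread (assumed);
# thing names, timestamps and counts are made up for this example.
SAMPLE_NOTIFICATIONS = [
    json.dumps({
        "violationEventTime": 1700000000000,
        "thingName": "example-device",
        "securityProfileName": "example-profile",
        "behavior": {
            "name": "messages-sent",
            "metric": "aws:num-messages-sent",
            "criteria": {"comparisonOperator": "less-than",
                         "value": {"count": 7}, "durationSeconds": 300},
        },
        "metricValue": {"count": 9},          # 9 >= 7: normal, so the alarm clears
        "violationEventType": "alarm-cleared",
    }),
    json.dumps({
        "violationEventTime": 1700000300000,
        "thingName": "example-device",
        "securityProfileName": "example-profile",
        "behavior": {
            "name": "messages-sent",
            "metric": "aws:num-messages-sent",
            "criteria": {"comparisonOperator": "less-than",
                         "value": {"count": 7}, "durationSeconds": 300},
        },
        "metricValue": {"count": 3},          # 3 < 7: the criterion is met, in alarm
        "violationEventType": "in-alarm",
    }),
    json.dumps({
        "violationEventTime": 1700000600000,
        "thingName": "example-device",
        "securityProfileName": "example-profile",
        "behavior": {
            "name": "tcp-connections",
            "metric": "aws:num-established-tcp-connections",
            "criteria": {"comparisonOperator": "greater-than",
                         "value": {"count": 1}},
        },
        # No metricValue: constructed to stand in for a missing-datapoint
        # alarm (the device stopped reporting the metric). Format assumed.
        "violationEventType": "in-alarm",
    }),
]

# Numeric comparison operators of a behavior criterion. The set-based
# operators (in-cidr-set, in-port-set, ...) are left out of this example.
COMPARISONS = {
    "less-than": lambda observed, threshold: observed < threshold,
    "less-than-equals": lambda observed, threshold: observed <= threshold,
    "greater-than": lambda observed, threshold: observed > threshold,
    "greater-than-equals": lambda observed, threshold: observed >= threshold,
}


def violates(comparison_operator, threshold, observed):
    """True when the observed count meets the criterion, i.e. is a violation.

    The criterion describes the violating condition, not the normal one:
    'less-than 7' means any count below 7 is a violation.
    """
    return COMPARISONS[comparison_operator](observed, threshold)


def classify(notification_json):
    """Summarise one notification and cross-check its event type against the criterion."""
    msg = json.loads(notification_json)
    criteria = msg["behavior"]["criteria"]
    threshold = criteria["value"]["count"]
    metric_value = msg.get("metricValue", {}).get("count")
    event_type = msg["violationEventType"]
    if metric_value is None:
        # No datapoint in the message, so the alarm was not raised by a value
        # comparison (the thread's missing-datapoint case): nothing to cross-check.
        consistent = None
    else:
        expected_in_alarm = violates(criteria["comparisonOperator"], threshold, metric_value)
        consistent = expected_in_alarm == (event_type == "in-alarm")
    return {
        "thing": msg["thingName"],
        "behavior": msg["behavior"]["name"],
        "eventType": event_type,
        "metricValue": metric_value,
        "threshold": threshold,
        "consistent": consistent,
    }


def in_alarm_only(notifications):
    """Keep only in-alarm events: a subscriber-side filter, not an SNS feature."""
    return [classify(n) for n in notifications
            if json.loads(n)["violationEventType"] == "in-alarm"]


if __name__ == "__main__":
    for summary in (classify(n) for n in SAMPLE_NOTIFICATIONS):
        print(summary)
    print("in-alarm only:", [s["behavior"] for s in in_alarm_only(SAMPLE_NOTIFICATIONS)])
```

Running it prints one summary per sample; the first two come out `consistent: True` (the event type agrees with the criterion applied to the reported count), and the third comes out `consistent: None` because it carries no datapoint to compare. Dropping `alarm-cleared` events, as `in_alarm_only` does, also drops the evidence that a violation has ended, which is the reason the answer above gives for keeping them.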