Techniques are provided to automatically generate and apply policy rules for IoT devices. Historical data associated with IoT behaviors is obtained, where the historical data describes the file systems and behavior trends for multiple different IoT devices. Groups of the IoT devices are generated by grouping together devices identified as being common with one another based on similarities between their identified behaviors. Policies are then automatically generated for each group, corresponding to the detected behavior trends. Each policy determines how to subsequently monitor any device categorized as belonging to that policy's group and also how to respond when a device is operating abnormally. After a device is characterized as belonging to a group, that device is monitored to determine whether it conforms with the group's policy. Optionally, mitigation operations may be performed when the device is non-conforming.