Solution: IoTOTThreatMonitoringwithDefenderforIoT
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 2.0.2 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2021-10-26 |
| Solution Folder | IoTOTThreatMonitoringwithDefenderforIoT |
| Marketplace | Azure Marketplace · Popularity: 🔵 Medium (78%) |
The Microsoft Defender for IoT solution for Microsoft Sentinel allows you to ingest Security alerts reported in Microsoft Defender for IoT on assessing your Internet of Things (IoT)/Operational Technology (OT) infrastructure.
**Underlying Microsoft Technologies used:**
This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
a. Codeless Connector Platform/Native Microsoft Sentinel Polling
This solution provides 1 data connector(s):
The following 2 table(s) are used internally by this solution's content items:
| Table | Used By Connectors | Used By Content |
|---|---|---|
| SecurityAlert | Microsoft Defender for IoT | Analytics, Playbooks |
| SecurityIncident | - | Workbooks |
This solution includes 24 content item(s) (23 in solution, 1 discovered 🔍):
| Content Type | Total | In Solution | Discovered |
|---|---|---|---|
| Analytic Rules | 15 | 15 | - |
| Playbooks | 8 | 7 | 1 |
| Workbooks | 1 | 1 | - |
| Name | Tables Used |
|---|---|
| IoTOTThreatMonitoringwithDefenderforIoT | Internal use: SecurityIncident |
| Name | Description | Tables Used |
|---|---|---|
| AD4IoT-AutoAlertStatusSync | This playbook updates alert statuses in Defender for IoT whenever a related alert in Microsoft Senti... | Internal use:SecurityAlert (read) |
| AD4IoT-AutoCloseIncidents | In some cases, maintenance activities generate alerts in Microsoft Sentinel which distracts the SOC ... | - |
| AD4IoT-AutoTriageIncident | SOC and OT engineers can stream their workflows using the playbook, which automatically updates the ... | Internal use:SecurityAlert (read) |
| AD4IoT-CVEAutoWorkflow | The playbook automates the SOC workflow by automatically enriching incident comments with the CVEs o... | Internal use:SecurityAlert (read) |
| AD4IoT-MailByProductionLine | The following playbook will send mail to notify specific stake holders. One example can be in the ca... | - |
| AD4IoT-NewAssetServiceNowTicket | Normally, the authorized entity to program a PLC is the Engineering Workstation, to program a PLC at... | - |
| AD4IoT-SendEmailtoIoTOwner | The playbooks automate the SOC workflow by automatically emailing the incident details to the right ... | Internal use:SecurityAlert (read) |
| Get-AD4IoTDeviceCVEs - Incident ⚠️ | For each IoT device entity included in the alert, this playbook will get CVEs from the Azure Defende... | - |
⚠️ Items marked with ⚠️ are not listed in the Solution JSON file. They were discovered by scanning the solution folder and may be legacy items, under development, or excluded from the official solution package.
There has been a long-standing split between ICS/SCADA (OT) and corporate (IT) cybersecurity. This split was often driven by significant differences in technology and tooling. Microsoft Defender for IoT's integration with Microsoft Sentinel drives convergence by providing a single pane of glass covering both Defender for IoT (OT) and Microsoft Sentinel (IT) alerting. This solution includes Workbooks and Analytics rules that provide guided OT detection and analysis.
You can deploy the solution by clicking on the buttons below:

1️⃣ Onboard Microsoft Defender for IoT
2️⃣ Onboard Microsoft Sentinel
3️⃣ Enable the Microsoft Defender for IoT connector to Microsoft Sentinel
4️⃣ View the Workbook: Microsoft Sentinel > Workbooks > My Workbooks > IoT/OT Threat Monitoring with Defender for IoT > View
5️⃣ View the Analytics Rules: Navigate to Microsoft Sentinel > Analytics > Search "IOT"
The OT Threat Monitoring with Defender for IoT Workbook features OT filtering for Security Alerts, Incidents, Vulnerabilities and Asset Inventory. The workbook features a dynamic assessment of the MITRE ATT&CK for ICS matrix across your environment to analyze and respond to OT-based threats. This workbook is designed to enable SecOps Analysts, Security Engineers, and MSSPs to gain situational awareness for IT/OT security posture.
This alert leverages Defender for IoT to detect attacks that would prevent the use or proper operation of a DCS system including Denial of Service events.
This alert leverages Defender for IoT to detect excessive login attempts that may indicate improper service configuration, human error, or malicious activity on the network such as a cyber threat attempting to manipulate the SCADA network.
[Content truncated...]
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.2 | 29-01-2025 | Corrected Entity Mappings structure of Analytic Rules |
| 3.0.1 | 10-01-2025 | Reverted Entity Mappings of Analytic Rules to earlier version |
| 3.0.0 | 30-11-2023 | Added new Entity Mapping to Analytic Rules |