Microsoft Defender for IoT - supported IoT, OT, ICS, and SCADA protocols
This article lists the protocols that are supported by default in Microsoft Defender for IoT. If your organization uses proprietary protocols or other protocols not listed here, use the Defender for IoT Horizon SDK to extend support as needed.
Supported protocols for OT device discovery
OT network sensors can detect the following protocols when identifying assets and devices in your network:
Brand / Vendor | Protocols |
---|---|
ABB | ABB 800xA DCS (IEC61850 MMS including ABB extension) CNCP RNRP ABB IAC ABB Totalflow |
ASHRAE | BACnet BACnet BACapp BACnet BVLC |
Beckhoff | AMS (ADS) Twincat |
Cisco | CAPWAP Control CAPWAP Data CDP LWAPP |
DNP.org | DNP3 |
Emerson | DeltaV DeltaV - Discovery Emerson OpenBSI/BSAP Ovation DCS ADMD Ovation DCS DPUSTAT Ovation DCS SSRPC |
Emerson Fischer | ROC |
GE | ADL (MarkVIe) Bentley Nevada (System 1 / BN3500) ClassicSDI (MarkVle) EGD GSM (GE MarkVI and MarkVIe) InterSite SDI (MarkVle) SRTP (GE) GE_CMP |
Generic Applications | Active Directory RDP Teamviewer VNC |
Honeywell | ENAP Experion DCS CDA Experion DCS FDA Honeywell EUCN Honeywell Discovery |
IEC | Codesys V3 IEC 60870-5-7 (IEC 62351-3 + IEC 62351-5) IEC 60870-5-104 IEC 60870-5-104 ASDU_APCI IEC 60870 ICCP TASE.2 IEC 61850 GOOSE IEC 61850 MMS IEC 61850 SMV (SAMPLED-VALUES) LonTalk (LonWorks) |
IEEE | LLC STP VLAN |
IETF | ARP DHCP DCE RPC DNS FTP (FTP_ADAT FTP_DATA) GSSAPI (RFC2743) HTTP ICMP IPv4 IPv6 LLDP MDNS NBNS NTLM (NTLMSSP Auth Protocol) RPC SMB / Browse / NBDGM SMB / CIFS SNMP SPNEGO (RFC4178) SSH Syslog TCP Telnet TFTP TPKT UDP |
ISO | CLNP (ISO 8473) COTP (ISO 8073) ISO Industrial Protocol MQTT (IEC 20922) |
Jenesys | FOX Niagara |
Medical | ASTM HL7 DICOM POCT1 |
Microsoft | Horizon community dissectors Horizon proprietary dissectors (developed by customers) |
Mitsubishi | Melsoft / Melsec (Mitsubishi Electric) |
Omron | FINS HTTP |
OPC | AE Common DA HDA UA |
Oracle | TDS TNS |
Rockwell Automation | CSP2 ENIP EtherNet/IP CIP (including Rockwell extension) EtherNet/IP CIP FW version 27 and above |
Samsung | Samsung TV |
Schneider Electric | Modbus/TCP Modbus TCP–Schneider Unity Extensions OASYS (Schneider Electric Telvant) Schneider TSAA |
Schneider Electric / Invensys | Foxboro Evo Foxboro I/A Trident TriGP TriStation |
Schneider Electric / Modicon | Modbus RTU |
Schneider Electric / Wonderware | Wonderware Suitelink |
SEL | FTP Telnet |
Siemens | CAMP PCS7 PCS7 WinCC – Historian Profinet DCP Profinet I/O Profinet Realtime Siemens PHD Siemens S7 Siemens S7 - Firmware and model extraction Siemens S7 – key state Siemens S7-Plus Siemens SICAM Siemens WinCC |
Toshiba | Toshiba Computer Link |
Yokogawa | Centum ODEQ (Centum / ProSafe DCS) HIS Equalize FA-M3 Vnet/IP |
Supported OT protocols for active monitoring
OT sensors support active monitoring for the following protocols:
Scan type | Supported protocols | Method |
---|---|---|
Windows event scans | WMI | Configure Windows Endpoint Monitoring |
DNS lookup scans | DNS | Configure reverse DNS lookup |
Supported protocols for Enterprise IoT device discovery
Enterprise IoT network sensors can detect the following protocols when identifying assets and devices in your network:
Brand / Vendor | Protocols |
---|---|
ALARIS | BAXTER |
ASHRAE | BACnet BACapp |
Cisco | CDP |
IANA | SIP |
IETF | BROWSE DHCP DNS HTTP LLDP MDNS SNMP SSDP |
Medical | DICOM HL7 POCT1 |
SWARM | swarm |
Don't see your protocol here?
Build support for proprietary OT protocols with the Horizon SDK
Asset vendors, partners, or platform owners can use Defender for IoT's Horizon Protocol SDK to secure any OT protocol used in IoT and ICS environments that isn't already supported by default.
Horizon helps you to write plugins for OT sensors that enable Deep Packet Inspection (DPI) on the traffic and detect threats in real time. Customize your plugins to localize and customize text for alerts, events, and protocol parameters.
Horizon provides:
- Support for common, proprietary, or custom protocols that deviate from standards
- Extra flexibility and scope for DPI development
- Extra visibility and control over your OT assets without needing to update your Defender for IoT version
- The security of allowing proprietary development without divulging sensitive information