Microsoft Defender for IoT - supported IoT, OT, ICS, and SCADA protocols

This article lists the protocols that are supported by default in Microsoft Defender for IoT. If your organization uses proprietary protocols or other protocols not listed here, use the Defender for IoT Horizon SDK to extend support as needed.

Supported protocols for OT device discovery

Defender for IoT can detect the following protocols when identifying assets and devices in your network:

Brand / Vendor | Protocols
ABB | ABB 800xA DCS (IEC61850 MMS including ABB extension), CNCP, RNRP
ASHRAE | BACnet, BACnet BACapp, BACnet BVLC
Beckhoff | AMS (ADS), Twincat
Cisco | CAPWAP Control, CAPWAP Data, CDP, LWAPP
DNP.org | DNP3
Emerson | DeltaV, DeltaV - Discovery, Emerson OpenBSI/BSAP, Ovation DCS ADMD, Ovation DCS DPUSTAT, Ovation DCS SSRPC
Emerson Fischer | ROC
Eurocontrol | ASTERIX
GE | Bentley Nevada (System 1 / BN3500), EGD, GSM (GE MarkVI and MarkVIe), SRTP (GE)
Generic Applications | Active Directory, RDP, Teamviewer, VNC
Honeywell | ENAP, Experion DCS CDA, Experion DCS FDA, Honeywell EUCN, Honeywell Discovery
IEC | Codesys V3, IEC 60870-5-7 (IEC 62351-3 + IEC 62351-5), IEC 60870-5-101 (encapsulated serial), IEC 60870-5-103 (encapsulated serial), IEC 60870-5-104, IEC 60870-5-104 ASDU_APCI, IEC 60870 ICCP TASE.2, IEC 61850 GOOSE, IEC 61850 MMS, IEC 61850 SMV (SAMPLED-VALUES), LonTalk (LonWorks)
IEEE | LLC, STP, VLAN
IETF | ARP, DHCP, DCE RPC, DNS, FTP (FTP_ADAT, FTP_DATA), GSSAPI (RFC2743), HTTP, ICMP, IPv4, IPv6, LLDP, MDNS, NBNS, NTLM (NTLMSSP Auth Protocol), RPC, SMB / Browse / NBDGM, SMB / CIFS, SNMP, SPNEGO (RFC4178), SSH, Syslog, TCP, Telnet, TFTP, TPKT, UDP
ISO | CLNP (ISO 8473), COTP (ISO 8073), ISO Industrial Protocol, MQTT (IEC 20922)
Medical | ASTM, HL7
Microsoft | Horizon community dissectors, Horizon proprietary dissectors (developed by customers)
Mitsubishi | Melsoft / Melsec (Mitsubishi Electric)
Omron | FINS
OPC | UA
Oracle | TDS, TNS
Rockwell Automation | ENIP, EtherNet/IP CIP (including Rockwell extension), EtherNet/IP CIP FW version 27 and above
Schneider Electric | Modbus/TCP, Modbus TCP–Schneider Unity Extensions, OASYS (Schneider Electric Telvant), Schneider TSAA
Schneider Electric / Invensys | Foxboro Evo, Foxboro I/A, Trident, TriGP, TriStation
Schneider Electric / Modicon | Modbus RTU
Schneider Electric / Wonderware | Wonderware Suitelink
Siemens | CAMP, PCS7, PCS7 WinCC – Historian, Profinet DCP, Profinet Realtime, Siemens PHD, Siemens S7, Siemens S7-Plus, Siemens SICAM, Siemens WinCC
Toshiba | Toshiba Computer Link
Yokogawa | Centum ODEQ (Centum / ProSafe DCS), HIS Equalize, FA-M3, Vnet/IP

Supported OT protocols for active monitoring

OT sensors support active monitoring for the following protocols:

Scan type Supported protocols Method
Windows event scans - WMI Configure Windows Endpoint Monitoring
DNS lookup scans - DNS Configure reverse DNS lookup

Supported protocols for Enterprise IoT device discovery

Enterprise IoT network sensors can detect the following protocols when identifying assets and devices in your network:

Brand / Vendor | Protocols
ALARIS | BAXTER
ASHRAE | BACnet BACapp
Cisco | CDP
IANA | SIP
IETF | BROWSE, DHCP, DNS, HTTP, LLDP, MDNS, SNMP, SSDP
Medical | DICOM, HL7, POCT1
SWARM | swarm

Don't see your protocol here?

Build support for proprietary OT protocols with the Horizon SDK

Asset vendors, partners, or platform owners can use Defender for IoT's Horizon Protocol SDK to secure any OT protocol used in IoT and ICS environments that isn't already supported by default.

Horizon helps you to write plugins for OT sensors that enable Deep Packet Inspection (DPI) on the traffic and detect threats in real time. Customize your plugins to localize and customize text for alerts, events, and protocol parameters.

Horizon provides:

  • Support for common, proprietary, or custom protocols that deviate from standards
  • Extra flexibility and scope for DPI development
  • Extra visibility and control over your OT assets without needing to update your Defender for IoT version
  • The security of allowing proprietary development without divulging sensitive information

Infographic that describes features provided by the Horizon SDK.

Collaborate with the Horizon community

Join our community to help lead the way towards digital transformation and industry-wide collaboration for protocol support!

The Horizon ICS community shares knowledge between domain experts in critical infrastructures, building management, production lines, transportation systems, and leading industries. For example, our community shares tutorials, discussion forums, instructor-led training, educational white papers, and more.

To join the Horizon community, email us at: horizon-community@microsoft.com
