Configure active monitoring for OT networks

This article describes how to configure active monitoring on OT networks with Microsoft Defender for IoT, including methods for Windows Event monitoring and reverse DNS lookup.

Plan your active monitoring

Active monitoring runs detection activity directly in your network and may cause some downtime. Take care when configuring active monitoring so that you only scan necessary resources.

When planning active monitoring:

  • Answer the following questions:

    • Can the devices you want to scan be discovered by the default Defender for IoT monitoring? If so, active monitoring may be unnecessary.
    • Are you able to run active queries on your network and on the devices you want to scan? To make sure, try running an active query on a staging environment.

    Use the answers to these questions to determine exactly which sites and address ranges you want to monitor.

  • Identify maintenance windows where you can schedule active monitoring intervals safely.

  • Identify active monitoring owners: personnel who can supervise the active monitoring activity and stop the monitoring process if needed.

  • Determine which active monitoring method to use: Windows Event monitoring or reverse DNS lookup.
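The checklist above produces a small set of facts: approved address ranges, a maintenance window, a named owner, and a method. As an added example (not Microsoft's or Defender for IoT's code), the following Python script records those facts in a plan object and refuses to issue a reverse DNS query for any address outside the approved ranges or outside the window, which is the practical meaning of "only scan necessary resources". The class and function names, the site `plant-a`, the `10.10.0.0/24` range and the hostnames are constructed for the example; the default resolver uses the standard `socket.gethostbyaddr`, and a stub resolver is used so the sample runs offline.

```python
"""Gate active-monitoring queries on a documented plan.

Added example, not Defender for IoT code: the plan captures the answers
from the planning checklist (approved address ranges, maintenance window,
an owner who can stop the run) and every query is checked against it.
"""
import ipaddress
import socket
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class ActiveMonitoringPlan:
    site: str
    owner: str                 # person able to supervise and stop the run
    scopes: list               # CIDR strings approved for active queries
    window_start: time         # maintenance window, local time
    window_end: time
    networks: list = field(default_factory=list, init=False, repr=False)

    def __post_init__(self):
        self.networks = [ipaddress.ip_network(s, strict=False) for s in self.scopes]

    def in_scope(self, ip: str) -> bool:
        """True when ip falls inside one of the approved ranges."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def in_window(self, when: datetime) -> bool:
        """True when the run time is inside the window; the window may wrap midnight."""
        t = when.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t < self.window_end
        return t >= self.window_start or t < self.window_end


def reverse_lookup(ip: str):
    """Reverse DNS (PTR) lookup; None when the address has no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def run_reverse_dns(plan, targets, when, resolver=reverse_lookup):
    """Query only the targets the plan allows.

    Returns a dict mapping each target IP to one of:
      "skipped:outside-window"  run attempted outside the maintenance window
      "skipped:out-of-scope"    IP is not in an approved address range
      a hostname string, or None when no PTR record exists
    """
    results = {}
    if not plan.in_window(when):
        return {ip: "skipped:outside-window" for ip in targets}
    for ip in targets:
        if not plan.in_scope(ip):
            results[ip] = "skipped:out-of-scope"
        else:
            results[ip] = resolver(ip)
    # Audit line: who owns this run and what it touched.
    print(f"[{plan.site}] owner={plan.owner} queried={sum(1 for v in results.values() if not str(v).startswith('skipped'))}")
    return results


# Constructed sample plan and targets (not from any real environment).
SAMPLE_PLAN = ActiveMonitoringPlan(
    site="plant-a", owner="ot-oncall", scopes=["10.10.0.0/24"],
    window_start=time(22, 0), window_end=time(4, 0))


def _fake_resolver(ip):
    """Stub resolver so the example runs offline; only one constructed PTR record."""
    return {"10.10.0.5": "plc-01.plant-a.example"}.get(ip)


def demo(hour=23, resolver=_fake_resolver):
    """Run the sample plan at the given hour; hour=23 is inside the 22:00-04:00 window."""
    when = datetime(2024, 1, 1, hour, 0)
    return run_reverse_dns(SAMPLE_PLAN, ["10.10.0.5", "10.10.0.9", "10.20.0.7"], when, resolver)


if __name__ == "__main__":
    print(demo())
```

Replace `_fake_resolver` with the default `reverse_lookup` to query real PTR records from a staging environment, as the checklist suggests, before touching production ranges.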

Configure network access

Before you can configure active monitoring, you must also configure your network so that the sensor's management port IP address can reach the OT network where your devices reside.

For example, the following image highlights in grey the extra network access you must configure from the management interface to the OT network.

Diagram highlighting the extra management network configuration required for active monitoring.

Next steps

For more information, see: