Activate and set up your sensor
This article describes how to activate a sensor and perform initial setup.
Administrator users carry out activation when signing in for the first time and when activation management is required. Setup ensures that the sensor is configured to optimally detect and alert.
Security analysts and read-only users can't activate a sensor or generate a new password.
Sign in and activation for administrator users
Administrators who sign in for the first time should verify that they have access to the activation and password recovery files for this sensor. These files were downloaded during sensor onboarding. If Administrators don't have these files, they can generate new ones via Defender for IoT in the Azure portal. The following Azure permissions are needed to generate the files:
- Azure security administrator
- Subscription contributor
- Subscription owner permissions
First-time sign in and activation checklist
Before signing in to the sensor console, administrator users should have access to:
The sensor IP address that was defined during the installation.
User sign in credentials for the sensor. If you downloaded an ISO for the sensor, use the default credentials that you received during the installation. We recommend that you create a new Administrator user after activation.
An initial password. If you purchased a preconfigured sensor from Arrow, you need to generate a password when signing in for the first time.
The activation file associated with this sensor. The file was generated and downloaded during sensor onboarding by Defender for IoT.
An SSL/TLS CA-signed certificate that your company requires.
All files downloaded from the Azure portal are signed by root of trust so that your machines use signed assets only.
About activation files
Your sensor was onboarded to Microsoft Defender for IoT in a specific management mode:
|Cloud connected mode||Information that the sensor detects is displayed in the sensor console. Alert information is also delivered to Azure and can be shared with other Azure services, such as Microsoft Sentinel. You can also enable automatic threat intelligence updates.|
|Locally connected mode||Information that the sensor detects is displayed in the sensor console. Detection information is also shared with the on-premises management console, if the sensor is connected to it.|
A locally connected, or cloud-connected activation file was generated and downloaded for this sensor during onboarding. The activation file contains instructions for the management mode of the sensor. A unique activation file should be uploaded to each sensor you deploy. The first time you sign in, you need to upload the relevant activation file for this sensor.
Following sensor installation, a local self-signed certificate is generated. The certificate is used to access the sensor console. After administrators sign in to the console for the first time, they're prompted to onboard an SSL/TLS certificate.
Two levels of security are available:
- Meet specific certificate and encryption requirements requested by your organization, by uploading the CA-signed certificate.
- Allow validation between the management console and connected sensors. Validation is evaluated against a certificate revocation list and the certificate expiration date. If validation fails, communication between the management console and the sensor is halted and a validation error appears in the console. This option is enabled by default after installation.
The console supports the following certificate types:
Private and Enterprise Key Infrastructure (private PKI)
Public Key Infrastructure (public PKI)
Locally generated on the appliance (locally self-signed)
We recommend that you don't use the default self-signed certificate. The certificate is not secure and should be used for test environments only. The owner of the certificate can't be validated, and the security of your system can't be maintained. Never use this option for production networks.
For more information about working with certificates, see Manage certificates.
Sign in and activate the sensor
To sign in and activate:
Go to the sensor console from your browser by using the IP defined during the installation. The sign-in dialog box opens.
Enter the credentials defined during the sensor installation, or select the Password recovery option. If you purchased a preconfigured sensor from Arrow, generate a password first. For more information on password recovery, see Investigate password failure at initial sign-in.
Select Login/Next. The Sensor Network Settings tab opens.
Use this tab if you want to change the sensor network configuration before activation. The configuration parameters were defined during the software installation, or when you purchased a preconfigured sensor. The following parameters were defined:
- IP address
- Default gateway
- Subnet mask
- Host name
You might want to update this information before activating the sensor. For example, you might need to change the preconfigured parameters defined by Arrow. You can also define proxy settings before activating your sensor.
If you want to work with a proxy, enable the proxy toggle and add the proxy host, port and username.
Select Next. The Activation tab opens.
Select Upload and go to the activation file that you downloaded during the sensor onboarding.
Approve the terms and conditions.
Select Activate. The SSL/TLS certificate tab opens. Before defining certificates, see Deploy SSL/TLS certificates on OT appliances.
It is not recommended to use a locally generated certificate in a production environment.
Enable the Import trusted CA certificate (recommended) toggle.
Define a certificate name.
Upload the Key, CRT, and PEM files.
Enter a passphrase and upload a PEM file if necessary.
It's recommended to select Enable certificate validation to validate the connections between management console and connected sensors.
You might need to refresh your screen after uploading the CA-signed certificate.
For information about uploading a new certificate, supported certificate parameters, and working with CLI certificate commands, see Manage individual sensors.
After activating a sensor, you'll need to apply new activation files as follows:
|Cloud-connected sensors||Cloud-connected sensors remain activated for as long as your Azure subscription with your Defender for IoT plan is active.
However, you'll also need to apply a new activation file when updating your sensor software from a legacy version to version 22.2.x.
|Locally managed||Apply a new activation file to locally managed sensors every year. After a sensor's activation file has expired, the sensor will continue to monitor your network, but you'll see a warning message when signing in to the sensor.|
Activate an expired license (versions under 10.0)
For users with versions prior to 10.0, your license may expire, and the following alert will be displayed.
To activate your license:
Open a case with support.
Supply support with your Activation ID number.
Support will supply you with new license information in the form of a string of letters.
Read the terms and conditions, and check the checkbox to approve.
Paste the string into space provided.
Subsequent sign ins
After first-time activation, the Microsoft Defender for IoT sensor console opens after sign-in without requiring an activation file or certificate definition. You only need your sign-in credentials.
After your sign-in, the Microsoft Defender for IoT sensor console opens.
Initial setup and learning (for administrators)
After your first sign-in, the Microsoft Defender for IoT sensor starts to monitor your network automatically. Network devices will appear in the device map and device inventory sections. Microsoft Defender for IoT will begin to detect and alert you on all security and operational incidents that occur in your network. You can then create reports and queries based on the detected information.
Initially this activity is carried out in the Learning mode, which instructs your sensor to learn your network's usual activity. For example, the sensor learns devices discovered in your network, protocols detected in the network, and file transfers that occur between specific devices. This activity becomes your network's baseline activity.
Review and update basic system settings
Review the sensor's system settings to make sure the sensor is configured to optimally detect and alert.
Define the sensor's system settings. For example:
Define ICS (or IoT) and segregated subnets.
Define port aliases for site-specific protocols.
Define VLANs and names that are in use.
If DHCP is in use, define legitimate DHCP ranges.
Define integration with Active Directory and mail server as appropriate.
Disable Learning mode
After adjusting the system settings, you can let the sensor run in Learning mode until you feel that system detections accurately reflect your network activity.
The learning mode should run for about 2 to 6 weeks, depending on your network size and complexity. After you disable Learning mode, any activity that differs from your baseline activity will trigger an alert.
To disable learning mode:
- Select System Settings, Network Monitoring, Detection Engines and Network Modeling and disable the Learning toggle.
First-time sign in for security analysts and read-only users
Before you sign in, verify that you have:
The sensor IP address.
Sign in credentials that your administrator provided.
Console tools: Overview
You can access console tools from the side menu. Tools help you:
Gain deep, comprehensive visibility into your network
Analyze network risks, vulnerabilities, trends and statistics
Set up your sensor for maximum performance
Create and manage users
|Overview||View a dashboard with high-level information about your sensor deployment, alerts, traffic, and more.|
|Device map||View the network devices, device connections, Purdue levels, and device properties in a map. Various zoom, highlight, and filter options are available to help you gain the insight you need. For more information, see Investigate sensor detections in the Device Map.|
|Device inventory||The Device inventory displays a list of device attributes that this sensor detects. Options are available to:
- Sort, or filter the information according to the table fields, and see the filtered information displayed.
- Export information to a CSV file.
- Import Windows registry details. For more information, see Detect Windows workstations and servers with a local script.
|Alerts||Alerts are triggered when sensor engines detect changes or suspicious activity in network traffic that requires your attention. For more information, see View and manage alerts on your OT sensor.|
|Event timeline||View a timeline with information about alerts, network events, and user operations. For more information, see Track sensor activity.|
|Data mining||Generate comprehensive and granular information about your network's devices at various layers. For more information, see Sensor data mining queries.|
|Trends and Statistics||View trends and statistics about an extensive range of network traffic and activity. As a small example, display charts and graphs showing top traffic by port, connectivity drops by hours, S7 traffic by control function, number of devices per VLAN, SRTP errors by day, or Modbus traffic by function. For more information, see Sensor trends and statistics reports.|
|Risk Assessment||Proactively address vulnerabilities, identify risks such as missing patches or unauthorized applications. Detect changes to device configurations, controller logic, and firmware. Prioritize fixes based on risk scoring and automated threat modeling. For more information, see Risk assessment reporting.|
|Attack Vector||Display a graphical representation of a vulnerability chain of exploitable devices. These vulnerabilities can give an attacker access to key network devices. The Attack Vector Simulator calculates attack vectors in real time and analyzes all attack vectors for a specific target. For more information, see Attack vector reporting.|
|System settings||Configure the system settings. For example, define DHCP settings, provide mail server details, or create port aliases.|
|Custom alert rules||Use custom alert rules to more specifically pinpoint activity or traffic of interest to you. For more information, see Create custom alert rules on an OT sensor.|
|Users||Define users and roles with various access levels. For more information, see Create and manage users on an OT network sensor.|
|Forwarding||Forward alert information to partners that integrate with Defender for IoT, for example, Microsoft Sentinel, Splunk, ServiceNow. You can also send to email addresses, webhook servers, and more.
See Forward alert information for details.
|Support||Contact Microsoft Support for help.|
Review system messages
System messages provide general information about your sensor that may require your attention, for example if:
- your sensor activation file is expired or will expire soon
- your sensor isn't detecting traffic
- your sensor SSL certificate is expired or will expire soon
To review system messages:
- Sign into the sensor
- Select the System Messages icon (Bell icon).
For more information, see: