Manage your device inventory from the Azure portal

Use the Device inventory page in the Azure portal to manage all network devices detected by cloud-connected sensors, including OT, IoT, and IT. Identify new devices detected, devices that might need troubleshooting, and more.

For more information, see What is a Defender for IoT committed device?.

Note

The Device inventory page in Defender for IoT on the Azure portal is in PREVIEW. The Azure Preview Supplemental Terms include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Alternately, view device inventory from a specific sensor console, or from an on-premises management console.

View the device inventory

To view detected devices in the Device inventory page in the Azure portal, go to Defender for IoT > Device inventory.

Screenshot of the Device inventory page in the Azure portal.

Use any of the following options to modify or filter the devices shown:

Option Steps
Sort devices Select a column header to sort the devices by that column. Select it again to change the sort direction.
Filter devices shown Either use the Search box to search for specific device details, or select Add filter to filter the devices shown.

In the Add filter box, define your filter by column name, operator, and value. Select Apply to apply your filter.

You can apply multiple filters at the same time. Search results and filters aren't saved when you refresh the Device inventory page.
Modify columns shown Select Edit columns . In the Edit columns pane:

- Select the + Add Column button to add new columns to the grid.
- Drag and drop fields to change the columns order.
- To remove a column, select the Delete icon to the right.
- To reset the columns to their default settings, select Reset .

Select Save to save any changes made.
Group devices From the Group by above the gird, select either Type or Class to group the devices shown. Inside each group, devices retain the same column sorting. To remove the grouping, select No grouping.

For more information, see Device inventory column reference.

View full device details

To view full details about a specific device, select the device row. Initial details are shown in a pane on the right, where you can also select View full details to open the device details page and drill down more.

For example:

Screenshot of a device details pane and the View full details button in the Azure portal.

The device details page displays comprehensive device information, including the following tabs:

Section Description
Attributes Displays full device details such as class, data source, firmware details, activity, type, protocols, Purdue level, sensor, site, zone, and more.
Backplane Displays the backplane hardware configuration, including slot and rack information. Select a slot in the backplane view to see the details of the underlying devices. The backplane tab is usually visible for Purdue level 1 devices that have slots in use, such as PLC, RTU, and DCS devices.
Vulnerabilities Displays current vulnerabilities specific to the device. Vulnerability data is based on the repository of standards based vulnerability data documented at the US government National Vulnerability Database (NVD). Select the CVE name to see the CVE details and description. You can also view vulnerability data across your network with the Defender for IoT Vulnerability workbook.
Alerts Displays current open alerts related to the device. Select any alert to view more details, and then select View full details to open the alert page to view the full alert information and take action. For more information on the alerts page, see View alerts on the Azure portal.
Recommendations Displays current recommendations for the device, such as Review PLC operating mode and Review unauthorized devices. For more information on recommendations, see Enhance security posture with security recommendations.

For example:

Screenshot of the backplane tab in on the full device details page.

Identify devices that aren't connecting successfully

If you suspect that certain devices aren't actively communicating with Azure, we recommend that you verify whether those devices have communicated with Azure recently at all. For example:

  1. In the Device inventory page, make sure that the Last activity column is shown.

    Select Edit columns > Add column > Last Activity > Save.

  2. Select the Last activity column to sort the grid by that column.

  3. Filter the grid to show active devices during a specific time period:

    1. Select Add filter.
    2. In the Column field, select Last activity.
    3. Select a predefined time range, or define a custom range to filter for.
    4. Select Apply.
  4. Search for the devices you're verifying in the filtered list of devices.

Edit device details

As you manage your network devices, you may need to update their details. For example, you may want to modify security value as assets change, or personalize the inventory to better identify devices, or if a device was classified incorrectly.

To edit device details:

  1. Select one or more devices in the grid, and then select Edit .

  2. If you've selected multiple devices, select Add field type and add the fields you want to edit, for all selected devices.

  3. Modify the device fields as needed, and then select Save when you're done.

Your updates are saved for all selected devices.

For more information, see Device inventory column reference.

Reference of editable fields

The following device fields are supported for editing in the Device inventory page:

Name Description
General information
Name Mandatory. Supported for editing only when editing a single device.
Authorized Device Toggle on or off as needed as device security changes.
Description Enter a meaningful description for the device.
Location Enter a meaningful location for the device.
Category Use the Class, Type, and Subtype options to categorize the device.
Business Function Enter a meaningful description of the device's business function.
Hardware Model Select the device's hardware model from the dropdown menu.
Hardware Vendor Select the device's hardware vendor from the dropdown menu.
Firmware Device the device's firmware name and version. You can either select the delete button to delete an existing firmware definition, or select + Add to add a new one.
Tags Enter meaningful tags for the device. Select the delete button to delete an existing tag, or select + Add to add a new one.
Settings
Importance Select Low, Normal, or High to modify the device's importance.
Programming device Toggle the Programming Device option on or off as needed for your device.

For more information, see Device inventory column reference.

Export the device inventory to CSV

Export your device inventory to a CSV file to manage or share data outside of the Azure portal. You can export a maximum of 30,000 devices at a time.

To export device inventory data:

On the Device inventory page, select Export .

The device inventory is exported with any filters currently applied, and you can save the file locally.

Delete a device

If you have devices no longer in use, delete them from the device inventory so that they're no longer connected to Defender for IoT.

Devices might be inactive because of misconfigured SPAN ports, changes in network coverage, or because the device was unplugged from the network.

Delete inactive devices to maintain a correct representation of current network activity, better understand your committed devices when managing your Defender for IoT plans, and to reduce clutter on your screen.

To delete a device:

In the Device inventory page, select the device you want to delete, and then select Delete in the toolbar at the top of the page.

At the prompt, select Yes to confirm that you want to delete the device from Defender for IoT.

Device inventory column reference

The following table describes the device properties shown in the Device inventory page on the Azure portal.

Parameter Description
Application The application that exists on the device.
Authorized Device Editable. Determines whether or not the device is authorized. This value may change as device security changes.
Business Function Editable. Describes the device's business function.
Class Editable. The class of the device.
Default: IoT
Data source The source of the data, such as a micro agent, OT sensor, or Microsoft Defender for Endpoint.
Default: MicroAgent
Description Editable. The description of the device.
Firmware vendor Editable. The vendor of the device's firmware.
Firmware version Editable. The version of the firmware.
First seen The date, and time the device was first seen. Presented in format MM/DD/YYYY HH:MM:SS AM/PM.
Hardware Model Editable. Determines the device's hardware model.
Hardware Vendor Editable. Determines the device's hardware vendor.
Importance Editable. The level of importance of the device.
IPv4 Address The IPv4 address of the device.
IPv6 Address The IPv6 address of the device.
Last activity The date, and time the device last sent an event to the cloud. Presented in format MM/DD/YYYY HH:MM:SS AM/PM.
Last update time The date, and time the device last sent a system information event to the cloud. Presented in format MM/DD/YYYY HH:MM:SS AM/PM.
Location Editable. The physical location of the device.
MAC Address The MAC address of the device.
Model The device's model.
Name Mandatory, and editable. The name of the device as the sensor discovered it, or as entered by the user.
OS architecture Editable. The architecture of the operating system.
OS distribution Editable. The distribution of the operating system, such as Android, Linux, and Haiku.
OS platform Editable. The OS of the device, if detected.
OS version Editable. The version of the operating system, such as Windows 10 and Ubuntu 20.04.1.
PLC mode The PLC operating mode that includes the Key state (physical, or logical), and the Run state (logical). Possible Key states include, Run, Program, Remote, Stop, Invalid, and Programming Disabled. Possible Run states are Run, Program, Stop, Paused, Exception, Halted, Trapped, Idle, or Offline. If both states are the same, then only one state is presented.
PLC secured Determines if the PLC mode is in a secure state. A possible secure state is Run. A possible unsecured state can be either Program, or Remote.
Programming device Editable. Determines whether the device is a Programming Device.
Programming time The last time the device was programmed.
Protocols The protocols that the device uses.
Purdue level Editable. The Purdue level in which the device exists.
Scanner Whether the device performs scanning-like activities in the network.
Sensor The sensor the device is connected to.
Site The site that contains this device.

All Enterprise IoT sensors are automatically added to the Enterprise network site.
Slots The number of slots the device has.
Subtype Editable. The subtype of the device, such as speaker and smart tv.
Default: Managed Device
Tags Editable. Tagging data for each device.
Type Editable. The type of device, such as communication, and industrial.
Default: Miscellaneous
Underlying devices Any relevant underlying devices for the device
Underlying device region The region for an underlying device
Vendor The name of the device's vendor, as defined in the MAC address.
VLAN The VLAN of the device.
Zone The zone that contains this device.

Next steps

For more information, see: