Manage individual sensors

This article describes how to manage individual sensors, such as managing activation files, certificates, backups, and more.

You can also perform some management tasks for multiple sensors simultaneously from the Azure portal or an on-premises management console. For more information, see Next steps.

Caution

Only documented configuration parameters on the OT network sensor and on-premises management console are supported for customer configuration. Do not change any non-documented configuration parameters, as changes may cause unexpected behavior and system failures.

View overall sensor status

When you sign into your sensor, the first page shown is the Overview page.

For example:

Screenshot of the overview page.

The Overview page shows the following widgets:

  • General Settings: Displays a list of the sensor's basic configuration settings and connectivity status.
  • Traffic Monitoring: Displays a graph detailing traffic in the sensor. The graph shows traffic as units of Mbps per hour on the day of viewing.
  • Top 5 OT Protocols: Displays a bar graph that details the top five most used OT protocols. The bar graph also provides the number of devices that are using each of those protocols.
  • Traffic By Port: Displays a pie chart showing the types of ports in your network, with the amount of traffic detected in each type of port.
  • Top open alerts: Displays a table listing any currently open alerts with high severity levels, including critical details about each alert.

Select the link in each widget to drill down for more information in your sensor.

Validate connectivity status

Verify that your sensor is successfully connected to the Azure portal directly from the sensor's Overview page.

If there are any connection issues, a disconnection message is shown in the General Settings area on the Overview page, and a Service connection error warning appears at the top of the page in the System Messages area. For example:

Screenshot of a sensor page showing the connectivity status as disconnected.

  1. Find more information about the issue by hovering over the information icon. For example:

    Screenshot of a connectivity error message.

  2. Take action by selecting the Learn more option under System Messages. For example:

    Screenshot of the system messages pane.

Manage sensor activation files

Your sensor was onboarded with Microsoft Defender for IoT from the Azure portal. Each sensor was onboarded as either a locally connected sensor or a cloud-connected sensor.

A unique activation file is uploaded to each sensor that you deploy. For more information about when and how to use a new file, see Upload new activation files. If you can't upload the file, see Troubleshoot activation file upload.

About activation files for locally connected sensors

Locally connected sensors are associated with an Azure subscription. The activation file for your locally connected sensors contains an expiration date. One month before this date, a warning message appears in the System Messages window in the top-right corner of the console. The warning remains until after you've updated the activation file.

You can continue to work with Defender for IoT features even if the activation file has expired.

About activation files for cloud-connected sensors

Sensors that are cloud connected aren't limited by time periods for their activation file. The activation file for cloud-connected sensors is used to ensure the connection to Defender for IoT.

Upload new activation files

You might need to upload a new activation file for an onboarded sensor when:

  • An activation file expires on a locally connected sensor.

  • You want to work in a different sensor management mode.

  • For sensors connected via an IoT Hub (legacy), you want to assign a new Defender for IoT hub to a cloud-connected sensor.

To add a new activation file:

  1. Go to the Azure portal for Defender for IoT.

  2. Use the search bar to find the sensor you need.

  3. Select the three dots (...) on the row and select Delete sensor.

  4. Onboard the sensor again by selecting Getting Started > Set up OT/ICS Security > Register this sensor with Microsoft Defender for IoT.

  5. Go to the Sites and sensors page.

  6. Use the search bar to find the sensor you just added, and select it.

  7. Select the three dots (...) on the row and select Download activation file.

    All files downloaded from the Azure portal are signed by root of trust so that your machines use signed assets only.

  8. Save the file.

  9. Sign in to the Defender for IoT sensor console.

  10. Select System Settings > Sensor management > Subscription & Activation Mode.

  11. Select Upload and select the file that you saved.

  12. Select Activate.

Troubleshoot activation file upload

You'll receive an error message if the activation file couldn't be uploaded. The following events might have occurred:

  • For locally connected sensors: The activation file isn't valid. If the file isn't valid, go to Defender for IoT in the Azure portal. On the Sensor Management page, select the sensor with the invalid file, and download a new activation file.

  • For cloud-connected sensors: The sensor can't connect to the internet. Check the sensor's network configuration. If your sensor needs to connect through a web proxy to access the internet, verify that your proxy server is configured correctly on the Sensor Network Configuration screen. Verify that the required endpoints are allowed in the firewall and/or proxy.

    For OT sensors version 22.x, download the list of required endpoints from the Sites and sensors page on the Azure portal. Select an OT sensor with a supported software version, or a site with one or more supported sensors, and then select More actions > Download endpoint details. For sensors with earlier versions, see Sensor access to Azure portal.

  • For cloud-connected sensors: The activation file is valid but Defender for IoT rejected it. If you can't resolve this problem, you can download another activation from the Sites and Sensors page in the Azure portal. If this doesn't work, contact Microsoft Support.

Manage certificates

Following sensor installation, a local self-signed certificate is generated and used to access the sensor web application. When logging in to the sensor for the first time, Administrator users are prompted to provide an SSL/TLS certificate.

Sensor Administrators may be required to update certificates that were uploaded after initial login. This may happen, for example, if a certificate expired.

To update a certificate:

  1. Select System Settings and then select Basic.

  2. Select SSL/TLS Certificate.

    Upload a certificate

  3. In the SSL/TLS Certificates dialog box, delete the existing certificate and add a new one.

    • Add a certificate name.
    • Upload a CRT file and key file.
    • Upload a PEM file if necessary.

If the upload fails, contact your security or IT administrator, or review the information in About Certificates.

To change the certificate validation setting:

  1. Enable or disable the Enable Certificate Validation toggle. If the option is enabled and validation fails, communication between relevant components is halted, and a validation error is presented in the console. If disabled, certificate validation is not carried out. See About certificate validation for more information.

  2. Select Save.

For more information about first-time certificate upload, see First-time sign-in and activation checklist.

Connect a sensor to the management console

This section describes how to ensure connection between the sensor and the on-premises management console. You need to do this if you're working in an air-gapped network and want to send device and alert information to the management console from the sensor. This connection also allows the management console to push system settings to the sensor and perform other management tasks on the sensor.

To connect:

  1. Sign in to the on-premises management console.

  2. Select System Settings.

  3. In the Sensor Setup – Connection String section, copy the automatically generated connection string.

    Screenshot of the Connection string screen.

  4. Sign in to the sensor console.

  5. On the left pane, select System Settings.

  6. Select Management Console Connection.

    Screenshot of the Management Console Connection dialog box.

  7. Paste the connection string in the Connection string box and select Connect.

  8. In the on-premises management console, in the Site Management window, assign the sensor to a site and zone.

Continue with additional settings, such as adding users, setting up an SMTP server, forwarding alert rules, and more. For more information, see Activate and set up your on-premises management console.

Change the name of a sensor

You can change the name of your sensor console. The new name will appear in:

  • The sensor console web browser
  • Various console windows
  • Troubleshooting logs
  • The Sites and sensors page in the Defender for IoT portal on Azure.

The process for changing sensor names is the same for locally managed sensors and cloud-connected sensors.

The sensor name is defined by the name assigned during the registration. The name is included in the activation file that you uploaded when signing in for the first time. To change the name of the sensor, you need to upload a new activation file.

To change the name:

  1. In the Azure portal, go to the Sites and sensors page.

  2. Delete the sensor from the page.

  3. Register with the new name by selecting Set up OT/ICS Security from the Getting Started page.

  4. Download the new activation file.

  5. Sign in to the Defender for IoT sensor console.

  6. In the sensor console, select System settings > Sensor management and then select Subscription & Activation Mode.

  7. Select Upload and select the file you saved.

  8. Select Activate.

Update the sensor network configuration

The sensor network configuration was defined during the sensor installation. You can change configuration parameters. You can also set up a proxy configuration.

If you set a new IP address, you might be required to sign in again.

To change the configuration:

  1. On the side menu, select System Settings.

  2. In the System Settings window, select Network.

  3. Set the parameters:

    • IP address: The sensor IP address
    • Subnet mask: The subnet mask
    • Default gateway: The default gateway address
    • DNS: The DNS server address
    • Hostname: The sensor hostname
    • Proxy: Proxy host name and port
  4. Select Save.

Synchronize time zones on the sensor

You can configure the sensor's time and region so that all the users see the same time and region.

  • Timezone: The time zone definition for:
    - Alerts
    - Trends and statistics widgets
    - Data mining reports
    - Risk assessment reports
    - Attack vectors
  • Date format: Select one of the following format options:
    - dd/MM/yyyy HH:mm:ss
    - MM/dd/yyyy HH:mm:ss
    - yyyy/MM/dd HH:mm:ss
  • Date and time: Displays the current date and local time in the format that you selected. For example, if your actual location is America and New York, but the time zone is set to Europe and Berlin, the time is displayed according to Berlin local time.

To configure the sensor time:

  1. On the side menu, select System settings > Basic > Time & Region.

  2. Set the parameters and select Save.

Set up backup and restore files

System backup is performed automatically at 3:00 AM daily. The data is saved on a different disk in the sensor. The default location is /var/cyberx/backups.

You can automatically transfer this file to the internal network.

Note

  • The backup and restore procedure can be performed between the same versions only.
  • In some architectures, the backup is disabled. You can enable it in the /var/cyberx/properties/backup.properties file.

When you control a sensor by using the on-premises management console, you can use the sensor's backup schedule to collect these backups and store them on the management console or on an external backup server. For more information, see Define sensor backup schedules.

What is backed up: Configurations and data.

What is not backed up: PCAP files and logs. You can manually back up and restore PCAPs and logs. For more information, see Upload and play PCAP files.

Sensor backup files are automatically named through the following format: <sensor name>-backup-version-<version>-<date>.tar. An example is Sensor_1-backup-version-2.6.0.102-2019-06-24_09:24:55.tar.

To configure backup:

  • Sign in to an administrative account and enter cyberx-xsense-system-backup.

To restore the latest backup file:

  • Sign in to an administrative account and enter cyberx-xsense-system-restore.

To save the backup to an external SMB server:

  1. Create a shared folder in the external SMB server.

    Get the folder path, username, and password required to access the SMB server.

  2. In the sensor, make a directory for the backups:

    • sudo mkdir /<backup_folder_name_on_cyberx_server>

    • sudo chmod 777 /<backup_folder_name_on_cyberx_server>/

  3. Edit fstab:

    • sudo nano /etc/fstab

    • Add the following line (the filesystem type cifs and the mount options are separate fields): //<server_IP>/<folder_path> /<backup_folder_name_on_cyberx_server> cifs rw,credentials=/etc/samba/user,vers=X.X,uid=cyberx,gid=cyberx,file_mode=0777,dir_mode=0777 0 0

  4. Edit and create credentials to share for the SMB server:

    sudo nano /etc/samba/user

  5. Add:

    • username=<user name>

    • password=<password>

  6. Mount the directory:

    sudo mount -a

  7. Configure a backup directory to the shared folder on the Defender for IoT sensor:

    • sudo nano /var/cyberx/properties/backup.properties

    • set backup_directory_path to <backup_folder_name_on_cyberx_server>
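The same SMB backup target setup in script form, as an added example that is not part of the original article: it builds the fstab entry, writes the credentials file readable by its owner only, sets backup_directory_path in backup.properties, and checks that the share is really mounted after mount -a. The server IP 192.0.2.10, the share name sensorbackups and the mount point /sensorbackups are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not from the article: the SMB backup target steps as shell
# functions. Placeholder values: server 192.0.2.10, share "sensorbackups",
# mount point /sensorbackups (assumptions, substitute your own).
set -eu

# Build the fstab line for the share. The filesystem type (cifs) and the mount
# options are separate fstab fields; "vers" is the SMB dialect (for example 3.0).
cifs_fstab_line() {
  server_ip=$1; folder_path=$2; mount_point=$3; smb_version=$4
  printf '//%s/%s %s cifs rw,credentials=/etc/samba/user,vers=%s,uid=cyberx,gid=cyberx,file_mode=0777,dir_mode=0777 0 0\n' \
    "$server_ip" "$folder_path" "$mount_point" "$smb_version"
}

# Write the credentials file in the username=/password= form mount.cifs reads.
# The umask runs in a subshell so only this file gets owner-only permissions.
write_smb_credentials() {
  cred_file=$1; user=$2; pass=$3
  ( umask 077; printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$cred_file" )
}

# Set backup_directory_path in backup.properties, replacing an existing value
# or appending the key when it is absent (written through a temp file).
set_backup_directory() {
  props=$1; dir=$2; tmp="$props.tmp"
  awk -v d="$dir" '
    /^backup_directory_path=/ { print "backup_directory_path=" d; done = 1; next }
    { print }
    END { if (!done) print "backup_directory_path=" d }' "$props" > "$tmp"
  mv "$tmp" "$props"
}

# Return 0 when mount_point appears as a cifs mount in the mount table
# (default /proc/mounts); run it after "sudo mount -a" to verify the share.
cifs_mounted() {
  mount_point=$1; mounts=${2:-/proc/mounts}
  awk -v mp="$mount_point" '$2 == mp && $3 == "cifs" { found = 1 } END { exit !found }' "$mounts"
}

# Typical use on the sensor (commented out: needs root and a reachable share):
#   sudo mkdir /sensorbackups && sudo chmod 777 /sensorbackups
#   cifs_fstab_line 192.0.2.10 sensorbackups /sensorbackups 3.0 | sudo tee -a /etc/fstab
#   write_smb_credentials /etc/samba/user backupsvc 'secret'   # run as root
#   sudo mount -a && cifs_mounted /sensorbackups && echo "share mounted"
#   set_backup_directory /var/cyberx/properties/backup.properties /sensorbackups
```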

Restore sensors

You can restore a sensor from a backup file using the sensor console or the CLI.

To restore from the sensor console:

To restore a backup from the sensor console, the backup file must be accessible from the sensor.

  • To download a backup file:

    1. Access the sensor using an SFTP client.

    2. Sign in to an administrative account and enter the sensor IP address.

    3. Download the backup file from your chosen location and save it. The default location for system backup files is /var/cyberx/backups.

  • To restore the sensor:

    1. Sign in to the sensor console and go to System settings > Sensor management > Backup & restore > Restore. For example:

      Screenshot of Restore tab in sensor console.

    2. Select Browse to select your downloaded backup file. The sensor will start to restore from the selected backup file.

    3. When the restore process is complete, select Close.

To restore the latest backup file by using the CLI:

  • Sign in to an administrative account and enter cyberx-xsense-system-restore.
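A helper for the same-version rule and the backup file naming format described above, written as an added example that is not part of the article: it extracts the version and date stamp from a backup file name and selects the newest backup that matches the version of the sensor being restored. The sample file names are constructed; the article does not say how to read the running sensor version, so it is passed in as an argument.

```shell
#!/bin/sh
# Added example, not from the article. Backup file names follow
#   <sensor name>-backup-version-<version>-<date>.tar
# and a backup can only be restored onto the same version, so check the
# embedded version before pointing the console or the CLI at a file.
set -eu

# Print the version embedded in a backup file name; fail if the name does not
# follow the format. Works with or without a leading directory.
backup_version() {
  name=$(basename "$1" .tar)
  case "$name" in
    *-backup-version-*) ;;
    *) return 1 ;;
  esac
  rest=${name#*-backup-version-}      # "<version>-<date>"
  printf '%s\n' "${rest%%-*}"         # the version has no hyphens; the date does
}

# Print the date stamp (for example 2019-06-24_09:24:55) from a backup file name.
backup_date() {
  rest=$(basename "$1" .tar)
  rest=${rest#*-backup-version-}
  printf '%s\n' "${rest#*-}"          # everything after the version
}

# Return 0 when the backup was produced by the version given as $2.
backup_restorable() {
  v=$(backup_version "$1") || return 1
  [ "$v" = "$2" ]
}

# Read backup file names from stdin (one per line) and print the newest one
# whose version matches $1. Date stamps are zero-padded, so a text sort
# orders them chronologically.
latest_restorable_backup() {
  want=$1
  while IFS= read -r f; do
    if backup_restorable "$f" "$want"; then
      printf '%s %s\n' "$(backup_date "$f")" "$f"
    fi
  done | sort | tail -n 1 | cut -d' ' -f2-
}

# Typical use on the sensor (commented out; reads the default backup location):
#   ls /var/cyberx/backups/*.tar | latest_restorable_backup "<running version>"
```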

Configure SMTP settings

Define SMTP mail server settings for the sensor so that the sensor can send mail to other servers.

You'll need an SMTP mail server configured to enable email alerts about disconnected sensors, failed sensor backup retrievals, and SPAN monitoring port failures from the on-premises management console, and to set up mail forwarding and configure forwarding alert rules.

Prerequisites:

Make sure you can reach the SMTP server from the sensor's management port.

To configure an SMTP server on your sensor:

  1. Sign in to the sensor as an Admin user and select System settings > Integrations > Mail server.

  2. In the Edit Mail Server Configuration pane that appears, define the values for your SMTP server as follows:

    • SMTP Server Address: Enter the IP address or domain address of your SMTP server.
    • SMTP Server Port: Default = 25. Adjust the value as needed.
    • Outgoing Mail Account: Enter an email address to use as the outgoing mail account from your sensor.
    • SSL: Toggle on for secure connections from your sensor.
    • Authentication: Toggle on and then enter a username and password for your email account.
    • Use NTLM: Toggle on to enable NTLM. This option only appears when you have the Authentication option toggled on.
  3. Select Save when you're done.

Forward sensor failure alerts

You can forward alerts to third parties to provide details about:

  • Disconnected sensors

  • Remote backup failures

This information is sent when you create a forwarding rule for system notifications.

Note

Administrators can send system notifications.

To send notifications:

  1. Sign in to the on-premises management console.
  2. Select Forwarding from the side menu.
  3. Create a forwarding rule.
  4. Select Report System Notifications.

For more information about forwarding rules, see Forward alert information.

Upload and play PCAP files

When troubleshooting, you may want to examine data recorded by a specific PCAP file. To do so, you can upload a PCAP file to your sensor console and replay the data recorded.

To view the PCAP player in your sensor console, you'll first need to configure the relevant advanced configuration option.

Maximum size for uploaded files is 2 GB.

To show the PCAP player in your sensor console:

  1. On your sensor console, go to System settings > Sensor management > Advanced Configurations.

  2. In the Advanced configurations pane, select the Pcaps category.

  3. In the configurations displayed, change enabled=0 to enabled=1, and select Save.

The Play PCAP option is now available in the sensor console's settings, under: System settings > Basic > Play PCAP.

To upload and play a PCAP file:

  1. On your sensor console, select System settings > Basic > Play PCAP.

  2. In the PCAP PLAYER pane, select Upload and then navigate to and select the file you want to upload.

  3. Select Play to play your PCAP file, or Play All to play all PCAP files currently loaded.

Tip

Select Clear All to clear the sensor of all PCAP files loaded.

Adjust system properties

System properties control various operations and settings in the sensor. Editing or modifying them might damage the operation of the sensor console.

Consult with Microsoft Support before you change your settings.

To access system properties:

  1. Sign in to the on-premises management console or the sensor.

  2. Select System Settings.

  3. Select System Properties from the General section.

Download a diagnostics log for support

This procedure describes how to download a diagnostics log to send to support in connection with a specific support ticket.

This feature is supported for the following sensor versions:

  • 22.1.1 - Download a diagnostic log from the sensor console
  • 22.1.3 - For locally managed sensors, upload a diagnostics log from the Sites and sensors page in the Azure portal. This file is automatically sent to support when you open a ticket on a cloud-connected sensor.

All files downloaded from the Azure portal are signed by root of trust so that your machines use signed assets only.

To download a diagnostics log:

  1. On the sensor console, select System settings > Backup & Restore > Backup.

  2. Under Logs, select Support Ticket Diagnostics, and then select Export.

    Screenshot of the Backup & Restore pane showing the Support Ticket Diagnostics option.

  3. For a locally managed sensor, version 22.1.3 or higher, continue with Upload a diagnostics log for support.

Retrieve forensics data stored on the sensor

Use Defender for IoT data mining reports on an OT network sensor to retrieve forensic data from that sensor’s storage. The following types of forensic data are stored locally on OT sensors, for devices detected by that sensor:

  • Device data
  • Alert data
  • Alert PCAP files
  • Event timeline data
  • Log files

Each type of data has a different retention period and maximum capacity. For more information see Create data mining queries.

Clearing sensor data

In cases where the sensor needs to be relocated or erased, the sensor can be reset.

Clearing data deletes all detected or learned data on the sensor. After clearing data on a cloud-connected sensor, the cloud inventory is updated accordingly. Additionally, some actions on the corresponding cloud alerts, such as downloading PCAPs or learning alerts, will not be supported.

Note

Network settings such as IP/DNS/GATEWAY will not be changed by clearing system data.

To clear system data:

  1. Sign in to the sensor as the cyberx user.

  2. Select Support > Clear data.

  3. In the confirmation dialog box, select Yes to confirm that you do want to clear all data from the sensor and reset it. For example:

    Screenshot of clearing system data on the support page in the sensor console.

A confirmation message appears that the action was successful. All learned data, allowlists, policies, and configuration settings are cleared from the sensor.

Next steps

For more information, see: