View and manage alerts on the on-premises management console (Legacy)

Article
12/17/2023

Important

Defender for IoT now recommends using Microsoft cloud services or existing IT infrastructure for central monitoring and sensor management, and plans to retire the on-premises management console on January 1st, 2025.

For more information, see Deploy hybrid or air-gapped OT sensor management.

Microsoft Defender for IoT alerts enhance your network security and operations with real-time details about events logged in your network. OT alerts are triggered when OT network sensors detect changes or suspicious activity in network traffic that needs your attention.

This article describes how to view Defender for IoT alerts on an on-premises management console, which aggregates alerts from all connected OT sensors. You can also view OT alerts on the Azure portal or an OT network sensor.

Prerequisites

Before performing the procedures in this article, make sure that you have:

An on-premises management console installed, activated, and configured. To view alerts by location or zone, make sure that you've configured sites and zones on the on-premises management console.
One or more OT sensors installed, configured, activated, and connected to your on-premises management console. To view alerts per zone, make sure that each sensor is assigned to a specific zone.
Access to the on-premises management console with one of the following user roles:
- To view alerts the on-premises management console, sign in as an Admin, Security Analyst, or Viewer user.
- To manage alerts on the on-premises management console, sign in as an Admin or Security Analyst user. Management activities include acknowledging or muting an alert, depending on the alert type.

View alerts on the on-premises management console

Sign into the on-premises management console and select Alerts on the left-hand menu.

Alerts are shown in a simple table, showing the sensor that triggered the alert and alert details in two columns.
Select an alert row to expand its full details. For example:
In an expanded alert row, do any of the following to view more context about the alert:
- Select OPEN SENSOR to open the sensor that generated the alert and continue your investigation. For more information, see View and manage alerts on your OT sensor.
- Select SHOW DEVICES to show the affected devices on a zone map. For more information, see Create OT sites and zones on an on-premises management console.

Note

On the on-premises management console, New alerts are called Unacknowledged, and Closed alerts are called Acknowledged. For more information, see Alert statuses and triaging options.

Filter the alerts displayed

At the top of the Alerts page, use the Free Search, Sites, Zones, Devices, and Sensors options to filter the alerts displayed by specific parameters, or to help locate a specific alert.

Acknowledged alerts aren't listed by default. Select Show Acknowledged Alerts to include them in the list.
Select Clear to remove all filters.

View alerts by location

To view alerts from connected OT sensors across your entire global network, use the Enterprise View map on an on-premises management console.

Sign into your on-premises management console and select Enterprise View. The default map view shows your sites at their locations around the world.

(Optional) Use the All Sites and All Regions menus at the top of the page to filter your map and display only specific sites, or only specific regions.
From the Default View menu at the top of the page, select any of the following to drill down to specific types of alerts:
- Risk Management. Highlights site risk alerts, helping you prioritize mitigation activities and plan security improvements.
- Incident Response Highlights any active (unacknowledged) alerts on each site.
- Malicious Activity. Highlights malware alerts, which require immediate action.
- Operational Alerts. Highlights operational alerts, such as PLC stops and firmware or program uploads.
In any view but the Default View, your sites appear in red, yellow, or green. Red sites have alerts that require immediate action, yellow sites have alerts that justify investigation, and green sites require no action.
Select any site that's red or yellow, and then select the alerts button for a specific OT sensor to jump to that sensor's current alerts. For example:

The Alerts page opens, automatically filtered to the selected alerts.

View alerts by zone

To view alerts from connected OT sensors for a specific zone, use the Site Management page on an on-premises management console.

Sign into your on-premises management console and select Site Management.
Locate the site and zone you want to view, using the filtering options at the top as needed:
- Connectivity: Select to view only all OT sensors, or only connected / disconnected sensors only.
- Upgrade Status: Select to view all OT sensors, or only those with a specific software update status.
- Business Unit: Select to view all OT sensors, or only those from a specific business unit.
- Region: Select to view all OT sensors, or only those from a specific region.
Select the alerts button for a specific OT sensor to jump to that sensor's current alerts.

Manage alert status and triage alerts

Use the following options to manage alert status on your on-premises management console, depending on the alert type:

To acknowledge or unacknowledge an alert: In an expanded alert row, select ACKNOWLEDGE or UNACKNOWLEDGE as needed.
To mute or unmute an alert: In an expanded alert row, hover over the top of the row and select the Mute button or Unmute button as needed.