Integrations with Microsoft and partner services
Integrate Microsoft Defender for IoT with partner services to view data from across your security stack data in Defender for IoT, or to view Defender for IoT data in one of your security ecosystem integrations.
Important
Defender for IoT is refreshing its security stack integrations to improve the overall robustness, scalability, and ease of maintenance of various security solutions.
If you're integrating your security solution with cloud-based systems, we recommend that you use data connectors through Microsoft Sentinel. For on-premises integrations, we recommend that you either configure your OT sensor to forward syslog events), or use Defender for IoT APIs.
The legacy Aruba ClearPass, Palo Alto Panorama, and Splunk integrations are supported through October 2024 using sensor version 23.1.3, and won't be supported in upcoming major software versions. For customers using legacy integration methods, we recommend moving your integrations to the standard cloud or on-premises methods.
Aruba ClearPass
| Name | Description | Support scope | Supported by | Learn more |
|---|---|---|---|---|
| Aruba ClearPass (cloud) | View Defender for IoT data together with Aruba ClearPass data, using Microsoft Sentinel to create custom dashboards, custom alerts, and improve your investigation ability. Connect to Microsoft Sentinel, and install the Aruba ClearPass data connector. |
- OT networks - Cloud-connected or locally managed OT sensors |
Microsoft | Microsoft Sentinel documentation |
| Aruba ClearPass (on-premises) | View Defender for IoT data together with Aruba ClearPass data by doing one of the following: - Configure your sensor to send syslog files directly to ClearPass. - |
- OT networks - Cloud-connected or locally managed OT sensors |
Microsoft | Forward on-premises OT alert information Defender for IoT API reference |
| Aruba ClearPass (legacy) | Share Defender for IoT data directly with ClearPass Security Exchange and update the ClearPass Policy Manager Endpoint Database with Defender for IoT data. | - OT networks - Locally managed sensors and on-premises management consoles |
Microsoft | Integrate ClearPass with Microsoft Defender for IoT |
Axonius
| Name | Description | Support scope | Supported by | Learn more |
|---|---|---|---|---|
| Axonius Cybersecurity Asset Management | Import and manage device inventory discovered by Defender for IoT in your Axonius instance. | - OT networks - Locally managed sensors and on-premises management consoles |
Axonius | Axonius documentation |
CyberArk PSM
| Name | Description | Support scope | Supported by | Learn more |
|---|---|---|---|---|
| CyberArk Privileged Session Manager (PSM) | Send CyberArk PSM syslog data on remote sessions and verification failures to Defender for IoT for data correlation. | - OT networks - Locally managed sensors and on-premises management consoles |
Microsoft | Integrate CyberArk with Microsoft Defender for IoT |
Forescout
| Name | Description | Support scope | Supported by | Learn more |
|---|---|---|---|---|
| Forescout | Automate actions in Forescout based on activity detected by Defender for IoT, and correlate Defender for IoT data with other Forescout eyeExtended modules that oversee monitoring, incident management, and device control. | - OT networks - Locally managed sensors and on-premises management consoles |
Microsoft | Integrate Forescout with Microsoft Defender for IoT |
Fortinet
| Name | Description | Support scope | Supported by | Learn more |
|---|---|---|---|---|
| Fortinet FortiSIEM and FortiGate | Send Defender for IoT data to Fortinet services for: - Enhanced network visibility in FortiSIEM - Extra abilities in FortiGate to stop anomalous behavior |
- OT networks - Locally managed sensors and on-premises management consoles |
Microsoft | Integrate Fortinet with Microsoft Defender for IoT |
IBM QRadar
| Name | Description | Support scope | Supported by | Learn more |
|---|---|---|---|---|
| IBM QRadar | Send Defender for IoT alerts to IBM QRadar | - OT networks - Cloud connected sensors |
Microsoft | Stream Defender for IoT cloud alerts to a partner SIEM |
| IBM QRadar | Forward Defender for IoT alerts to IBM QRadar. | - OT networks - Locally managed sensors and on-premises management consoles |
Microsoft | Integrate Qradar with Microsoft Defender for IoT |
LogRhythm
| Name | Description | Support scope | Supported by | Learn more |
|---|---|---|---|---|
| LogRhythm | Forward Defender for IoT alerts to LogRhythm. | - OT networks - Locally managed sensors and on-premises management consoles |
Microsoft | Integrate LogRhythm with Microsoft Defender for IoT |
Micro Focus ArcSight
| Name | Description | Support scope | Supported by | Learn more |
|---|---|---|---|---|
| Micro Focus ArcSight | Forward Defender for IoT alerts to ArcSight. | - OT networks - Locally managed sensors and on-premises management consoles |
Microsoft | Integrate ArcSight with Microsoft Defender for IoT |
Microsoft Defender for Endpoint
| Name | Description | Support scope | Supported by | Learn more |
|---|---|---|---|---|
| Microsoft Defender for Endpoint | Integrates Defender for IoT data in Defender for Endpoint's device inventory, alerts, recommendations, and vulnerabilities. Displays device data about Defender for Endpoint endpoints in the Defender for IoT Device inventory page on the Azure portal. | - Enterprise IoT networks and sensors | Microsoft | Onboard with Microsoft Defender for IoT |
Microsoft Sentinel
| Name | Description | Support scope | Supported by | Learn more |
|---|---|---|---|---|
| Defender for IoT data connector in Microsoft Sentinel (cloud) | Displays Defender for IoT cloud data in Microsoft Sentinel, supporting end-to-end SOC investigations for Defender for IoT alerts. Connects to other partner services, allowing you to synchronize your data between Defender for IoT and supported partner systems, across Microsoft Sentinel. |
- OT and Enterprise IoT networks - Cloud-connected sensors |
Microsoft | - OT threat monitoring in enterprise SOCs - Tutorial: Connect Microsoft Defender for IoT with Microsoft Sentinel - Tutorial: Investigate and detect threats for IoT devices |
| Microsoft Sentinel (on-premises) | View Defender for IoT data together with Microsoft Sentinel data by configuring your sensor to send syslog files directly to Microsoft Sentinel. | - OT networks - Cloud-connected or locally managed OT sensors |
Microsoft | Forward on-premises OT alert information |
| Microsoft Sentinel (legacy) | Send Defender for IoT alerts from on-premises resources to Microsoft Sentinel. | - OT networks - Locally managed sensors and on-premises management consoles |
Microsoft | Connect on-premises OT network sensors to Microsoft Sentinel |
Palo Alto
| Name | Description | Support scope | Supported by | Learn more |
|---|---|---|---|---|
| Palo Alto Panorama (cloud) | View Defender for IoT data together with Panorama data. Use Microsoft Sentinel solutions, which include out-of-the-box workbooks, hunting queries, automation playbooks, and analytics rules, or create custom dashboards, alerts, and more. Connect to Microsoft Sentinel, and install one or more of the following solutions: - Palo Alto PAN-OS Solution - Palo Alto Networks Cortex Data Lake Solution - Palo Alto Prisma Cloud CSPM solution |
- OT networks - Cloud-connected or locally managed OT sensors |
Microsoft | Microsoft Sentinel documentation: - Palo Alto PAN-OS Solution - Palo Alto Networks Cortex Data Lake Solution - Palo Alto Prisma Cloud CSPM solution |
| Palo Alto Panorama (on-premises) | View Defender for IoT data together with Panorama data by configuring your sensor to send syslog files directly to Palo Alto Panorama. | - OT networks - Cloud-connected or locally managed OT sensors |
Microsoft | Forward on-premises OT alert information |
| Palo Alto (legacy) | Use Defender for IoT data to block critical threats with Palo Alto firewalls, either with automatic blocking or with blocking recommendations. | - OT networks - Locally managed sensors and on-premises management consoles |
Microsoft | Integrate Palo-Alto with Microsoft Defender for IoT |
RSA NetWitness
| Name | Description | Support scope | Supported by | Learn more |
|---|---|---|---|---|
| RSA NetWitness | Forward Defender for IoT alerts to RSA NetWitness | - OT networks - Locally managed sensors and on-premises management consoles |
Microsoft | Integrate RSA NetWitness with Microsoft Defender for IoT Defender for IoT - RSA NetWitness CEF Parser Implementation Guide |
ServiceNow
| Name | Description | Support scope | Supported by | Learn more |
|---|---|---|---|---|
| Vulnerability Response Integration with Microsoft Azure Defender for IoT | View Defender for IoT device vulnerabilities in ServiceNow. | - Supports the Central Manager - Locally managed sensors and on-premises management consoles |
ServiceNow | ServiceNow store Integrate ServiceNow with Microsoft Defender for IoT |
| Vulnerability Response Integration with Defender for IoT (On-premises Management Console) | View Defender for IoT device vulnerabilities in ServiceNow. | - Supports the Central Manager - Locally managed sensors and on-premises management consoles |
ServiceNow | ServiceNow store Integrate ServiceNow with Microsoft Defender for IoT |
| Service Graph Connector Integration with Microsoft Azure Defender for IoT | View Defender for IoT device detections, sensors, and network connections in ServiceNow. | - Supports the Azure based sensor - Locally managed sensors and on-premises management consoles |
ServiceNow | ServiceNow store Integrate ServiceNow with Microsoft Defender for IoT |
| Service Graph Connector for Microsoft Defender for IoT (On-premises Management Console) | View Defender for IoT device detections, sensors, and network connections in ServiceNow. | - Supports the On Premises sensor - Locally managed sensors and on-premises management consoles |
ServiceNow | ServiceNow store Integrate ServiceNow with Microsoft Defender for IoT |
| Microsoft Defender for IoT (Legacy) | View Defender for IoT device detections and alerts in ServiceNow. | - Supports the Legacy version - Locally managed sensors and on-premises management consoles |
Microsoft | ServiceNow store Integrate ServiceNow with Microsoft Defender for IoT (legacy) |
Skybox
| Name | Description | Support scope | Supported by | Learn more |
|---|---|---|---|---|
| Skybox | Import vulnerability occurrence data discovered by Defender for IoT in your Skybox platform. | - OT networks - Locally managed sensors and on-premises management consoles |
Skybox | Skybox documentation Skybox integration page |
Splunk
| Name | Description | Support scope | Supported by | Learn more |
|---|---|---|---|---|
| Splunk (cloud) | Send Defender for IoT alerts to Splunk using one of the following methods: - Via the OT Security Add-on for Splunk, which widens your capacity to ingest and monitor OT assets and provides OT vulnerability management reports that help you comply with and audit for NERC CIP. - Via a SIEM that supports Event Hubs, such as Microsoft Sentinel |
- OT networks - Cloud-connected or locally managed OT sensors |
Microsoft and Splunk | - Splunk documentation on The OT Security Add-on for Splunk and installing add-ins - Stream Defender for IoT cloud alerts to a partner SIEM |
| Splunk (on-premises) | View Defender for IoT data together with Splunk data by configuring your sensor to send syslog files directly to Splunk. | - OT networks - Cloud-connected or locally managed OT sensors |
Microsoft | Forward on-premises OT alert information |
| Splunk (on-premises, legacy integration) | Send Defender for IoT alerts to Splunk | - OT networks - Locally managed sensors and on-premises management consoles |
Microsoft | Integrate Splunk with Microsoft Defender for IoT |
Next steps
For more information, see:
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for