This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
This article describes how to send Microsoft Defender for IoT alerts to ArcSight. Integrating Defender for IoT with ArcSight provides visibility into the security and resiliency of OT networks and a unified approach to IT and OT security.
Before you begin, make sure that you have the following prerequisites:
To configure your ArcSight server settings so that it can receive Defender for IoT alert information:
For more information, see the ArcSight SmartConnectors Documentation.
This procedure describes how to create a forwarding rule from your OT sensor to send Defender for IoT alerts from that sensor to ArcSight.
Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created aren't affected by the rule.
For more information, see Forward alert information.
Sign in to your OT sensor console and select Forwarding.
Select + Create new rule.
In the Add forwarding rule pane, define the rule parameters:
| Parameter | Description |
|---|---|
| Rule name | Enter a meaningful name for your rule. |
| Minimal alert level | The minimal security level incident to forward. For example, if you select Minor, you're notified about all minor, major and critical incidents. |
| Any protocol detected | Toggle off to select the protocols you want to include in the rule. |
| Traffic detected by any engine | Toggle off to select the traffic you want to include in the rule. |
In the Actions area, define the following values:
| Parameter | Description |
|---|---|
| Server | Select ArcSight. |
| Host | The ArcSight server address. |
| Port | The ArcSight server port. |
| Timezone | Enter the timezone of the ArcSight server. |
Select Save to save your forwarding rule.
Training
Learning path
Deploy Microsoft Defender for IoT for OT monitoring - Training
Learn how to deploy Defender for IoT to discover and secure IoT and OT devices.
Certification
Microsoft Certified: Security Operations Analyst Associate - Certifications
Investigate, search for, and mitigate threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.