Connect OT network sensors or on-premises management consoles to Microsoft Sentinel (legacy)

This article describes the legacy method for connecting your OT sensor or on-premises management console to Microsoft Sentinel. Stream data into Microsoft Sentinel whenever you want to use Microsoft Sentinel's advanced threat hunting, security analytics, and automation features when responding to security incidents and threats across your network.


If you're using a cloud-connected sensor, we recommend that you connect Defender for IoT data using the Microsoft Sentinel solution instead of the legacy integration method. For more information, see:


Before you start, make sure that you have the following prerequisites as needed:

Set up forwarding alert rules

  1. Sign in to your OT network sensor or on-premises management console and create a forwarding rule. For more information, see Forward on-premises OT alert information.

  2. When creating your forwarding rule, make sure to select Microsoft Sentinel as the Server value. For example, on the OT sensor:

    Screenshot of the Microsoft Sentinel option from the OT sensor.

  3. If you're using TLS encryption, make sure to select Enable encryption and upload your certificate and key files.

Select Save when you're done. Then test the rule to confirm that it works as expected.


To forward alert details to multiple Microsoft Sentinel instances, make sure to create a separate forwarding rule for each instance. Don't use the Add server option in the same forwarding rule to send data to multiple Microsoft Sentinel instances.
