This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
This article describes the legacy method for connecting your OT sensor to Microsoft Sentinel. Stream data into Microsoft Sentinel whenever you want to use Microsoft Sentinel's advanced threat hunting, security analytics, and automation features when responding to security incidents and threats across your network.
Important
This feature will be deprecated in January 2025.
If you're using a cloud connected sensor, we recommend that you connect Defender for IoT data using the Microsoft Sentinel solution instead of the legacy integration method. For more information, see:
Before you start, make sure that you have the following prerequisites as needed:
Access to the OT network sensor as an Admin user. For more information, see On-premises users and roles for OT monitoring with Defender for IoT.
A proxy machine prepared to send data to Microsoft Sentinel. For more information, see Get CEF-formatted logs from your device or appliance into Microsoft Sentinel.
If you want to encrypt the data you send to Microsoft Sentinel using TLS, make sure to generate a valid TLS certificate from the proxy server to use in your forwarding alert rule.
Sign into your OT network sensor and create a forwarding rule. For more information, see Forward on-premises OT alert information.
When creating your forwarding rule, make sure to select Microsoft Sentinel as the Server value. For example, on the OT sensor:
If you're using TLS encryption, make sure to select Enable encryption and upload your certificate and key files.
Select Save when you're done. Make sure to test the rule to make sure that it works as expected.
Important
To forward alert details to multiple Microsoft Sentinel instances, make sure to create a separate forwarding rule for each instance. Don't use the Add server option in the same forwarding rule to send data to multiple Microsoft Sentinel instances.
For more information, see:
Training
Learning path
SC-200: Connect logs to Microsoft Sentinel - Training
SC-200: Connect logs to Microsoft Sentinel
Certification
Microsoft Certified: Security Operations Analyst Associate - Certifications
Investigate, search for, and mitigate threats using Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender.
Documentation
Integrate with partner services - Microsoft Defender for IoT
Learn about supported integrations across your organization's security stack with Microsoft Defender for IoT.
Connect Microsoft Defender for IoT with Microsoft Sentinel - Microsoft Defender for IoT
This tutorial describes how to integrate Microsoft Sentinel and Microsoft Defender for IoT with the Microsoft Sentinel data connector to secure your entire environment. Detect and respond to threats, including multistage attacks that may cross IT and OT boundaries.
Investigate and detect threats for IoT devices - Microsoft Defender for IoT
This tutorial describes how to use the Microsoft Sentinel data connector and solution for Microsoft Defender for IoT to secure your entire environment. Detect and respond to threats, including multistage attacks that may cross IT and OT boundaries.