Onboard OT sensors to Defender for IoT
This article describes how to onboard sensors with Defender for IoT in the Azure portal.
Tip
As part of the onboarding process, you'll assign your sensor to a site and zone. Segmenting your network by sites and zones is an integral part of implementing a Zero Trust security strategy. Assigning sensors to specific sites and zones helps you monitor for unauthorized traffic crossing segments.
Data ingested from sensors in the same site or zone can be viewed together, segmented out from other data in your system. If there's sensor data that you want to view grouped together in the same site or zone, make sure to assign sensor sites and zones accordingly.
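To make the point of the tip concrete, the following is an added illustration (not Defender for IoT code, and not an API it exposes): once each monitored subnet is mapped to a site and zone, a flow whose source and destination fall in different zones, and that is not on an explicit allow list, is the "unauthorized traffic crossing segments" you want surfaced. The site names, zone names, subnets, allow list and flow records are all constructed sample data.

```python
"""Toy cross-zone traffic check (added example; not Defender for IoT code).

Sites, zones, subnets and flows below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed map: (site, zone) -> subnets watched by the sensor assigned there.
ZONES = {
    ("Plant-A", "Line-1"): [ip_network("10.10.1.0/24")],
    ("Plant-A", "Line-2"): [ip_network("10.10.2.0/24")],
    ("Plant-A", "DMZ"): [ip_network("10.10.100.0/24")],
}

# Constructed allow list of permitted cross-zone paths: (source, destination).
ALLOWED_CROSSINGS = {
    (("Plant-A", "DMZ"), ("Plant-A", "Line-1")),
    (("Plant-A", "DMZ"), ("Plant-A", "Line-2")),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str


def zone_of(addr: str):
    """Return the (site, zone) whose subnets contain addr, or None if unmapped."""
    ip = ip_address(addr)
    for key, nets in ZONES.items():
        if any(ip in n for n in nets):
            return key
    return None


def unauthorized_crossings(flows):
    """Return (flow, reason) for flows that cross zones without an allow-list
    entry, or that involve an address not assigned to any zone."""
    findings = []
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        if s is None or d is None:
            findings.append((f, "unmapped address"))
            continue
        if s == d:
            continue  # intra-zone traffic is expected
        if (s, d) not in ALLOWED_CROSSINGS:
            findings.append((f, f"cross-zone {s[1]} -> {d[1]}"))
    return findings


# Constructed flow records, as a sensor might summarise them.
SAMPLE_FLOWS = [
    Flow("10.10.1.15", "10.10.1.20", "modbus"),    # intra-zone: fine
    Flow("10.10.100.5", "10.10.1.20", "modbus"),   # DMZ -> Line-1: allowed
    Flow("10.10.1.15", "10.10.2.30", "s7comm"),    # Line-1 -> Line-2: not allowed
    Flow("192.168.50.9", "10.10.2.30", "ssh"),     # source not in any zone
]

if __name__ == "__main__":
    for flow, reason in unauthorized_crossings(SAMPLE_FLOWS):
        print(f"{flow.src} -> {flow.dst} ({flow.proto}): {reason}")
```

Two design choices worth noting: the allow list is keyed on full (site, zone) pairs, so two sites that both have a zone named "Line-1" are not conflated; and an address that maps to no zone is reported rather than silently skipped, because an unassigned segment is exactly the blind spot the site/zone assignment is meant to remove.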
Prerequisites
To perform the procedures in this article, you need:
An OT plan added in Defender for IoT in the Azure portal.
A clear understanding of where your OT network sensors are placed in your network, and how you want to segment your network into sites and zones.
Purchase sensors or download software for sensors
This procedure describes how to use the Azure portal to contact vendors for pre-configured appliances, or how to download software for you to install on your own appliances.
In the Azure portal, go to Defender for IoT > Getting started > Sensor.
Do one of the following steps:
To buy a pre-configured appliance, select Contact under Buy preconfigured appliance.
This link opens an email to hardware.sales@arrow.com with a template request for Defender for IoT appliances. For more information, see Pre-configured physical appliances for OT monitoring.
To install software on your own appliances, do the following:
Make sure that you have a supported appliance available. For more information, see Which appliances do I need?.
Under Select version, select the software version you want to install. We recommend that you always select the most recent version.
Select Download. Download the sensor software and save it in a location that you can access from your selected appliance.
All files downloaded from the Azure portal are signed from a root of trust, so that your machines use only signed assets.
Install your software. For more information, see Defender for IoT installation.
Onboard an OT sensor
This procedure describes how to onboard, or register, an OT network sensor with Defender for IoT and download a sensor activation file.
To onboard your OT sensor to Defender for IoT:
In the Azure portal, go to Defender for IoT > Getting started and select Set up OT/ICS Security.
Alternately, from the Defender for IoT Sites and sensors page, select Onboard OT sensor > OT.
By default, on the Set up OT/ICS Security page, Step 1: Did you set up a sensor? and Step 2: Configure SPAN port or TAP of the wizard are collapsed. If you haven't completed these steps, do so before continuing. For more information, see:
In Step 3: Register this sensor with Microsoft Defender for IoT enter or select the following values for your sensor:
In the Sensor name field, enter a meaningful name for your OT sensor.
We recommend including your OT sensor's IP address as part of the name, or using another easily identifiable name. Keep track of both the registration name shown in the Azure portal and the IP address shown in the OT sensor console, so that you can match the two later.
In the Subscription field, select your Azure subscription.
If you don't yet have a subscription to select, select Onboard subscription to add an OT plan to your Azure subscription.
(Optional) Toggle on the Cloud connected option to have your OT sensor connected to Azure services, such as Microsoft Sentinel. For more information, see Cloud-connected vs. local OT sensors.
(Optional) Toggle on the Automatic Threat Intelligence updates to have Defender for IoT automatically push threat intelligence packages to your OT sensor.
In the Sensor version field, verify that 22.X and above is selected.
If you're working with legacy OT sensor software, we recommend that you update your version. For more information, see Update Defender for IoT OT monitoring software.
In the Site section, enter the following details to define your OT sensor's site.
In the Resource name field, select the site you want to use for your OT sensor, or select Create site to create a new one.
In the Display name field, enter a meaningful name for your site to be shown across Defender for IoT in Azure.
(Optional) In the Tags > Key and Value fields, enter tag values to help you identify and locate your site and sensor in the Azure portal.
In the Zone field, select the zone you want to use for your OT sensor, or select Create zone to create a new one.
When you're done with all other fields, select Register.
A success message appears and your activation file is automatically downloaded. Your sensor is now shown under the configured site on the Defender for IoT Sites and sensors page.
Until you activate your sensor, the sensor's status shows as Pending Activation.
Make the downloaded activation file accessible to the sensor console admin so that they can activate the sensor.
All files downloaded from the Azure portal, including the activation file, are signed from a root of trust, so that your machines use only signed assets.
Next steps