Create a learned baseline of OT alerts
This article is one in a series of articles describing the deployment path for OT monitoring with Microsoft Defender for IoT, and describes how to create a baseline of learned traffic on your OT sensor.
Understand learning mode
An OT network sensor starts monitoring your network automatically after it's connected to the network and you've signed in. Network devices start appearing in your device inventory, and alerts are triggered for any security or operational incidents that occur in your network.
Initially, this activity happens in learning mode, which instructs your OT sensor to learn your network's usual activity, including the devices and protocols in your network, and the regular file transfers that occur between specific devices. Any regularly detected activity becomes your network's baseline traffic.
Tip
Use your time in learning mode to triage your alerts and Learn those that you want to mark as authorized, expected activity. Learned traffic doesn't generate new alerts the next time the same traffic is detected.
After learning mode is turned off, any activity that differs from your baseline data will trigger an alert.
For more information, see Microsoft Defender for IoT alerts.
Learn mode timeline
Creating your baseline of OT alerts can take anywhere from a few days to several weeks, depending on your network size and complexity. Learning mode automatically turns off when the sensor detects a decrease in newly detected traffic, which is typically between 2-6 weeks after deployment.
Turn off learning mode manually before then if you feel that the current alerts accurately reflect your network activity.
Prerequisites
You can perform the procedures in this article from the Azure portal, an OT sensor, or an on-premises management console.
Before you start, make sure that you have:
An OT sensor installed, configured, and activated, with alerts being triggered by detected traffic.
Access to your OT sensor as Security Analyst or Admin user. For more information, see On-premises users and roles for OT monitoring with Defender for IoT.
Triage alerts
Triage alerts towards the end of your deployment to create an initial baseline for your network activity.
Sign into your OT sensor and select the Alerts page.
Use sorting and grouping options to view your most critical alerts first. Review each alert to update statuses and learn alerts for OT authorized traffic.
For more information, see View and manage alerts on your OT sensor.
Next steps
After learning mode is turned off, you've moved from learning mode to operation mode. Continue with any of the following:
- Visualize Microsoft Defender for IoT data with Azure Monitor workbooks
- View and manage alerts from the Azure portal
- Manage your device inventory from the Azure portal
Integrate Defender for IoT data with Microsoft Sentinel to unify your SOC team's security monitoring. For more information, see:
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for