Defender for IoT CLI users and access

This article provides an introduction to the Microsoft Defender for IoT command line interface (CLI). The CLI is a text-based user interface that allows you to access your OT and Enterprise IoT sensors, and the on-premises management console, for advanced configuration, troubleshooting, and support.

To access the Defender for IoT CLI, you'll need access to the sensor or on-premises management console.

  • For OT sensors or the on-premises management console, you'll need to sign in as a privileged user.
  • For Enterprise IoT sensors, you can sign in as any user.


Only documented configuration parameters on the OT network sensor and on-premises management console are supported for customer configuration. Do not change any non-documented configuration parameters, as changes may cause unexpected behavior and system failures.

Privileged user access for OT monitoring

Privileged users for OT monitoring are pre-defined together with the OT monitoring software installation, as part of the hardened operating system.

  • On the OT sensor, users include the cyberx, support, and cyberx_host users.
  • On the on-premises management console, users include the cyberx and support users.

The following table describes the access available to each privileged user:

Name Connects to Permissions
support The OT sensor or on-premises management console's configuration shell A powerful administrative account with access to:
- All CLI commands
- The ability to manage log files
- Start and stop services

This user has no filesystem access
cyberx The OT sensor or on-premises management console's terminal (root) Serves as a root user and has unlimited privileges on the appliance.

Used only for the following tasks:
- Changing default passwords
- Troubleshooting
- Filesystem access
cyberx_host The OT sensor's host OS terminal (root) Serves as a root user and has unlimited privileges on the appliance host OS.

Used for:
- Network configuration
- Application container control
- Filesystem access


We recommend that customers using the Defender for IoT CLI use the support user whenever possible. Other CLI users cannot be added.

Supported users by CLI actions

The following tables list the activities available by CLI and the privileged users supported for each activity.

Appliance maintenance commands

Service area Users Actions
Sensor health support, cyberx Check OT monitoring services health
Restart and shutdown support, cyberx, cyberx_host Restart an appliance
Shut down an appliance
Software versions support, cyberx Show installed software version
Update software version
Date and time support, cyberx, cyberx_host Show current system date/time
NTP support, cyberx Turn on NTP time sync
Turn off NTP time sync

Backup and restore commands

Service area Users Actions
Backup files support, cyberx List current backup files
Start an immediate, unscheduled backup
Restore support, cyberx Restore data from the most recent backup
Backup disk space cyberx Display backup disk space allocation

TLS/SSL certificate commands

Service area Users Actions
Certificate management cyberx Import TLS/SSL certificates to your OT sensor
Restore the default self-signed certificate

Local user management commands

Service area Users Actions
Password management cyberx, cyberx_host Change local user passwords
configuration support, cyberx, cyberx_host Control user session timeouts
configuration cyberx Define maximum number of failed sign-ins

Network configuration commands

Service area Users Actions
Network setting configuration cyberx_host Change networking configuration or reassign network interface roles
Network setting configuration support Validate and show network interface configuration
Network connectivity support, cyberx Check network connectivity from the OT sensor
Network connectivity cyberx Check network interface current load
Check internet connection
Network bandwidth limit cyberx Set bandwidth limit for the management network interface
Physical interfaces management support Locate a physical port by blinking interface lights
Physical interfaces management support, cyberx List connected physical interfaces

Traffic capture filter commands

Service area Users Actions
Capture filter management support, cyberx Create a basic filter for all components
Create an advanced filter for specific components
List current capture filters for specific components
Reset all capture filters

Alert commands

Service area Users Actions
Alert functionality testing cyberx Trigger a test alert
Alert exclusion rules support, cyberx Show current alert exclusion rules
Create a new alert exclusion rule
Modify an alert exclusion rule
Delete an alert exclusion rule

Defender for IoT CLI access

To access the Defender for IoT CLI, sign in to your OT or Enterprise IoT sensor or your on-premises management console using a terminal emulator and SSH.

  • On a Windows system, use PuTTY or another similar application.
  • On a Mac system, use Terminal.
  • On a virtual appliance, access the CLI via SSH, the vSphere client, or Hyper-V Manager. Connect to the virtual appliance's management interface IP address via port 22.

Each CLI command on an OT network sensor or on-premises management console is supported a different set of privileged users, as noted in the relevant CLI descriptions. Make sure you sign in as the user required for the command you want to run. For more information, see Privileged user access for OT monitoring.

Sign out of the CLI

Make sure to properly sign out of the CLI when you're done using it. You're automatically signed out after an inactive period of 300 seconds.

To sign out manually on an OT sensor or on-premises management console, run one of the following commands:

User Command
support logout
cyberx cyberx-xsense-logout
cyberx_host logout

Next steps

You can also control and monitor your cloud connected sensors from the Defender for IoT Sites and sensors page. For more information, see Manage sensors with Defender for IoT in the Azure portal.