Tutorial: Integrate Splunk with Microsoft Defender for IoT

This tutorial shows how to integrate and use Splunk with Microsoft Defender for IoT.

Defender for IoT mitigates IIoT, ICS, and SCADA risk with patented, ICS-aware self-learning engines that deliver immediate insights about ICS devices, vulnerabilities, and threats in less than an hour, without relying on agents, rules or signatures, specialized skills, or prior knowledge of the environment.

To address a lack of visibility into the security and resiliency of OT networks, Defender for IoT developed the Defender for IoT, IIoT, and ICS threat monitoring application for Splunk, a native integration between Defender for IoT and Splunk that enables a unified approach to IT and OT security.

The application provides SOC analysts with multidimensional visibility into the specialized OT protocols and IIoT devices deployed in industrial environments, along with ICS-aware behavioral analytics to rapidly detect suspicious or anomalous behavior. The application also enables both IT and OT incident response from within one corporate SOC. This is an important evolution given the ongoing convergence of IT and OT to support new IIoT initiatives, such as smart machines and real-time intelligence.

The Splunk application can be installed locally ('Splunk Enterprise') or run in the cloud ('Splunk Cloud'). The Defender for IoT integration supports 'Splunk Enterprise' only.


References to CyberX refer to Microsoft Defender for IoT.

In this tutorial, you learn how to:

  • Download the Defender for IoT application in Splunk
  • Send Defender for IoT alerts to Splunk

If you don't have an Azure subscription, create a free account before you begin.


Version requirements

The following versions are required for the application to run.

  • Defender for IoT version 2.4 and above.

  • Splunkbase version 11 and above.

  • Splunk Enterprise version 7.2 and above.

Splunk permission requirements

The following Splunk permission is required:

  • Any user with an Admin level user role.

Download the Defender for IoT application in Splunk

To access the Defender for IoT application within Splunk, you will need to download the application from the Splunkbase application store.

To access the Defender for IoT application in Splunk:

  1. Navigate to the Splunkbase application store.

  2. Search for CyberX ICS Threat Monitoring for Splunk.

  3. Select the CyberX ICS Threat Monitoring for Splunk application.


Send Defender for IoT alerts to Splunk

Defender for IoT alerts provide information about an extensive range of security events. These events include:

  • Deviations from the learned baseline network activity.

  • Malware detections.

  • Detections based on suspicious operational changes.

  • Network anomalies.

  • Protocol deviations from protocol specifications.

    Screenshot: an Address Scan Detected alert.

You can also configure Defender for IoT to send alerts to the Splunk server, where alert information is displayed in the Splunk Enterprise dashboard.

Screenshot: view all of the alerts and their details.

To send alert information from Defender for IoT to the Splunk server, you will need to create a forwarding rule.

Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.

To create the forwarding rule:

  1. Sign in to the sensor, and select Forwarding from the left side pane.

  2. Select Create new rule.

  3. In the Add forwarding rule dialog box, define the rule parameters.

    Screenshot: creating the forwarding rule.

    Parameter             Description
    Name                  The forwarding rule name.
    Select Severity       The minimal severity level of incidents to forward. For example, if Minor is selected, minor alerts and any alert above this severity level will be forwarded.
    Protocols             By default, all protocols are selected. To restrict the rule to specific protocols, select Specific and select the protocols for which this rule applies.
    Engines               By default, all security engines are included. To restrict the rule to specific engines, select Specific and select the engines for which this rule applies.
    System Notifications  Forward sensor system notifications to the Splunk server, for example the online/offline status of connected sensors. This option is only available if you have signed in to the Central Manager.

  4. Select Action, and then select Send to Splunk Server.

  5. Enter the following Splunk parameters.

    Parameter   Description
    Host        Splunk server address
    Port        8089 (the default Splunk management port)
    Username    Splunk server username
    Password    Splunk server password

  6. Select Submit.
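As an added illustration (not Defender for IoT's or Splunk's own code), the model below shows which alerts a forwarding rule with the parameters from the table above would pass on to Splunk, including the rule that only alerts triggered after the rule was created are forwarded. The severity ranking, the engine and protocol names, and the sample alerts are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, List

# Assumed severity ranking (Defender for IoT orders alerts
# Critical > Major > Minor > Warning); higher number = more severe.
SEVERITY_RANK = {"Warning": 0, "Minor": 1, "Major": 2, "Critical": 3}

@dataclass
class Alert:
    title: str
    severity: str
    protocol: str
    engine: str
    triggered_at: datetime

@dataclass
class ForwardingRule:
    name: str
    min_severity: str            # "Select Severity" in the dialog box
    created_at: datetime
    protocols: Optional[Set[str]] = None   # None = all protocols
    engines: Optional[Set[str]] = None     # None = all engines

def should_forward(rule: ForwardingRule, alert: Alert) -> bool:
    """Return True if the rule would send this alert to the Splunk server."""
    # Forwarding rules act only on alerts triggered after the rule was created.
    if alert.triggered_at <= rule.created_at:
        return False
    # Minimal severity: the selected level and every level above it.
    if SEVERITY_RANK[alert.severity] < SEVERITY_RANK[rule.min_severity]:
        return False
    if rule.protocols is not None and alert.protocol not in rule.protocols:
        return False
    if rule.engines is not None and alert.engine not in rule.engines:
        return False
    return True

def forwarded_titles(rule: ForwardingRule, alerts: List[Alert]) -> List[str]:
    return [a.title for a in alerts if should_forward(rule, a)]

# Constructed sample data: rule created at T0, Minor and above, Modbus/DNP3 only.
T0 = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)
RULE = ForwardingRule("OT alerts to Splunk", "Minor", T0, protocols={"Modbus", "DNP3"})
ALERTS = [
    Alert("Address Scan Detected", "Major", "Modbus", "Anomaly", T0 + timedelta(minutes=10)),
    Alert("Unauthorized Modbus write", "Minor", "Modbus", "Policy Violation", T0 + timedelta(minutes=20)),
    Alert("Illegal DNP3 function code", "Warning", "DNP3", "Protocol Violation", T0 + timedelta(minutes=30)),
    Alert("Suspicious malware traffic", "Critical", "HTTP", "Malware", T0 + timedelta(minutes=40)),
    Alert("PLC stop command", "Critical", "Modbus", "Operational", T0 - timedelta(minutes=60)),
]
```

Running `forwarded_titles(RULE, ALERTS)` forwards only the first two alerts: the Warning alert is below the minimal severity, the HTTP alert is outside the selected protocols, and the last alert predates the rule.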

Clean up resources

There are no resources to clean up.

Next steps

In this tutorial, you learned how to get started with the Splunk integration. Continue on to learn how to Integrate ServiceNow with Microsoft Defender for IoT.