What's new in Microsoft Defender for IoT?
This article describes features available in Microsoft Defender for IoT, across both OT and Enterprise IoT networks, both on-premises and in the Azure portal, and for versions released in the last nine months.
Features released earlier than nine months ago are described in the What's new archive for Microsoft Defender for IoT for organizations. For more information specific to OT monitoring software versions, see OT monitoring software release notes.
Note
Noted features listed below are in PREVIEW. The Azure Preview Supplemental Terms include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
May 2023
Service area | Updates |
---|---|
OT networks | Sensor versions 22.3.x and higher: - Configure Active Directory and NTP settings in the Azure portal |
Configure Active Directory and NTP settings in the Azure portal
Now you can configure Active Directory and NTP settings for your OT sensors remotely from the Sites and sensors page in the Azure portal. These settings are available for OT sensor versions 22.3.x and higher.
For more information, see Sensor setting reference.
April 2023
Service area | Updates |
---|---|
Documentation | End-to-end deployment guides |
OT networks | Sensor version 22.3.8: - Proxy support for client SSL/TLS certificates - Download WMI script from OT sensor console - Automatically resolved OS notifications - UI enhancement when uploading SSL/TLS certificates |
End-to-end deployment guides
The Defender for IoT documentation now includes a new Deploy section, with a full set of deployment guides for the following scenarios:
- Standard deployment for OT monitoring
- Air-gapped deployment for OT monitoring with an on-premises sensor management
- Enterprise IoT deployment
For example, the recommended deployment for OT monitoring is broken down into a series of steps, each of which is detailed in our new articles.
The step-by-step instructions in each section are intended to help customers optimize for success and deploy for Zero Trust. Navigational elements on each page, including flow charts at the top and Next steps links at the bottom, indicate where you are in the process, what you've just completed, and what your next step should be.
For more information, see Deploy Defender for IoT for OT monitoring.
Proxy support for client SSL/TLS certificates
A client SSL/TLS certificate is required for proxy servers that inspect SSL/TLS traffic, such as when using services like Zscaler and Palo Alto Prisma. Starting in version 22.3.8, you can upload a client certificate through the OT sensor console.
For more information, see Configure a proxy.
Download WMI script from OT sensor console
The script used to configure OT sensors to detect Microsoft Windows workstations and servers is now available for download from the OT sensor itself.
For more information, see Download the script.
Automatically resolved OS notifications
After updating your OT sensor to version 22.3.8, no new device notifications for Operating system changes are generated. Existing Operating system changes notifications are automatically resolved if they aren't dismissed or otherwise handled within 14 days.
For more information, see Device notification responses.
UI enhancement when uploading SSL/TLS certificates
The OT sensor version 22.3.8 has an enhanced SSL/TLS Certificates configuration page for defining your SSL/TLS certificate settings and deploying a CA-signed certificate.
For more information, see Manage SSL/TLS certificates.
March 2023
Service area | Updates |
---|---|
OT networks | Sensor version 22.3.6/22.3.7: - Support for transient devices - Learn DNS traffic by configuring allowlists - Device data retention updates - UI enhancements when uploading SSL/TLS certificates - Activation files expiration updates - UI enhancements for managing the device inventory - Updated severity for all Suspicion of Malicious Activity alerts - Automatically resolved device notifications Version 22.3.7 includes the same features as 22.3.6. If you have version 22.3.6 installed, we strongly recommend that you update to version 22.3.7, which also includes important bug fixes. Cloud features: - New Microsoft Sentinel incident experience for Defender for IoT |
Support for transient devices
Defender for IoT now identifies transient devices as a unique device type that represents devices that were detected for only a short time. We recommend investigating these devices carefully to understand their impact on your network.
For more information, see Defender for IoT device inventory and Manage your device inventory from the Azure portal.
Learn DNS traffic by configuring allowlists
The support user can now decrease the number of unauthorized internet alerts by creating an allowlist of domain names on your OT sensor.
When a DNS allowlist is configured, the sensor checks each unauthorized internet connectivity attempt against the list before triggering an alert. If the domain's FQDN is included in the allowlist, the sensor doesn’t trigger the alert and allows the traffic automatically.
All OT sensor users can view the list of allowed DNS domains and their resolved IP addresses in data mining reports.
For more information, see Allow internet connections on an OT network and Create data mining queries.
Device data retention updates
The device data retention period on the OT sensor and on-premises management console has been updated to 90 days from the date of the Last activity value.
For more information, see Device data retention periods.
UI enhancements when uploading SSL/TLS certificates
The OT sensor version 22.3.6 has an enhanced SSL/TLS Certificates configuration page for defining your SSL/TLS certificate settings and deploying a CA-signed certificate.
For more information, see Deploy an SSL/TLS certificate.
Activation files expiration updates
Activation files on locally-managed OT sensors now remain activated for as long as your Defender for IoT plan is active on your Azure subscription, just like activation files on cloud-connected OT sensors.
You'll only need to update your activation file if you're updating an OT sensor from a legacy version or switching the sensor management mode, such as moving from locally-managed to cloud-connected.
For more information, see Manage individual sensors.
UI enhancements for managing the device inventory
The following enhancements were added to the OT sensor's device inventory in version 22.3.6:
- A smoother process for editing device details on the OT sensor. Edit device details directly from the device inventory page on the OT sensor console using the new Edit button in the toolbar at the top of the page.
- The OT sensor now supports deleting multiple devices simultaneously.
- The procedures for merging and deleting devices now include confirmation messages that appear when the action has completed.
For more information, see Manage your OT device inventory from a sensor console.
Updated severity for all Suspicion of Malicious Activity alerts
All alerts with the Suspicion of Malicious Activity category now have a severity of Critical.
For more information, see Malware engine alerts.
Automatically resolved device notifications
Starting in version 22.3.6, selected notifications on the OT sensor's Device map page are now automatically resolved if they aren't dismissed or otherwise handled within 14 days.
After updating your sensor version, the Inactive devices and New OT devices notifications no longer appear. While any Inactive devices notifications that are left over from before the update are automatically dismissed, you may still have legacy New OT devices notifications to handle. Handle these notifications as needed to remove them from your sensor.
For more information, see Manage device notifications.
New Microsoft Sentinel incident experience for Defender for IoT
Microsoft Sentinel's new incident experience includes specific features for Defender for IoT customers. When investigating OT/IoT-related incidents, SOC analysts can now use the following enhancements on incident details pages:
- View related sites, zones, sensors, and device importance to better understand an incident's business impact and physical location.
- Review an aggregated timeline of affected devices and related device details, instead of investigating on separate entity details pages for the related devices.
- Review OT alert remediation steps directly on the incident details page.
For more information, see Tutorial: Investigate and detect threats for IoT devices and Navigate and investigate incidents in Microsoft Sentinel.
February 2023
Service area | Updates |
---|---|
OT networks | Cloud features: - Microsoft Sentinel: Microsoft Defender for IoT solution version 2.0.2 - Download updates from the Sites and sensors page (Public preview) - Alerts page GA in the Azure portal - Device inventory GA in the Azure portal - Device inventory grouping enhancements (Public preview) - Focused inventory in the Azure device inventory (Public preview) Sensor version 22.2.3: Configure OT sensor settings from the Azure portal (Public preview) |
Enterprise IoT networks | Cloud features: Alerts page GA in the Azure portal |
Microsoft Sentinel: Microsoft Defender for IoT solution version 2.0.2
Version 2.0.2 of the Microsoft Defender for IoT solution is now available in the Microsoft Sentinel content hub, with improvements in analytics rules for incident creation, an enhanced incident details page, and performance improvements for analytics rule queries.
For more information, see:
- Tutorial: Investigate and detect threats for IoT devices
- Microsoft Defender for IoT solution versions in Microsoft Sentinel
Download updates from the Sites and sensors page (Public preview)
If you're running a local software update on your OT sensor or on-premises management console, the Sites and sensors page now provides a new wizard for downloading your update packages, accessed via the Sensor update (Preview) menu.
Threat intelligence updates are also now available only from the Sites and sensors page > Threat intelligence update (Preview) option.
Update packages for the on-premises management console are also available from the Getting started > On-premises management console tab.
For more information, see:
- Update Defender for IoT OT monitoring software
- Update threat intelligence packages
- OT monitoring software versions
Device inventory GA in the Azure portal
The Device inventory page in the Azure portal is now Generally Available (GA), providing a centralized view across all your detected devices, at scale.
Defender for IoT's device inventory helps you identify details about specific devices, such as manufacturer, type, serial number, firmware, and more. Gathering details about your devices helps your teams proactively investigate vulnerabilities that can compromise your most critical assets.
- Manage all your IoT/OT devices by building an up-to-date inventory that includes all your managed and unmanaged devices.
- Protect devices with a risk-based approach: identify risks such as missing patches and vulnerabilities, and prioritize fixes based on risk scoring and automated threat modeling.
- Update your inventory by deleting irrelevant devices and adding organization-specific information to reflect your organization's preferences.
The Device inventory GA includes the following UI enhancements:
Enhancement | Description |
---|---|
Grid-level enhancements | - Export the entire device inventory to review offline and compare notes with your teams - Delete irrelevant devices that no longer exist or are no longer functional - Merge devices to fine-tune the device list if the sensor has discovered separate network entities that are associated with a single, unique device. For example, a PLC with four network cards, a laptop with both WiFi and a physical network card, or a single workstation with multiple network cards. - Edit your table views to reflect only the data you are interested in viewing |
Device-level enhancements | - Edit device details by annotating organization-specific contextual details, such as relative importance, descriptive tags, and business function information |
Filter and search enhancements | - Run deep searches on any device inventory field to quickly find the devices that matter most - Filter the device inventory by any field. For example, filter by Type to identify Industrial devices, or time fields to determine active and inactive devices. |
Rich security, governance and admin controls also provide the ability to assign admins, restricting who can merge, delete and edit devices on an owner’s behalf.
Device inventory grouping enhancements (Public preview)
The Device inventory page on the Azure portal supports new grouping categories. Now you can group your device inventory by class, data source, location, Purdue level, site, type, vendor, and zone. For more information, see View full device details.
Focused inventory in the Azure device inventory (Public preview)
The Device inventory page on the Azure portal now includes a network location indication for your devices, to help focus your device inventory on the devices within your IoT/OT scope.
See and filter which devices are defined as local or routed, according to your configured subnets. The Network location filter is on by default. Add the Network location column by editing the columns in the device inventory. Configure your subnets either on the Azure portal or on your OT sensor. For more information, see:
- Manage your device inventory from the Azure portal
- Configure OT sensor settings from the Azure portal
- Define OT and IoT subnets on the OT sensor
Configure OT sensor settings from the Azure portal (Public preview)
For sensor versions 22.2.3 and higher, you can now configure selected settings for cloud-connected sensors using the new Sensor settings (Preview) page, accessed via the Azure portal's Sites and sensors page.
For more information, see Define and view OT sensor settings from the Azure portal (Public preview).
Alerts GA in the Azure portal
The Alerts page in the Azure portal is now out for General Availability. Microsoft Defender for IoT alerts enhance your network security and operations with real-time details about events detected in your network. Alerts are triggered when OT or Enterprise IoT network sensors, or the Defender for IoT micro agent, detect changes or suspicious activity in network traffic that needs your attention.
Specific alerts triggered by the Enterprise IoT sensor currently remain in public preview.
For more information, see:
- View and manage alerts from the Azure portal
- Investigate and respond to an OT network alert
- OT monitoring alert types and descriptions
January 2023
Service area | Updates |
---|---|
OT networks | Sensor version 22.3.4: Azure connectivity status shown on OT sensors Sensor version 22.2.3: Update sensor software from the Azure portal |
Update sensor software from the Azure portal (Public preview)
For cloud-connected sensor versions 22.2.3 and higher, now you can update your sensor software directly from the new Sites and sensors page on the Azure portal.
For more information, see Update your sensors from the Azure portal.
Azure connectivity status shown on OT sensors
Details about Azure connectivity status are now shown on the Overview page in OT network sensors, and errors are shown if the sensor's connection to Azure is lost.
For more information, see Manage individual sensors and Onboard OT sensors to Defender for IoT.
December 2022
Service area | Updates |
---|---|
OT networks | New purchase experience for OT plans |
Enterprise IoT networks | Enterprise IoT sensor alerts and recommendations (Public Preview) |
Enterprise IoT sensor alerts and recommendations (Public Preview)
The Azure portal now provides the following additional security data for traffic detected by Enterprise IoT network sensors:
Data type | Description |
---|---|
Alerts | The Enterprise IoT network sensor now triggers the following alerts: - Connection Attempt to Known Malicious IP - Malicious Domain Name Request |
Recommendations | The Enterprise IoT network sensor now triggers the following recommendation for detected devices, as relevant: Disable insecure administration protocol |
For more information, see:
- Malware engine alerts
- View and manage alerts from the Azure portal
- Enhance security posture with security recommendations
- Discover Enterprise IoT devices with an Enterprise IoT network sensor (Public preview)
New purchase experience for OT plans
The Plans and pricing page in the Azure portal now includes a new enhanced purchase experience for Defender for IoT plans for OT networks. Edit your OT plan in the Azure portal, for example to change your plan from a trial to a monthly or annual commitment, or update the number of devices or sites.
For more information, see Manage OT plans on Azure subscriptions.
November 2022
Service area | Updates |
---|---|
OT networks | - Sensor versions 22.x and later: Site-based access control on the Azure portal (Public preview) - All OT sensor versions: New OT monitoring software release notes |
Site-based access control on the Azure portal (Public preview)
For sensor software versions 22.x, Defender for IoT now supports site-based access control, which allows customers to control user access to Defender for IoT features on the Azure portal at the site level.
For example, apply the Security Reader, Security Admin, Contributor, or Owner roles to determine user access to Azure resources such as the Alerts, Device inventory, or Workbooks pages.
To manage site-based access control, select the site in the Sites and sensors page, and then select the Manage site access control (Preview) link.
For more information, see Manage OT monitoring users on the Azure portal and Azure user roles for OT and Enterprise IoT monitoring.
Note
Sites, and therefore site-based access control, are relevant only for OT network monitoring.
New OT monitoring software release notes
Defender for IoT documentation now has a new release notes page dedicated to OT monitoring software, with details about our version support models and update recommendations.
We continue to update this article, our main What's new page, with new features and enhancements for both OT and Enterprise IoT networks. New items listed include both on-premises and cloud features, and are listed by month.
In contrast, the new OT monitoring software release notes list only OT network monitoring updates that require you to update your on-premises software. Items are listed by major and patch versions, with an aggregated table of versions, dates, and scope.
For more information, see OT monitoring software release notes.
October 2022
Service area | Updates |
---|---|
OT networks | Enhanced OT monitoring alert reference |
Enhanced OT monitoring alert reference
Our alert reference article now includes the following details for each alert:
- Alert category, helpful when you want to investigate alerts that are aggregated by a specific activity or configure SIEM rules to generate incidents based on specific activities.
- Alert threshold, for relevant alerts. Thresholds indicate the specific point at which an alert is triggered. The cyberx user can modify alert thresholds as needed from the sensor's Support page.
For more information, see OT monitoring alert types and descriptions, specifically Supported alert categories.
September 2022
Service area | Updates |
---|---|
OT networks | All supported OT sensor software versions: - Device vulnerabilities from the Azure portal - Security recommendations for OT networks All OT sensor software versions 22.x: Updates for Azure cloud connection firewall rules Sensor software version 22.2.7: - Bug fixes and stability improvements Sensor software version 22.2.6: - Bug fixes and stability improvements - Enhancements to the device type classification algorithm Microsoft Sentinel integration: - Investigation enhancements with IoT device entities - Updates to the Microsoft Defender for IoT solution |
Security recommendations for OT networks (Public preview)
Defender for IoT now provides security recommendations to help customers manage their OT/IoT network security posture. Defender for IoT recommendations help users form actionable, prioritized mitigation plans that address the unique challenges of OT/IoT networks. Use recommendations to lower your network's risk and attack surface.
You can see the following security recommendations from the Azure portal for detected devices across your networks:
- Review PLC operating mode. Devices with this recommendation are PLCs found in an unsecure operating mode state. We recommend setting the PLC operating mode to the Secure Run state whenever programming access to the PLC is no longer required, to reduce the threat of malicious PLC programming.
- Review unauthorized devices. Devices with this recommendation must be identified and authorized as part of the network baseline. We recommend taking action to identify any indicated devices. Disconnect any devices from your network that remain unknown even after investigation to reduce the threat of rogue or potentially malicious devices.
Access security recommendations from one of the following locations:
- The Recommendations page, which displays all current recommendations across all detected OT devices.
- The Recommendations tab on a device details page, which displays all current recommendations for the selected device.
From either location, select a recommendation to drill down further and view lists of all detected OT devices that are currently in a healthy or unhealthy state, according to the selected recommendation. From the Unhealthy devices or Healthy devices tab, select a device link to jump to the selected device details page.
For more information, see View the device inventory and Enhance security posture with security recommendations.
Device vulnerabilities from the Azure portal (Public preview)
Defender for IoT now provides vulnerability data in the Azure portal for detected OT network devices. Vulnerability data is based on the repository of standards-based vulnerability data documented at the US government National Vulnerability Database (NVD).
Access vulnerability data in the Azure portal from the following locations:
- On a device details page, select the Vulnerabilities tab to view current vulnerabilities on the selected device. For example, from the Device inventory page, select a specific device and then select Vulnerabilities. For more information, see View the device inventory.
- A new Vulnerabilities workbook displays vulnerability data across all monitored OT devices. Use the Vulnerabilities workbook to view data like CVEs by severity or vendor, and full lists of detected vulnerabilities and vulnerable devices and components. Select an item in the Device vulnerabilities, Vulnerable devices, or Vulnerable components tables to view related information in the tables on the right. For more information, see Use Azure Monitor workbooks in Microsoft Defender for IoT.
Updates for Azure cloud connection firewall rules (Public preview)
OT network sensors connect to Azure to provide alert and device data and sensor health messages, access threat intelligence packages, and more. Connected Azure services include IoT Hub, Blob Storage, Event Hubs, and the Microsoft Download Center.
For OT sensors with software versions 22.x and higher, Defender for IoT now supports increased security when adding outbound allow rules for connections to Azure. Now you can define your outbound allow rules to connect to Azure without using wildcards.
When defining outbound allow rules to connect to Azure, you'll need to enable HTTPS traffic to each of the required endpoints on port 443. Outbound allow rules are defined once for all OT sensors onboarded to the same subscription.
For supported sensor versions, download the full list of required secure endpoints from the following locations in the Azure portal:
- A successful sensor registration page: After onboarding a new OT sensor, version 22.x, the successful registration page now provides instructions for next steps, including a link to the endpoints you'll need to add as secure outbound allow rules on your network. Select the Download endpoint details link to download the JSON file.
- The Sites and sensors page: Select an OT sensor with software versions 22.x or higher, or a site with one or more supported sensor versions. Then, select More actions > Download endpoint details to download the JSON file.
For more information, see:
- Tutorial: Get started with Microsoft Defender for IoT for OT security
- Manage sensors with Defender for IoT in the Azure portal
- Networking requirements
Investigation enhancements with IoT device entities in Microsoft Sentinel
Defender for IoT's integration with Microsoft Sentinel now supports an IoT device entity page. When investigating incidents and monitoring IoT security in Microsoft Sentinel, you can now identify your most sensitive devices and jump directly to more details on each device entity page.
The IoT device entity page provides contextual device information about an IoT device, with basic device details and device owner contact information. Device owners are defined by site in the Sites and sensors page in Defender for IoT.
The IoT device entity page can help prioritize remediation based on device importance and business impact, as per each alert's site, zone, and sensor.
You can also now hunt for vulnerable devices on the Microsoft Sentinel Entity behavior page. For example, view the top five IoT devices with the highest number of alerts, or search for a device by IP address or device name.
For more information, see Investigate further with IoT device entities and Site management options from the Azure portal.
Updates to the Microsoft Defender for IoT solution in Microsoft Sentinel's content hub
This month, we've released version 2.0 of the Microsoft Defender for IoT solution in Microsoft Sentinel's content hub, previously known as the IoT/OT Threat Monitoring with Defender for IoT solution.
Updates in this version of the solution include:
- A name change. If you'd previously installed the IoT/OT Threat Monitoring with Defender for IoT solution in your Microsoft Sentinel workspace, the solution is automatically renamed to Microsoft Defender for IoT, even if you don't update the solution.
- Workbook improvements: The Defender for IoT workbook now includes:
  - A new Overview dashboard with key metrics on the device inventory, threat detection, and security posture.
  - A new Vulnerabilities dashboard with details about CVEs shown in your network and their related vulnerable devices.
  - Improvements on the Device inventory dashboard, including access to device recommendations, vulnerabilities, and direct links to the Defender for IoT device details pages. The Device inventory dashboard in the IoT/OT Threat Monitoring with Defender for IoT workbook is fully aligned with the Defender for IoT device inventory data.
- Playbook updates: The Microsoft Defender for IoT solution now supports the following SOC automation functionality with new playbooks:
  - Automation with CVE details: Use the AD4IoT-CVEAutoWorkflow playbook to enrich incident comments with CVEs of related devices based on Defender for IoT data. The incidents are triaged, and if the CVE is critical, the asset owner is notified about the incident by email.
  - Automation for email notifications to device owners: Use the AD4IoT-SendEmailtoIoTOwner playbook to have a notification email automatically sent to a device's owner about new incidents. Device owners can then reply to the email to update the incident as needed. Device owners are defined at the site level in Defender for IoT.
  - Automation for incidents with sensitive devices: Use the AD4IoT-AutoTriageIncident playbook to automatically update an incident's severity based on the devices involved in the incident, and their sensitivity level or importance to your organization. For example, any incident involving a sensitive device can be automatically escalated to a higher severity level.
For more information, see Investigate Microsoft Defender for IoT incidents with Microsoft Sentinel.
August 2022
Service area | Updates |
---|---|
OT networks | Sensor software version 22.2.5: Minor version with stability improvements Sensor software version 22.2.4: New alert columns with timestamp data Sensor software version 22.1.3: Sensor health from the Azure portal (Public preview) |
New alert columns with timestamp data
Starting with OT sensor version 22.2.4, Defender for IoT alerts in the Azure portal and the sensor console now show the following columns and data:
- Last detection. Defines the last time the alert was detected in the network, and replaces the Detection time column.
- First detection. Defines the first time the alert was detected in the network.
- Last activity. Defines the last time the alert was changed, including manual updates for severity or status, or automated changes for device updates or device/alert de-duplication.
The First detection and Last activity columns aren't displayed by default. Add them to your Alerts page as needed.
Tip
If you're also a Microsoft Sentinel user, you'll be familiar with similar data from your Log Analytics queries. The new alert columns in Defender for IoT are mapped as follows:
- The Defender for IoT Last detection time is similar to the Log Analytics EndTime
- The Defender for IoT First detection time is similar to the Log Analytics StartTime
- The Defender for IoT Last activity time is similar to the Log Analytics TimeGenerated
For more information, see:
- View alerts on the Defender for IoT portal
- View alerts on your sensor
- OT threat monitoring in enterprise SOCs
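The column mapping in the tip above, as an added Microsoft Sentinel KQL example that is not part of the Defender for IoT documentation: it reads Defender for IoT alerts from Sentinel's SecurityAlert table and derives the three Defender for IoT timestamps from StartTime, EndTime and TimeGenerated, then flags alerts that were changed after their last detection. The ProductName filter value is assumed from the Sentinel data connector and should be confirmed against the alerts in your own workspace.

```kql
// Added example, not from the Defender for IoT docs. Assumes Defender for IoT alerts
// arrive in the SecurityAlert table; the ProductName value is an assumption to verify.
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProductName == "Azure Security Center for IoT"
// Apply the mapping from the tip: StartTime -> First detection, EndTime -> Last detection,
// TimeGenerated -> Last activity.
| extend FirstDetection = StartTime,
         LastDetection  = EndTime,
         LastActivity   = TimeGenerated
// How long the activity kept recurring, and whether the alert was touched (severity/status
// change, de-duplication) after the traffic was last seen.
| extend DetectionWindow        = LastDetection - FirstDetection,
         ModifiedAfterDetection = LastActivity > LastDetection
// Keep only the most recent record per alert so repeated updates don't inflate counts.
| summarize arg_max(LastActivity, *) by SystemAlertId
| project SystemAlertId, AlertName, AlertSeverity,
          FirstDetection, LastDetection, LastActivity,
          DetectionWindow, ModifiedAfterDetection
| order by LastDetection desc
```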
Sensor health from the Azure portal (Public preview)
For OT sensor versions 22.1.3 and higher, you can use the new sensor health widgets and table column data to monitor sensor health directly from the Sites and sensors page on the Azure portal.
We've also added a sensor details page, where you drill down to a specific sensor from the Azure portal. On the Sites and sensors page, select a specific sensor name. The sensor details page lists basic sensor data, sensor health, and any sensor settings applied.
For more information, see Understand sensor health and Sensor health message reference.
July 2022
Service area | Updates |
---|---|
Enterprise IoT networks | - Enterprise IoT and Defender for Endpoint integration in GA |
OT networks | Sensor software version 22.2.4: - Device inventory enhancements - Enhancements for the ServiceNow integration API Sensor software version 22.2.3: - OT appliance hardware profile updates - PCAP access from the Azure portal - Bi-directional alert synch between sensors and the Azure portal - Sensor connections restored after certificate rotation - Support diagnostic log enhancements - Improved security for uploading protocol plugins - Sensor names shown in browser tabs Sensor software version 22.1.7: - Same passwords for cyberx_host and cyberx users |
Cloud-only features | - Microsoft Sentinel incident synch with Defender for IoT alerts |
Enterprise IoT and Defender for Endpoint integration in GA
The Enterprise IoT integration with Microsoft Defender for Endpoint is now in General Availability (GA). With this update, we've made the following updates and improvements:
- Onboard an Enterprise IoT plan directly in Defender for Endpoint. For more information, see Manage your subscriptions and the Defender for Endpoint documentation.
- Seamless integration with Microsoft Defender for Endpoint to view detected Enterprise IoT devices, and their related alerts, vulnerabilities, and recommendations in the Microsoft 365 Security portal. For more information, see the Enterprise IoT tutorial and the Defender for Endpoint documentation. You can continue to view detected Enterprise IoT devices on the Defender for IoT Device inventory page in the Azure portal.
- All Enterprise IoT sensors are now automatically added to the same site in Defender for IoT, named Enterprise network. When onboarding a new Enterprise IoT device, you only need to define a sensor name and select your subscription, without defining a site or zone.
Note
The Enterprise IoT network sensor and all detections remain in Public Preview.
Same passwords for cyberx_host and cyberx users
During OT monitoring software installations and updates, the cyberx user is assigned a random password. When updating from version 10.x.x to version 22.1.7, the cyberx_host user is assigned the same password as the cyberx user. Both are privileged accounts, so treat the shared password with the same care as any other sensor administrator credential.
For more information, see Install OT agentless monitoring software and Update Defender for IoT OT monitoring software.
Device inventory enhancements
Starting in OT sensor versions 22.2.4, you can now take the following actions from the sensor console's Device inventory page:
- Merge duplicate devices. You may need to merge devices if the sensor has discovered separate network entities that are associated with a single, unique device. Examples of this scenario might include a PLC with four network cards, a laptop with both WiFi and a physical network card, or a single workstation with multiple network cards.
- Delete single devices. Now, you can delete a single device that hasn't communicated for at least 10 minutes.
- Delete inactive devices by admin users. Now, all admin users, in addition to the cyberx user, can delete inactive devices.
Also starting in version 22.2.4, in the sensor console's Device inventory page, the Last seen value in the device details pane is replaced by Last activity. For example:
For more information, see Manage your OT device inventory from a sensor console.
Enhancements for the ServiceNow integration API
OT sensor version 22.2.4 provides enhancements for the devicecves API, which gets details about the CVEs found for a given device.
Now you can add any of the following parameters to your query to fine tune your results:
- “sensorId” - Shows results from a specific sensor, as defined by the given sensor ID.
- “score” - Determines a minimum CVE score to be retrieved. All results will have a CVE score equal to or higher than the given value. Default = 0.
- “deviceIds” - A comma-separated list of device IDs from which you want to show results. For example: 1232,34,2,456
For more information, see Integration API reference for on-premises management consoles (Public preview).
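The following script is an added example, not code from the Defender for IoT documentation or product: it assembles a devicecves query using the three filters described above and applies the same filters client-side to a constructed response, so the "equal to or higher" semantics of score and the comma-separated form of deviceIds can be checked offline. The endpoint path /external/v1/devicecves, the Authorization header format, and the flattened record layout (one record per device/CVE pair) are assumptions for illustration; confirm them against the Integration API reference for your console version before relying on them.

```python
"""Build and sanity-check devicecves queries for the on-premises management console.

Added example; assumptions are marked in comments. Runs offline against a
constructed sample so the filter semantics can be verified without a console.
"""
import json
import urllib.request
from urllib.parse import urlencode, urlunsplit

# Assumed endpoint path (see the Integration API reference for your version).
DEVICECVES_PATH = "/external/v1/devicecves"


def build_devicecves_url(host, sensor_id=None, score=None, device_ids=None):
    """Return the query URL with only the filters the caller actually set.

    - sensorId: restrict results to one sensor
    - score: minimum CVE score; results have a score >= this value (default 0)
    - deviceIds: comma-separated device IDs, e.g. 1232,34,2,456
    """
    params = {}
    if sensor_id is not None:
        params["sensorId"] = str(sensor_id)
    if score is not None:
        if not 0 <= float(score) <= 10:
            raise ValueError("CVE scores range from 0 to 10")
        params["score"] = str(score)
    if device_ids:
        params["deviceIds"] = ",".join(str(d) for d in device_ids)
    # safe="," keeps the list in the literal comma-separated form the API documents.
    query = urlencode(params, safe=",")
    return urlunsplit(("https", host, DEVICECVES_PATH, query, ""))


def fetch_devicecves(url, access_token, timeout=30):
    """Call the console. Header form 'Authorization: <token>' is assumed here."""
    req = urllib.request.Request(url, headers={"Authorization": access_token})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def filter_cves(records, min_score=0.0, sensor_id=None, device_ids=None):
    """Apply the same filters locally; handy for validating what the server returned.

    Records are assumed flattened to {"deviceId", "sensorId", "cveId", "score"}.
    """
    wanted = {str(d) for d in device_ids} if device_ids else None
    kept = []
    for rec in records:
        if sensor_id is not None and str(rec.get("sensorId")) != str(sensor_id):
            continue
        if wanted is not None and str(rec.get("deviceId")) not in wanted:
            continue
        if float(rec.get("score", 0)) < float(min_score):
            continue  # strictly below the threshold; equal scores are kept
        kept.append(rec)
    return kept


# Constructed sample response; the CVE IDs are placeholders, not real assignments.
SAMPLE_RESPONSE = [
    {"deviceId": 1232, "sensorId": 3, "cveId": "CVE-0000-0001", "score": 9.8},
    {"deviceId": 34, "sensorId": 3, "cveId": "CVE-0000-0002", "score": 5.3},
    {"deviceId": 2, "sensorId": 7, "cveId": "CVE-0000-0003", "score": 7.5},
    {"deviceId": 456, "sensorId": 3, "cveId": "CVE-0000-0004", "score": 7.0},
]


def high_cves_for_sensor(records, sensor_id, min_score=7.0):
    """Device IDs on one sensor carrying a CVE at or above min_score, in response order."""
    return [r["deviceId"] for r in filter_cves(records, min_score, sensor_id=sensor_id)]


if __name__ == "__main__":
    print(build_devicecves_url("console.example.com", sensor_id=3, score=7,
                               device_ids=[1232, 34, 2, 456]))
    print(high_cves_for_sensor(SAMPLE_RESPONSE, sensor_id=3))
```

The console typically presents its own TLS certificate; rather than disabling verification, supply an SSL context that trusts your internal CA when calling fetch_devicecves.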
OT appliance hardware profile updates
We've refreshed the naming conventions for our OT appliance hardware profiles for greater transparency and clarity.
The new names reflect both the type of profile, including Corporate, Enterprise, and Production line, and also the related disk storage size.
Use the following table to understand the mapping between legacy hardware profile names and the current names used in the updated software installation:
Legacy name | New name | Description |
---|---|---|
Corporate | C5600 | A Corporate environment, with: 16 cores, 32 GB RAM, 5.6 TB disk storage |
Enterprise | E1800 | An Enterprise environment, with: 8 cores, 32 GB RAM, 1.8 TB disk storage |
SMB | L500 | A Production line environment, with: 4 cores, 8 GB RAM, 500 GB disk storage |
Office | L100 | A Production line environment, with: 4 cores, 8 GB RAM, 100 GB disk storage |
Rugged | L64 | A Production line environment, with: 4 cores, 8 GB RAM, 64 GB disk storage |
We also now support new enterprise hardware profiles, for sensors supporting both 500 GB and 1 TB disk sizes.
For more information, see Which appliances do I need?
PCAP access from the Azure portal (Public preview)
Now you can access the raw traffic files, known as packet capture files or PCAP files, directly from the Azure portal. This feature supports SOC or OT security engineers who want to investigate alerts from Defender for IoT or Microsoft Sentinel, without having to access each sensor separately.
PCAP files are downloaded to your Azure storage. Because they contain raw network traffic, restrict access to that storage account as you would to the sensors themselves.
For more information, see View and manage alerts from the Azure portal.
Bi-directional alert synch between sensors and the Azure portal (Public preview)
For sensors updated to version 22.2.1, alert statuses and learn statuses are now fully synchronized between the sensor console and the Azure portal. For example, this means that you can close an alert on the Azure portal or the sensor console, and the alert status is updated in both locations.
Learn an alert from either the Azure portal or the sensor console to ensure that it's not triggered again the next time the same network traffic is detected.
The sensor console is also synchronized with an on-premises management console, so that alert statuses and learn statuses remain up-to-date across your management interfaces.
For more information, see:
- View and manage alerts from the Azure portal
- View and manage alerts on your sensor
- Work with alerts on the on-premises management console
Sensor connections restored after certificate rotation
Starting in version 22.2.3, after rotating your certificates, your sensor connections are automatically restored to your on-premises management console, and you don't need to reconnect them manually.
For more information, see Prepare CA-signed certificates and Deploy an SSL/TLS certificate.
Support diagnostic log enhancements (Public preview)
Starting in sensor version 22.1.1, you've been able to download a diagnostic log from the sensor console to send to support when you open a ticket.
Now, for locally managed sensors, you can upload that diagnostic log directly on the Azure portal.
Tip
For cloud-connected sensors, starting from sensor version 22.1.3, the diagnostic log is automatically available to support when you open the ticket.
For more information, see:
Improved security for uploading protocol plugins
This version of the sensor provides improved security for uploading proprietary plugins you've created using the Horizon SDK.
For more information, see Manage proprietary protocols with Horizon plugins.
Sensor names shown in browser tabs
Starting in sensor version 22.2.3, your sensor's name is displayed in the browser tab, making it easier for you to identify the sensors you're working with.
For example:
For more information, see Manage individual sensors.
Microsoft Sentinel incident synch with Defender for IoT alerts
The IoT OT Threat Monitoring with Defender for IoT solution now ensures that alerts in Defender for IoT are updated with any related incident Status changes from Microsoft Sentinel.
This synchronization overrides any status defined in Defender for IoT, in the Azure portal or the sensor console, so that the alert statuses match that of the related incident.
Update your IoT OT Threat Monitoring with Defender for IoT solution to use the latest synchronization support, including the new AD4IoT-AutoAlertStatusSync playbook. After updating the solution, make sure that you also take the required steps to ensure that the new playbook works as expected.
For more information, see:
- Tutorial: Integrate Defender for IoT and Sentinel
- View and manage alerts on the Defender for IoT portal (Preview)
- View alerts on your sensor
June 2022
Sensor software version 22.1.6: Minor version with maintenance updates for internal sensor components
Sensor software version 22.1.5: Minor version to improve TI installation packages and software updates
We've also recently optimized and enhanced our documentation as follows:
- Updated appliance catalog for OT environments
- Documentation reorganization for end-user organizations
Updated appliance catalog for OT environments
We've refreshed and revamped the catalog of supported appliances for monitoring OT environments. These appliances support flexible deployment options for environments of all sizes and can be used to host both the OT monitoring sensor and on-premises management consoles.
Use the new pages as follows:
- Understand which hardware model best fits your organization's needs. For more information, see Which appliances do I need?
- Learn about the preconfigured hardware appliances that are available to purchase, or system requirements for virtual machines. For more information, see Pre-configured physical appliances for OT monitoring and OT monitoring with virtual appliances.
For more information about each appliance type, use the linked reference page, or browse through our new Reference > OT monitoring appliances section.
Reference articles for each appliance type, including virtual appliances, include specific steps to configure the appliance for OT monitoring with Defender for IoT. Generic software installation and troubleshooting procedures are still documented in Defender for IoT software installation.
Documentation reorganization for end-user organizations
We recently reorganized our Defender for IoT documentation for end-user organizations, highlighting a clearer path for onboarding and getting started.
Check out our new structure to follow through viewing devices and assets, managing alerts, vulnerabilities and threats, integrating with other services, and deploying and maintaining your Defender for IoT system.
New and updated articles include:
- Welcome to Microsoft Defender for IoT for organizations
- Microsoft Defender for IoT architecture
- Quickstart: Get started with Defender for IoT
- Tutorial: Microsoft Defender for IoT trial setup
- Tutorial: Get started with Enterprise IoT
- Plan your sensor connections for OT monitoring
Note
To send feedback on docs via GitHub, scroll to the bottom of the page and select the Feedback option for This page. We'd be glad to hear from you!
April 2022
Extended device property data in the Device inventory
Sensor software version: 22.1.4
For sensors updated to version 22.1.4, the Device inventory page on the Azure portal shows extended data for the following fields:
- Description
- Tags
- Protocols
- Scanner
- Last Activity
For more information, see Manage your device inventory from the Azure portal.
March 2022
Sensor version: 22.1.3
- Use Azure Monitor workbooks with Microsoft Defender for IoT
- IoT OT Threat Monitoring with Defender for IoT solution GA
- Edit and delete devices from the Azure portal
- Key state alert updates
- Sign out of a CLI session
Use Azure Monitor workbooks with Microsoft Defender for IoT (Public preview)
Azure Monitor workbooks provide graphs and dashboards that visually reflect your data, and are now available directly in Microsoft Defender for IoT with data from Azure Resource Graph.
In the Azure portal, use the new Defender for IoT Workbooks page to view workbooks created by Microsoft and provided out-of-the-box, or create custom workbooks of your own.
For more information, see Use Azure Monitor workbooks in Microsoft Defender for IoT.
IoT OT Threat Monitoring with Defender for IoT solution GA
The IoT OT Threat Monitoring with Defender for IoT solution in Microsoft Sentinel is now GA. In the Azure portal, use this solution to help secure your entire OT environment, whether you need to protect existing OT devices or build security into new OT innovations.
For more information, see OT threat monitoring in enterprise SOCs and Tutorial: Integrate Defender for IoT and Sentinel.
Edit and delete devices from the Azure portal (Public preview)
The Device inventory page in the Azure portal now supports the ability to edit device details, such as security, classification, location, and more:
For more information, see Edit device details.
You can only delete devices from Defender for IoT if they've been inactive for more than 14 days. For more information, see Delete a device.
Key state alert updates (Public preview)
Defender for IoT now supports the Rockwell protocol for PLC operating mode detections.
For the Rockwell protocol, the Device inventory pages in both the Azure portal and the sensor console now indicate the PLC operating mode key and run state, and whether the device is currently in a secure mode.
If the device's PLC operating mode is ever switched to an unsecured mode, such as Program or Remote, a PLC Operating Mode Changed alert is generated.
For more information, see Manage your IoT devices with the device inventory for organizations.
Sign out of a CLI session
Starting in this version, CLI users are automatically signed out of their session after 300 inactive seconds. To sign out manually, use the new logout CLI command.
For more information, see Work with Defender for IoT CLI commands.
February 2022
Sensor software version: 22.1.1
- New sensor installation wizard
- Sensor redesign and unified Microsoft product experience
- Enhanced sensor Overview page
- New support diagnostics log
- Alert updates
- Custom alert updates
- CLI command updates
- Update to version 22.1.x
- New connectivity model and firewall requirements
- Protocol improvements
- Modified, replaced, or removed options and configurations
New sensor installation wizard
Previously, you needed to use separate dialogs to upload a sensor activation file, verify your sensor network configuration, and configure your SSL/TLS certificates.
Now, when installing a new sensor or a new sensor version, our installation wizard provides a streamlined interface to do all these tasks from a single location.
For more information, see Defender for IoT installation.
Sensor redesign and unified Microsoft product experience
The Defender for IoT sensor console has been redesigned to create a unified Microsoft Azure experience and enhance and simplify workflows.
These features are now Generally Available (GA). Updates include the general look and feel, drill-down panes, search and action options, and more. For example:
Simplified workflows include:
- The Device inventory page now includes detailed device pages. Select a device in the table and then select View full details on the right.
- Properties updated from the sensor's inventory are now automatically updated in the cloud device inventory.
- The device details pages, accessed either from the Device map or Device inventory pages, are shown as read-only. To modify device properties, select Edit properties on the bottom-left.
- The Data mining page now includes reporting functionality. While the Reports page was removed, users with read-only access can view updates on the Data mining page without the ability to modify reports or settings.
- For admin users creating new reports, you can now toggle on a Send to CM option to send the report to a central management console as well. For more information, see Create a report.
- The System settings area has been reorganized into sections for Basic settings, settings for Network monitoring, Sensor management, Integrations, and Import settings.
- The sensor online help now links to key articles in the Microsoft Defender for IoT documentation.
Defender for IoT maps now include:
- A new Map View is now shown for alerts and on the device details pages, showing where in your environment the alert or device is found.
- Right-click a device on the map to view contextual information about the device, including related alerts, event timeline data, and connected devices.
- Select Disable Display IT Networks Groups to prevent the ability to collapse IT networks in the map. This option is turned on by default.
- The Simplified Map View option has been removed.
We've also implemented global readiness and accessibility features to comply with Microsoft standards. In the on-premises sensor console, these updates include both high contrast and regular screen display themes and localization for over 15 languages.
For example:
Access global readiness and accessibility options from the Settings icon at the top-right corner of your screen:
Enhanced sensor Overview page
The Defender for IoT sensor portal's Dashboard page has been renamed as Overview, and now includes data that better highlights system deployment details, critical network monitoring health, top alerts, and important trends and statistics.
The Overview page also now serves as a black box to view your overall sensor status in case your outbound connections, such as to the Azure portal, go down.
Create more dashboards using the Trends & Statistics page, located under the Analyze menu on the left.
New support diagnostics log
Now you can get a summary of the log and system information that gets added to your support tickets. In the Backup and Restore dialog, select Support Ticket Diagnostics.
For more information, see Download a diagnostics log for support
Alert updates
In the Azure portal:
Alerts are now available in Defender for IoT in the Azure portal. Work with alerts to enhance the security and operation of your IoT/OT network.
The new Alerts page is currently in Public Preview, and provides:
- An aggregated, real-time view of threats detected by network sensors.
- Remediation steps for devices and network processes.
- Alert streaming to Microsoft Sentinel to empower your SOC team.
- Alert storage for 90 days from the time they're first detected.
- Tools to investigate source and destination activity, alert severity and status, MITRE ATT&CK information, and contextual information about the alert.
For example:
On the sensor console:
On the sensor console, the Alerts page now shows details for alerts detected by sensors that are configured with a cloud-connection to Defender for IoT on Azure. Users working with alerts in both Azure and on-premises should understand how alerts are managed between the Azure portal and the on-premises components.
Other alert updates include:
- Access contextual data for each alert, such as events that occurred around the same time, or a map of connected devices. Maps of connected devices are available for sensor console alerts only.
- Alert statuses are updated, and, for example, now include a Closed status instead of Acknowledged.
- Alert storage for 90 days from the time that they're first detected.
- The Backup Activity with Antivirus Signatures alert. This new warning-level alert is triggered for traffic detected between a source device and a destination backup server, which is often legitimate backup activity. Critical or major malware alerts are no longer triggered for such activity.
- During upgrades, sensor console alerts that are currently archived are deleted. Pinned alerts are no longer supported, so pins are removed for sensor console alerts as relevant.
For more information, see View alerts on your sensor.
Custom alert updates
The sensor console's Custom alert rules page now provides:
- Hit count information in the Custom alert rules table, with at-a-glance details about the number of alerts triggered in the last week for each rule you've created.
- The ability to schedule custom alert rules to run outside of regular working hours.
- The ability to alert on any field that can be extracted from a protocol using the DPI engine.
- Complete protocol support when creating custom rules, and support for an extensive range of related protocol variables.
For more information, see Create custom alert rules on an OT sensor.
CLI command updates
The Defender for IoT sensor software installation is now containerized. With the now-containerized sensor, you can use the cyberx_host user to investigate issues with other containers or the operating system, or to send files via FTP.
This cyberx_host user is available by default and connects to the host machine. If you need to, recover the password for the cyberx_host user from the Sites and sensors page in Defender for IoT.
As part of the containerized sensor, the following CLI commands have been modified:
Legacy name | Replacement |
---|---|
cyberx-xsense-reconfigure-interfaces | sudo dpkg-reconfigure iot-sensor |
cyberx-xsense-reload-interfaces | sudo dpkg-reconfigure iot-sensor |
cyberx-xsense-reconfigure-hostname | sudo dpkg-reconfigure iot-sensor |
cyberx-xsense-system-remount-disks | sudo dpkg-reconfigure iot-sensor |
The sudo cyberx-xsense-limit-interface -I eth0 -l value CLI command was removed. This command was used to limit the interface bandwidth that the sensor uses for day-to-day procedures, and is no longer supported.
For more information, see Defender for IoT installation, Work with Defender for IoT CLI commands, and CLI command reference from OT network sensors.
Update to version 22.1.x
To use all of Defender for IoT's latest features, make sure to update your sensor software versions to 22.1.x.
If you're on a legacy version, you may need to run a series of updates in order to get to the latest version. You'll also need to update your firewall rules and re-activate your sensor with a new activation file.
After you've upgraded to version 22.1.x, the new upgrade log can be found at the following path, accessed via SSH and the cyberx_host user: /opt/sensor/logs/legacy-upgrade.log.
For more information, see Update OT system software.
Note
Upgrading to version 22.1.x is a large update, and you should expect the update process to require more time than previous updates.
New connectivity model and firewall requirements
Defender for IoT version 22.1.x supports a new set of sensor connection methods that provide simplified deployment, improved security, scalability, and flexible connectivity.
In addition to migration steps, this new connectivity model requires that you open a new firewall rule. For more information, see:
- New firewall requirements: Sensor access to Azure portal.
- Architecture: Sensor connection methods
- Connection procedures: Connect your sensors to Microsoft Defender for IoT
Protocol improvements
This version of Defender for IoT provides improved support for:
- Profinet DCP
- Honeywell
- Windows endpoint detection
For more information, see Microsoft Defender for IoT - supported IoT, OT, ICS, and SCADA protocols.
Modified, replaced, or removed options and configurations
The following Defender for IoT options and configurations have been moved, removed, and/or replaced:
Reports previously found on the Reports page are now shown on the Data Mining page instead. You can also continue to view data mining information directly from the on-premises management console.
Changing a locally managed sensor name is now supported only by onboarding the sensor to the Azure portal again with the new name. Sensor names can no longer be changed directly from the sensor. For more information, see Upload a new activation file.