Investigate incidents and alerts
Microsoft Defender for IoT in the Microsoft Defender portal displays incidents and alerts, which enhance your network security and operations with real-time details about events logged in your operational technology (OT) network.
Alerts are the basis of all incidents and indicate the occurrence of malicious or suspicious events in your environment. Within an incident, you analyze the alerts that affect your network, understand what they mean, and collate the evidence so that you can devise an effective remediation plan.
Learn more about alerts and incidents in the Defender portal.
In this article, you learn how to investigate a Microsoft Defender for IoT incident and its associated alerts, and how to remediate the security issues raised by the alert.
Alerts in the Incidents page uniquely combine IT and OT environment signals to detect potential threats and data leaks. The Incidents page displays:
- A history of the alerts connected to the incident and an incident graph. The graph shows other devices connected to the affected OT device that might also be compromised.
- Alert descriptions, which explain the type of detected security issue.
- Remediation options to solve the security problem.
Note
Incident and alert data for Defender for IoT only appear once you have a site set up and your devices are sending data to the Defender portal. Learn how to set up a site.
Important
This article discusses Microsoft Defender for IoT in the Defender portal (Preview).
If you're an existing customer working on the classic Defender for IoT portal (Azure portal), see the Defender for IoT on Azure documentation.
Learn more about the Defender for IoT flavors.
Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
Investigate alerts
To investigate an alert:
In the Microsoft Defender portal menu, select Incidents & alerts > Incidents.
To display OT related incidents:
- Select Add filter.
- Select Product name and select Add.
- Select the Product names tab that appears and type: Defender for IoT.
- Select Apply.
Locate and select an incident.
The specific incident page shows the attack story made up of the alert timeline, an incident graph and the incident details.
Select an alert from the alerts list.
The incident graph and incident details display specific data for this alert.
In the Incident panel, review the information, read the Alert description, Evidence and Impacted assetts and follow the Alert recommended actions to remediate the issue.
Defender for IoT alert
Defender for IoT generates its own unique alert.
| Name | Description |
|---|---|
| Possible operational impact due to a compromised device | A compromised device communicated with an operational technology (OT) asset. An attacker might be attempting to control or disrupt physical operations. |
Advanced hunting
Use the Site property listed in the DeviceInfo table to write queries for advanced hunting. This allows you to filter devices according to a specific site, for example, all devices that communicated with malicious devices at a specific site.
The following query lists all endpoint devices with the specific IP address at the San Francisco site.
DeviceInfo
|where Site == "SanFrancisco" and PublicIP == "192.168.1.1" and DeviceCategory == "Endpoint"
This is relevant for both the device inventory and site security. For more information, see Advanced hunting and the Advanced hunting DeviceInfo schema.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for