Microsoft Defender for IoT in the Microsoft Defender portal includes the Site security page, which offers an overview of the security state of your entire operational technology (OT) environment. Your organization's security team uses this page to regularly monitor the security status of your production sites.
In this article, you learn how to set up a site in the Site security page.
Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
In the Site security page, select Create new site or Create Your First Site.
Type the following details:
Site name: A name for the site, for example, San Francisco.
Location: The physical location of the production site.
Site description: Describe the purpose of the site, what activities occur there, the types and number of devices used, and other important information about the site.
Owners: The contact emails of any users administering the site who must be contacted when problems occur.
When completed, select Next to associate devices to the site.
Associate devices
In this stage, you configure Defender for IoT to associate devices to the site, so it can correctly identify and associate all types of devices at the same site.
In the search bar, type either:
A public IP address
The IP/MAC address for a specific device located at this site
The name of a specific device located at this site (can be an OT, IT, network, enterprise IoT device, and so on)
A list of suggested sites appears in the table.
If you don't know any of the site's device addresses:
Select Show all suggestions.
A list of all possible sites appears in the table. Each row in the table represents a suggested site location based on the devices in that location.
Open the location and check that at least one of these devices exists at your site.
Check each location, because Defender for IoT might list your devices in more than one suggested location. If this happens, select all of the suggested locations that include an identified device. You can select any number of locations. However, you can't edit the list of devices that appear at a specific location.
Review the devices and select the suggested sites to associate with the site. You might need to select more than one suggested site.
Use the Group column to check the ID for each suggested site. Sites with the same ID indicate that the devices are likely located at the same physical location. As these suggested sites are expected to belong to the same site, review and confirm that the devices listed are correct before making your selections and associating the suggested sites.
Select Next to review the site details.
Note
Currently, devices discovered in the Defender portal aren't synchronized with the Azure portal, and therefore the list of devices discovered could be different in each portal.
Preview devices
In this stage, you review all of the devices discovered by the system. This gives admins the opportunity to review and remove devices before confirming the site creation. A list of all devices to be associated with this site is displayed.
To manage devices in bulk, use the search bar to find devices by their name, IP, or MAC address.
To reset the device list to its original state while editing, select Discard all changes. This undoes any device exclusions and restores the initial device selection.
To remove any of the devices from this list:
Select Deselect devices from site. All of the devices become editable.
Deselect the checkbox of the devices to be removed.
To reset the device list to its original state, select Discard all changes.
When you're finished, select Next. The confirmation box appears.
Select Confirm to update the list of devices associated with this site and remove any unchecked devices.
If you haven't made changes, select Skip.
Important
When you exclude a specific device from site association, it is no longer assigned to sites based on network parameters. If the device is later moved to a different location, you’ll need to manually update its site settings, as automatic updates will not apply.
Review site details
Review the information for the site you want to create:
Review the selected OT devices. If needed, select Edit devices to return to the Associate devices screen.
Select Complete.
The site is now set up and appears in the Site security page.
Regarding device data:
The site data in the Device Inventory under Site tag and Site attribute starts to appear after each OT device performs network activity and contacts the Defender portal. For some devices, this happens quickly, but for other devices, the data takes time to appear in the inventory. When the site tag and attribute data appears, the device is protected by Defender for IoT, with all of its security value, such as alerts, vulnerabilities, and more.
Any new devices that are added to the network are automatically detected and added to the Device Inventory. If a device is moved to a different or new location within the network, these changes are automatically made to the network.