Muokkaa

Jaa


Import extra data for detected OT devices

OT networks sensors automatically monitor and analyze detected device traffic. In some cases, your organization's network policies may prevent some device data from being ingested to Microsoft Defender for IoT.

This article describes how you can manually import the missing data to your OT sensor and add it to the device data already detected.

Prerequisites

Before performing the procedures in this article, you must have:

  • An OT network sensor installed, configured, and activated.

  • Access to your OT network sensor as an Admin user. For more information, see On-premises users and roles for OT monitoring with Defender for IoT.

  • An understanding of the extra device data you want to import. Use that understanding to choose one of the following import methods:

    • Import data from the device map to import device names, types, groups, or Purdue layer
    • Import data from system settings to import device IP addresses, operating systems, patch levels, or authorization statuses

Tip

A device's authorization status affects the alerts that are triggered by the OT sensor for the selected device. You'll receive alerts for any devices not listed as authorized devices, as they'll be considered to be unauthorized.

Import data from the OT sensor device map

To import device names, types, groups, or Purdue layers:

  1. Sign into your OT sensor and select Device map > Export Devices to export the device data already detected by your OT sensor.

  2. Open the downloaded .CSV file for editing and modify only the following data, as needed:

    • Name. Maximum length: 30 characters
    • Type. Access the Defender for IoT device settings file and use one of the options listed in the Devices type tab
    • Group. Maximum length: 30 characters
    • Purdue layer. Enter one of the following: Enterprise, Supervisory, or Process Control

    Make sure to use capitalization standards already in use in the downloaded file. For example, in the Purdue Layer column, use Title Caps.

    Important

    Make sure that you don't import data to your OT sensor that you've exported from a different sensor.

  3. When you're done, save your file to a location accessible from your OT sensor.

  4. On your OT sensor, in the Device map page, select Import Devices and select your modified .CSV file.

Your device data is updated.

Import data from the OT sensor system settings

To import device IP addresses, operating systems, or patch levels:

  1. Download the Defender for IoT device settings file and open it for editing.

  2. In the downloaded file, enter the following details for each device:

    • IP Address. Enter the device's IP address.
    • Device Type. Enter one of the device types listed on the Devices type sheet.
    • Last Update. Enter the date that the device was last updated, in YYYY-MM-DD format.
  3. Sign into your OT sensor and select System settings > Import settings > Device information.

  4. In the Device information pane, select + Import file and then select your edited .CSV file.

  5. Select Close to save your changes.

To import device authorization status:

Important

After importing device authorization status, any devices not included in the import list are newly defined as not-authorized, and you'll start to receive new alerts about any traffic on each of these devices.

  1. Download the Defender for IoT device authorization file and open it for editing.

  2. In the downloaded file, list IP addresses and names for any devices you want to list as authorized devices.

    Make sure that your names are accurate. Names imported from a .CSV file overwrite any names already shown in the OT sensor's device map.

  3. Sign into your OT sensor and select System settings > Import settings > Authorized devices.

  4. In the Authorized devices pane, select + Import File and then select your edited .CSV file.

  5. Select Close to save your changes.

Next steps

For more information, see Detect Windows workstations and servers with a local script and Manage your OT device inventory from a sensor console.