Create a learned baseline of OT alerts
This article is one in a series of articles describing the deployment path for OT monitoring with Microsoft Defender for IoT, and describes how to create a baseline of learned traffic on your OT sensor.
Understand learning mode
An OT network sensor starts monitoring your network automatically after it's connected to the network and you've signed in. Network devices start appearing in your device inventory, and alerts are triggered for any security or operational incidents that occur in your network.
Initially, this activity happens in learning mode, which instructs your OT sensor to learn your network's usual activity, including the devices and protocols in your network, and the regular file transfers that occur between specific devices. Any regularly detected activity becomes your network's baseline traffic.
Tip
Use your time in learning mode to triage your alerts and Learn those that you want to mark as authorized, expected activity. Learned traffic doesn't generate new alerts the next time the same traffic is detected.
After learning mode is turned off, any activity that differs from your baseline data will trigger an alert.
For more information, see Microsoft Defender for IoT alerts.
Learn mode timeline
Creating your baseline of OT alerts can take anywhere from a few days to several weeks, depending on your network size and complexity. Learning mode automatically turns off when the sensor detects a decrease in newly detected traffic, which is typically between 2 and 6 weeks after deployment.
Turn off learning mode manually before then if you feel that the current alerts accurately reflect your network activity.
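The learning-mode behavior described above, as an added illustration rather than Defender for IoT's own code: traffic seen while learning becomes the baseline, learning turns off once the rate of newly detected traffic stays low for consecutive windows, and afterwards only traffic outside the baseline (or not yet marked as Learned) raises an alert. The (source, destination, protocol) keys, the per-window thresholds and the sample flows are all constructed assumptions.

```python
# Added illustration (not Defender for IoT code): a minimal model of learning mode.
# Traffic keys (source, destination, protocol) and the thresholds are assumptions.

class OtBaselineModel:
    def __init__(self, min_new_flows=2, quiet_windows=2):
        self.baseline = set()               # learned (src, dst, proto) tuples
        self.learning = True
        self.min_new_flows = min_new_flows  # fewer new flows than this makes a window "quiet"
        self.quiet_windows = quiet_windows  # consecutive quiet windows before learning turns off
        self._quiet_streak = 0
        self._new_this_window = 0

    def observe(self, src, dst, proto):
        """Process one flow; return an alert string, or None for baseline traffic."""
        key = (src, dst, proto)
        if key in self.baseline:
            return None
        if self.learning:                   # learning mode: new traffic becomes baseline
            self.baseline.add(key)
            self._new_this_window += 1
            return None
        return f"unexpected traffic: {src} -> {dst} over {proto}"

    def learn_alert(self, src, dst, proto):
        """The 'Learn' action: mark alerted traffic as authorized so it does not alert again."""
        self.baseline.add((src, dst, proto))

    def end_window(self):
        """Close a time window; learning turns off once newly detected traffic stays low."""
        if self.learning:
            self._quiet_streak = self._quiet_streak + 1 if self._new_this_window < self.min_new_flows else 0
            self.learning = self._quiet_streak < self.quiet_windows
        self._new_this_window = 0
        return self.learning

def run_demo():
    """Constructed sample traffic per window (e.g. one week each); returns (model, alerts)."""
    windows = [
        [("plc1", "hmi1", "modbus"), ("plc2", "hmi1", "modbus"), ("eng1", "plc1", "s7comm")],
        [("plc1", "hmi1", "modbus"), ("hist1", "plc2", "opcua")],   # only 1 new flow: quiet
        [("plc1", "hmi1", "modbus"), ("plc2", "hmi1", "modbus")],   # 0 new flows: learning turns off
        [("plc1", "hmi1", "modbus"), ("laptop7", "plc1", "ssh")],   # deviation from baseline
    ]
    model, alerts = OtBaselineModel(), []
    for flows in windows:
        alerts += [a for f in flows if (a := model.observe(*f))]
        model.end_window()
    return model, alerts
```

Calling `model.learn_alert("laptop7", "plc1", "ssh")` after the run mirrors the Learn action: the same flow then returns no alert on its next observation.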
Prerequisites
You can perform the procedures in this article from the Azure portal, an OT sensor, or an on-premises management console.
Before you start, make sure that you have:
An OT sensor installed, configured, and activated, with alerts being triggered by detected traffic.
Access to your OT sensor as a Security Analyst or Admin user. For more information, see On-premises users and roles for OT monitoring with Defender for IoT.
Triage alerts
Triage alerts towards the end of your deployment to create an initial baseline for your network activity.
Sign in to your OT sensor and select the Alerts page.
Use sorting and grouping options to view your most critical alerts first. Review each alert to update statuses and learn alerts for OT authorized traffic.
For more information, see View and manage alerts on your OT sensor.
Next steps
After learning mode is turned off, your sensor has moved from learning mode to operation mode. Continue with any of the following:
- Visualize Microsoft Defender for IoT data with Azure Monitor workbooks
- View and manage alerts from the Azure portal
- Manage your device inventory from the Azure portal
Integrate Defender for IoT data with Microsoft Sentinel to unify your SOC team's security monitoring. For more information, see: