Microsoft Defender for IoT Ninja Training

Hello David. Apologies for the delay in answering your question. I've been out of the country for a few weeks. We are working on getting the slide decks/PDF's posted. However, I do not believe they will help with your specific question. When deploying Defender for IoT in an air-gapped environment, the sensor may be locally accessed and monitored without the need for a central manager. This solution is agentless and out-of-band and therefore not inline to any traffic. This is by design. Most industrial network owners resist solutions which are inline, place packets on the process control network, or require an in-band endpoint agent (any of these could potentially cause unplanned downtime, which is high on the list of things which should never happen in OT networks). Defender for IoT operates on SPAN'd/brokered network traffic and would see malicious activities when they happen - regardless of where they originate, including USB media. Note that the connection of the USB is not something that will be seen with this solution, but any network activity generated will be seen. Using patented machine-to-machine analytics, a baseline is learned and continually adjusted to ensure that good/authorized traffic is always known. When malicious traffic is introduced to the environment, it will inevitably deviate from the baseline of what is known to be good and one or more alerts will be raised at that time.