Enabling IoT/OT Threat Monitoring in Your SOC with Microsoft Sentinel
Published Nov 02 2021 08:00 AM 16.6K Views


Recent ransomware attacks that shut down a US gas pipeline and global food processor have raised board-level awareness about IoT and Operational Technology (OT) risk, including safety risks and lost revenue from production downtime.


We're seeing that CISOs and SOC teams are now increasingly responsible for new threats from cyber physical systems (CPS) and parts of the organization they never traditionally worried about.


What has changed? Pervasive IT/OT connectivity to support digital business and optimize operations – such as monitoring production in real-time and sharing information with ERP and CRM systems – has removed the air-gap that once existed between IT and OT.


It’s also made it easier for adversaries to move laterally from IT to OT (and vice-versa), as you’ll see in the TRITON attack example below. This may also explain why many organizations proactively disable connectivity between IT and OT in case of a ransomware attack — even when the ransomware appears to initially only affect IT assets.


By bringing rich telemetry into Microsoft Sentinel from our agentless IoT/OT security monitoring solution, Microsoft Defender for IoT (formerly Azure Defender for IoT), Microsoft enables SOC teams to detect and respond faster to the entire attack timeline, across all domains — including IT assets, applications such as SAP, and network devices — making life easier for both security analysts and OT personnel.


In this blog post we’ll describe a new Sentinel solution for IoT/OT threat monitoring that includes IoT/OT-specific analytics rules, workbooks, and SOAR playbooks, plus incident mappings to MITRE ATT&CK for ICS (industrial control systems), an OT-specific version of the MITRE ATT&CK framework.


Need for OT risk visibility in the SOC

IoT/OT security risks are often overlooked because security departments have traditionally lacked the visibility and expertise to monitor IoT/OT networks for compromise.


This is despite the potentially significant business impacts of OT attacks, which include:

  • Safety and environmental incidents.
  • Financial losses when an attack brings your plants to a halt.
  • Theft of sensitive IP such as formulas and manufacturing processes.

Security Operations Center (SOC) teams face several challenges in monitoring IoT/OT networks, including:

  • Lack of visibility: Security teams lack visibility and insight into these networks, even at the most basic level of understanding what devices they have and how they're connected to each other (asset inventory).
  • Lack of expertise to understand incidents involving specialized industrial equipment, protocols, and behaviors.
  • Siloed organizations: There is often very little communication between IoT/OT and security teams — and lack of a common vocabulary to describe suspicious or unauthorized behaviors.
  • Need for enterprise-wide view: To detect modern multi-stage attacks, we need to evaluate and link information across all of our data sources, including both IoT/OT assets (PLCs, HMIs, historians, etc.) and IT assets (desktops, servers, firewalls, identities, applications such as SAP, and cloud services).

When we look at what’s available today to protect our customers’ OT environments, we find that there are either traditional SOC solutions focused only on IT security – but without OT telemetry and context – or point solutions focused exclusively on OT security, but lacking deep integration with existing SOC tools and workflows.


In addition, many teams are struggling with a flood of fragmented security data across multiple point solutions — resulting in missed detections and frustrated analysts.


Gaining a bird’s eye view across IT and OT – why it matters

Modern multi-stage attacks often cross IT/OT boundaries – so detecting and responding to them requires an enterprise-wide, bird’s eye view of the entire attack chain.


This is illustrated in the TRITON attack chain below, which was used in the recent MITRE ATT&CK for ICS evaluation. (Learn how Microsoft achieved the #1 score for threat visibility coverage in the MITRE ATT&CK for ICS evaluatio...


[Figure: TRITON attack chain spanning IT and OT]

You can see that detecting and responding quickly to this type of attack requires “connecting the dots” between IT and IoT/OT events. With the new solution we’re introducing today, our goal is to bring the power of cloud-based AI and automation to help SOC teams more easily address these challenges.


New Sentinel solution: IoT/OT Threat Monitoring with Defender for IoT

Taking a step forward in protecting our critical OT assets requires a unified SOC experience that brings IT and OT together for the first time.


The new IoT/OT-focused solution for Sentinel includes a workbook collection and set of analytics rules that enable SOC teams to quickly incorporate detailed OT threat and contextual asset data into Sentinel, while minimizing noise and allowing them to focus on what matters most. This data is continuously obtained from Defender for IoT, Microsoft’s agentless OT security monitoring solution, which incorporates IoT/OT-aware asset discovery, vulnerability management, and behavioral analytics from Microsoft’s acquisition of CyberX in 2020.


The workbook collection provides a guided investigation for OT entities based on open incidents, alert notifications, and activities for OT assets. This workbook also provides a hunt across MITRE ATT&CK for ICS tactics and is designed to enable analysts, security engineers, and MSSPs to gain situational awareness of their OT security posture.


Sentinel alert workbook showing alerts by type (policy violation, protocol violation, malware, etc.); severity; OT device type (PLC, HMI, engineering workstation); OT equipment vendor; and alerts over time.



Sentinel incident workbook showing efficiency metrics (Mean Time to Respond, Mean Time to Resolve) plus reasons for closing. Also shows breakdown of OT incidents by severity, IP addresses, OT protocols, device types, and equipment vendors.



MITRE ATT&CK for ICS workbook showing the result of mapping alerts to MITRE ATT&CK for ICS tactics, plus the distribution of tactics by count and time period.


Analytics rules

Here are some examples of rules that cover potential IoT/OT incidents automatically created in Sentinel from alerts generated by Defender for IoT:

  • Unauthorized PLC change: Changes to PLC code are typically only made occasionally, so any PLC changes need to be immediately verified with a control engineer to determine if they are legitimate or malicious. For example, malicious activity can include an adversary inserting dangerous process parameters or a custom back-door into the PLC (as in the TRITON attack).
  • PLC stop: This is a high severity incident that can result in an adversary shutting down a major production line – or electricity to an entire city. It can also be due to a misconfigured application, but this needs to be immediately verified by the SOC.
  • Insecure PLC operating mode: Adversaries may change the operating mode of a controller to gain additional access to engineering functions such as Program Download. PLCs typically have several modes of operation that control the state of the user program and control access to the controller’s API. Operating modes can be physically selected using a key switch on the face of the controller but may also be selected with calls to the controller’s API.
  • PLC firmware update: Unauthorized firmware updates can indicate malicious activity such as an adversary inserting malicious code enabling them to achieve persistence.
  • Unauthorized remote access: Remote access is one of the top OT attack vectors. Employees and 3rd-party contractors are often provided with remote access credentials that can be compromised by adversaries in supply chain attacks.
  • Illegal OT function code: Indicates malicious activity, such as an adversary attempting to exploit a PLC vulnerability by sending it a function code that is undefined or malicious. It can also be due to an application or device that has been misconfigured.
  • Internet connectivity: Indicates that an IoT/OT device is communicating with a public Internet address, which is typically not permitted by policy. It can be due to a misconfigured application (such as antivirus software attempting to download updates from an external server); an employee or contractor adding a new device without authorization; or malicious activity such as an adversary establishing contact with their C2 server.
  • Unauthorized device: Can be a legitimate new device recently deployed on the network by an employee or contractor without following the proper change control process, or an indication of unauthorized or malicious activity.
  • Malware: Indicates known malware has been detected, such as EternalBlue or malware used in the SolarWinds breach.
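The rule descriptions above are prose, so as an added example (not Microsoft's or the solution's own code, and not its actual rule queries) the following Python sketches the kind of logic such analytics rules implement over Defender for IoT-style alerts: an allowlist check that an “Internet connectivity” alert really involves an address outside the plant's own ranges, collapsing repeated alerts of one type from one source into a single incident to reduce noise, linking an unauthorized remote-access incident to the PLC change or stop that follows it from the same host (the IT-to-OT “connecting the dots” idea from earlier in the post), and tagging each incident with MITRE ATT&CK for ICS tactics in the spirit of the mapping library described under planned enhancements. The alert fields, internal address ranges, severities, sample alerts, and the tactic mapping are all constructed assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed: address ranges the plant treats as internal. Anything outside
# them counts as a public Internet destination for the connectivity rule.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Assumed severity per alert category (the sensor's own severities may differ).
SEVERITY = {
    "Unauthorized remote access": "Medium",
    "Unauthorized PLC change": "High",
    "PLC stop": "High",
    "Internet connectivity": "Medium",
}

# Illustrative alert-category -> MITRE ATT&CK for ICS tactic mapping.
# An assumption for this example, not the solution's own mapping library.
TACTICS = {
    "Unauthorized remote access": ("Initial Access", "Lateral Movement"),
    "Unauthorized PLC change": ("Persistence", "Impair Process Control"),
    "PLC stop": ("Inhibit Response Function",),
    "Internet connectivity": ("Command and Control",),
}

@dataclass
class Alert:
    time: datetime
    alert_type: str   # category as labelled by the OT sensor
    source: str       # IP of the host that performed the action
    destination: str  # IP of the target device or remote address

@dataclass
class Incident:
    alert_type: str
    source: str
    destination: str
    severity: str
    tactics: tuple
    first_seen: datetime
    last_seen: datetime
    alert_count: int = 1
    related: list = field(default_factory=list)  # earlier incidents in the same chain

def is_external(address: str) -> bool:
    """True when an address falls outside every internal range."""
    ip = ipaddress.ip_address(address)
    return not any(ip in net for net in INTERNAL_NETS)

def evaluate(alert: Alert):
    """Decide whether an alert opens an incident; returns (severity, tactics) or None."""
    if alert.alert_type not in SEVERITY:
        return None
    # Only genuinely external destinations matter; a NAT or proxy hop inside
    # the plant that the sensor flagged is noise the SOC should not see.
    if alert.alert_type == "Internet connectivity" and not is_external(alert.destination):
        return None
    return SEVERITY[alert.alert_type], TACTICS[alert.alert_type]

def build_incidents(alerts, window=timedelta(minutes=15)):
    """Collapse repeated alerts of one type between one source/destination pair."""
    incidents, open_by_key = [], {}
    for a in sorted(alerts, key=lambda x: x.time):
        verdict = evaluate(a)
        if verdict is None:
            continue
        key = (a.alert_type, a.source, a.destination)
        inc = open_by_key.get(key)
        if inc is not None and a.time - inc.last_seen <= window:
            inc.last_seen, inc.alert_count = a.time, inc.alert_count + 1
            continue
        severity, tactics = verdict
        inc = Incident(a.alert_type, a.source, a.destination, severity, tactics, a.time, a.time)
        incidents.append(inc)
        open_by_key[key] = inc
    return incidents

def link_attack_chain(incidents, lookback=timedelta(hours=2)):
    """A PLC change or stop from host H that follows unauthorized remote access
    *into* H is recorded as one chain and escalated to High."""
    for inc in incidents:
        if inc.alert_type not in ("Unauthorized PLC change", "PLC stop"):
            continue
        for earlier in incidents:
            if (earlier.alert_type == "Unauthorized remote access"
                    and earlier.destination == inc.source
                    and timedelta(0) <= inc.first_seen - earlier.last_seen <= lookback):
                inc.related.append(earlier)
                inc.severity = "High"
    return incidents

def tactic_counts(incidents):
    """Distribution of ATT&CK for ICS tactics across incidents, as a workbook would chart it."""
    counts = {}
    for inc in incidents:
        for t in inc.tactics:
            counts[t] = counts.get(t, 0) + 1
    return counts

# Constructed sample: a jump host (192.168.100.5) reaches an engineering
# workstation (10.1.2.50), which then reprograms and stops a PLC (10.1.2.10).
T0 = datetime(2021, 11, 2, 8, 50)
SAMPLE_ALERTS = [
    Alert(T0, "Unauthorized remote access", "192.168.100.5", "10.1.2.50"),
    Alert(T0 + timedelta(minutes=12), "Unauthorized PLC change", "10.1.2.50", "10.1.2.10"),
    Alert(T0 + timedelta(minutes=14), "Unauthorized PLC change", "10.1.2.50", "10.1.2.10"),
    Alert(T0 + timedelta(minutes=20), "PLC stop", "10.1.2.50", "10.1.2.10"),
    Alert(T0 + timedelta(minutes=25), "Internet connectivity", "10.1.2.20", "10.0.5.5"),
    Alert(T0 + timedelta(minutes=26), "Internet connectivity", "10.1.2.20", "203.0.113.7"),
    Alert(T0 + timedelta(minutes=30), "Unknown category", "10.1.2.20", "10.1.2.10"),
]

def run(alerts=SAMPLE_ALERTS):
    return link_attack_chain(build_incidents(alerts))

if __name__ == "__main__":
    incidents = run()
    for inc in incidents:
        print(f"{inc.first_seen:%H:%M} {inc.severity:6} {inc.alert_type} "
              f"{inc.source}->{inc.destination} x{inc.alert_count} "
              f"{inc.tactics} chained:{len(inc.related)}")
    print(tactic_counts(incidents))
```

Run as-is, the seven constructed alerts produce four incidents: the two PLC-change alerts merge into one, the connectivity alert to the private address is suppressed, the unknown category is ignored, and both the PLC change and the PLC stop are linked back to the earlier remote-access incident into the workstation. A real deployment would replace the hard-coded ranges and mapping with the plant's own network plan and the solution's mapping library.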


SOAR Playbooks

You can also find a number of OT-specific SOAR playbooks in GitHub (search for “AD4IoT”), and we expect these to grow over time. The current list includes playbooks to automatically:


Planned enhancements

Here are some of the other exciting capabilities we’re developing:

  • Built-in mapping to physical locations. An incident is created based on analytics rules you have created or enabled on the Analytics page. After you tell Sentinel what types of OT threats you are looking for, you can monitor the detected threats and understand their impact on the business by having them mapped to the appropriate business locations.


 IoT/OT incidents classified by site, zone, and sensor.


  • Contextual details about IoT/OT equipment. When you come across an IoT/OT equipment entity associated with an incident, you can select the entity and be taken to an entity page, a fact sheet of useful contextual information about that entity such as its device type, physical location, and Purdue Model layer location. You’ll also find a timeline of notable alerts and other insights about the entity's behavior on the network.


IoT/OT equipment entity page showing details such as device type, manufacturer, associated alerts, remote connections, communication with external IP addresses, etc.


  • Extension of Sentinel investigation graph with additional OT network context. The investigation graph helps you understand the scope of a potential OT security threat and identify the root cause by correlating relevant data with each entity involved. You can dive deeper and investigate any OT entity displayed in the graph by selecting it and choosing between different extension options. In addition to the already supported options, we are introducing a new extension enabling you to view associated OT network connections.

[Figure: IoT/OT incident investigation graph enriched with additional contextual data such as network connections associated with an IoT/OT entity.]


  • MITRE ATT&CK® for ICS mapping. MITRE ATT&CK® for ICS is a knowledge base useful for describing the actions an adversary may take while operating within an ICS network. The knowledge base can be used to better characterize and describe post-compromise adversary behavior. Since many organizations now use ATT&CK to keep track of their overall security posture, we introduce a library of mappings that link Sentinel incidents to MITRE ATT&CK for ICS techniques.


Call to action: Check out the new solution in the Sentinel Solutions Marketplace. Join our Public Preview program as a design partner and help us shape the modern SOC.


Special thanks to Hesham Saad and Meir Sawdayee for their help in developing the MITRE ATT&CK for ICS mapping.


Last updated: Nov 02 2021 03:46 PM