CISOs and security administrators have a lot on their plate. Managing OT/IoT security posture across different sites and systems requires constant attention. Now, Defender for IoT makes this easy to do with built in workbooks providing at-a-glance visibility to sensor health, alerts, and device inventory.
In this blog post, learn how to use workbooks created by Microsoft or create your own custom workbooks.
Each workbook graph or chart is based on an Azure Resource Graph query running on your data. In Defender for IoT, you might use ARG queries to:
- Gather sensor statuses
- Identify new devices in your network
- Find alerts related to specific IP addresses
- Understand which alerts are seen by each sensor.
Working with Workbooks
ARG queries can be integrated into Dashboards or Workbooks, enabling you to see your data where it is most relevant. Each query can be presented both textually and graphically. To view out-of-the-box workbooks created by Microsoft, or other workbooks already saved to your subscription, go to Defender for IoT and select Workbooks on the left.
Defender for IoT provides the following workbooks out-of-the-box:
- Sensor health. Displays data about your sensor health, such as the sensor console software versions installed on your sensors.
- Alerts. Displays data about alerts occurring on your sensors, including alerts by sensor, alert types, recent alerts generated, and more.
- Devices. Displays data about your device inventory, including devices by vendor, subtype, and new devices identified.
Create Custom Workbooks
Use the Defender for IoT Workbooks page to create custom Azure Monitor workbooks directly in Defender for IoT.
- On the Workbooks page, select New, or to start from another template, open the template workbook and select Edit.
- In your new workbook, select Add, and select the option you want to add to your workbook. If you're editing an existing workbook or template, select the options (...) button on the right to access the Add menu.
Queries can be both predefined, and open to user input.
In the toolbar, select “Save” or “Save as” to save your workbook, and then select Done editing.
For more workbooks and other great content, we invite you to join Defender for IoT’s private community. This is a great place to collaborate with peers, gain access to early designs and features and share feedback that will directly influence our features before they become public. To join us, follow this link: https://aka.ms/PrSecCom.
To make the most of ARG queries, you can use one of the following example queries, or build your own queries using the Azure Resource Graph Explorer.
| where type == "microsoft.iotsecurity/sensors"
| extend Status= properties.sensorStatus
| summarize count() by tostring(Status)
- New alerts from the last 24 hours.
| where type == "microsoft.iotsecurity/locations/devicegroups/alerts"
| where properties.status!='Closed'
| extend AlertTime=properties.startTimeUtc
| extend Type=properties.displayName
| extend DeviceID= properties.extendedProperties.DeviceId
| where AlertTime > ago(1d)
| project AlertTime, Type, DeviceID
For more information on related tools, see the following pages: