Securing Critical Infrastructure with Microsoft Sentinel & Microsoft Defender for IoT
Published Jan 14 2022 03:01 PM

As cloud security threats continue to evolve, we are seeing an increase in attacks targeting Internet of Things (IoT) devices used in enterprise environments, as well as operational technology (OT) devices used in industrial systems and critical infrastructure. These devices are often unpatched, misconfigured, and unmonitored, which makes them ideal targets for adversaries.  


Security teams have traditionally had neither the tooling nor the expertise to monitor IoT/OT networks for vulnerabilities, so IoT/OT security risks have largely been overlooked. This poses a great risk to organizations, as adversaries move laterally from IT to OT with ease once they gain a foothold.  


Existing Security Operations Center (SOC) solutions focus on IT security and tend to lack OT telemetry and insights. Where OT solutions do exist, they lack integration with existing SOC tools and workflows. Teams are looking for a comprehensive, unified solution that spans IT and OT. 


Microsoft Sentinel: IT/OT Threat Monitoring with Defender for IoT Solution unites IT and OT, providing an unprecedented step toward protecting critical OT assets and securing your organization. 


This solution provides visibility, remediation, and response from a single pane of glass, empowering security teams to detect, analyze, and respond to IoT/OT threats within the context of their IT environment, using the tooling they already have.  


Learn more by watching the demo: Microsoft Sentinel: IoT/OT Threat Monitoring with Defender for IoT solution (YouTube) 





Content Use Cases 


This solution provides the foundation for building a SOC that monitors IoT/OT. It includes one workbook for visibility and reporting, 14 analytics rules for monitoring, and four playbooks for response. The workbook uses Microsoft Sentinel telemetry to build visualizations that help teams understand, analyze, and respond to IoT/OT threats. Tracking alerts over time gives insight into security posture and shows where teams need to focus their hardening effort. Deep links directly to Microsoft Defender for IoT alerts let analysts focus on remediating threats rather than pivoting between tools.  







  • Detect, analyze, and respond to IoT/OT threats from a single pane of glass  
  • Assess security alert and incident response efficiency to improve SOC team capability  
  • Streamlined, consistent alignment between threat behavior and the MITRE ATT&CK for ICS matrix 
  • Customizable reporting for subscription, workspace, and time filters 
  • Deep links integration for seamless pivots between Microsoft Sentinel and Microsoft Defender for IoT 
  • Device Inventory for identification, configuration, and baselining of OT 
  • Advanced analytics for detection of IoT/OT threats 
  • Playbook Automation for response to IoT/OT threats 
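To make the "advanced analytics" bullet concrete, the following is an added KQL example written for this page; it is not one of the 14 analytics rules shipped with the solution. It looks for an OT device that has raised Defender for IoT alerts spanning more than one ATT&CK tactic within the lookback window, which is the kind of progression (for example discovery followed by lateral movement) an analyst would want surfaced as a single incident. It assumes Defender for IoT alerts arrive in the Sentinel SecurityAlert table with ProviderName "IoTSecurity" and that the affected device is carried in CompromisedEntity; confirm both values in your own workspace before turning this into a scheduled rule.

```kql
// Added example, not part of the solution's shipped content.
// Assumption: Defender for IoT alerts are written to SecurityAlert with
// ProviderName == "IoTSecurity". Verify in your workspace with:
//   SecurityAlert | distinct ProviderName, ProductName
let lookback = 24h;                 // tune to your environment
let minTactics = 2;                 // alert on devices spanning 2+ ATT&CK tactics
SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProviderName == "IoTSecurity"
// Tactics is a comma-separated string on SecurityAlert; split it so a single
// alert that maps to several tactics is counted under each one.
| mv-expand Tactic = split(Tactics, ",") to typeof(string)
| extend Tactic = trim(" ", Tactic)
| where isnotempty(Tactic)
// Assumption: the affected device is the CompromisedEntity of the alert.
| summarize
    AlertCount      = count(),
    DistinctTactics = dcount(Tactic),
    TacticSet       = make_set(Tactic),
    AlertNames      = make_set(AlertName),
    MaxSeverity     = max(AlertSeverity),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated)
    by Device = CompromisedEntity
| where DistinctTactics >= minTactics
| order by DistinctTactics desc, AlertCount desc
```

When turned into a scheduled analytics rule, map the Device column to a Host entity so that the resulting incident carries the same device identity the workbook and the Defender for IoT deep links use; that is what lets the incident pivot back to the originating sensor alert without a manual lookup.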


Getting Started 


This content is designed to provide the foundation for designing, building, and operating an IoT/OT monitoring team. Below are the steps to onboard the required dependencies, review the content, and provide feedback. 


  1. Onboard Microsoft Sentinel   
  2. Onboard Microsoft Defender for IoT 
  3. Connect Microsoft Defender for IoT to Microsoft Sentinel 
  4. Deploy the Microsoft Sentinel: IT/OT Threat Monitoring with Defender for IoT Solution 
    1. Microsoft Sentinel > Content Hub > Select IT/OT Threat Monitoring with Defender for IoT > Install
    2. In Government regions, use the Deploy to Azure Gov button in the GitHub README for deployments.  
  5. Review the IT/OT Threat Monitoring with Defender for IoT Workbook 
    1. Microsoft Sentinel > Workbooks > Select IT/OT Threat Monitoring with Defender for IoT 
  6. Review the IT/OT Threat Monitoring with Defender for IoT Analytics Rules 
    1. Microsoft Sentinel > Analytics > Search “IoT” 
  7. Review the IT/OT Threat Monitoring with Defender for IoT Playbooks 
    1. Microsoft Sentinel > Automation > Playbooks > Search “IoT” 
  8. Review the content and provide feedback through the survey 


Frequently Asked Questions 


  1. Are custom views and reports supported? 
    1. Yes, via the subscription, workspace, and time parameters.  
  2. Are additional products required? 
    1. There are no additional product requirements beyond Microsoft Sentinel and Microsoft Defender for IoT.  
  3. Is this available in government regions? 
    1. Yes, this is deployable in all environments, including Government regions (see the Deploy to Azure Gov step above). 
  4. What rights are required to use this content? 
    1. A Security Contributor can create and edit workbooks, analytics rules, and other Microsoft Sentinel resources. A Security Reader can view data, incidents, workbooks, and other Microsoft Sentinel resources.  


Learn More About Defending IoT/OT with Microsoft Security 


