This blog describes how to set up a physical lab environment for Microsoft Defender for IoT to gain experience with deploying and using the product with real OT devices. Microsoft also supplies an out-of-the-box lab environment with PCAPs etc.
I will use and describe my personal lab, list the hardware and software requirements for deployment, and write down the high-level steps including tips & tricks (so you do not make the mistakes I made in the past and can speed up the process).
The following hardware is required:
- Computer with 2 NICs (one NIC connected to the SPAN port of the switch and one NIC connected to the internet / Azure). I am using the ~$500 STRHIGP Mini Industrial PC.
- Switch with a SPAN port; I am using the Cisco SG250 8-port switch (~$100+). TAP devices are also supported.
- Basic OT device; I am using a Moxa NPort 5100 series (bought 2nd hand for ~$50).
- Advanced OT device; I am using a Siemens S7-1200 (out of scope for this document for now).
The following software is required:
- Microsoft Defender for IoT; the new license model is a site-based license from the Microsoft 365 portal (the Azure license model is deprecated).
- A 60-day trial license is available via the Large site license; I am using a paid license (XS license) for continuous access to the environment.
- Hyper-V or VMware (I am using VMware Workstation Pro because of its Virtual Network Editor, which is required when you use two physical NICs).
- Optional: a DHCP server, since the OT network is air-gapped (I am using DHCP Server for Windows (11) on the VMware host).
High level deployment steps:
- Set up the paid or trial license for Microsoft Defender for IoT via the Microsoft 365 Admin portal.
- Download the OT sensor (.ISO) from the Microsoft Defender for IoT portal and deploy a virtual machine.
VMware tip: do not attach the ISO when creating the VM; select "I will install the operating system later" and choose Linux as the guest OS (see below), otherwise VMware's easy install will install Ubuntu instead of the OT sensor image.
Change the default disk size to 60GB and add a 2nd network adapter for the SPAN port connection. After the configuration is finished, connect the ISO, start the VM and install the OT sensor software.
Do not forget to write down (I always take a screenshot) the populated credentials used to log on locally to the OT sensor portal.
- Configure the SPAN port on the switch (Advanced settings): set a destination SPAN port (in this example config GE1, which will be connected to the SPAN NIC of the sensor), select the source port(s) whose traffic will be mirrored to the SPAN port, and connect the OT device(s) to those source ports.
- Configure the Sensor & Site in the Microsoft Defender for IoT portal (Management -> Sites and sensors).
- Download the activation file, connect to the sensor via its local IP address (web browser) and activate the sensor.
Once all steps above are completed, connect the OT device(s) to the switch (optionally via the DHCP server). The Moxa NPort device search utility can be used to find the OT device and configure its IP address (manual or DHCP). The device becomes visible in the portal within an hour.
To generate an alert in the portal I deployed a Kali Linux machine as a 2nd VM and ran a port scan with NMAP. The result is an alert in the Microsoft Defender for IoT portal.
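As an added example (not code from the original post or from Microsoft's product), this is the kind of heuristic a passive sensor applies to flag the NMAP scan described above: constructed flow records from a hypothetical scanner and a legitimate engineering station, and a sliding-window check that alerts when one source touches many distinct ports on one target. All IP addresses, ports and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (timestamp, src_ip, dst_ip, dst_port): a
# hypothetical scanner host sweeping an NPort-like device, plus a legitimate
# engineering station that only ever touches two ports on the same device.
BASE = datetime(2024, 1, 1, 12, 0, 0)
SCAN_PORTS = [21, 22, 23, 80, 443, 502, 4800, 4900, 8080, 9000, 20000, 44818]
SAMPLE_FLOWS = [
    (BASE + timedelta(seconds=i), "192.168.10.50", "192.168.10.20", p)
    for i, p in enumerate(SCAN_PORTS)
] + [
    (BASE + timedelta(minutes=i), "192.168.10.10", "192.168.10.20", 80 if i % 2 else 4900)
    for i in range(20)
]


def detect_port_scans(flows, window_seconds=60, port_threshold=10):
    """Flag (src, dst) pairs that contact >= port_threshold distinct ports
    within any sliding window of window_seconds. Returns one alert per pair."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in flows:
        by_pair[(src, dst)].append((ts, port))

    alerts = []
    window = timedelta(seconds=window_seconds)
    for (src, dst), events in by_pair.items():
        events.sort()
        in_window = Counter()  # port -> number of events still inside the window
        left = 0
        for ts, port in events:
            in_window[port] += 1
            # Slide the left edge forward until every event fits in the window.
            while ts - events[left][0] > window:
                old_port = events[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            if len(in_window) >= port_threshold:
                alerts.append({
                    "source": src, "target": dst,
                    "distinct_ports": len(in_window),
                    "first_seen": events[left][0], "last_seen": ts,
                })
                break  # one alert per pair is enough for the lab
    return alerts
```

The engineering station generates no alert because it never exceeds two distinct ports, which is the kind of baseline a real sensor learns per device.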
Microsoft Defender for IoT can be connected to Microsoft Sentinel via the Content hub solution called Microsoft Defender for IoT.
It includes the required Data Connector and a set of analytics (alert) rules and playbooks (automation).
I hope this blog will help people to set up their own Microsoft Defender for IoT lab (at home :-)).