Microsoft IT/OT convergence in Defender XDR (New) and Sentinel
Disclaimer: there is no change for existing Microsoft Defender for IoT (Azure) deployments.
OT (Operational Technology) is (often old) technology (hardware and software) used to control industrial systems, for example critical infrastructure like a (nuclear) power plant, water utility, oil refinery, etc. In the OT domain, the main concern is safety and availability.
IT (Information Technology) is (new) technology with the latest security features (e.g. XDR) leveraging Cloud technology. In the IT domain, the main concern is information and data protection (e.g. preventing unauthorized access).
Real world OT Attack(s)
Stuxnet (discovered in June 2010) was the first cyber weapon targeting critical infrastructure (a nuclear plant in Iran); many more attacks followed in the years after. The Stuxnet attack confirms that even air-gapped OT networks can get infected via IT resources like USB keys.
Personal opinion: 99% of all OT attacks start from the IT environment
In my personal opinion air-gapped is not always safer or more secure compared to Cloud-connected networks (controlled via ACLs; IP, port, protocol, DNS, etc.). The advantage of (controlled) internet access is leveraging the power of the Cloud like real-time scanning and detections, up-to-date AV signatures, real-time Threat Intelligence, signal sharing, alert/incident correlation, etc.
Overview of Microsoft Defender products for OT networks
An OT network consists of different infrastructure assets, each in their own layer of the Purdue model (network segmentation to protect OT environments).
In its most simple form: the IT and OT network (including Active Directory) should be separated!
- IT for OT (Purdue level 3(.5) and above); supported and unsupported O.S. e.g. historian, operator console but also OT Active Directory, etc.
- OT devices (Purdue level 2 and below); PLC, RTU, HMI, etc.
The example above visualizes the Better Together (XDR) Microsoft Security story.
- Microsoft Defender for Endpoint to protect the Windows clients in the OT network
- Microsoft Defender for Server to protect the Windows and/or Linux Servers in the OT network
- Microsoft Defender for Identity to protect the OT Active Directory
- Microsoft Defender for IoT to protect the OT network and OT devices
- Microsoft Sentinel to connect Microsoft Defender for IoT to Microsoft Sentinel and Microsoft Defender XDR. Additionally, add non-Microsoft (e.g. Firewall) data sources for enrichment
Microsoft Sentinel | IT/OT Convergence
Microsoft Sentinel provides IT/OT convergence via the ‘Microsoft Defender for IoT’ content hub solution.
The Microsoft Defender content hub solution consists of:
- Data Connector (1) to connect Microsoft Defender for IoT to Microsoft Sentinel (unidirectional)
- Analytics Rules (15) to detect OT alerts (pre-defined / customizable use cases / KQL queries)
- Playbooks (7) for automated triage and tasks, e.g. sync Alert status back from Microsoft Sentinel to Microsoft Defender for IoT (example below) or send e-mail to the device owner if an incident is triggered
- Workbook (1) for Defender for IoT data visualization
Microsoft Defender XDR (July 2024 update)
Microsoft Defender XDR integrates all Microsoft 365 Defender products like Defender for Identity, Endpoint, Office 365, Cloud Apps (April 2021) and Defender for Cloud (May 2024). The next step is the integration of Microsoft Defender for IoT in the Microsoft Defender XDR portal (July 2024). First some background information on the device discovery feature introduced in April 2021.
Microsoft Defender for Endpoint | Device Discovery
Device discovery scans (probes) the network via Defender for Endpoint devices (Windows 10/11 and/or Server 2019/2022).
July 2024 marks the date for OT devices support by device discovery!
The scan options are Basic (passive) and Standard (active) mode.
Since the uptime of ‘old’ OT devices can be interrupted by any form of active scanning, the advice for OT networks with ‘old’ OT devices is to use passive scanning. Modern OT networks can be treated as IT networks and can use the active scanning mode since it’s not that intrusive.
A Microsoft tenant has a 1-on-1 relationship with a Microsoft Defender XDR tenant (which results in one discovery mode for scanning all networks).
The device discovery mode options for ‘old’ OT networks are:
- Dedicated OT tenant (separate from the IT tenant) where Basic mode is the standard for OT (IT can use Standard mode in the IT tenant)
- IT/OT tenant in Basic mode (in which the IT network is also passively scanned, which results in a less enriched data set)
- IT/OT tenant in Standard mode where the OT network(s) are excluded from Standard mode via the Exclusions (IP or subnet) option. Excluded networks are still discovered via Basic mode. If a network really needs to be excluded from any type of scanning, use the Ignore network option.
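To check a planned exclusion list before switching an IT/OT tenant to Standard mode, the following added example (my own code, not Microsoft's) models the precedence described above: Ignore network wins, an Exclusions entry drops a device back to Basic, anything else gets the tenant-wide mode. The subnet values are constructed; the precedence between Ignore and Exclusions is an assumption drawn from the text.

```python
import ipaddress

# Tenant-wide discovery modes from the text: Basic = passive, Standard = active.
MODES = ("Basic", "Standard")


def _nets(entries):
    # Exclusions accept single IPs ("10.1.2.3" becomes /32) as well as CIDR subnets.
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def resolve_mode(device_ip, tenant_mode, exclusions=(), ignored=()):
    """Discovery mode actually applied to one device.

    Assumed precedence: 'Ignore network' disables discovery entirely, an
    'Exclusions' entry turns Standard into Basic for that network, otherwise
    the tenant-wide mode applies.
    """
    if tenant_mode not in MODES:
        raise ValueError(f"unknown discovery mode {tenant_mode!r}")
    ip = ipaddress.ip_address(device_ip)
    if any(ip in n for n in _nets(ignored)):
        return "None"
    if tenant_mode == "Standard" and any(ip in n for n in _nets(exclusions)):
        return "Basic"
    return tenant_mode


def actively_scanned_ot_subnets(ot_subnets, tenant_mode, exclusions=(), ignored=()):
    """Return the 'old' OT subnets that would still receive active probing.

    A subnet is only safe when it lies entirely inside an exclusion or an
    ignored network; a partial overlap leaves some devices on Standard mode.
    """
    if tenant_mode != "Standard":
        return []  # Basic tenant: nothing is probed actively
    covered = _nets(exclusions) + _nets(ignored)
    leaking = []
    for s in _nets(ot_subnets):
        if not any(s.subnet_of(c) for c in covered if s.version == c.version):
            leaking.append(str(s))
    return leaking


if __name__ == "__main__":
    # Constructed sample: two legacy PLC subnets; the exclusion covers only half of the second.
    ot = ["10.20.0.0/24", "10.21.0.0/23"]
    excl = ["10.20.0.0/24", "10.21.0.0/24"]
    print(resolve_mode("10.20.0.7", "Standard", exclusions=excl))   # Basic
    print(resolve_mode("10.21.1.7", "Standard", exclusions=excl))   # Standard
    print(actively_scanned_ot_subnets(ot, "Standard", exclusions=excl))  # ['10.21.0.0/23']
```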
The Defender for IoT | OT sensor is still supported if passive monitoring via the network devices is required, the discovered devices are however not (yet) visible in the Defender XDR portal, only in the Defender for IoT portal.
Defender XDR OT feature #1 | Assets | Devices
The Device Inventory is the 1st feature where the integration is visible, at the top of the All devices page.
The IoT tab is renamed to IoT/OT devices.
Microsoft Defender for Endpoint now discovers OT devices and lists them under the IoT/OT devices category. Without the Defender for IoT license, only regular data is shown, not security data.
OT devices discovered via the Defender for IoT sensor (NDR via SPAN port or TAP device) are only visible in the Defender for IoT on-premises and Azure portals; these devices are not synced to Defender XDR.
Seeing is believing
Let’s put it to the test: I connected my Siemens S7 PLC (the PLC from the Stuxnet attack) to my IT network with MDE devices.
After a few hours the OT device is detected, categorized and enriched with the correct information. The result is visible in the IoT/OT devices category.
But wait … the Site value is empty?
Defender XDR OT feature #2 | Operational technology | Site security
The new Operational technology | Site security feature is the 2nd feature where the OT integration is visible.
Disclaimer: at least one OT device has to be discovered by MDE and classified as Device category: OT before a Site can be created (the example below is the view of All devices with the filter Device category: OT).
When there is at least one device visible, we can proceed to the Site security page. First we need to create a new OT site (physical location) before we can associate OT devices. Select the Create Your First Site button (requires a Defender for IoT license, otherwise you will see: You do not have any license yet).
Enter the details of the Site: name, location, description and owner (the owner’s e-mail address is, for example, used in a playbook to send an e-mail to device owners when an incident is triggered).
The next screen associates an OT device with the newly created OT site, for example via the IP address of the OT device. All other devices in the same subnet automatically get the Site name propagated.
The main Site security page provides an overview of all OT Site structure(s) in Microsoft Defender XDR including all associated devices and security info.
The Filter option in the All devices section can be used to filter specific OT sites and their devices.
Defender XDR OT feature #3 | Incidents & alerts
The Microsoft Defender XDR | Incident section is the 3rd feature where OT is integrated. The Defender for IoT alerts are streamed into Microsoft Sentinel and are bi-directionally synced to Microsoft Defender XDR, where the (OT) Incident is visible.
In the future Microsoft Defender for IoT will stream alerts directly into Microsoft Defender XDR.
The new Alert/Incident integration requires both the Microsoft Defender for IoT and Microsoft Defender XDR Data Connector to be connected.
The Microsoft Defender XDR | Incident page provides an overview of all Microsoft Defender (single or multi-stage) incidents (including Microsoft Defender for IoT).
The alert/incident flow is from 1. Defender for IoT sensor to 2. Defender for IoT (Azure) to 3. Microsoft Sentinel to 4. Microsoft Defender XDR.
The image below provides an overview of all different Microsoft portals where Microsoft Defender for IoT Alerts (Incidents) are visible.
Air-gapped: via the Microsoft Defender for IoT sensor (and/or the soon to be deprecated on-premises management portal). Cloud-connected: via the Azure (Defender for IoT) portal, the Defender XDR (NEW) portal and the Microsoft Sentinel portal.
Summary
The future is here: Microsoft Defender XDR supports OT networks and OT devices in this first release. It will take some time to reach feature parity with Defender for IoT, with minimal impact for current deployments.
First, the new OT device discovery method is a real game changer in the world of OT: no more network changes (downtime) or appliances (expensive, maintenance, etc.) required.
Second, the best of suite approach (versus best of breed) is imho the best security approach to provide IT/OT convergence with true XDR (signal sharing and alert correlation): you can see an attack from patient zero to the compromised OT device in lists and/or graphs, which can be replayed to see how the attack occurred.
So more to come but the first release is very promising.