Azure Defender for IoT is now in public preview

Published Oct 15 2020 09:00 AM


Summary: Agentless security for unmanaged IoT/OT devices

As industrial and critical infrastructure organizations implement digital transformation, the number of networked IoT and Operational Technology (OT) devices has greatly proliferated. Many of these devices are invisible to IT teams and are often unpatched and misconfigured, making them soft targets for adversaries looking to pivot deeper into corporate networks.


Business risks include financial losses due to production downtime, corporate liability from safety and environmental incidents, and theft of sensitive intellectual property such as proprietary formulas and manufacturing processes.


Incorporating agentless, IoT/OT-aware behavioral analytics from Microsoft's recent acquisition of CyberX, the new version of Azure Defender for IoT addresses these risks by discovering unmanaged IoT/OT assets, identifying IoT/OT vulnerabilities, and continuously monitoring for threats.


These new capabilities are now available in public preview for on-premises deployments, with the option of connecting securely to Azure Sentinel to eliminate IT/OT silos and provide a unified view of threats across both IT and OT environments. It also integrates out-of-the-box with third-party tools like Splunk, IBM QRadar, and ServiceNow.



Announced at Ignite 2020, Azure Defender for IoT delivers agentless security for continuously monitoring OT networks in industrial and critical infrastructure organizations.


You can deploy these capabilities fully on-premises without sending any data to Azure. Or, you can deploy in Azure-connected environments using our new native connector to integrate IoT/OT alerts into Azure Sentinel, benefiting from the scalability and cost advantages of Microsoft's cloud-native SIEM/SOAR platform.


Microsoft offers a number of end-to-end IoT security solutions for managed (or "greenfield") IoT deployments, including Azure IoT Hub, Azure Sphere, and micro-agents for embedded operating systems. However, most of today's IoT/OT devices are "unmanaged": they are not provisioned, are not monitored, and lack built-in security such as agents or automated updates.


As a result, most IT security organizations have limited or no visibility into their OT networks. What’s more, these devices are often unpatched and misconfigured, making them soft targets for adversaries looking to pivot deeper into corporate networks.


Network security monitoring tools developed for IT networks are unable to address these environments because they’re blind to specialized industrial protocols (Modbus, DNP3, BACnet, etc.). They also lack an understanding of the specialized device types, applications, and machine-to-machine (M2M) behaviors in IoT/OT environments.


Key capabilities

Azure Defender for IoT enables IT and OT teams to auto-discover their unmanaged IoT/OT assets, identify critical vulnerabilities, and detect anomalous or unauthorized behavior — without impacting IoT/OT stability or performance.


Azure Defender for IoT delivers insights within minutes of being connected to the network, leveraging patented IoT/OT-aware behavioral analytics and machine learning to eliminate the need to configure rules, signatures, or other static IOCs. To capture traffic, it uses an on-premises network sensor deployed as a virtual or physical appliance connected to a SPAN port or tap. The sensor performs non-invasive passive monitoring with Network Traffic Analysis (NTA) and Layer 7 Deep Packet Inspection (DPI) to extract detailed IoT/OT information in real time. Because it only listens to mirrored traffic and never injects packets into the control network, it cannot disturb the devices it watches; by the same token, its visibility is bounded by what the SPAN port or tap is configured to mirror, so sensor placement matters.


You also benefit from out-of-the-box integration with third-party IT security tools like Splunk, IBM QRadar, and ServiceNow. Plus, it's designed to fit right into existing OT environments, even across diverse automation equipment from all major OT suppliers (Rockwell Automation, Schneider Electric, GE, Emerson, Siemens, Honeywell, ABB, Yokogawa, etc.).


Integration with existing SOC workflows is key to removing IT/OT silos while delivering unified monitoring and governance across both IT and OT. To help automate this complex security challenge, we've also extended Azure Sentinel with IoT/OT-specific SOAR playbooks and threat intelligence.


Combined with previous support in Azure Security Center for IoT for protecting managed IoT/OT devices connected via Azure IoT Hub, these new capabilities enable organizations to accelerate their digital transformation initiatives with a combined solution for both unmanaged and managed devices.


[Figure: Rapid Deployment] Rapid non-invasive deployment leveraging patented IoT/OT-aware behavioral analytics, available either for on-premises or Azure-connected environments.


Real-time OT threat alerts provided by Azure Defender for IoT (examples)

  • Unauthorized device connected to the network
  • Unauthorized connection to the internet
  • Unauthorized remote access
  • Network scanning operation detected
  • Unauthorized PLC programming
  • Changes to firmware versions
  • “PLC Stop” and other potentially malicious commands
  • Device is suspected of being disconnected
  • EtherNet/IP CIP service request failure
  • BACnet operation failed
  • Illegal DNP3 operation
  • Master-slave authentication error
  • Known malware detected (e.g., WannaCry, EternalBlue)
  • Unauthorized SMB login
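To make the "OT-aware" point from the Key capabilities section concrete, here is an added example that is not code from Microsoft or CyberX and says nothing about how the product is implemented: a toy passive Modbus/TCP monitor in Python. It decodes the 7-byte MBAP header and the function code (the part an IT-only tool is blind to), learns a baseline of which host issues which function code to which PLC unit, and then raises alerts in the spirit of the "Unauthorized device connected to the network" and "Unauthorized PLC programming" entries above, without any signature. The IP addresses, the learning/monitoring split, and the sample frames are constructed for the demo.

```python
# Added example (not Microsoft's or CyberX's code): a minimal passive
# Modbus/TCP monitor that learns a baseline of (master, PLC, unit, function)
# tuples and then alerts on deviations, the way a behaviour-based OT sensor
# would rather than matching static signatures.
import struct

MODBUS_PORT = 502

# Public Modbus function codes (names per the Modbus Application Protocol spec).
FUNCTION_NAMES = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
# Function codes that change PLC state; these are what a "PLC write" alert cares about.
WRITE_CODES = {5, 6, 15, 16, 22, 23}


def parse_modbus_tcp(payload: bytes):
    """Decode the 7-byte MBAP header and the function code of a Modbus/TCP ADU.

    Returns None when the bytes are not a plausible Modbus/TCP frame, so that
    non-Modbus traffic on port 502 is ignored rather than mis-decoded.
    """
    if len(payload) < 8:
        return None
    tid, proto_id, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto_id != 0:               # protocol identifier is always 0 for Modbus
        return None
    if length != len(payload) - 6:  # "length" counts the unit id plus the PDU bytes
        return None
    fc = payload[7]
    return {"tid": tid, "unit": unit, "fc": fc & 0x7F, "exception": bool(fc & 0x80)}


def build_request(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Build a Modbus/TCP request ADU (used here only to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class ModbusMonitor:
    """Passive monitor: learn which (master, PLC, unit, function) tuples are
    normal, then alert on anything outside that baseline."""

    def __init__(self):
        self.baseline = set()
        self.learning = True

    def observe(self, src: str, dst: str, dport: int, payload: bytes):
        """Feed one request as seen on the SPAN port; returns a list of alert strings."""
        if dport != MODBUS_PORT:
            return []
        adu = parse_modbus_tcp(payload)
        if adu is None:
            return []
        key = (src, dst, adu["unit"], adu["fc"])
        if self.learning:
            self.baseline.add(key)
            return []
        alerts = []
        fc_name = FUNCTION_NAMES.get(adu["fc"], f"FC {adu['fc']}")
        if not any(k[0] == src for k in self.baseline):
            alerts.append(f"Unauthorized device: {src} sending Modbus to {dst}")
        if adu["fc"] in WRITE_CODES and key not in self.baseline:
            alerts.append(
                f"Unauthorized PLC write: {src} -> {dst} unit {adu['unit']} ({fc_name})"
            )
        return alerts


def run_demo():
    """Constructed sample traffic (hypothetical addresses): an HMI that only reads,
    an engineering workstation that writes, then a rogue host. Returns all alerts."""
    hmi, ews, plc, rogue = "10.0.0.10", "10.0.0.11", "10.0.0.20", "10.0.0.99"
    mon = ModbusMonitor()
    # Learning phase: a few polling cycles of normal traffic.
    for tid in range(3):
        mon.observe(hmi, plc, 502, build_request(tid, 1, 3, struct.pack("!HH", 0, 10)))
    mon.observe(ews, plc, 502, build_request(7, 1, 16, struct.pack("!HHB", 100, 1, 2) + b"\x00\x2a"))
    mon.learning = False

    alerts = []
    # Normal read from the HMI: no alert.
    alerts += mon.observe(hmi, plc, 502, build_request(8, 1, 3, struct.pack("!HH", 0, 10)))
    # The HMI suddenly writes a register: a known host, but a write it never did before.
    alerts += mon.observe(hmi, plc, 502, build_request(9, 1, 6, struct.pack("!HH", 100, 0)))
    # A rogue host reads and then writes a coil.
    alerts += mon.observe(rogue, plc, 502, build_request(1, 1, 3, struct.pack("!HH", 0, 1)))
    alerts += mon.observe(rogue, plc, 502, build_request(2, 1, 5, struct.pack("!HH", 0, 0xFF00)))
    # HTTP on port 502 is not Modbus: ignored, not mis-decoded.
    alerts += mon.observe(rogue, plc, 502, b"GET / HTTP/1.1\r\n\r\n")
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Two design points carry over to real sensors. First, header validation (protocol id zero, length consistent with the frame) is what keeps arbitrary bytes on port 502 from being "decoded" into bogus function codes, so a port number alone is never treated as proof of protocol. Second, the baseline is keyed on the function code, not just on the IP pair: the HMI is allowed to poll, but the moment it sends a write it has never sent before, that is an alert, which is the distinction a pure IT flow monitor cannot make.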


[Figure: Screenshot examples] Azure Defender for IoT provides holistic IoT/OT security including asset discovery, vulnerability management, and continuous threat monitoring, combined with deep Azure Sentinel integration.


Try it now at no charge

Try Azure Defender for IoT during public preview. This version includes the agentless security provided via the integration of CyberX, plus the ability to connect to Azure Sentinel. And please give us your feedback in the IoT Security Tech Community.


Learn more with these educational resources









Honored Contributor

Really amazing feature. If I had the opportunity I would have definitely implemented these security features in my own factory/company, but for now at least I can learn them and advise others who have the facilities to benefit from these new technologies.


Also I hope the marketing team can advertise properly and honestly make relevant people aware of these features, that these things exist in Azure.


Valued Contributor

This is super exciting.

One of the great challenges with IoT is that because they are small devices with limited functionality, we couldn't install security tools on them and we have to rely on monitoring network traffic for potential attacks.

It would have been interesting if it would detect out-of-date firmware too.

We normally won't know which devices are updated and which are not, and updating firmware is not easy; it is like manually copying files, and having a list of devices where an update is needed would be interesting.

Occasional Visitor

Thanks for sharing, great knowledge.


Version history: last updated May 11 2021 02:02 PM