TTechclick ⚡ XP 0% All lessons
Microsoft · OT/IoT Security · OverviewInteractive · L1 / L2 / L3

Microsoft Defender for IoT — Agentless OT/ICS NDR & Azure-Managed Visibility

Microsoft Defender for IoT (born from the CyberX acquisition) is a passive, no-agent OT/ICS/IoT network detection and response platform. A sensor mirrors traffic from a SPAN port or TAP, runs deep packet inspection against dozens of industrial protocols, and surfaces every device, vulnerability, and threat into the Azure and Microsoft Defender portal — with zero impact on your PLCs, RTUs, or HMIs.

📅 2026-06-18 · ⏱ 16 min · 5 infographics · live sensor demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear interactive guide to Microsoft Defender for IoT (2026): CyberX heritage, agentless OT/ICS NDR, passive SPAN/TAP sensors, five detection engines, Purdue model mapping, and Microsoft Sentinel integration for a unified OT/IT SOC.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

What it is

Agentless OT NDR, CyberX roots, passive capture.

 2

Building blocks

Sensor, on-prem console, Azure portal.

 3

How detection works

DPI, five engines, self-learning baseline.

 4

Purdue & the SOC

Level mapping, Sentinel, Defender XDR.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Does Microsoft Defender for IoT install agents on PLCs or RTUs?

Answered in What it is.

2. Where did the core technology come from?

Answered in What it is.

3. Which Microsoft cloud service is the central management portal?

Answered in Building blocks.

Most engineers think…

Most people assume OT security means 'put a firewall between IT and OT and you're done'. That fails both in interviews and in production.

Microsoft Defender for IoT is agentless and passive: a sensor watches a SPAN port or TAP, performs deep packet inspection of industrial protocols, and builds a live device inventory and threat picture — without touching a single PLC, RTU, or HMI. That architecture is the reason it can run in the most fragile Level-0/Level-1 OT environments where even a configuration read on a PLC can cause a process hiccup. Understanding the sensor-plus-portal model, the five detection engines, and the Microsoft Sentinel integration is what lets you answer OT security questions confidently in an interview.

① What Microsoft Defender for IoT actually is — agentless OT/ICS NDR

Microsoft Defender for IoT is an agentless OT/ICS/IoT network detection and response (NDR) platform managed from the Azure and Microsoft Defender portal. The word agentless is the whole point: there is nothing installed on PLCs, RTUs, HMIs, or SCADA servers. A passive OT network sensor mirrors traffic from a SPAN port or TAP and does all the work, with zero operational impact on fragile production equipment.

The technology came from Microsoft's 2020 acquisition of CyberX, an Israeli OT security pioneer. CyberX had already built five detection engines, deep OT protocol parsing, and a behavioural self-learning baseline — Microsoft rebranded it, integrated it into the Azure security stack, and extended it with Sentinel and Defender XDR connectivity.

The two buyer personas are the OT team (engineers who run the plant and want a live asset register and anomaly alerts without disrupting production) and the IT/SOC team (who want OT visibility inside the same Microsoft security tools they already use for IT). Defender for IoT bridges both.

Legendpassive sensor / SPAN tap & flow arrowsprocessing stage (DPI, detect, inventory)diagram canvas / paneldevice attributes / detail textAzure portal / Sentinel sink
Figure 1 — The passive OT detection loop
From traffic mirror to Azure alert — every step is passive; no packet is ever sent to an OT device.The passive OT detection loopMirror trafficSPAN port or TAPDPI & parse50+ OT protocolsDetect5 engines + baselineInventorydevice attributesAlert & reportAzure portal /Sentinel
From traffic mirror to Azure alert — every step is passive; no packet is ever sent to an OT device.
Figure 2 — Microsoft Defender for IoT — what it protects
One platform covers OT, ICS and IoT environments across the full Purdue stack.Microsoft Defender for IoT — what it protectsEnterprise IT (L4/L5)Integrated via Sentinel & Defender XDROT/ICS (L0–L3)PLCs, RTUs, HMIs, SCADA — zero-agent monitoringIoT devicesIP cameras, building systems, embedded devices
One platform covers OT, ICS and IoT environments across the full Purdue stack.
Quick check · Q1 of 10 · Understand

Microsoft Defender for IoT is best described as…

Correct: b. Defender for IoT is agentless and passive: an OT network sensor mirrors traffic from a SPAN port or TAP and performs DPI with no software installed on and no packets sent to OT devices.
👉 So far: Defender for IoT = agentless OT/ICS/IoT NDR from the 2020 CyberX acquisition — a passive SPAN/TAP sensor with zero impact on PLCs, RTUs, or HMIs, managed from the Azure/Defender portal.

② The three building blocks — sensor, management console & cloud portal

Microsoft Defender for IoT has three architectural pieces. The OT network sensor is the edge appliance — physical hardware or a virtual machine — deployed at each industrial site. It captures traffic from the SPAN/TAP, runs deep packet inspection and all five detection engines locally, builds the device inventory, and queues alerts. It does its job even when cut off from the cloud.

Management and cloud layers

The on-premises management console was the legacy aggregation tier for multi-sensor, air-gapped estates — it consolidated data from many sensors without cloud connectivity. Microsoft is retiring it and moving that function to the cloud. The Azure / Microsoft Defender portal is the cloud hub going forward: central device inventory, alert management, site and zone configuration, RBAC, sensor updates, and the integration point for Sentinel and Defender XDR.

Sensors operate in two modes: cloud-connected (data streams to the portal in near real-time) and locally-managed / air-gapped (the sensor runs standalone with no cloud path — for sites where regulations or safety rules prohibit internet connectivity). In both cases the sensor itself does the heavy lifting at the edge.

Figure 3 — OT sensor — the edge hub
The OT network sensor is the workhorse: it feeds the cloud portal, the on-prem console, and all downstream integrations.OT sensor — the edge hubOT Sensoredge appliance/VMAzure portalOn-prem consoleSentinel SIEMDefender XDR3rd-party SIEMTicketing/SOAR
The OT network sensor is the workhorse: it feeds the cloud portal, the on-prem console, and all downstream integrations.
📡
OT network sensor
tap to flip

The edge appliance (physical or VM) that mirrors OT traffic via SPAN/TAP, runs DPI and all five detection engines locally, and builds the device inventory — with zero impact on the OT network.

🧠
Behavioural self-learning
tap to flip

A learning period during which the sensor baselines normal OT communications; once in operational mode, any deviation triggers an Anomaly alert without needing pre-written signatures.

🏗️
Purdue reference model
tap to flip

A layered framework (Levels 0–5 + Level 3.5 IT/OT DMZ) that classifies industrial network devices; Defender for IoT auto-maps devices to their level and detects cross-level segmentation violations.

🔗
Section 52 / MSTIC
tap to flip

Microsoft's dedicated OT security research team that produces OT-specific threat intelligence packages pushed automatically to all Defender for IoT sensors.

Sensor does the work — cloud manages it

In interviews, separate the OT network sensor (the edge workhorse that does DPI and detection locally) from the Azure/Defender portal (the central management and integration hub). The sensor keeps working even if cloud connectivity is lost — that is the air-gapped deployment advantage.

Quick check · Q2 of 10 · Remember

Which management layer is Microsoft retiring in favour of the cloud portal?

Correct: c. The on-premises management console was the legacy aggregation tier for air-gapped multi-sensor estates. Microsoft is retiring it and moving that management function to the Azure/Defender portal.
👉 So far: Three building blocks: OT network sensor (edge DPI + detection), on-premises management console (legacy/retiring), and Azure/Defender portal (the cloud hub going forward). Sensors work air-gapped too.

③ How passive detection works — DPI, five engines & self-learning

The OT network sensor does deep packet inspection (DPI) of all mirrored traffic. It parses dozens of OT/ICS protocols natively: Modbus, DNP3, Siemens S7/S7Plus, EtherNet/IP (CIP), BACnet, OPC DA/UA, IEC 60870-5-104, IEC 61850 (MMS/GOOSE), Profinet, Honeywell, Emerson, and many more. Custom or proprietary protocols can be parsed with the Horizon open development environment (ODE) SDK.

Five detection engines

Detection runs through five engines inherited from CyberX. Protocol Violation catches malformed or out-of-spec protocol use. Policy Violation flags communications that break defined rules (e.g. an HMI talking to a device in a zone it shouldn't reach). Malware (industrial) matches known industrial malware signatures. Anomaly relies on behavioural self-learning — the sensor spends a learning period baselining normal OT communications, then in operational mode any deviation generates an alert. Operational catches process-level anomalies such as unexpected command sequences or out-of-range values.

The device inventory is a passive by-product of DPI: every device seen on the wire is catalogued with vendor, model, firmware version, OS, IP and MAC addresses, open protocols, and Purdue level — all without sending a single active query to the device.

Figure 4 — Cloud-connected vs locally-managed sensor
Choose the deployment mode based on connectivity rules and regulatory constraints of each OT site.Cloud-connected vs locally-managed sensorCloud-connectedSensor streams data to AzureManaged & updated from theFull Sentinel + Defender XDRBest for internet-reachable OTLocally-managed (air-gapped)Sensor runs fully standaloneNo cloud path requiredData reviewed on-sensor or viaBest for
Choose the deployment mode based on connectivity rules and regulatory constraints of each OT site.
'Agentless means less protection' myth

Passive DPI of mirrored traffic often sees more than an agent can — every device on the OT segment is visible, including unmanaged and rogue devices that would never accept an agent. The agentless approach is a strength, not a compromise, in fragile OT environments.

▶ Watch a rogue device get caught on the OT network

How a new device connecting to the OT segment is passively discovered and flagged. Press Play for the healthy discovery path, then Break it to see the classic failure.

① Device connectsAn unauthorised laptop is plugged into a switch on the OT segment and begins sending Modbus read commands to a PLC.
② SPAN mirrorThe switch sends a mirrored copy of all traffic to the OT network sensor via the SPAN port — no packet is sent to the laptop.
③ DPI & classifyThe sensor's DPI engine parses the Modbus frames, identifies the source IP/MAC, and catalogues the device as an unknown Windows host.
④ Alert raisedBecause the device is not in the baseline, the Anomaly engine raises a 'New asset detected' alert; the Policy Violation engine also fires because the laptop is communicating outside its authorised zone. The alert appears in the Defender portal and Sentinel.
Press Play to step through the passive discovery path. Then press Break it.
Quick check · Q3 of 10 · Apply

An OT sensor sees a PLC send a valid but unusual Modbus command outside its normal polling window. Which detection engine raises the alert?

Correct: a. An unusual command that is syntactically valid but deviates from the learned baseline is an Anomaly alert. Protocol Violation handles malformed packets; Policy Violation requires an explicit rule breach; Malware needs a signature match.
👉 So far: Five detection engines: Protocol Violation, Policy Violation, Malware, Anomaly (self-learning baseline), Operational. DPI parses 50+ OT protocols; custom ones via Horizon SDK. Device inventory is a passive by-product.

④ Purdue model, Microsoft Sentinel & the unified SOC

Defender for IoT auto-maps every discovered device to its Purdue reference model level: Level 0 (physical process — sensors, actuators), Level 1 (control — PLCs, RTUs), Level 2 (supervisory — HMIs, SCADA), Level 3 (site operations), Level 3.5 (IT/OT DMZ), Level 4/5 (enterprise/cloud). Cross-level violations — a PLC at Level 1 suddenly communicating with an enterprise server at Level 4, for example — are flagged as segmentation violations, a critical ICS attack signal.

The Microsoft Sentinel data connector streams Defender for IoT device inventory and alerts into Sentinel automatically. Out-of-the-box OT analytics rules, workbooks, and SOAR playbooks let a SOC correlate IT and OT incidents in the same console. Microsoft Defender XDR adds unified incident management across endpoints, identity, email, cloud, and OT. OT-specific threat intelligence packages from Microsoft's Section 52 / MSTIC team are pushed automatically to sensors.

Third-party integrations cover SIEM, SOAR, ticketing, and firewalls — so Defender for IoT also works in non-Microsoft SOC stacks. Vulnerability management matches discovered devices to known CVEs, produces risk-assessment reports, and simulates attack paths to prioritise compensating controls where patching a PLC is simply not an option.

Figure 5 — OT alert to unified SOC incident
A Defender for IoT alert becomes a correlated IT+OT incident in Sentinel with zero manual export.OT alert to unified SOC incidentSensor alertanomaly detectedDefender portalalert triagedSentinel connectordata streamedAnalytics ruleOT workbook firesSOC incidentIT+OT correlated
A Defender for IoT alert becomes a correlated IT+OT incident in Sentinel with zero manual export.

Priya at an Indian power utility faces this

After deploying a Defender for IoT sensor at a regional substation in Hyderabad, alerts fire for 'Protocol Violation — IEC 60870-5-104' from an unknown IP that does not appear in the manual SCADA asset register.

Likely cause

A rogue engineering laptop connected to the substation LAN is sending IEC-104 commands to RTUs outside normal polling cycles.

Diagnosis

In Microsoft Defender portal → Defender for IoT → Device inventory, the sensor's DPI catalogued the unknown host as a Windows machine running engineering software with no authorised zone. The alert timeline shows commands to RTUs at unusual hours.

Defender portal ▸ Defender for IoT ▸ Device inventory + Alerts
Fix

Assign the device to a quarantine zone in the Defender portal, trigger a Microsoft Sentinel incident via the data connector, and escalate to the OT team to physically inspect and authorise or remove the laptop. Configure an alert-suppression rule for the one authorised maintenance window.

Verify

24 hours later — no further Protocol Violation alerts from that IP; Device Inventory shows the device as authorised with the correct site/zone label.

Check the learning period before going live

The behavioural self-learning baseline needs a realistic learning period of normal OT operations before you switch to operational mode. Go live too early — mid-maintenance or during a plant commissioning window — and the baseline will include abnormal behaviour, causing false positives or missed alerts. Confirm the plant is in steady-state first.

Quick check · Q4 of 10 · Analyze

A SOC analyst wants to see OT alerts alongside IT endpoint alerts in a single incident view. What is the correct Microsoft-native path?

Correct: d. The native Sentinel data connector streams Defender for IoT device inventory and alerts into Sentinel; out-of-the-box OT analytics rules and workbooks then enable IT+OT incident correlation in the same console.
👉 So far: Purdue Levels 0–5 + Level 3.5 IT/OT DMZ: devices auto-mapped, cross-level violations flagged. Sentinel data connector + OT analytics rules = IT+OT incidents in one SOC. Section 52 / MSTIC threat intel pushed to sensors.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Microsoft Defender for IoT technology originated from which acquisition?

Correct: b. Microsoft acquired CyberX in 2020. CyberX's five detection engines, DPI, and behavioural self-learning form the core of what became Microsoft Defender for IoT.
Q6 · Understand

Why is a SPAN port or TAP used instead of installing agents on OT devices?

Correct: b. OT devices like PLCs and RTUs are fragile — even a configuration change can disrupt a process. Passive SPAN/TAP capture mirrors traffic without ever sending a packet to the device, achieving zero operational impact.
Q7 · Apply

An OT site has strict regulations prohibiting any internet connectivity for its SCADA network. Which sensor deployment mode should be used?

Correct: c. Locally-managed (air-gapped) mode lets the OT sensor operate fully standalone with no cloud path. It performs DPI and detection locally; data is reviewed on-sensor or via the on-premises management console.
Q8 · Analyze

The Anomaly detection engine fires only after a learning period. Why is that learning period critical?

Correct: c. Behavioural self-learning works by first building a model of what is normal. Without that baseline, the Anomaly engine has no reference and cannot distinguish routine OT comms from genuine threats — leading to either alert floods or no alerts at all.
Q9 · Evaluate

An interviewer asks: 'What is the single most important OT-to-SOC integration in Microsoft Defender for IoT?' What is the strongest answer?

Correct: d. The Sentinel data connector is the bridge between OT and the IT SOC — it enables IT+OT incident correlation in one console with no manual export. Horizon, the sensor, and Purdue mapping are important but are OT-side features, not the OT-to-SOC integration path.
Q10 · Evaluate

A Defender for IoT deployment is reporting far too many Protocol Violation alerts from legacy PLCs using a non-standard dialect of Modbus. What is the most sustainable fix?

Correct: c. The Horizon SDK exists precisely for custom and proprietary protocol variants. Writing a correct parser eliminates false Protocol Violation alerts caused by vendor-specific dialect differences without disabling the engine or replacing hardware.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: why is 'agentless' the defining feature of Microsoft Defender for IoT in OT environments? Then compare with the expert version.

Expert version: Because OT devices — PLCs, RTUs, HMIs — are fragile and often cannot safely run additional software; even a configuration read can trigger a process fault. By listening on a SPAN port or TAP instead, the OT network sensor captures a complete picture of every device and communication on the segment with absolutely zero operational impact. That passive approach is what makes it safe to deploy in Level-0/Level-1 environments where a traditional agent-based tool would simply be too risky.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Agentless
No software installed on monitored OT devices; the sensor captures only mirrored network traffic via SPAN/TAP.
SPAN port / TAP
Switch Port Analyser or Test Access Point — hardware methods to send a passive copy of traffic to the OT sensor without interrupting the original flow.
OT network sensor
The edge appliance (physical or VM) that captures SPAN/TAP traffic, runs DPI and all five detection engines locally, and builds the device inventory.
Deep packet inspection (DPI)
Parsing packet payloads to the application/protocol layer to extract device attributes and detect anomalies or threats.
CyberX
The OT security company Microsoft acquired in 2020 whose technology — five detection engines, DPI, behavioural self-learning — became the core of Defender for IoT.
Purdue reference model
A layered framework dividing industrial networks into Levels 0–5 (physical process to enterprise) plus Level 3.5 IT/OT DMZ; used to segment and classify OT devices.
Behavioural self-learning
A learning period during which the sensor baselines normal OT communications; deviations in operational mode trigger Anomaly alerts.
Section 52 / MSTIC
Microsoft's dedicated OT security research team that publishes OT-specific threat intelligence packages automatically pushed to Defender for IoT sensors.
Microsoft Sentinel
Microsoft's cloud-native SIEM/SOAR; Defender for IoT has a native data connector for streaming OT inventory and alerts into Sentinel for IT+OT incident correlation.
Horizon SDK (ODE)
The open development environment SDK that allows custom parsers to be written for proprietary or non-standard OT/ICS protocols.

📚 Sources

  1. Microsoft Learn — What is Microsoft Defender for IoT? learn.microsoft.com/azure/defender-for-iot/overview
  2. Microsoft Learn — OT network sensors in Microsoft Defender for IoT. learn.microsoft.com/azure/defender-for-iot/ot-deploy/ot-deploy-path
  3. Microsoft Learn — Alert engines and alert types in Defender for IoT. learn.microsoft.com/azure/defender-for-iot/alert-engine-messages
  4. Microsoft Learn — Microsoft Sentinel integration with Defender for IoT. learn.microsoft.com/azure/defender-for-iot/integration-sentinel
  5. Microsoft Learn — Supported protocols — Microsoft Defender for IoT. learn.microsoft.com/azure/defender-for-iot/concept-supported-protocols
  6. Microsoft Security Blog — Microsoft acquires CyberX to accelerate IoT and OT security (2020). microsoft.com/security/blog

What's next?

Got the overview? Next, go deep on the three-tier architecture — OT sensor, on-premises management console, and the cloud portal — and learn exactly how data flows from the factory floor to your Azure dashboard.

Next · All interview lessons → Practice on exam.techclick.in →