Which mechanism does the Defender for IoT OT sensor use to receive a copy of OT network traffic?

Correct: c. The sensor receives a copy of traffic via a SPAN/mirror port or hardware TAP — it is entirely passive and never installs anything on OT devices or sends packets into the OT network.

What makes OT deep packet inspection different from standard network flow monitoring?

Correct: b. DPI reads inside the protocol payload — for example, it can distinguish a Modbus Read from a Modbus Write, or detect an S7 Stop CPU command. Flow monitoring sees only IP/port metadata and cannot identify the command being issued.

The Anomaly detection engine on the OT sensor raises alerts when it detects what?

Correct: c. The Anomaly engine uses behavioural self-learning — it builds a baseline during the learning period and then alerts on deviations such as new devices, new protocol relationships, or unusual communication patterns.

Priya's newly deployed OT sensor shows only Windows workstations in the device inventory and no PLCs. What should she check first?

Correct: a. If only Windows hosts appear, the sensor is receiving traffic from the IT segment, not the OT aggregation segment. The SPAN source port/VLAN configuration on the switch must be checked and corrected to mirror the OT VLAN.

A site needs an OT sensor for a safety instrumented system (SIS) segment carrying 800 Mbps of traffic with strict no-cloud requirements. Which sensor form fits best?

Correct: b. An 800 Mbps safety-critical segment needs a physical appliance rated for that bandwidth tier to guarantee no packet drops. Air-gapped / locally-managed mode satisfies the no-cloud requirement. Virtual sensors are subject to hypervisor SPAN forwarding limits and should not be used for high-throughput critical segments.

What is the strongest reason to wait for the learning period to complete before routing OT sensor alerts to the SOC?

Correct: c. The learning period builds the baseline that the Anomaly and Policy Violation engines compare traffic against. Without that baseline every communication looks like a policy violation or anomaly — the result is an alert storm. DPI and all five engines continue running during learning; only the alert disposition changes.

Microsoft Defender for IoT OT Network Sensors — Passive DPI & Edge Analytics (2026)

Q: Why does the Defender for IoT OT sensor use a SPAN port or TAP instead of installing an agent on PLCs?

Correct: b. OT devices run real-time deterministic firmware with no tolerance for unexpected packets or additional software loads. A passive SPAN/TAP copy never touches the OT device, giving the zero operational impact that PLCs and HMIs require.

Q: Which of the five detection engines identifies communications that deviate from the self-learned baseline of normal OT behaviour?

Correct: d. The Anomaly engine detects deviations from the behavioural baseline the sensor built during its learning period — new devices, new protocol relationships, or unusual traffic patterns that were not present at baseline.

Q: You are deploying a sensor at a plant with three isolated OT zones: production, utilities and safety. How many sensors are needed?

Correct: b. Each isolated OT zone requires its own sensor connected to that zone's aggregation switch, because SPAN traffic from one switch does not include traffic on other isolated segments. One sensor cannot see traffic it was never given a copy of.

Q: A newly deployed OT sensor is generating hundreds of alerts per hour and the SOC is overwhelmed. What is the most likely cause?

Correct: c. Skipping or shortening the learning period means the anomaly and policy engines have no established baseline of normal OT communications. Everything looks anomalous — hence the alert storm. Always allow the full learning period before promoting alerts to the SOC.

Most engineers think…

Most people assume OT security works like IT security — you install an agent, it phones home, and a cloud platform tells you what's wrong. Do that in a refinery or power substation and you risk disrupting the very process you're protecting.

Microsoft Defender for IoT's OT sensor flips that model. It sits on a SPAN port or TAP, reads a passive copy of every packet, runs five detection engines and deep packet inspection locally at the edge, and never sends a single byte to the PLC. Understanding why this architecture is non-negotiable — and how to deploy and size sensors correctly — is what separates a capable OT security engineer from someone who will blow up a production line on day one.

① Why OT monitoring must be passive — SPAN, TAP & agentless design

Industrial controllers — PLCs, RTUs and HMIs — are not servers. They run real-time operating systems with deterministic timing, vendor-specific firmware, and zero tolerance for unexpected network traffic. An unsolicited packet at the wrong moment can stall a ladder-logic scan cycle, trip an emergency shutdown, or corrupt a process value. That is why Microsoft Defender for IoT's OT network sensor is entirely passive and agentless: it never installs software on OT devices and never sends a single packet into the OT network.

Instead, the sensor receives a copy of traffic via one of two mechanisms. A SPAN port (port mirror) is a software feature on a managed switch: you configure selected ports or VLANs to be mirrored to a dedicated monitor port, and the sensor plugs into that port. It is easy to set up and costs nothing extra, but can drop packets under heavy switch load. A TAP (Test Access Point) is a passive hardware device spliced inline on the fibre or copper — it creates a guaranteed, full-fidelity copy regardless of traffic volume, with no dependency on switch software. TAPs are preferred for critical, high-throughput OT segments.

Either way, the OT network sees nothing. The PLCs keep polling their sensors, the HMIs keep displaying process data, and the SCADA server keeps writing setpoints — completely unaware that a security sensor is reading every packet. This zero operational impact guarantee is the foundation of the whole architecture.

Legendsensor & flow arrowsstage labelsdiagram headingdetail textcanvas / panel

Figure 1 — How passive capture reaches the sensor

Traffic flows through the OT network normally; the sensor reads only a copy via SPAN or TAP — zero packets sent back.

Figure 2 — SPAN port vs hardware TAP

Both deliver a passive copy — choose by reliability requirements and switch load.

TAP for critical paths

In an interview or design review, recommend a hardware TAP over a SPAN port for any high-throughput or safety-critical OT segment. TAPs cannot drop packets under load and have no dependency on switch software configuration — two failure modes SPAN ports introduce.

Quick check · Q1 of 10 · Understand

Why does the Defender for IoT OT sensor use a SPAN port or TAP instead of installing an agent on PLCs?

a) Agents are cheaper to deploy than SPAN portsb) PLCs and HMIs cannot tolerate unexpected traffic or additional software — passive capture gives zero operational impactc) SPAN ports provide faster detection than agentsd) Agents only work on Windows servers, not on OT devices

Correct: b. OT devices run real-time deterministic firmware with no tolerance for unexpected packets or additional software loads. A passive SPAN/TAP copy never touches the OT device, giving the zero operational impact that PLCs and HMIs require.

👉 So far: Passive = SPAN or TAP provides a read-only copy of OT traffic. The sensor never injects packets — zero operational impact on PLCs, RTUs and HMIs.

② Inside the OT sensor — DPI, edge analytics & detection engines

Once traffic arrives at the sensor via SPAN or TAP, the sensor's deep packet inspection (DPI) engine decodes it far beyond IP headers. For a Modbus packet it reads the function code (Read Coils vs Write Single Register), the register address, and the value. For a Siemens S7 packet it reads the CPU command type — including dangerous commands like Stop CPU. For an IEC 60870-5-104 packet it reads the ASDU type and cause of transmission. This command-level visibility is what makes OT DPI qualitatively different from flow monitoring or basic port inspection.

Five detection engines, all running at the edge

All detection logic runs locally on the sensor — no cloud round-trip is needed to generate an alert. The five engines are: Protocol Violation (malformed or out-of-spec packets), Policy Violation (communications that should not happen — e.g. a remote IP writing to a PLC that should only accept local commands), Malware (industrial) (known ICS malware indicators), Anomaly (deviations from the learned baseline — new devices, new protocols, new peer relationships), and Operational (process-layer events such as a PLC mode change or an unusual setpoint write). The sensor also runs a behavioural self-learning phase on first deployment to build the baseline before enforcement begins.

OT and ICS protocols parsed include Modbus, DNP3, Siemens S7/S7Plus, EtherNet/IP (CIP), BACnet, OPC (DA/UA), IEC 60870-5-104, IEC 61850 (MMS/GOOSE), Profinet, Honeywell, and many more. Custom or proprietary protocols can be added via the Horizon open development environment (ODE) SDK without waiting for a Microsoft update.

Figure 3 — Five detection engines on the sensor

All five engines run locally on the OT sensor — detection does not require a cloud round-trip.

📡

SPAN / Mirror Port

tap to flip

A switch software feature that copies selected port or VLAN traffic to a monitor port. The sensor plugs in passively — no impact to OT devices.

🔌

Hardware TAP

tap to flip

A passive inline hardware device that creates a guaranteed full-fidelity copy of all traffic on the cable — preferred for critical high-traffic OT segments.

🔬

Deep Packet Inspection

tap to flip

The sensor decodes OT protocols beyond IP headers — reading Modbus function codes, S7 CPU commands, DNP3 ASDU types — at the command level.

🏭

Edge Analytics

tap to flip

All five detection engines run locally on the sensor. Alerts are generated at the plant edge without needing a cloud round-trip — vital for air-gapped sites.

▶ Watch a rogue PLC write get detected passively

Trace a Modbus Write command from a new IP through DPI to a Policy Violation alert. Press Play for the healthy detection path, then Break it to see the classic failure.

① New deviceAn unknown IP address on the OT VLAN issues a Modbus Write Single Register command to a production PLC — a command that should only come from the authorised SCADA server.

▼

② SPAN copyThe aggregation switch mirrors the OT VLAN to the sensor's monitor port. The sensor receives the packet copy without the PLC knowing it is being observed.

▼

③ DPI decodeThe DPI engine identifies the packet as Modbus function code 06 (Write Single Register), records the source IP, destination PLC and register address.

▼

④ Policy alertThe Policy Violation engine flags the source IP as not in the authorised communicators baseline and raises a high-severity alert in the Defender portal.

Press Play to step through the passive detection path. Then press Break it.

Quick check · Q2 of 10 · Remember

Which of the five detection engines identifies communications that deviate from the self-learned baseline of normal OT behaviour?

a) Protocol Violationb) Policy Violationc) Malware (industrial)d) Anomaly

Correct: d. The Anomaly engine detects deviations from the behavioural baseline the sensor built during its learning period — new devices, new protocol relationships, or unusual traffic patterns that were not present at baseline.

👉 So far: DPI decodes OT protocols to command level (Modbus function codes, S7 CPU commands). Five detection engines run locally at the edge — no cloud round-trip needed for alerts.

③ Where sensors sit — Purdue placement, SPAN vs TAP & deployment modes

Sensor placement follows the Purdue reference model. The sweet spot is at the Level 2 aggregation switch — the switch that connects Level 1 PLCs/RTUs upward to Level 2 HMIs and engineering workstations. Mirroring this switch's OT VLAN captures all control-plane traffic in that zone. For a site with multiple isolated OT segments (e.g. a utilities zone, a production zone and a safety instrumented system zone) you deploy one sensor per zone, each connected to its own aggregation switch SPAN port or TAP.

Sensors are organised in the Microsoft Defender portal under Sites and Zones. A Site maps to a physical location (a plant, a substation, a building). A Zone maps to a logical network segment within that site. This hierarchy drives RBAC (an OT engineer at the Vadodara plant should see only Vadodara alerts) and scoping of alerts and inventory.

Two deployment modes exist. Cloud-connected: the sensor sends telemetry, alerts and device inventory to the Azure / Microsoft Defender portal in near-real-time; updates and threat intelligence packages from Microsoft's Section 52 / MSTIC team flow back automatically. Locally managed (air-gapped): the sensor operates fully on-prem with no internet connectivity — required for classified environments, critical national infrastructure, or sites with a strict no-cloud policy; managed from the on-premises management console (note: Microsoft is retiring the on-prem console and moving management to the cloud for new deployments).

Figure 4 — OT protocols decoded by DPI

One sensor parses dozens of OT/ICS protocols; custom protocols added via the Horizon SDK.

Wrong switch = wrong traffic

The most common sensor deployment mistake is connecting the SPAN port on the wrong switch — usually an IT access switch rather than the OT aggregation switch. The result: the sensor discovers only Windows laptops and sees zero industrial device traffic. Always confirm the SPAN source VLANs before calling a deployment complete.

Quick check · Q3 of 10 · Apply

You are deploying a sensor at a plant with three isolated OT zones: production, utilities and safety. How many sensors are needed?

a) One sensor placed at the IT/OT DMZ switch is sufficient for all zonesb) Three sensors — one per zone, each at the zone aggregation switchc) Two sensors — one for production and one shared for utilities and safetyd) No sensors needed if cloud-connected mode is enabled

Correct: b. Each isolated OT zone requires its own sensor connected to that zone's aggregation switch, because SPAN traffic from one switch does not include traffic on other isolated segments. One sensor cannot see traffic it was never given a copy of.

👉 So far: One sensor per zone at the Purdue Level 2 aggregation switch. Organised under Sites and Zones in the Defender portal. Cloud-connected or air-gapped deployment modes.

④ Physical vs virtual, sizing, the learning period & alert tuning

Sensors come in two forms. A physical appliance is a dedicated rack-unit server spec'd by Microsoft for OT deployments — chosen when you need certified hardware throughput for high-bandwidth OT backbones, when adding a new virtual host to the OT floor is unacceptable, or when the environment demands a purpose-built appliance. A virtual sensor (VM) runs on VMware ESXi, Hyper-V, or as an Azure VM — lower CAPEX, easier to pilot, and suitable for lower-bandwidth segments, provided the hypervisor host can forward the SPAN traffic at full line rate without dropping packets.

Sizing & the learning period

Sizing is governed by two factors: monitored bandwidth (choose the sensor tier whose throughput ceiling exceeds the peak bandwidth of the mirrored segment) and device count (the sensor builds an inventory; a very large OT floor with thousands of devices needs higher-tier hardware or multiple sensors). After first deployment, the sensor enters a learning period — it observes normal OT communications, builds a baseline of device relationships and protocol patterns, and keeps detection engines in informational mode. When learning is complete the engines switch to active alerting. Skipping or cutting short the learning period is the single most common cause of alert storms in new Defender for IoT deployments. Validate the learning period is complete before promoting alerts to your SOC workflow.

Figure 5 — Sensor deployment lifecycle

From unboxing to active SOC alerts — the learning period is the step most teams skip at their peril.

Priya Nair at Bharat Chemicals in Vadodara faces this

After deploying the OT sensor via SPAN, the device inventory shows only 12 devices — all Windows workstations — despite 150+ PLCs and HMIs on the plant floor.

Likely cause

The SPAN source port on the switch is mirroring the IT office access VLAN, not the OT aggregation VLAN where PLC and HMI traffic flows.

Diagnosis

Open the sensor's local console or Defender portal device inventory — only Windows hosts appear, no industrial devices. Check the SPAN source configuration on the switch and confirm which VLANs are being mirrored.

Defender portal ▸ Sites & Zones ▸ Sensor ▸ Device Inventory + switch SPAN config

Fix

Reconfigure the SPAN source on the OT aggregation switch (Layer 2 of the Purdue model) to mirror the correct OT VLANs. Restart the learning period after the port change so the sensor builds a complete baseline.

Verify

Device inventory begins populating with PLC/HMI assets within minutes. After the learning period, the protocol breakdown shows Modbus and DNP3 traffic. Alert count normalises as the baseline settles.

Always complete the learning period

Do not hand off a sensor to the SOC before the learning period is finished. Check the sensor status in the Defender portal — it shows 'Learning' until baseline is stable. Promoting alerts before baseline is set is the single most common cause of alert fatigue in new OT security deployments.

Quick check · Q4 of 10 · Analyze

A newly deployed OT sensor is generating hundreds of alerts per hour and the SOC is overwhelmed. What is the most likely cause?

a) The sensor's DPI engine is parsing too many protocols simultaneouslyb) The SPAN port is configured on the wrong switchc) The learning period was skipped or cut short before the baseline was establishedd) The sensor virtual machine has too little RAM allocated

Correct: c. Skipping or shortening the learning period means the anomaly and policy engines have no established baseline of normal OT communications. Everything looks anomalous — hence the alert storm. Always allow the full learning period before promoting alerts to the SOC.

👉 So far: Physical appliance for high-bandwidth critical segments; virtual sensor for lower-bandwidth or pilot deployments. Size by bandwidth tier + device count. Never skip the learning period.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

🧠 In your own words

Type one line: why can't you just install an antivirus agent on a PLC the way you would on a Windows server? Then compare with the expert version.

Expert version: PLCs run real-time deterministic operating systems with fixed scan cycles and vendor-locked firmware — they are not general-purpose computers and cannot run third-party software. Even if a vendor allowed it, the additional CPU load and network traffic from an agent heartbeat could disrupt the ladder-logic scan cycle or trigger safety shutdowns. That is why Microsoft Defender for IoT's OT sensor is passive and agentless: it reads a copy of OT traffic via a SPAN port or TAP, runs all analysis on the sensor itself, and the PLC never knows it is being monitored.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📩 Quiz me on this in 7 days. Opt in and we'll email 3 micro-questions on Microsoft Defender for IoT at Day 1, Day 7 and Day 30 — spaced repetition is how this sticks. Un-tick any time.

📖 Glossary

SPAN / mirror port: A switch software feature that copies selected port or VLAN traffic to a monitor port for passive capture — no hardware cost but may drop packets under load.
Hardware TAP: A passive inline device that guarantees a full-fidelity copy of all traffic on a cable segment with no switch software dependency.
Deep Packet Inspection (DPI): Inspection of packet payloads beyond IP/TCP headers — decoding OT protocol commands, function codes and device states at the application layer.
Edge analytics: Detection and analysis processing running locally on the sensor at the plant edge, without a cloud round-trip — essential for air-gapped OT environments.
Agentless monitoring: Security monitoring with no software installed on the monitored devices — critical for OT because PLCs and HMIs cannot tolerate additional software or unexpected traffic.
Learning period: The initial phase after sensor deployment when the sensor baselines normal OT communication patterns before switching to active alerting.
Sites and Zones: The organisational hierarchy in the Microsoft Defender portal — a Site is a physical location, a Zone is a network segment within it — used for RBAC and alert scoping.
Horizon SDK: Microsoft Defender for IoT's open development environment for writing custom DPI parsers for proprietary or vendor-specific OT protocols.

📚 Sources

Microsoft Learn — OT network sensor overview — Microsoft Defender for IoT. learn.microsoft.com/azure/defender-for-iot/organizations/overview
Microsoft Learn — OT sensor deployment overview — Microsoft Defender for IoT. learn.microsoft.com/azure/defender-for-iot/organizations/deploy-overview
Microsoft Learn — Prepare your OT network for Microsoft Defender for IoT. learn.microsoft.com/azure/defender-for-iot/organizations/best-practices/understand-network-architecture
Microsoft Learn — OT appliance sizing for Microsoft Defender for IoT sensors (physical & virtual). learn.microsoft.com/azure/defender-for-iot/organizations/ot-appliance-sizing
Microsoft Learn — Connect OT sensors to Microsoft Defender for IoT in the cloud. learn.microsoft.com/azure/defender-for-iot/organizations/connect-sensors
Microsoft Learn — Defender for IoT — detection engines and alerts overview. learn.microsoft.com/azure/defender-for-iot/organizations/concept-key-concepts

What's next?

Got the sensor architecture? Next, explore how Defender for IoT builds its passive OT device inventory — capturing vendor, model, firmware, IP/MAC and Purdue level for every PLC and HMI on the network automatically.

Next · All interview lessons → Practice on exam.techclick.in →

Microsoft Defender for IoT OT Sensors — Passive DPI & Zero-Impact Monitoring

🎯 By the end you will be able to

Pick where you want to start

Why passive?

Inside the sensor

Placement & modes

Size, deploy & tune

① Why OT monitoring must be passive — SPAN, TAP & agentless design

② Inside the OT sensor — DPI, edge analytics & detection engines

Five detection engines, all running at the edge

▶ Watch a rogue PLC write get detected passively

③ Where sensors sit — Purdue placement, SPAN vs TAP & deployment modes

④ Physical vs virtual, sizing, the learning period & alert tuning

Sizing & the learning period

🤖 Ask the AI Tutor

📝 Wrap-up assessment — six more

🧠 In your own words

🗣 Teach a friend

📖 Glossary

📚 Sources

What's next?