TTechclick ⚡ XP 0% All lessons
Microsoft · Defender for IoT · Protocols & AlertsInteractive · L1 / L2 / L3

Microsoft Defender for IoT — OT Protocols, DPI & Alert Tuning

Microsoft Defender for IoT speaks the language of OT — parsing Modbus function codes, DNP3 data objects, Siemens S7 parameters, EtherNet/IP services and dozens more ICS protocols through passive deep packet inspection. This lesson maps the full protocol library, shows how the Horizon SDK adds custom dissectors, and walks through learning mode baselining so your alert queue surfaces real threats instead of commissioning noise.

📅 2026-06-18 · ⏱ 16 min · 5 infographics · live DPI demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Learn how Microsoft Defender for IoT parses 100+ OT/ICS protocols — Modbus, DNP3, S7, EtherNet/IP, BACnet, IEC-104, IEC 61850, Profinet — via passive DPI, extends coverage with the Horizon SDK, and uses learning mode baselining to cut false-positive OT alerts.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

DPI & OT protocols

Why parsing function codes matters more than IP headers.

 2

Protocol library

Modbus to IEC 61850 — what Defender extracts from each.

 3

Learning mode

Baseline-building, the training period, and Operational mode.

 4

Alert tuning

Exclusions, custom rules, zone scoping, Sentinel SOAR.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Can you tell a normal Modbus poll from an attack just by reading the TCP header?

Answered in DPI & OT protocols.

2. What does the Horizon SDK let you do?

Answered in Protocol library.

3. Why run the sensor in learning mode before raising alerts?

Answered in Learning mode.

Most engineers think…

Most people assume a network security sensor only needs to know IP addresses and TCP ports — 'Modbus is port 502, so flag anything unusual on port 502'. That is dangerously shallow for OT.

The real threat hides inside a well-formed Modbus packet: an attacker writing to a coil that controls a pump, or a DNP3 message issuing an unsolicited integrity poll at 100x normal rate. Microsoft Defender for IoT parses packets all the way to application-layer function codes, data objects and CIP service IDs — and it does this passively via SPAN/TAP, so no PLC ever sees an extra packet. That depth, combined with a learned baseline of what is actually normal in your plant, is what separates a useful alert from a false-positive flood.

① Why OT protocol DPI is not optional

When a Modbus TCP packet arrives at your historian, the TCP header tells you it came from a Rockwell PLC on port 502 — but it tells you nothing about whether the packet is reading a temperature sensor or writing the setpoint of a reactor. Deep packet inspection (DPI) at the application layer is what extracts that meaning. Microsoft Defender for IoT's OT sensor receives a mirror of all OT traffic via a SPAN/TAP and parses each packet to the protocol level.

The parsed fields feed Defender for IoT's five detection engines: the Protocol Violation engine flags packets that deviate from the protocol specification; the Policy Violation engine flags forbidden function codes or addresses; the Anomaly engine detects deviations from the learned baseline; the Malware engine matches industrial malware signatures; and the Operational engine catches operational issues such as unexpected reboots or firmware changes. Without DPI to extract those fields, all five engines would be blind to the actual OT commands being issued.

Legendflow arrowspipeline stage labelsdiagram headingdetail textcanvas / panel
Figure 1 — OT DPI pipeline — from SPAN to alert
Every OT packet flows through passive capture, DPI parsing, field extraction, and the five detection engines before generating an alert.OT DPI pipeline — from SPAN to alertSPAN/TAPpassive mirror copyDPI parseprotocol to app layerField extractfunc codes, objects5 enginesviolation/anomaly/malwareAlertscored + inventoried
Every OT packet flows through passive capture, DPI parsing, field extraction, and the five detection engines before generating an alert.

▶ Watch a Modbus write command get flagged in real time

How a single OT packet is captured, parsed, and raised as a Policy Violation alert. Press Play for the healthy detection path, then Break it to see a common DPI blind spot.

① MirrorThe OT sensor receives a copy of a Modbus TCP packet via the SPAN port — the PLC and historian see nothing extra.
② DPI parseThe sensor parses the packet to the application layer and extracts function code 0x05 (Write Single Coil) and destination coil address 0x00FF.
③ Engine checkThe Policy Violation engine finds that coil 0x00FF was never written during the learning period — this write is not in the approved baseline.
④ Alert raisedAn alert is raised: 'Unauthorized Modbus write — function code 05 to coil 0x00FF from engineering station IP 10.1.1.50'. The device inventory is also updated.
Press Play to step through the Modbus write detection path. Then press Break it.
Quick check · Q1 of 10 · Understand

Why does Microsoft Defender for IoT need DPI rather than just port-based detection for OT traffic?

Correct: b. A Modbus TCP packet on port 502 looks identical at the TCP level whether it is a normal coil-read or an attacker issuing an unauthorized write. DPI is needed to extract the function code and register address inside the packet and determine the actual OT command.
👉 So far: DPI via SPAN/TAP parses OT packets to the application layer — function codes, data objects, CIP services — so the five detection engines can distinguish a normal SCADA poll from an attacker issuing unauthorized commands.

② The OT protocol library — from Modbus to IEC 61850

Defender for IoT natively parses over 100 OT/ICS protocols. The most interview-critical ones: Modbus TCP/UDP (function codes, coil/register read/write — the most widely deployed fieldbus); DNP3 (data objects, integrity polls, unsolicited responses — dominant in energy/SCADA); Siemens S7/S7Plus (read/write parameters, system info for S7-300 to S7-1500 PLCs); EtherNet/IP (CIP) (CIP services, identity, I/O connections — Allen-Bradley/Rockwell); BACnet (object reads/writes, device discovery — building automation/HVAC); OPC DA & OPC UA (session setup, node reads/writes, subscriptions — historian connectivity); IEC 60870-5-104 (ASDU types, cause of transmission — substation SCADA, very common in Indian power utilities); IEC 61850 MMS/GOOSE (virtual file system, protection relay messaging — modern substations); and Profinet (DCP device discovery, cyclic IO, alarms — Siemens factory automation).

Extending the library with the Horizon SDK

For proprietary or niche vendor protocols not in the built-in library, the Horizon open development environment (ODE) SDK lets vendors, integrators or customers write sandboxed protocol dissectors and deploy them to the sensor without interrupting traffic capture. A Horizon plugin defines how to identify the protocol, which fields to extract, and what alert conditions apply — giving the same DPI depth as a built-in protocol.

Figure 2 — OT protocol stack — field to substation to factory
Defender for IoT natively parses protocols across all major OT verticals, from fieldbus to substation automation to building control.OT protocol stack — field to substation to factoryField/process busModbus, Profinet, EtherNet/IP (CIP), S7/S7Plus, OMRON FINSSCADA/energyDNP3, IEC 60870-5-104, IEC 61850 (MMS/GOOSE), ICCPBuilding & historianBACnet, OPC DA/UA — plus custom via Horizon SDK
Defender for IoT natively parses protocols across all major OT verticals, from fieldbus to substation automation to building control.
Figure 3 — Horizon SDK — one ODE, many custom protocols
The Horizon open development environment lets any party write a sandboxed dissector and deploy it to the sensor for DPI parity with built-in protocols.Horizon SDK — one ODE, many custom protocolsHorizon ODESDK + sandboxVendor pluginIntegrator pluginCustom fieldbusProprietary DCSAlert conditions
The Horizon open development environment lets any party write a sandboxed dissector and deploy it to the sensor for DPI parity with built-in protocols.
🔬
DPI (Deep Packet Inspection)
tap to flip

Parsing OT packets all the way to the application layer to extract protocol fields — function codes, data objects, CIP service IDs — not just IP addresses and ports.

🧩
Horizon SDK (ODE)
tap to flip

Microsoft's open development environment for writing custom protocol dissectors. Deploy to the sensor to add DPI support for proprietary or niche ICS protocols.

📚
Learning mode
tap to flip

The initial baseline-building phase where the OT sensor passively observes all OT traffic — communication pairs, protocols, function codes, volumes — before raising anomaly alerts.

🗺️
Sites & zones
tap to flip

Defender for IoT's logical groupings that let you scope alert policies per network segment — so a function code normal in engineering workstations is flagged as a violation in a Level 0 field device zone.

Know the protocol verticals

In an interview, group protocols by vertical: Modbus/Profinet/EtherNet/IP for factory; DNP3/IEC-104/IEC 61850 for energy/substations; BACnet for building automation; OPC DA/UA as the historian bridge. Defender for IoT covers all three verticals natively, plus custom protocols via the Horizon SDK.

Quick check · Q2 of 10 · Remember

Which Defender for IoT feature lets you add parsing support for a niche vendor's undocumented fieldbus protocol?

Correct: c. The Horizon open development environment (ODE) SDK is specifically designed for adding custom protocol dissectors to the OT sensor. It lets vendors, integrators, or customers write sandboxed plugins for proprietary or undocumented protocols.
👉 So far: Defender for IoT natively parses 100+ protocols across three verticals (factory: Modbus, Profinet, EtherNet/IP, S7; energy: DNP3, IEC-104, IEC 61850; building/historian: BACnet, OPC DA/UA) and extends to any proprietary protocol via the Horizon SDK.

③ Learning mode — building the baseline that makes alerts meaningful

On first deployment the OT sensor enters Learning mode (also called the learning period or training period). During this phase it observes all traffic passively and builds a baseline capturing: which devices communicate with which (communication pairs); which protocols and function codes are in use; normal traffic volumes and timing; and expected parameter ranges (e.g., the Modbus register addresses a given PLC normally reads). No anomaly alerts are raised during learning mode — the sensor is only accumulating knowledge.

Once traffic patterns have stabilised — typically after several days to a couple of weeks, depending on how long it takes the plant's process cycle to repeat — the sensor transitions to Operational mode. From this point, deviations from the baseline trigger alerts. A Modbus write to a register that was never written during the learning period, a new device appearing on the network, or a DNP3 session at 10× normal rate will all surface as alerts. The length and cleanliness of the learning period directly determines alert quality: a baseline contaminated by commissioning activity or a scheduled outage will produce false positives in production.

Figure 4 — Learning mode to Operational mode
The sensor passively observes and builds a baseline during the learning period, then transitions to Operational mode where anomaly alerts are raised on deviations.Learning mode to Operational modeDeploy sensorSPAN/TAP connectedLearning modeobserve, no alertsBaseline builtpairs, protocols,codesOps modedeviations alert
The sensor passively observes and builds a baseline during the learning period, then transitions to Operational mode where anomaly alerts are raised on deviations.
Learning during commissioning is a trap

Deploying the sensor and immediately running the learning period during site acceptance testing or commissioning captures abnormal traffic. That polluted baseline will generate false positives for months. Always run the learning period after commissioning is complete and the plant is in stable, representative operations.

Quick check · Q3 of 10 · Apply

A newly deployed Defender for IoT sensor is generating hundreds of anomaly alerts a day in a plant that just finished commissioning. What is the most likely cause?

Correct: a. Wait — the most likely cause here is that the baseline (learning period) captured commissioning traffic — unusual function codes, new devices, test patterns — which pollutes the baseline. When the plant returns to normal operation those 'normal commissioning' patterns are absent and trigger alerts. The fix is to re-run the learning period after commissioning completes.
👉 So far: Learning mode builds the baseline of normal OT communications (pairs, protocols, function codes, volumes) before any anomaly alerts are raised. A clean post-commissioning baseline is the single biggest factor in alert quality.

④ Tuning alerts so the SOC stays sane

Even with a clean baseline, production OT environments generate alert noise that needs active management. Defender for IoT provides several tuning levers. Exclusion rules whitelist specific communication pairs, function codes or address ranges that are known-benign in your environment. Custom alert rules let operators define conditions based on protocol fields (e.g., 'alert if any device issues a Modbus write to coil 0x00FF outside business hours'). Acknowledgement and suppression removes known-benign alerts from the queue while preserving the audit trail.

Sites and zones enable policy scoping: a firmware-upload function code that is normal in the engineering workstation zone can be a Policy Violation alert in a Level 0 field device zone. This per-zone granularity eliminates the all-or-nothing problem that plagues flat alert policies. Finally, the Microsoft Sentinel integration via the native data connector enables SOAR playbooks to auto-enrich OT alerts with IT context (is this source IP a known maintenance laptop?), auto-suppress confirmed benign patterns, and route high-severity OT incidents to the IT SOC in the same queue as IT alerts — closing the loop between OT visibility and SOC response.

Figure 5 — Alert tuning: before vs after baseline & exclusions
Proper learning-mode setup and exclusion rules transform a noisy alert queue into a high-signal feed for the SOC.Alert tuning: before vs after baseline & exclusionsBefore tuningHundreds of alerts per dayCommissioning traffic in baselineNo zone scoping — flat policyManual SOC triage every alertHigh false-positive rateAfter tuningHigh-signal alert queueClean baseline post-commissioningZone-scoped rules per segmentSentinel SOAR auto-enrichmentGenuine OT threats surfaced
Proper learning-mode setup and exclusion rules transform a noisy alert queue into a high-signal feed for the SOC.

Vikram Nair, OT security engineer at PowerGrid South Pvt. Ltd., Hyderabad

After deploying a Defender for IoT sensor on the substation LAN, the team receives 400+ IEC-104 alerts per day flagging 'unexpected ASDU type' on traffic from the RTUs to the SCADA server.

Likely cause

The sensor was deployed during a commissioning window when test ASDUs and non-standard data objects were being used — these patterns entered the baseline, so normal operational traffic now looks anomalous.

Diagnosis

Open the sensor local UI ▸ Alerts ▸ filter by 'IEC-104 Unexpected ASDU'. Inspect the matched communication pairs and ASDU types. Cross-reference with commissioning logs — these match the test patterns used during site acceptance testing.

Sensor UI ▸ Alerts ▸ filter by alert type + source device ▸ compare baseline capture window vs commissioning schedule
Fix

Re-run the learning period after commissioning is complete and the plant is in stable operations. Acknowledge and suppress the test-pattern alerts in the interim. After the new baseline stabilises, review the IEC-104 alert rate — it should drop dramatically to only genuine anomalies.

Verify

Alert count for IEC-104 ASDU anomalies drops to near zero under normal operations. A deliberate test — issuing an ASDU type not used in production — triggers an alert within seconds, confirming the baseline is now representative.

Test your tuning with a deliberate anomaly

After applying exclusion rules or a new baseline, always verify tuning by issuing a deliberate protocol anomaly (e.g., a Modbus write to an address outside the normal range, from a test device). If the alert fires within the expected detection window, your tuning preserved coverage. If it doesn't, you over-suppressed.

Quick check · Q4 of 10 · Analyze

An OT security engineer wants to allow firmware uploads from the engineering workstation zone but alert if the same action comes from a Level 0 field device zone. Which Defender for IoT feature handles this?

Correct: d. Sites and zones in Defender for IoT allow per-segment policy scoping. The same function code can be permitted (or excluded from alerting) in the engineering workstation zone while triggering a Policy Violation alert in the Level 0 zone — providing granular control without blanket suppression.
👉 So far: Alert tuning combines exclusion rules, custom alert conditions, and site/zone policy scoping. Sentinel SOAR playbooks auto-enrich and auto-suppress known-benign OT alerts, letting the SOC focus on genuine threats.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which IEC standard protocol is most commonly used for substation-to-SCADA communication in power utilities?

Correct: a. IEC 60870-5-104 (IEC-104) is the dominant telecontrol protocol for substation-to-SCADA communication in power utilities worldwide, including Indian power utilities. It runs over TCP/IP and carries ASDU messages that Defender for IoT parses.
Q6 · Understand

What is the primary benefit of the Horizon SDK over the built-in protocol library?

Correct: c. The Horizon SDK's primary value is extensibility — it lets operators write sandboxed protocol dissectors for proprietary or undocumented protocols, giving the same DPI depth as built-in protocols like Modbus or DNP3.
Q7 · Apply

An OT sensor is deployed on a refinery LAN. The first week produces hundreds of anomaly alerts on Modbus traffic. What is the recommended first action?

Correct: b. High false-positive anomaly rates on OT protocols almost always trace back to a contaminated or too-short learning period. The correct first step is to verify the baseline was built during representative operations and re-run it if needed, not to disable detection engines.
Q8 · Analyze

Which detection engine in Defender for IoT would raise an alert if a Modbus packet contains a function code that is syntactically invalid per the Modbus specification?

Correct: d. The Protocol Violation engine specifically flags packets that deviate from the protocol specification — such as invalid or reserved function codes, malformed PDUs, or incorrect PDU structure. The Anomaly engine flags deviations from the learned baseline, not specification violations.
Q9 · Evaluate

A SOC analyst wants firmware uploads allowed from engineering workstations but alerted on from Level 0 PLCs — using one Defender for IoT deployment. What is the cleanest way to achieve this?

Correct: c. Sites and zones in Defender for IoT enable per-segment policy scoping from a single deployment. The same function code can be excluded from alerting in the engineering workstation zone while triggering a Policy Violation in the Level 0 zone — the cleanest and most scalable approach.
Q10 · Evaluate

Microsoft Sentinel integration with Defender for IoT is most valuable for which alert-management task?

Correct: b. The Sentinel integration's primary value in alert management is SOAR automation — playbooks can enrich OT alerts with IT asset context (is the source IP a known maintenance laptop?), auto-suppress confirmed benign patterns, and route genuine high-severity OT incidents to the IT SOC in a unified queue.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: why is OT protocol DPI more important than port-based filtering for ICS security? Then compare with the expert version.

Expert version: Port-based filtering only tells you which protocol is in use — it cannot distinguish an authorized SCADA read from an attacker issuing an unauthorized write command inside the same protocol. OT protocol DPI parses packets to the application layer, extracting function codes, register addresses, data objects and CIP service IDs, which is the only way the detection engines can evaluate whether a command is within the expected operational baseline. Without DPI, you are blind to the most common OT attack vectors: unauthorized writes to PLCs, replay of control commands, and fuzzing of protocol fields.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

DPI (Deep Packet Inspection)
Parsing network packets to the application/protocol layer to extract OT-specific fields — function codes, data objects, CIP services — rather than just IP addresses and ports.
Modbus
The most widely deployed OT fieldbus protocol; uses function codes to read/write coils and registers on PLCs and RTUs.
DNP3
Distributed Network Protocol 3 — used in energy and SCADA for substation-to-control-center communication; carries data objects and integrity polls.
IEC 60870-5-104 (IEC-104)
IEC telecontrol protocol for SCADA over TCP/IP, widely used in power utilities. Defender parses ASDU types and cause-of-transmission fields.
IEC 61850
IEC substation automation standard; includes MMS for messaging and GOOSE for fast protection-relay communication.
Horizon SDK (ODE)
Microsoft's open development environment for writing sandboxed custom protocol dissectors and deploying them to the OT sensor.
Learning mode
The initial baseline-building phase of the OT sensor — it passively observes communication pairs, protocols, and function codes before raising anomaly alerts.
Protocol Violation engine
One of Defender for IoT's five detection engines; flags packets that deviate from the OT protocol specification (invalid function codes, malformed PDUs).
Sites and zones
Logical groupings in Defender for IoT that enable per-segment policy scoping — different alert rules can apply to different network zones.
EtherNet/IP (CIP)
Common Industrial Protocol over Ethernet — used by Allen-Bradley/Rockwell PLCs; Defender parses CIP services, identity objects, and I/O connections.

📚 Sources

  1. Microsoft Learn — Supported protocols in Microsoft Defender for IoT. learn.microsoft.com/en-us/azure/defender-for-iot/organizations/concept-supported-protocols
  2. Microsoft Learn — Defender for IoT OT sensor architecture & detection engines. learn.microsoft.com/en-us/azure/defender-for-iot/organizations/architecture
  3. Microsoft Learn — Horizon SDK: create custom protocol dissectors (ODE). learn.microsoft.com/en-us/azure/defender-for-iot/organizations/references-horizon-sdk
  4. Microsoft Learn — Manage OT alerts — exclusions, custom rules & alert tuning. learn.microsoft.com/en-us/azure/defender-for-iot/organizations/how-to-manage-the-alert-event
  5. Microsoft Learn — Sites and zones in Microsoft Defender for IoT. learn.microsoft.com/en-us/azure/defender-for-iot/organizations/best-practices/plan-corporate-monitoring-with-zone-and-site-topology
  6. Microsoft Learn — Connect Defender for IoT to Microsoft Sentinel. learn.microsoft.com/en-us/azure/defender-for-iot/organizations/iot-solution

What's next?

Now that you know how protocols are parsed and alerts tuned, the next lesson covers integrating Defender for IoT with Microsoft Sentinel — data connectors, OT analytics rules, SOAR playbooks, and building a unified IT/OT SOC view.

Next · All interview lessons → Practice on exam.techclick.in →