TTechclick ⚡ XP 0% All lessons
Microsoft · Defender for IoT · Sentinel IntegrationInteractive · L1 / L2 / L3

Microsoft Defender for IoT + Sentinel — SIEM, SOAR & the Unified OT SOC

Microsoft Defender for IoT closes the gap between the OT floor and the IT SOC. This lesson walks the full integration path: from the Sentinel data connector that streams OT alerts into Log Analytics, through pre-built analytics rules and workbooks, SOAR playbooks that automate response, and the Defender XDR portal that gives a single pane of glass for every IT and OT alert — plus how to reach non-Microsoft stacks via Syslog/CEF.

📅 2026-06-18 · ⏱ 16 min · 5 infographics · live block demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

How Microsoft Defender for IoT connects to Microsoft Sentinel: the data connector, OT analytics rules, workbooks, SOAR playbooks, IT+OT incident correlation, the Defender XDR unified SOC, and third-party SIEM integration.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Why unify?

OT-only alerts miss lateral-movement chains.

 2

Sentinel connector

Tables, analytics rules and OT workbooks.

 3

SOAR & Defender XDR

Playbooks, IT+OT correlation, one portal.

 4

3rd-party & MSTIC

Syslog/CEF, ticketing, OT threat intel.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Can OT alerts be investigated alongside IT alerts in Microsoft Sentinel?

Answered in Why unify?.

2. What kind of Azure service powers a Sentinel SOAR playbook?

Answered in SOAR & Defender XDR.

3. How does an air-gapped OT sensor send alerts to a third-party SIEM?

Answered in 3rd-party & MSTIC.

Most engineers think…

Most people assume OT security is a silo — 'the OT team handles it, the SOC handles IT'. That mental model leaves a dangerous blind spot at the IT/OT boundary and is exactly where real-world attacks pivot.

Microsoft Defender for IoT is designed to dissolve that silo. Its native Sentinel data connector puts OT alerts, device events and vulnerability data in the same Log Analytics workspace as your IT alerts. Pre-built OT analytics rules fire on Modbus violations, PLC programming events and cross-segment traffic. SOAR playbooks automate response. And the Defender XDR portal gives one pane of glass — endpoints, identity, cloud apps, email and OT/IoT devices — so a single analyst can trace a lateral-movement chain from a phishing email all the way to a substation PLC.

① Why the SOC needs OT alerts — the IT/OT convergence problem

OT networks no longer sit in isolation. Industrial sites connect to corporate IT for remote access, ERP integration and cloud-based management — creating a Level 3.5 IT/OT DMZ that is a favourite pivot point for attackers. A threat that starts with a phishing email on the IT side can move laterally into the OT network within hours, and if the OT alerts only reach the OT team's local console, the IT SOC never sees the full picture.

Microsoft Defender for IoT addresses this by feeding OT sensor data into Microsoft Sentinel — the same SIEM/SOAR workspace the IT SOC already uses. This means one analyst can see a suspicious Azure AD login, a lateral-move alert from Defender for Endpoint, and a Modbus function-code violation from a substation sensor as a single correlated incident, slashing mean-time-to-detect across the IT/OT boundary.

Legendpipeline stage cardstage namestage detail textflow arrowscanvas / background
Figure 1 — OT alert path from sensor to SOC
An OT sensor alert travels from the field device through Defender for IoT into Sentinel and Defender XDR, where the SOC acts.OT alert path from sensor to SOCOT sensordetects anomalyDefender for IoTraises OT alertSentinel connectorstreams to workspaceAnalytics rulefires KQL detectionSOC incidenttriage + respond
An OT sensor alert travels from the field device through Defender for IoT into Sentinel and Defender XDR, where the SOC acts.
Quick check · Q1 of 10 · Understand

Why does feeding OT alerts into Microsoft Sentinel reduce mean-time-to-detect across the IT/OT boundary?

Correct: b. Shared Log Analytics workspace is the key: IT and OT signals can be queried together, and Sentinel fusion rules stitch low-fidelity OT anomalies with high-fidelity IT signals into one high-confidence incident.
👉 So far: OT alerts in isolation miss IT/OT lateral-movement chains — the Sentinel data connector puts OT and IT signals in the same workspace so fusion rules can join them into a single incident.

② The Sentinel data connector — tables, analytics rules & workbooks

The Microsoft Defender for IoT data connector in Sentinel is a native, one-click integration. Once enabled, the connector streams OT alerts into the SecurityAlert table and device/vulnerability data into the DefenderIoT family of Log Analytics tables. From there, Sentinel's analytics engine can query, correlate and alert on OT data using the same KQL used for IT signals.

Pre-built content you should enable immediately

Microsoft ships OT-specific analytics rules (KQL detection rules) tuned for alert types like Modbus function-code violations, PLC programming events, unusual firmware changes and cross-segment connectivity. These rules fire with appropriate severity so OT alerts don't drown in noise. Alongside them sit OT workbooks — dashboard templates that display device inventory by site and zone, alert trends, Purdue-level coverage maps, and vulnerability heat maps — giving the SOC instant OT situational awareness without custom development.

Figure 2 — Sentinel OT data layers
Three data types from Defender for IoT stack into Log Analytics, each serving a different SOC function.Sentinel OT data layersOT alertsSecurityAlert table — anomalies, violations, malwareDevice eventsDefenderIoT tables — inventory, firmware, protocolsVulnerability dataCVE matches, risk scores, compensating controls
Three data types from Defender for IoT stack into Log Analytics, each serving a different SOC function.
🔌
Sentinel data connector
tap to flip

The native one-click bridge that streams Defender for IoT OT alerts into SecurityAlert and DeviceIoT tables in a Log Analytics workspace.

📊
OT analytics rules
tap to flip

Pre-built KQL detection rules in Sentinel tuned for OT alert types — Modbus violations, PLC programming events, cross-segment traffic — so OT signals fire at the right severity.

SOAR playbook
tap to flip

An Azure Logic Apps workflow triggered by a Sentinel alert that automates response: opens a ticket, notifies the OT site owner, or isolates a device via firewall API.

🛡️
Defender XDR portal
tap to flip

The unified SOC portal (security.microsoft.com) showing OT/IoT devices, endpoints, identity, cloud and email alerts in one investigation timeline — no tool-switching.

Enable rules on Day 1

The Sentinel data connector alone is not enough — OT alerts arrive as raw SecurityAlerts but nothing fires until you activate the pre-built OT analytics rule templates. In Sentinel ▸ Analytics ▸ Rule templates, filter by 'Defender for IoT' and enable every rule relevant to your site. Add the OT workbooks for instant dashboards. This takes 15 minutes and transforms raw data into actionable detections.

▶ Watch an OT alert travel from sensor to Sentinel incident

Trace one Modbus function-code violation from the field sensor through the data connector into a Sentinel incident and playbook response. Press Play for the healthy path, then Break it to see the classic integration gap.

① OT sensor firesA Defender for IoT sensor detects an unauthorised Modbus write command to a PLC — an OT alert is raised and streamed to the Azure cloud plane.
② Connector ingestsThe Sentinel data connector picks up the alert within minutes and writes a row into the SecurityAlert table in the Log Analytics workspace.
③ Analytics rule firesThe pre-built 'Modbus function code violation' OT analytics rule (KQL) matches the SecurityAlert row and creates a Sentinel incident with severity High.
④ Playbook respondsThe SOAR playbook (Logic App) triggers automatically: it opens a ServiceNow ticket, posts a Teams alert to the OT site owner, and logs the incident in Defender XDR.
Press Play to step through the healthy detection path. Then press Break it.
Quick check · Q2 of 10 · Remember

Which Sentinel table receives Microsoft Defender for IoT OT alerts via the data connector?

Correct: c. The Defender for IoT Sentinel data connector streams OT alerts into the SecurityAlert table. Device and vulnerability data land in the DefenderIoT family of tables.
👉 So far: The Sentinel connector streams OT alerts into SecurityAlert and device data into DefenderIoT tables; pre-built OT analytics rules (KQL) and workbooks give instant detection and dashboards — enable them on Day 1.

③ SOAR playbooks, IT+OT correlation & the Defender XDR unified SOC

SOAR playbooks (Azure Logic Apps triggered by Sentinel analytics rules) automate the response steps that would otherwise take an analyst 30+ minutes. A critical OT alert can automatically open a ServiceNow or Jira ticket with full context, send a Teams/email notification to the OT site owner, or call a firewall API to isolate a suspected device — all within seconds of the alert firing.

IT+OT incident correlation works because both streams land in the same workspace: Sentinel's fusion engine can stitch a low-fidelity OT anomaly together with a high-fidelity IT lateral-movement signal into a single, high-confidence incident. Beyond Sentinel, the Microsoft Defender XDR portal (security.microsoft.com) surfaces OT alerts and the OT/IoT device inventory alongside Defender for Endpoint, Defender for Identity, Defender for Cloud Apps and Defender for Office 365 — one analyst, one portal, one investigation timeline for the full IT+OT estate.

Figure 3 — Defender XDR: one SOC portal
The Defender XDR portal is the single pane of glass that unifies every Microsoft security signal, including OT/IoT devices from Defender for IoT.Defender XDR: one SOC portalDefender XDRUnified SOC portalDefender for IoTDefender EndpointDefender IdentityDefender Cloud AppsDefender Office 365Sentinel incidents
The Defender XDR portal is the single pane of glass that unifies every Microsoft security signal, including OT/IoT devices from Defender for IoT.
Figure 4 — Sentinel-only vs Defender XDR unified SOC
Both approaches ingest OT data, but Defender XDR adds cross-workload correlation and automated disruption.Sentinel-only vs Defender XDR unified SOCSentinel onlyOT alerts in Log AnalyticsKQL analytics rules + workbooksSOAR playbooks (Logic Apps)Great for custom detectionDefender XDR + SentinelUnified IT+OT device inventoryCross-workload incidentAutomated attack disruptionOne portal for all Microsoft
Both approaches ingest OT data, but Defender XDR adds cross-workload correlation and automated disruption.

Priya Nair, SOC lead at IndoPower Grid Pvt. Ltd. in Hyderabad, faces this

An OT anomaly alert from the substation Defender for IoT sensor fires at 2 AM, but the SOC analyst dismisses it as background noise. Two hours later a Defender for Endpoint alert flags a suspicious lateral move from the IT/OT DMZ — only then does the team realise both signals were part of the same intrusion.

Likely cause

The Sentinel data connector is active but the pre-built OT analytics rules and the fusion correlation rule for IT/OT lateral movement are not enabled — OT alerts arrive as raw SecurityAlerts and never get stitched to the IT incident.

Diagnosis

Sentinel ▸ Analytics ▸ Rule templates — filter by 'Defender for IoT'; confirm the OT rules are inactive. Also check Microsoft Defender XDR ▸ Incidents — the two signals appear as separate unlinked incidents.

Sentinel ▸ Analytics ▸ Rule templates ▸ Defender for IoT + Fusion rules
Fix

Enable all Defender for IoT OT analytics rule templates and the IT/OT lateral-movement fusion rule. Deploy the SOAR playbook that auto-opens a high-severity ServiceNow incident and pages the on-call OT owner when a critical OT alert fires.

Verify

Re-test: the substation anomaly and the Defender for Endpoint lateral-move alert now fuse into a single Sentinel incident, severity Critical, automatically paging Priya's team within seconds and opening a ServiceNow ticket with full context.

'The SOC will notice it' is not a playbook

Relying on an analyst to manually notice a 2 AM OT alert and correlate it with an IT event is how breaches go undetected for hours. SOAR playbooks eliminate that dependency — a Logic App triggered by an OT analytics rule can page the on-call engineer, open a ticket and isolate a device faster than a human can read the alert. Build at least one playbook before you go live.

Quick check · Q3 of 10 · Apply

A critical OT alert fires at 2 AM and the OT site owner needs an immediate Teams notification and a ServiceNow ticket — all without analyst intervention. What should you build?

Correct: b. SOAR playbooks (Azure Logic Apps) are triggered automatically by Sentinel analytics rules and can call any API — Teams, ServiceNow, Jira, firewalls — within seconds of an alert, with no analyst needed.
👉 So far: SOAR playbooks (Logic Apps) automate OT response in seconds; Defender XDR gives one portal for OT + endpoint + identity + cloud + email so a single analyst can trace a full attack chain.

④ Third-party SIEM/ticketing & MSTIC OT threat intelligence

Not every organisation uses Microsoft Sentinel. Defender for IoT OT sensor alerts can be forwarded to Splunk, IBM QRadar, ArcSight and other SIEM platforms via Syslog/CEF (Common Event Format). For air-gapped sites that cannot reach Azure, the on-premises management console can forward alerts to a local Syslog collector — so even fully isolated OT environments can feed a third-party SIEM. Vulnerabilities and asset data can reach ServiceNow, Jira or PagerDuty through built-in connectors or via Sentinel SOAR playbooks.

Underpinning all detection — in Sentinel, in Defender XDR and on the sensors themselves — is MSTIC (Microsoft Threat Intelligence Center, formerly Section 52), Microsoft's OT-focused research team. MSTIC publishes OT-specific threat-intelligence packages that are pushed automatically to cloud-connected sensors and populate Sentinel analytics rules with current IOCs and threat behaviours, keeping detection current without manual updates.

Figure 5 — Third-party SIEM and ticketing integration paths
Air-gapped or non-Microsoft stacks connect via Syslog/CEF; cloud-connected sites can use Sentinel playbooks to push to ITSM tools.Third-party SIEM and ticketing integration pathsOT sensoralert generatedOn-prem consoleSyslog/CEF forwardSIEM collectorSplunk/QRadar/ArcSightITSM / ticketingServiceNow/Jira
Air-gapped or non-Microsoft stacks connect via Syslog/CEF; cloud-connected sites can use Sentinel playbooks to push to ITSM tools.
Test the full pipeline end-to-end

Before declaring the integration live: confirm an OT alert flows into SecurityAlert within 5 minutes of firing, the analytics rule fires and creates a Sentinel incident, the playbook executes and opens a ServiceNow/Jira ticket, and the incident appears in Defender XDR. End-to-end testing catches connector authentication issues, workspace ID mismatches and Logic App permission gaps that won't show up in configuration screens alone.

Quick check · Q4 of 10 · Analyze

An air-gapped substation cannot reach Azure. How should its OT sensor alerts reach the corporate Splunk SIEM?

Correct: d. The on-premises management console can forward alerts via Syslog/CEF even without cloud connectivity, so air-gapped OT environments can still feed Splunk, QRadar or ArcSight.
👉 So far: Non-Microsoft stacks use Syslog/CEF from the on-prem console — even air-gapped sites can feed Splunk or QRadar. MSTIC OT threat intel pushes automatically to cloud-connected sensors and Sentinel rules.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Which Azure service powers Microsoft Sentinel SOAR playbooks?

Correct: c. Sentinel SOAR playbooks are built on Azure Logic Apps, which provide event-driven workflow automation and can call any REST API — ServiceNow, Teams, Jira, firewalls — triggered by a Sentinel analytics rule.
Q6 · Understand

What is the primary purpose of the Defender for IoT OT analytics rules in Sentinel?

Correct: d. OT analytics rules are KQL queries that run against the SecurityAlert table. Without them, OT data is collected but never acted on — the rules convert raw alert rows into Sentinel incidents with the right severity and context.
Q7 · Apply

A SOC team wants to see OT device inventory alongside IT endpoints in a single portal without switching consoles. Which capability delivers this?

Correct: a. Defender XDR's unified device inventory includes OT/IoT assets from Defender for IoT alongside IT devices from Defender for Endpoint, all visible in one portal — exactly eliminating the tool-switching problem.
Q8 · Analyze

Why does Sentinel fusion improve OT threat detection compared with standalone OT alert monitoring?

Correct: b. Fusion correlation stitches together signals that individually look low-priority — an OT anomaly plus a suspicious Azure AD login plus a Defender for Endpoint lateral-move alert together form a high-confidence incident that neither stream would have escalated on its own.
Q9 · Evaluate

An organisation runs IBM QRadar, not Sentinel, and has an air-gapped OT site. What is the correct integration approach for OT alerts?

Correct: a. The on-premises management console can forward alerts via Syslog/CEF without Azure cloud connectivity, feeding any SIEM — QRadar, Splunk, ArcSight — directly from the OT site even in an air-gapped network.
Q10 · Evaluate

What is the strongest argument for enabling pre-built OT workbooks in Sentinel on Day 1 of the integration?

Correct: c. Pre-built OT workbooks deliver ready-made dashboards — device inventory by site/zone, alert summary, Purdue-level coverage, vulnerability heat maps — that would take weeks to build from scratch, giving immediate SOC visibility into the OT estate from the first day of integration.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: what is the single most important action to take immediately after enabling the Defender for IoT Sentinel data connector? Then compare with the expert version.

Expert version: Enable the pre-built OT analytics rules in Sentinel (Analytics ▸ Rule templates ▸ filter 'Defender for IoT'). The data connector only moves data into the SecurityAlert table — without active analytics rules, OT alerts sit silently in Log Analytics and no incidents, notifications or playbooks ever fire. Rules are the difference between 'data collected' and 'detections working'. Add the OT workbooks for dashboards and at least one SOAR playbook for automated response.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Sentinel data connector
The native one-click bridge that streams Defender for IoT OT alerts into SecurityAlert and DefenderIoT tables in a Log Analytics workspace.
Log Analytics workspace
The Azure storage and query service where Sentinel ingests all security data — OT and IT alerts are queried here with KQL.
OT analytics rules
Pre-built KQL detection rules in Sentinel tuned for OT alert types (Modbus violations, PLC programming events) that create Sentinel incidents when matched.
SOAR playbook
An Azure Logic Apps workflow triggered by a Sentinel analytics rule to automate response — tickets, notifications, device isolation — without analyst intervention.
Defender XDR
Microsoft's unified SOC portal correlating OT/IoT devices, IT endpoints, identity, cloud apps and email in one investigation timeline.
MSTIC / Section 52
Microsoft's OT threat intelligence research team that pushes IOC packages and threat behaviours to cloud-connected sensors and Sentinel analytics rules.
Syslog/CEF
The protocol used to forward OT alerts from the on-premises management console to third-party SIEM platforms such as Splunk or IBM QRadar.
IT/OT convergence
The merging of corporate IT networks with industrial OT/ICS networks, creating the Level 3.5 DMZ that is a primary lateral-movement path for attackers.

📚 Sources

  1. Microsoft Learn — Connect Microsoft Defender for IoT with Microsoft Sentinel. learn.microsoft.com/en-us/azure/defender-for-iot/organizations/iot-solution
  2. Microsoft Learn — OT threat monitoring in enterprise SOCs — built-in Sentinel content for Defender for IoT (workbooks, analytics rules, playbooks). learn.microsoft.com/en-us/azure/defender-for-iot
  3. Microsoft Learn — Microsoft Defender XDR and Defender for IoT — unified device inventory & SOC portal. learn.microsoft.com/en-us/microsoft-365/security/defender
  4. Microsoft Security Blog — Section 52 / MSTIC: OT threat intelligence research for ICS/SCADA environments. microsoft.com/security/blog
  5. Microsoft Learn — Integrate Defender for IoT with third-party SIEM and ticketing via Syslog/CEF and on-premises management console. learn.microsoft.com/en-us/azure/defender-for-iot
  6. Microsoft Learn — Microsoft Sentinel SOAR: Logic Apps playbooks for automated security response. learn.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook

What's next?

Got the SOC integration story? Next, go deep on Defender for IoT deployment: where to place sensors, SPAN vs TAP, sizing by traffic and devices, and choosing cloud-connected vs air-gapped mode.

Next · All interview lessons → Practice on exam.techclick.in →