Microsoft Defender for IoT alerts - Microsoft Defender for IoT (2023)

  • Article
  • 7 minutes to read

Microsoft Defender for IoT alerts enhance your network security and operations with real-time details about events logged in your network. Alerts are messages that a Defender for IoT engine triggers when OT or Enterprise IoT network sensors detect changes or suspicious activity in network traffic that needs your attention.

For example:

Use the details shown on the Alerts page, or on an alert details page, to investigate and take action that remediates any risk to your network, either from related devices or the network process that triggered the alert.


Use alert remediation steps to help your SOC teams understand possible issues and resolutions. We recommend that you review recommended remediation steps before updating an alert status or taking action on the device or network.

Alert management options

Defender for IoT alerts are available in the Azure portal, OT network sensor consoles, and the on-premises management console.

While you can view alert details, investigate alert context, and triage and manage alert statuses from any of these locations, each location also offers extra alert actions. The following table describes the alerts supported for each location and the extra actions available from that location only:

(Video) How to handle Microsoft Azure Defender for IoT alerts

LocationDescriptionExtra alert actions
Azure portalAlerts from all cloud-connected OT sensors and Enterprise IoT sensors- View related MITRE ATT&CK tactics and techniques
- Use out-of-the-box workbooks for visibility into high priority alerts
- View alerts from Microsoft Sentinel and run deeper investigations with Microsoft Sentinel playbooks and workbooks.
OT network sensor consolesAlerts generated by that OT sensor- View the alert's source and destination in the Device map
- View related events on the Event timeline
- Forward alerts directly to partner vendors
- Create alert comments
- Create custom alert rules
- Unlearn alerts
An on-premises management consoleAlerts generated by connected OT sensors- Forward alerts directly to partner vendors
- Create alert exclusion rules

For more information, see Accelerating OT alert workflows and Alert statuses and triaging options below.

Alert options also differ depending on your location and user role. For more information, see Azure user roles and permissions and On-premises users and roles.

Enterprise IoT alerts and Microsoft Defender for Endpoint

Alerts triggered by Enterprise IoT sensors are shown in the Azure portal only.

If you have an Enterprise IoT plan with Microsoft Defender for Endpoint, alerts for Enterprise IoT devices detected by Microsoft Defender for Endpoint are available in Microsoft 365 Defender only.

For more information, see Securing IoT devices in the enterprise and the Alerts queue in Microsoft 365 Defender.

Managing OT alerts in a hybrid environment

Users working in hybrid environments may be managing OT alerts in Defender for IoT on the Azure portal, the OT sensor, and an on-premises management console.

Alert statuses are fully synchronized between the Azure portal and the OT sensor, and between the sensor and the on-premises management console. This means that regardless of where you manage the alert in Defender for IoT, the alert is updated in other locations as well.

Setting an alert status to Closed or Muted on a sensor or on-premises management console updates the alert status to Closed on the Azure portal. On the on-premises management console, the Closed alert status is called Acknowledged.


If you're working with Microsoft Sentinel, we recommend that you configure the integration to also synchronize alert status with Microsoft Sentinel, and then manage alert statuses together with the related Microsoft Sentinel incidents.

(Video) How Microsoft Microsoft Defender for IoT uses the IoT Hub

For more information, see Tutorial: Investigate and detect threats for IoT devices.

Accelerating OT alert workflows

New alerts are automatically closed if no identical traffic is detected 90 days after the initial detection. If identical traffic is detected within those first 90 days, the 90-day count is reset.

In addition to the default behavior, you may want to help your SOC and OT management teams triage and remediate alerts faster. Sign into an OT sensor or an on-premises management console as an Admin user to use the following options:

  • Create custom alert rules. OT sensors only.

    Add custom alert rules to trigger alerts for specific activity on your network that's not covered by out-of-the-box functionality.

    For example, for an environment running MODBUS, you might add a rule to detect any written commands to a memory register on a specific IP address and ethernet destination.

    For more information, see Create custom alert rules on an OT sensor.

  • Create alert comments. OT sensors only.

    Create a set of alert comments that other OT sensor users can add to individual alerts, with details like custom mitigation steps, communications to other team members, or other insights or warnings about the event.

    Team members can reuse these custom comments as they triage and manage alert statuses. Alert comments are shown in a comments area on an alert details page. For example:

    Microsoft Defender for IoT alerts - Microsoft Defender for IoT (2)

    (Video) How to create custom alerts in Microsoft Defender for IoT

    For more information, see Create alert comments on an OT sensor.

  • Create alert exclusion rules: On-premises management consoles only.

    If you're working with an on-premises management console, define alert exclusion rules to ignore events across multiple sensors that meet specific criteria. For example, you might create an alert exclusion rule to ignore all events that would trigger irrelevant alerts during a specific maintenance window.

    Alerts ignored by exclusion rules aren't shown on the Azure portal, sensor, or on-premises management console, or in the event logs.

    For more information, see Create alert exclusion rules on an on-premises management console.

  • Forward alert data to partner systems to partner SIEMs, syslog servers, specified email addresses and more.

    Supported from both OT sensors and on-premises management consoles. For more information, see Forward alert information.

Alert statuses and triaging options

Use the following alert statuses and triaging options to manage alerts across Defender for IoT.

When triaging an alert, consider that some alerts might reflect valid network changes, such as an authorized device attempting to access a new resource on another device.

While triaging options from the OT sensor and the on-premises management console are available for OT alerts only, options available on the Azure portal are available for both OT and Enterprise IoT alerts.

Use the following table to learn more about each alert status and triage option.

(Video) How to handle Microsoft Defender for IoT alerts

Status / triage actionAvailable onDescription
New- Azure portal

- OT network sensors

- On-premises management console

New alerts are alerts that haven't yet been triaged or investigated by the team. New traffic detected for the same devices doesn't generate a new alert, but is added to the existing alert.

On the on-premises management console, New alerts are called Unacknowledged.

Note: You might see multiple, New or Unacknowledged alerts with the same name. In such cases, each separate alert is triggered by separate traffic, on different sets of devices.

Active- Azure portal onlySet an alert to Active to indicate that an investigation is underway, but that the alert can't yet be closed or otherwise triaged.

This status has no effect elsewhere in Defender for IoT.

Closed- Azure portal

- OT network sensors

- On-premises management console

Close an alert to indicate that it's fully investigated, and you want to be alerted again the next time the same traffic is detected.

Closing an alert adds it to the sensor event timeline.

On the on-premises management console, New alerts are called Acknowledged.

Learn- Azure portal

- OT network sensors

- On-premises management console

Unlearning an alert is available only on the OT sensor.

Learn an alert when you want to close it and add it as allowed traffic, so that you aren't alerted again the next time the same traffic is detected.

For example, when the sensor detects firmware version changes following standard maintenance procedures, or when a new, expected device is added to the network.

Learning an alert closes the alert and adds an item to the sensor event timeline. Detected traffic is included in data mining reports, but not when calculating other OT sensor reports.

Learning alerts is available for selected alerts only, mostly those triggered by Policy and Anomaly engine alerts.

Mute- OT network sensors

- On-premises management console

Unmuting an alert is available only on the OT sensor.

Mute an alert when you want to close it and not see again for the same traffic, but without adding the alert allowed traffic.

For example, when the Operational engine triggers an alert indicating that the PLC Mode was changed on a device. The new mode may indicate that the PLC isn't secure, but after investigation, it's determined that the new mode is acceptable.

Muting an alert closes it, but doesn't add an item to the sensor event timeline. Detected traffic is included in data mining reports, but not when when calculating data for other sensor reports.

Muting an alert is available for selected alerts only, mostly those triggered by the Anomaly, Protocol Violation, or Operational engines.


If you know ahead of time which events are irrelevant for you, such as during a maintenance window, or if you don't want to track the event in the event timeline, create an alert exclusion rule on an on-premises management console instead.

For more information, see Create alert exclusion rules on an on-premises management console.

Next steps

Review alert types and messages to help you understand and plan remediation actions and playbook integrations. For more information, see OT monitoring alert types and descriptions.

View and manage alerts from the Azure portal

View and manage alerts on your OT sensor

View and manage alerts on the on-premises management console

(Video) How Microsoft Azure Defender for IoT uses the IoT Hub


What is Microsoft Defender for IoT? ›

Microsoft Defender for IoT is a unified security solution built specifically to identify IoT and OT devices, vulnerabilities, and threats. Use Defender for IoT to secure your entire IoT/OT environment, including existing devices that may not have built-in security agents.

What is an IoT alert? ›

Within Dynamics 365 Field Service, IoT alerts are a subset of IoT messages that may require attention. For instance, maybe a configured sensor in a refrigerator you service has alerted that humidity has risen above an acceptable threshold.

Can Windows Defender send email notification? ›

Alert notifications

In Microsoft 365 Defender, you can add recipients for email notifications of detected alerts. In Microsoft 365 Defender, go to Settings and then Identities. Select Alert notifications. Enter the recipient's email address.

How do I enable Azure Defender for IoT? ›

To enable the collection of IP address data:
  1. Sign in to the Azure portal.
  2. Navigate to IoT Hub > Your hub > Defender for IoT > Settings > Data Collection.
  3. Ensure the IP data collection checkbox is selected.
  4. Select Save.
Dec 14, 2022

Is using Microsoft Defender enough? ›

Microsoft Defender is a good enough option for basic antivirus protection. It has a very strong firewall and a good number of features for the program and device security.

Should I turn Microsoft Defender off? ›

It's important to have Microsoft Defender Firewall on, even if you already have another firewall on. It helps protect you from unauthorized access. Select a network profile: Domain network, Private network, or Public network. Under Microsoft Defender Firewall, switch the setting to On.

What are three common IoT attacks? ›

IoT Attacks: The Most Common Security Risks
  • #1: Botnets. IoT devices are particularly vulnerable to malware because they don't have the same security mechanisms built into their operating systems as more advanced machines and computers. ...
  • #2: Ransomware. ...
  • #3: Convergence. ...
  • #4: Invisibility. ...
  • #5: Unencrypted Data.

What are the 3 main issues with IoT enabled devices? ›

These include the following.
  • Data Security. Some IoT devices collect highly sensitive information. ...
  • Data Privacy. Much of the information collected and processed by IoT devices may be protected under various data privacy laws. ...
  • Data Volume. ...
  • Data Complexity.
Oct 24, 2021

What can IoT track? ›

Asset tracking IoT solutions are cloud based systems that use sensors and other IoT devices to track the location and status of valuable assets in real-time. These systems can be used to track a wide range of assets, including inventory, vehicles, equipment, containers and people.

Is Windows Defender security warning legitimate? ›

Final Verdict. Microsoft windows defender security warning is a phishing scam used to get into the device and threaten users to steal data or money. It seems legitimate but dangerous malware, so do not call or click on any link from it.

Does Windows Defender give false alarms? ›

False positives/negatives can occur with any threat protection solution, including Defender for Endpoint. Fortunately, steps can be taken to address and reduce these kinds of issues.

What does Windows Defender do when it finds a threat? ›

As soon as Microsoft Defender detects a malicious file or software, Microsoft Defender blocks it and prevents it from running. And with cloud-delivered protection turned on, newly detected threats are added to the antivirus and antimalware engine so that your other devices and users are protected, as well.

Does Windows 10 IoT come with Defender? ›

Microsoft Defender is included and enabled by default as part of the Windows 10 IoT Enterprise installation.

How do I connect my device to Azure IoT? ›

Register a device
  1. Run the az iot hub device-identity create command in your CLI shell. This command creates the device identity. your_iot_hub_name. ...
  2. Run the az iot hub device-identity connection-string show command. Azure CLI Copy. Open Cloudshell. ...
  3. Save the connection string in a secure location.
Mar 11, 2022

What is Azure IoT? ›

The Azure Internet of Things (IoT) is a collection of Microsoft-managed cloud services that connect, monitor, and control billions of IoT assets. In simpler terms, an IoT solution is made up of one or more IoT devices that communicate with one or more back-end services hosted in the cloud.

Will Windows Defender remove Trojans? ›

The Windows Defender Offline scan will automatically detect and remove or quarantine malware.

Is Windows Defender enough or do I need an antivirus? ›

Windows Defender scans a user's email, internet browser, cloud, and apps for the above cyberthreats. However, Windows Defender lacks endpoint protection and response, as well as automated investigation and remediation, so more antivirus software is necessary.

Can Windows Defender detect spyware? ›

Windows Defender is a signature-based antimalware system, and these signatures provide the definitions that Windows Defender uses to identify malware on a Windows system. These signatures provide information about current spyware and other forms of malware.

What are the disadvantages of Windows Defender? ›

Cons of Windows Defender
  • Lacks integrated dashboard for all devices using Windows Defender.
  • No accountability if the computer is infected by malware.
  • Limited features for large scale use.
  • Slows down installation of frequently-used applications.
Sep 22, 2021

Why do people disable Windows Defender? ›

You should disable Windows Defender if you plan to install another virus app. If you don't, expect problems to occur. Windows 10 might fail to install updates. Windows Defender and your new virus program might identify each other as something malicious too.

How do hackers use IoT devices? ›

Just like the web servers, IoT devices use ports, protocols, and services that are unique to them, and hackers can use this information to find devices without ever leaving their couches.

What are the 2 main risks when using IoT devices? ›

Data interception: Since many IoT devices are not encrypted, attackers can snag information, such as login credentials, without needing to decrypt it. Physical attacks: Simply plugging a USB into an IoT device can be enough to spread malware to a network or spy on the communications.

How many IoT devices get hacked? ›

Internet of Things (IoT) devices are more vulnerable to cyberattacks than they ever have been before, according to research by Kaspersky. Data showed that more than 1.5 billion attacks have occurred against IoT devices in the first six months of 2021.

What are examples of IoT attacks? ›

5 Worst Examples of IoT Hacking and Vulnerabilities in Recorded...
  • The Mirai Botnet (aka Dyn Attack) It was the time of the end of the year 2016 when the most significant DDoS attack was done. ...
  • The TRENDnet webcam is not safe to use. ...
  • The Verkada Hack. ...
  • The Stuxnet Attack. ...
  • The New Jeep Hack.
Jan 9, 2023

What is the biggest problem on IoT? ›

Security. In our opinion, security is the most crucial issue that needs to be addressed for IoT. Developers working on your IoT programming are usually not security experts, which opens your code to a range of vulnerabilities and your devices to unauthorized access.

Is your phone an IoT device? ›

Smartphones are not considered to be IoT devices because they are mobile phones that were given general purpose computing capabilities to make them essentially pocket computers with phone functionality, as opposed to getting intelligence that would simply make the phone functionality work better, provide data about the ...

Do phones use IoT? ›

How IoT devices work. Smartphones play a key role in the IoT because you can control many IoT devices through an app on a smartphone. You can use your smartphone to communicate with your smart thermostat, for example, to set the perfect temperature for you by the time you get home from work.

Can everything on the internet be tracked? ›

Internet Service Providers (ISPs) can see everything you do online. They can track things like which websites you visit, how long you spend on them, the content you watch, the device you're using, and your geographic location.

How do I know if my Microsoft security Alert is real? ›

You'll know it's legitimate if it's from the Microsoft account team at

Can Windows Defender get hacked? ›

Useful Link: Cyberattacks Increase 50% in 2021, Peaking All-time High of 925 Weekly Attacks per Organization! The security researchers found that the list of locations exempted from Microsoft Defender scanning is unsecured, and any unprivileged user can access it.

How do I know if my Windows Defender has a virus? ›

Run a quick scan in Windows Security
  1. Select Start > Settings > Update & Security > Windows Security and then Virus & threat protection. Open Windows Security settings.
  2. Under Current threats, select Quick scan (or in early versions of Windows 10, under Threat history, select Scan now).

What is the difference between Windows 10 and Windows IoT? ›

Windows 10 IoT Editions

While only running a single app, it still has the manageability and security expected from Windows 10. By contrast, Windows 10 IoT Enterprise is a full version of Windows 10 with specialized features to create dedicated devices locked down to a specific set of applications and peripherals.

What is Windows IoT used for? ›

Windows IoT (formerly Windows Embedded) is a series of operating systems designed by Microsoft for use in embedded systems. This series brings enterprise-level power, security, and manageability to the Internet of Things (IoT) by leveraging the Windows' embedded experience, ecosystem, and cloud connectivity.

What is the cost of Windows 10 IoT? ›

Product Specs
General Information
CategoryPC OS software
DescriptionWindows 10 IoT Enterprise 2019 LTSC Value - License - 1 license - ESD
ManufacturerHP, Inc.
12 more rows

How do I access IoT devices? ›

The IoT device is on the same network as the device running the web browser. The network containing the server and client is linked. The IoT device can be accessed directly via an internet connection.
This includes:
  1. SSH connections.
  2. VPN connections.
  3. Proxy connections.
  4. RDP connections etc.
Oct 5, 2022

How do I make my device IoT enabled? ›

Building an IoT device: 10 things to know before you get started
  1. Start with the right problem. ...
  2. Build a prototype. ...
  3. Build the right team. ...
  4. Think about the Customer Experience. ...
  5. Find the Right Partner. ...
  6. Don't Underestimate the Technology. ...
  7. Don't Underestimate flexibility or scalability. ...
  8. Don't underestimate IoT security.
Nov 17, 2020

Who uses Azure IoT? ›

Who uses Azure IoT Hub?
Lenovo Group>1000M
Blackfriars Groupblackfriarsgroup.com1M-10M

What does IoT stand for? ›

The term IoT, or Internet of Things, refers to the collective network of connected devices and the technology that facilitates communication between devices and the cloud, as well as between the devices themselves.

What is the difference between cloud and IoT? ›

Cloud Computing differs from the Internet of Things. Cloud computing provides hosted services through the Internet. On the other hand, the Internet of Things (IoT) connects adjacent smart devices to the network to share and evaluate data.

What is Azure defender for IoT? ›

Microsoft Defender for IoT is a unified security solution built specifically to identify IoT and OT devices, vulnerabilities, and threats. Use Defender for IoT to secure your entire IoT/OT environment, including existing devices that may not have built-in security agents.

What is Defender for IoT and Defender for endpoint? ›

Microsoft Defender for IoT

It runs alongside Defender for Endpoint within the Microsoft 365 security console. Defender for IoT enhances vulnerability management, threat detection and response capabilities of operational technology (OT) and IoT devices all within the familiarity of Microsoft 365 security.

What is Microsoft IoT? ›

The Azure Internet of Things (IoT) is a collection of Microsoft-managed cloud services that connect, monitor, and control billions of IoT assets. In simpler terms, an IoT solution is made up of one or more IoT devices that communicate with one or more back-end services hosted in the cloud.

What is the purpose of Microsoft Defender? ›

It includes Microsoft Defender Antivirus, an antivirus tool that helps protect you against viruses, ransomware, and other malware.

What is the difference between Microsoft Defender and Microsoft Defender for Endpoint? ›

Key Differences to Note

One key difference between the two is that Office 365 does not include any endpoint security features, whereas Microsoft Defender for Endpoint is specifically designed to help protect your business against endpoint threats.

Do I need a VPN with Windows Defender? ›

Why does Microsoft Defender for Endpoint use a VPN and is my browsing activity being tracked? Microsoft Defender for Endpoint uses a virtual private network (VPN) to provide Web Protection capabilities that protect you against phishing or web-based attacks.

What are two capabilities of Microsoft Defender for Endpoint each correct answer? ›

  • Eliminate the blind spots in your environment.
  • Discover vulnerabilities and misconfigurations in real time.
  • Quickly go from alert to remediation at scale with automation.
  • Block sophisticated threats and malware.
  • Detect and respond to advanced attacks with deep threat monitoring and analysis.

What is IoT and its purpose? ›

What is IoT? The Internet of Things (IoT) describes the network of physical objects—“things”—that are embedded with sensors, software, and other technologies for the purpose of connecting and exchanging data with other devices and systems over the internet.

How can I tell if my windows is IoT? ›

Windows 10 IoT Enterprise is Windows 10 Enterprise LTSC.
Other ways to check:
  1. Open Settings, and click/tap on the System icon.
  2. Press the Windows + Pause/Break keys.
  3. Open the Control Panel (icons view), click/tap on the System icon.
  4. Open the Win+X power user tasks menu, click/tap on System.
  5. You can see your Windows edition.
Apr 9, 2019

What is example of IoT? ›

Smart Mobiles, smart refrigerators, smartwatches, smart fire alarms, smart door locks, smart bicycles, medical sensors, fitness trackers, smart security system, etc., are few examples of IoT products.

Does Windows Defender detect everything? ›

As part of the Windows Security suite, it will search for any files or programs on your computer that can cause harm to it. Defender looks for software threats like viruses and other malware across email, apps, the cloud, and the web.

Can you turn off Microsoft Defender? ›

Select the Windows Security app from the search results, go to Virus & threat protection, and under Virus & threat protection settings select Manage settings. Switch Real-time protection to Off.

What do I do if I get a Windows Defender security warning? ›

Removing the Windows Defender security warning from your browser
  1. Uninstall your browser of choice and make sure it's no longer on your computer.
  2. Download the browser again (make sure to check it's from a legitimate source).
  3. Reinstall and open the browser to see if the issue still persists.
Feb 1, 2023

Does Microsoft Defender remove viruses? ›

The Windows Defender Offline scan will automatically detect and remove or quarantine malware.


1. How to use Microsoft Defender for IOT in forensic investigations
(Microsoft Security Community)
2. Microsoft Defender for IoT
(Academy Hub)
3. Azure Defender for IoT Ep 8: Working with Alerts
(Matt Soseman)
4. Critical Defense for IoT and OT environments: Microsoft Defender for IoT
(Microsoft Security)
5. Microsoft Defender for IoT | Defender for Cloud in the Field #8
(Microsoft Security)
6. Microsoft Azure Defender for IoT Architecture
(Microsoft Security)


Top Articles
Latest Posts
Article information

Author: Greg Kuvalis

Last Updated: 09/15/2023

Views: 6266

Rating: 4.4 / 5 (55 voted)

Reviews: 94% of readers found this page helpful

Author information

Name: Greg Kuvalis

Birthday: 1996-12-20

Address: 53157 Trantow Inlet, Townemouth, FL 92564-0267

Phone: +68218650356656

Job: IT Representative

Hobby: Knitting, Amateur radio, Skiing, Running, Mountain biking, Slacklining, Electronics

Introduction: My name is Greg Kuvalis, I am a witty, spotless, beautiful, charming, delightful, thankful, beautiful person who loves writing and wants to share my knowledge and understanding with you.