articles/defender-for-iot/organizations/how-to-investigate-sensor-detections-in-a-device-inventory.md
95 additions & 77 deletions
@@ -1,25 +1,46 @@
1
1
---
2
2
title: Gain insight into devices discovered by a specific sensor
3
3
description: The device inventory displays an extensive range of device attributes that a sensor detects.
4
-
ms.date: 11/09/2021
4
+
ms.date: 02/02/2022
5
5
ms.topic: how-to
6
6
---
7
7
8
-
# Investigate sensor detections in a device inventory
8
+
# Investigate sensor detections in an inventory
9
9
10
-
The device inventory displays an extensive range of device attributes that a sensor detects. Options are available to:
10
+
The device inventory displays an extensive range of device attributes that your sensor detects. Use the inventory to gain insight and full visibility into the devices on your network.
11
11
12
-
- Easily filter the information.
12
+
:::image type="content" source="media/how-to-inventory-sensor/inventory-sensor.png" alt-text="screen capture shows the Device inventory main screen":::
13
+
14
+
Options are available to:
15
+
16
+
- Customize and filter the inventory.
13
17
14
18
- Export information to a CSV file.
15
19
16
20
- Import Windows registry details.
17
21
18
22
- Create groups for display in the device map.
23
+
24
+
## What is an inventory device?
25
+
26
+
The Defender for IoT Device inventory displays an extensive range of asset attributes that are detected by sensors monitoring the organization's networks and managed endpoints.
27
+
28
+
Defender for IoT will identify and classify devices as a single unique network device in the inventory for:
29
+
30
+
- Standalone IT/OT/IoT devices (w/ 1 or multiple NICs)
31
+
- Devices composed of multiple backplane components (including all racks/slots/modules)
32
+
- Devices acting as network infrastructure such as Switch/Router (w/ multiple NICs).
33
+
34
+
Public internet IP addresses, multicast groups, and broadcast groups aren't considered inventory devices.
35
+
Devices that have been inactive for more than 60 days are classified as inactive inventory devices.
36
+
37
+
## View device attributes in the inventory
38
+
39
+
This section describes device details available from the inventory and describes how to work with inventory filters and view contextual information about each device.
19
40
20
-
## View device attributes in the Device inventory
41
+
**To view the device inventory:**
21
42
22
-
The following attributes appear in the Device inventory table.
43
+
- In the console left pane, select **Device inventory**. The following attributes appear in the inventory.
23
44
24
45
| Parameter | Description |
25
46
|--|--|
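Review bot: the new "What is an inventory device?" section states that devices inactive for more than 60 days are classified as inactive inventory devices, but the inactive-device filter later in this file (the `-230,32` hunk) only offers seven, 14, 30 and 90 days, so a reader can never select the threshold the definition introduces; either explain what the 60-day classification changes (for example whether such devices are dropped from reports) or align the two numbers. Minor: `(w/ 1 or multiple NICs)` and `(w/ multiple NICs)` should be spelled out as `with one or more NICs` in docs prose, and the alt text `screen capture shows the Device inventory main screen` should start with a capital like the other alt texts in the file.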
@@ -28,92 +49,91 @@ The following attributes appear in the Device inventory table.
28
49
| Vendor | The name of the device's vendor, as defined in the MAC address. |
29
50
| Operating System | The OS of the device, if detected. |
30
51
| Firmware version | The device's firmware, if detected. |
31
-
| IP Address | The IP address of the device where defined. |
52
+
| IP Address | The IP address of the device. |
32
53
| VLAN | The VLAN of the device. For details about instructing the sensor to discover VLANs, see [Define VLAN names](how-to-manage-the-on-premises-management-console.md#define-vlan-names).(how-to-define-management-console-network-settings.md#define-vlan-names). |
33
54
| MAC Address | The MAC address of the device. |
34
55
| Protocols | The protocols that the device uses. |
35
56
| Unacknowledged Alerts | The number of unacknowledged alerts associated with this device. |
36
-
| Is Authorized | The authorization status defined by the user:<br />- **True**: The device has been authorized.<br />- **False**: The device has not been authorized. |
57
+
| Is Authorized | The authorization status defined by the user:<br />- **True**: The device has been authorized.<br />- **False**: The device hasn't been authorized. |
37
58
| Is Known as Scanner | Defined as a network scanning device by the user. |
38
-
| Is Programming device | Defined as an authorized programming device by the user. <br />- **True**: The device performs programming activities for PLCs, RTUs, and controllers, which are relevant to engineering stations. <br />- **False**: The device is not a programming device. |
59
+
| Is Programming device | Defined as an authorized programming device by the user. <br />- **True**: The device performs programming activities for PLCs, RTUs, and controllers, which are relevant to engineering stations. <br />- **False**: The device isn't a programming device. |
39
60
| Groups | The groups that this device participates in. |
40
61
| Last Activity | The last activity that the device performed. |
41
62
| Discovered | When this device was first seen in the network. |
42
-
|**PLC mode (preview)**| The PLC operating mode includes the Key state (physical) and run state (logical). Possible **Key** states include, Run, Program, Remote, Stop, Invalid, Programming Disabled.Possible Run. The possible **Run** states are Run, Program, Stop, Paused, Exception, Halted, Trapped, Idle, Offline. if both states are the same, only oe state is presented. |
43
-
44
-
## What is an Inventory device?
45
-
46
-
The Defender for IoT Device inventory displays an extensive range of asset attributes that are detected by sensors monitoring the organizations networks and managed endpoints.
47
-
48
-
Defender for IoT will identify and classify devices as a single unique network device in the inventory for:
49
-
50
-
1. Standalone IT/OT/IoT devices (w/ 1 or multiple NICs)
51
-
1. Devices composed of multiple backplane components (including all racks/slots/modules)
52
-
1. Devices acting as network infrastructure such as Switch/Router (w/ multiple NICs).
53
-
54
-
Public internet IP addresses, multicast groups, and broadcast groups are not considered inventory devices.
55
-
Devices that have been inactive for more than 60 days are classified as inactive Inventory devices.
56
-
57
-
**To view the device inventory:**
63
+
| PLC mode (preview) | The PLC operating mode includes the Key state (physical) and run state (logical). Possible **Key** states include, Run, Program, Remote, Stop, Invalid, Programming Disabled.Possible Run. The possible **Run** states are Run, Program, Stop, Paused, Exception, Halted, Trapped, Idle, Offline. if both states are the same, only oe state is presented. |
58
64
59
-
1. In the left pane, select **Devices**. The **Devices** pane opens on the right.
65
+
**To hide and display columns:**
60
66
61
-
2. In the **Devices** pane, select :::image type="icon" source="media/how-to-work-with-asset-inventory-information/device-pane-icon.png" border="false":::.
67
+
1. Select **Edit Columns** and select a column you need or delete a column.
68
+
1. Select **Save**.
62
69
63
-
To hide and display columns, customize the device inventory table:
70
+
**To view additional details:**
64
71
65
-
1. On the upper-right menu of the device inventory, select :::image type="icon" source="media/how-to-work-with-asset-inventory-information/settings-icon.png" border="false":::.
72
+
1. Select an alert from the inventory and the select **View full details** in the dialog box that opens.
73
+
1. Navigate to additional information such as firmware details, and view contextual information such alerts related to the device, or a timeline of events associated with the device.
2. In the **Device Inventory Settings** window, select the columns that you want to display in the device inventory table.
77
+
Customize the inventory to view devices important to you. An option is also available to save inventory filters for quick access to device information you need.
70
78
71
-
3. Change the location of the columns in the table by using arrows.
72
-
73
-
4. Select **Save**. The **Device Inventory Settings** window closes, and the new settings appear in the table.
74
-
75
-
### Create temporary device inventory filters
79
+
**To create filters:**
76
80
77
-
You can set a filter that defines what information the table displays. For example, you can decide that you want to view only the PLC device's information.
81
+
1. Select **Add filter** from the Device inventory page.
82
+
1. Select a category from the **Column** field.
83
+
1. Select an **Operator**.
84
+
-**Equals**: The exact value according to which you want to filter the column. For example, if you filter the protocol column according to **Equals** and `value=ICMP`, the column will present devices that use the ICMP protocol only.
-**Contains**: The value that's contained among other values in the column. For example, if you filter the protocol column according to **Contains** and `value=ICMP`, the column will present devices that use the ICMP protocol as a part of the list of protocols that the device uses.
80
87
81
-
The filter is not saved when you leave the inventory.
88
+
1. Select a filter value.
82
89
83
90
### Save device inventory filters
84
91
85
-
You can save a filter or a combination of filters that you need and reapply them in the device inventory. Create broader filters based on a certain device type, or more narrow filters based on a specific type and a specific protocol.
92
+
You can save a filter or a combination of filters that you need and view them in the device inventory when needed. Create broader filters based on a certain device type, or more narrow filters based on a specific protocol.
86
93
87
-
The filters that you save are also saved as device map groups. This feature provides an additional level of granularity in viewing network devices on the map.
94
+
The filters that you save are also saved as Device map groups. This feature provides an additional level of granularity in viewing network devices on the map.
88
95
89
-
**To create filters:**
90
-
91
-
1. In the column that you want to filter, select :::image type="icon" source="media/how-to-work-with-asset-inventory-information/filter-icon.png" border="false":::.
96
+
**To save and view filters:**
92
97
93
-
2. In the **Filter** dialog box, select the filter type:
98
+
1. Use the **Add filter** option to filter the table.
99
+
1. Select **Save Filter**.
100
+
1. Add a filter name in the dialog box that opens and select **Submit**.
101
+
1. Select the double arrow >> on the left side of the page.
102
+
The filters you create appear in the **Saved Views** pane.
94
103
95
-
-**Equals**: The exact value according to which you want to filter the column. For example, if you filter the protocol column according to **Equals** and `value=ICMP`, the column will present devices that use the ICMP protocol only.
-**Contains**: The value that's contained among other values in the column. For example, if you filter the protocol column according to **Contains** and `value=ICMP`, the column will present devices that use the ICMP protocol as a part of the list of protocols that the device uses.
98
106
99
-
3. To organize the column information according to alphabetical order, select :::image type="icon" source="media/how-to-work-with-asset-inventory-information/alphabetical-order-icon.png" border="false":::. Arrange the order by selecting the :::image type="icon" source="media/how-to-work-with-asset-inventory-information/alphabetical-a-z-order-icon.png" border="false"::: and :::image type="icon" source="media/how-to-work-with-asset-inventory-information/alphabetical-z-a-order-icon.png" border="false"::: arrows.
107
+
### View filtered information as a map group
100
108
101
-
4. To save a new filter, define the filter and select **Save As**.
109
+
You can display devices from saved filters in the Device map.
102
110
103
-
5.To change the filter definitions, change the definitions and select **Save Changes**.
111
+
**To view devices in the map:**
104
112
105
-
To view filters:
113
+
1. After creating and saving an Inventory filter, navigate to the Device map.
114
+
1. In the map page, open the Groups pane on the left.
115
+
1. Scroll down to the **Asset Inventory Filters** group. The groups you saved from the Inventory appear.
106
116
107
-
- Open the left pane and view the filters that you've saved:
108
117
109
-
:::image type="content" source="media/how-to-work-with-asset-inventory-information/filters-from-left-pane-v2.png" alt-text="View the filters from the left-side pane.":::
118
+
### Update device properties
110
119
111
-
### View filtered information as a map group
120
+
Certain device properties can be updated manually. Information manually entered will override information discovered by Defender for IoT.
112
121
113
-
When you switch to the map view, the filtered devices are highlighted and filtered. The filter group that you saved appears in the side menu under the **Device Inventory Filters** group.
122
+
**To update properties:**
114
123
115
-
:::image type="content" source="media/how-to-work-with-asset-inventory-information/filters-in-the-map-view-v2.png" alt-text="View filters when in the map view.":::
124
+
1. Select a device from the inventory.
125
+
1. Select **View full details**.
126
+
1. Select **Edit properties.**
127
+
1. Update any of the following:
116
128
129
+
- Authorized status
130
+
- Device name
131
+
- Device type
132
+
- OS
133
+
- Purdue layer
134
+
- Description
135
+
1. Select **Save**.
136
+
117
137
## Learn Windows registry details
118
138
119
139
In addition to learning OT devices, you can discover Microsoft Windows workstations, and servers. These devices are also displayed in Device Inventory. After you learn devices, you can enrich the Device Inventory with detailed Windows information, such as:
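Review bot: step 1 under **To view additional details** (`1. Select an alert from the inventory and the select **View full details**`) should read `Select a device from the inventory and then select **View full details**`; this is the device inventory, and step 2 describes firmware details and the alerts related to the selected device. In the same hunk: the `PLC mode (preview)` row is moved but keeps the typos `Programming Disabled.Possible Run.` and `only oe state is presented`; the `-**Equals**` / `-**Contains**` lines after `1. Select an **Operator**.` have no space after the hyphen and are not indented, so they neither render as bullets nor stay inside the numbered list; the map steps name the group **Asset Inventory Filters** while the removed text called it **Device Inventory Filters**, so confirm which label the UI shows; and the removed sentence `The filter is not saved when you leave the inventory.` has no replacement, so readers no longer learn that unsaved filters are discarded. Under **Update device properties**, the text says manual entries override discovered values, including **Authorized status** and **Purdue layer**, but does not say whether later discovery reverts them or whether the edit is recorded in the Event timeline the way device deletions are (see the delete section below); both matter to anyone auditing inventory changes. Drive-by on the unchanged VLAN row: two links are concatenated after `[Define VLAN names]`, leaving a stray `.(how-to-define-management-console-network-settings.md#define-vlan-names).`; keep one target.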
@@ -134,9 +154,7 @@ Two options are available for retrieving this information:
134
154
135
155
- Local surveying by distributing and running a script on the device. Working with local scripts bypasses the risks of running WMI polling on an endpoint. It's also useful for regulated networks with waterfalls and one-way elements.
136
156
137
-
This article describes how to locally survey the Windows endpoint registry with a script. This information will be used for generating alerts, notifications, data mining reports, risk assessments, and attack vector reports.
This section describes how to locally survey the Windows endpoint registry with a script. This information will be used for generating alerts, notifications, data mining reports, risk assessments, and attack vector reports.
140
158
141
159
You can survey the following Windows operating systems:
142
160
@@ -172,7 +190,7 @@ You can deploy the script once or schedule ongoing queries by using standard aut
172
190
173
191
### About the script
174
192
175
-
- The script is run as a utility and not an installed program. Running the script does not affect the endpoint.
193
+
- The script is run as a utility and not an installed program. Running the script doesn't affect the endpoint.
176
194
177
195
- The files that the script generates remain on the local drive until you delete them.
178
196
@@ -210,15 +228,13 @@ Don't update file names.
210
228
211
229
**To import:**
212
230
213
-
1. Select **Import Settings** from the **Import Windows Configuration** dialog box.
214
-
215
-
:::image type="content" source="media/how-to-work-with-asset-inventory-information/import-windows-configuration-v2.png" alt-text="Import your Windows configurations.":::
2. Select **Add**, and then select all the files (Ctrl+A).
233
+
2. Select **Import File**, and then select all the files (Ctrl+A).
218
234
219
235
3. Select **Close**. The device registry information is imported. If there's a problem uploading one of the files, you'll be informed which file upload failed.
220
236
221
-
:::image type="content" source="media/how-to-work-with-asset-inventory-information/add-new-file.png" alt-text="Upload of added files was successful.":::
237
+
:::image type="content" source="media/how-to-work-with-asset-inventory-information/add-new-file.png" alt-text="Upload of added files was successful.":::
222
238
223
239
## View and delete inactive devices from the inventory
224
240
@@ -230,32 +246,34 @@ Devices may become inactive because of:
230
246
231
247
Deleting inactive devices helps:
232
248
233
-
- Defender for IoT create a more accurate representation of current network activity
249
+
- Defender for IoT creates a more accurate representation of current network activity
234
250
- Better evaluate committed devices when managing subscriptions
235
251
- Reduce clutter on your screen
236
252
237
253
### View inactive devices
238
254
239
255
You can filter the inventory to display devices that are inactive:
240
256
241
-
- for 7 days or more
257
+
- for seven days or more
242
258
- for 14 days or more
243
259
- 30 days or more
244
260
- 90 days or more
245
261
246
-
**To filter the inventory:**
262
+
**To filter:**
247
263
248
-
1. Select the **Last Seen** filter icon in the Inventory.
249
-
1. Select a filter option.
250
-
1. Select **Apply**.
264
+
1. Select **Add filter**.
265
+
1. Select **Last Activity** in the column field.
266
+
1. Choose the time period in the **Filter** field.
267
+
268
+
:::image type="content" source="media/how-to-inventory-sensor/save-filter.png" alt-text="Screen capture shows last activity filter in Inventory":::
251
269
252
270
### Delete inactive devices
253
271
254
272
Devices you delete from the Inventory are removed from the map and won't be calculated when generating Defender for IoT reports, for example Data Mining, Risk Assessment, and Attack Vector reports.
255
273
256
-
You will be prompted to record a reason for deleting devices. This information, as well as the time/date and number of devices deleted, appears in the Event timeline.
274
+
You'll be prompted to record a reason for deleting devices. This information, as well as the time/date and number of devices deleted, appears in the Event timeline.
257
275
258
-
**To delete devices from the inventory:**
276
+
**To delete inactive devices:**
259
277
260
278
1. Select the **Last Seen** filter icon in the Inventory.
261
279
1. Select a filter option.
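Review bot: changing `create` to `creates` breaks the list under `Deleting inactive devices helps:`; the items `Defender for IoT creates a more accurate representation...`, `Better evaluate committed devices...` and `Reduce clutter...` are no longer parallel, and the original `helps Defender for IoT create` was grammatically correct. Also, the **To delete inactive devices** steps still say `Select the **Last Seen** filter icon in the Inventory` / `Select a filter option`, while the **To filter** steps in this same hunk were updated to **Add filter** > **Last Activity** > choose the time period; update the delete steps to match so the two procedures describe the same UI.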
@@ -265,14 +283,14 @@ You will be prompted to record a reason for deleting devices. This information,
265
283
266
284
## Export device inventory information
267
285
268
-
You can export device inventory information to an Excel file.
286
+
You can export device inventory information to .csv file.
269
287
270
-
To export a CSV file:
288
+
**To export:**
271
289
272
-
-On the upper-right menu of the device inventory, select :::image type="icon" source="media/how-to-work-with-asset-inventory-information/csv-excel-export-icon.png" border="false":::. The CSV report is generated and downloaded.
290
+
-Select **Export file** from the Device Inventory page. The report is generated and downloaded.
273
291
274
292
## See also
275
293
276
294
[Investigate all enterprise sensor detections in a device inventory](how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md)
277
295
278
-
[Work with site map views](how-to-gain-insight-into-global-regional-and-local-threats.md#work-with-site-map-views)
296
+
[Manage your IoT devices with the device inventory](../device-builders/how-to-manage-device-inventory-on-the-cloud.md#manage-your-iot-devices-with-the-device-inventory)
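Review bot: `to .csv file` is missing its article (`to a .csv file`), and `-Select **Export file** from the Device Inventory page.` needs a space after the hyphen to render as a bullet, or drop the hyphen for a single step as the rest of the file does. The replaced See also entry drops the `Work with site map views` link and points instead to the device-builders cloud inventory article (`../device-builders/how-to-manage-device-inventory-on-the-cloud.md`), which documents a different surface than the sensor console this page covers; confirm that cross-reference is intended rather than the organizations-side cloud inventory.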