articles/defender-for-iot/organizations/monitor-zero-trust.md
25 additions & 5 deletions
@@ -15,8 +15,6 @@ ms.collection:
15
15
|---------|---------|---------|
16
16
|Always authenticate and authorize based on all available data points. | Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. | Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.
17
17
18
-
<!--replace with include file-->
19
-
20
18
Defender for IoT uses site and zone definitions across your OT network to ensure that you're maintaining network hygiene and keeping each subsystem separate and secure.
21
19
22
20
This tutorial describes how to monitor your OT network with Defender for IoT and Zero Trust principles.
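Review bot: dropping the `<!--replace with include file-->` reminder leaves the Zero Trust principles table (the "Always authenticate and authorize..." row above) as an inline copy with no trace of the intent to source it from a shared include; if the include was never created, the table can drift from the canonical version used by other Defender for IoT articles. Either keep the comment until the include exists or note in the commit that this copy is now authoritative.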
@@ -29,6 +27,9 @@ In this tutorial, you learn how to:
29
27
> *[Look for alerts on cross-subnet traffic](#look-for-alerts-on-cross-subnet-traffic)
30
28
> *[Simulate traffic to test your network](#simulate-traffic-to-test-your-network)
31
29
30
+
> [!IMPORTANT]
31
+
> The **Recommendations** page in the Azure portal is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
32
+
32
33
## Prerequisites
33
34
34
35
To perform the tasks in this tutorial, you need:
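Review bot: the new `> [!IMPORTANT]` preview notice for the **Recommendations** page is placed between the "In this tutorial, you learn how to" checklist and **Prerequisites**, but nothing in the surrounding text yet tells the reader which step uses that page; the only consumer is the new **Look for unauthorized devices** section added later in this change. Consider moving the notice to that section, or adding a "Look for unauthorized devices" entry to the checklist so the preview dependency is visible where it applies.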
@@ -67,7 +68,7 @@ You've separated your network in to sites and zones to keep each subsystem separ
67
68
68
69
## Look for alerts on unknown devices
69
70
70
-
Do you know what devices are on your network, and who they're communicating with? Defender for IoT triggers alerts for any new, unknown device detected on your network so that you can identify it and ensure both the device security and your network security.
71
+
Do you know what devices are on your network, and who they're communicating with? Defender for IoT triggers alerts for any new, unknown device detected in OT subnets so that you can identify it and ensure both the device security and your network security.
71
72
72
73
Unknown devices might include *transient* devices, which move between networks. For example, transient devices might include a technician's laptop, which they connect to the network when maintaining servers, or a visitor's smartphone, which connects to a guest network at your office.
73
74
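Review bot: narrowing "detected on your network" to "detected in OT subnets" changes when a reader should expect an unknown-device alert, but the paragraph gives no pointer to where OT subnets are configured; without it, a reader whose subnets are not yet marked as OT will look for alerts that never fire. Add a short cross-reference to the subnet configuration article next to "in OT subnets".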
@@ -104,6 +105,25 @@ Specific sites or zones that generate many alerts for unknown devices are at ris
104
105
- Learn the alert if the device is legitimate so that the alert isn't triggered again for the same device. On the alert details page, select **Learn**.
105
106
- Block the device if it's not legitimate.
106
107
108
+
## Look for unauthorized devices
109
+
110
+
We recommend that you proactively watch for new, unauthorized devices detected on your network. Regularly checking for unauthorized devices can help prevent threats of rogue or potentially malicious devices that might infiltrate your network.
111
+
112
+
For example, use the **Review unauthorized devices** recommendation to identify all unauthorized devices.
113
+
114
+
**To review unauthorized devices**:
115
+
116
+
1. In Defender for IoT on the Azure portal, select **Recommendations (Preview)** and search for the **Review unauthorized devices** recommendation.
117
+
1. View the devices listed in the **Unhealthy devices** tab. Each of these devices in unauthorized and might be a risk to your network.
118
+
119
+
Follow the remediation steps, such as to mark the device as authorized if the device is known to you, or disconnect the device from your network if the device remains unknown after investigation.
120
+
121
+
For more information, see [Enhance security posture with security recommendations](recommendations.md).
122
+
123
+
> [!TIP]
124
+
> You can also review unauthorized devices by [filtering the device inventory](how-to-manage-device-inventory-for-organizations.md#view-the-device-inventory) by the **Authorization** field, showing only devices marked as **Unauthorized**.
125
+
126
+
107
127
## Look for vulnerable systems
108
128
109
129
If you have devices on your network with outdated software or firmware, they might be vulnerable to attack. Devices that are end-of-life, and have no more security updates are especially vulnerable.
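Review bot: step 2 of the new procedure has a typo, "Each of these devices in unauthorized" should read "Each of these devices is unauthorized". Two smaller points in the same block: "Follow the remediation steps, such as to mark the device as authorized..." reads awkwardly (suggest "Follow the remediation steps: mark the device as authorized if it's known to you, or disconnect it from your network if it remains unknown after investigation"), and the new H2 **Look for unauthorized devices** is not reflected in the tutorial's "In this tutorial, you learn how to" checklist, which lists the other H2 sections by anchor.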
@@ -120,7 +140,7 @@ If you have devices on your network with outdated software or firmware, they mig
120
140
121
141
1. In the **SiteName** select at the top of the page, select one or more sites to filter the data by site. Filtering data by site can help you identify concerns at specific sites, which may require site-wide updates or device replacements.
122
142
123
-
## Simulate traffic to test your network
143
+
## Simulate malicious traffic to test your network
124
144
125
145
To verify the security posture of a specific device, run an **Attack vector** report to simulate traffic to that device. Use the simulated traffic to locate and mitigate vulnerabilities before they're exploited.
126
146
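Review bot: renaming the heading to **Simulate malicious traffic to test your network** changes its generated anchor, but the checklist entry at line 28 still links to `#simulate-traffic-to-test-your-network`, so that link breaks with this change; update it to `#simulate-malicious-traffic-to-test-your-network`. The first sentence under the heading also still says "simulate traffic to that device", so either align it with the new heading or keep the original heading.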
@@ -189,7 +209,7 @@ When monitoring for Zero Trust, the following list is an example of important De
189
209
190
210
:::row:::
191
211
:::column:::
192
-
- Unauthorized device connected to the network
212
+
- Unauthorized device connected to the network, especially any malicious IP/Domain name requests
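Review bot: the appended clause "especially any malicious IP/Domain name requests" does not fit the bullet it is attached to, since a request to a malicious IP or domain is a separate signal from an unauthorized device joining the network. Split it into two list items, for example "- Unauthorized device connected to the network" and "- Requests to known-malicious IP addresses or domain names", so each alert type in the Zero Trust list stands on its own.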