title: Create risk assessment reports on an OT sensor - Microsoft Defender for IoT
3
3
description: Gain insight into network risks detected by individual Defender for IoT OT sensors or an aggregate view of risks detected by all OT sensors.
4
-
ms.date: 02/03/2022
4
+
ms.date: 12/01/2022
5
5
ms.topic: how-to
6
6
---
7
7
8
8
# Risk assessment reporting
9
9
10
-
Risk assessment reports, generated by Defender for IoT OT network sensors and on-premises management consoles, provide details about security scores, vulnerabilities, and operational issues on detected devices as well as risks coming from imported firewall rules.
10
+
Risk assessment reports provide details about security scores, vulnerabilities, and operational issues on detected devices as well as risks coming from imported firewall rules.
11
11
12
-
Each sensor has access to reports generated for that sensor, while the on-premises management console allows you view reports from all connected sensors from the same page. The on-premises management console also supports customizations for the logo that appears in your report.
12
+
Each Defender for IoT network sensor can generate a risk assessment report, while the on-premises management console collects those reports from all connected sensors.
13
13
14
14
## Prerequisites
15
15
16
16
- You must be an **Admin** user to import firewall rules to an OT sensor or add backup and anti-virus server addresses.
17
17
18
18
- You must be an **Admin** or **Security Analyst** user to create or view risk assessment reports on the OT sensor or on-premises management console.
19
19
20
-
## Import firewall rules to a OT sensor
20
+
## Create and view risk assessment reports for a specific sensor
21
+
22
+
Use an individual OT sensor to view reports generated for that sensor only.
23
+
24
+
**To generate a report**:
25
+
26
+
1. Sign in to the sensor console and select **Risk assessment** > **Generate report**. The report is generated and appears in the **Reports list**, along with the timestamp and report size.
27
+
28
+
Reports are automatically named `risk-assessment-report-<integer>`, where the `<integer>` is incremented automatically.
29
+
30
+
1. Select the report name to download it and open it in your browser.
31
+
32
+
## Risk assessment report contents
33
+
34
+
Risk assessment reports include the following details:
35
+
36
+
|Details |Description |
37
+
|---------|---------|
38
+
|**Security scores**| An overall security score for all detected devices, and a security score for each individual device. <br><br> Security scores are based on data learned from packet inspection, behavioral modeling engines, and a SCADA-specific state machine design, and are categorized as follows: <br><br> - **Secure Devices** are devices with a security score above 90%. <br> - **Devices Needing Improvement** are devices with a security score between 70 percent and 89%. <br> - **Vulnerable Devices** are devices with a security score below 70%. |
39
+
|**Security and operational issues**| Insight into any of the following security and operational issues: <br><br> - Configuration issues <br> - Device vulnerability, prioritized by security level <br> - Network security issues <br> - Network operational issues <br> - Connections to ICS networks <br> - Internet connections <br> - Industrial malware indicators <br> - Protocol issues <br> - Attack vectors |
40
+
|**Firewall rule risk**| The Risk Assessment report highlights if a rule isn't secure, or if there's a mismatch between the rule and the monitored network. |
41
+
42
+
## Enriching the risk assessment report
43
+
44
+
You can enrich a risk assessment report to provide you with more content. For example, you can import firewall data to your sensor, and then the risk assessment report will also include data about firewall rule risk, based on the imported rules. You can also define addresses for backup and anti-virus servers.
45
+
46
+
### Import firewall rules to an OT sensor
21
47
22
48
Import firewall rules to your OT sensor for analysis in **Risk assessment** reports. Importing firewall rules is supported for Checkpoint, Fortinet, and Juniper firewalls.
23
49
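Review bot: In the moved "Create and view risk assessment reports for a specific sensor" procedure, the paragraph `Reports are automatically named risk-assessment-report-<integer>...` sits unindented between the two `1.` steps, which terminates the list in Markdown, so the second step renders as a new list that starts again at 1; indent that paragraph by three spaces under the first step (or move it below the list) so the two steps number 1 and 2. Also in the new **Security scores** row, the three bands ("above 90%", "between 70 percent and 89%", "below 70%") leave a score of exactly 90% in no category, and "70 percent" should read "70%" to match the rest of the row; "90% or above" and "70% to 89%" would close the gap and keep the units consistent.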
@@ -33,56 +59,32 @@ For example:
33
59
34
60
:::image type="content" source="media/how-to-create-risk-assessment-reports/import-firewall-rules.png" alt-text="Screenshot of how to import firewall rules." lightbox="media/how-to-create-risk-assessment-reports/import-firewall-rules.png":::
35
61
36
-
## Add backup and anti-virus server addresses to your sensor
62
+
###Add backup and anti-virus server addresses to your sensor
37
63
38
-
Backup and anti-virus servers are not defined on your sensor by default. We recommend defining these addresses on your sensor to keep your network risk assessment low.
64
+
Backup and anti-virus servers aren't defined on your sensor by default. We recommend defining these addresses on your sensor to keep your network risk assessment low.
39
65
40
66
**To add backup and anti-virus server addresses**:
41
67
42
68
1. Sign into your OT sensor and select **System Settings** > **System Properties** > **Vulnerability Assessment**.
43
69
1. Add your backup and anti-virus server addresses to the **backup_servers** and **AV_addresses** fields, respectively. Use commas to separate multiple addresses.
44
70
1. Select **Save** to save your changes.
45
71
46
-
## Create and view risk assessment reports for a specific sensor
47
-
48
-
Use an individual OT sensor to view reports generated for that sensor only.
49
-
50
-
**To generate a report**:
51
-
52
-
1. Sign in to the sensor console and select **Risk assessment** > **Generate report**. The report is generated and appears in the **Reports list**, along with the timestamp and report size.
53
-
54
-
Reports are automatically named `risk-assessment-report-<integer>`, where the `<integer>` is incremented automatically.
55
-
56
-
1. Select the report name to download it and open it in your browser.
57
-
58
72
## Create and view risk assessment reports for multiple sensors
59
73
60
-
Use an on-premises management console to create and view risk assessment reports for all connected sensors, or to customize your report logo.
74
+
Use an on-premises management console to view risk assessment reports for all connected sensors.
61
75
62
76
**To generate a report**:
63
77
64
78
1. Sign in to your on-premises management console and select **Risk assessment**.
65
79
66
-
1. To customize the logo that appears on your report, select **Import logo**. Browse to and select the logo file you want to use.
67
-
68
80
1. From the **Select Sensor** drop-down menu, select the sensor for which you want to generate the report, and then select **Generate Report**.
69
81
70
82
A new report is listed in the **Archived Reports** area, listed by the time and date it was created, and showing the security score and report size.
71
83
72
84
1. Select **Download** to download a report and open it in your browser.
73
85
74
-
## Risk assessment report contents
75
-
76
-
Risk assessment reports include the following details:
77
-
78
-
|Details |Description |
79
-
|---------|---------|
80
-
|**Security scores**| An overall security score for all detected devices, and a security score for each individual device. <br><br> Security scores are based on data learned from packet inspection, behavioral modeling engines, and a SCADA-specific state machine design, and are categorized as follows: <br><br> - **Secure Devices** are devices with a security score above 90%. <br> - **Devices Needing Improvement** are devices with a security score between 70 percent and 89%. <br> - **Vulnerable Devices** are devices with a security score below 70%. |
81
-
|**Security and operational issues**| Insight into any of the following security and operational issues: <br><br> - Configuration issues <br> - Device vulnerability, prioritized by security level <br> - Network security issues <br> - Network operational issues <br> - Connections to ICS networks <br> - Internet connections <br> - Industrial malware indicators <br> - Protocol issues <br> - Attack vectors |
82
-
|**Firewall rule risk**| If you've imported firewall data to your sensor, the risk assessment reports also include data about firewall rule risk, based on the imported rules. The Risk Assessment report highlights if a rule is not secure, or if there's a mismatch between the rule and the monitored network. |
83
-
84
86
## Next steps
85
87
86
-
Take action based on the recommendations provided in the risk assessment reports to improve your overall network security score. For example, you might install the latest security or firmware updates, or investigate any PLCs that are currently in unsecure states.
88
+
Take action based on the recommendations provided in the risk assessment reports to improve your overall network security score. For example, you might install the latest security or firmware updates, or investigate any PLCs that are currently in unsecure states.
87
89
88
90
For more information, see [Enhance security posture with security recommendations](recommendations.md).
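Review bot: The heading `###Add backup and anti-virus server addresses to your sensor` is missing the space after `###`, so Markdown will not recognize it as a heading and the `###` renders as literal text; change it to `### Add backup and anti-virus server addresses to your sensor`, matching the `### Import firewall rules to an OT sensor` sibling that this change introduces above it. Smaller point: the rewritten intro to "Create and view risk assessment reports for multiple sensors" now says the on-premises management console is used only "to view" reports, while the section title says "Create and view" and the steps that follow still select **Generate Report**; keep "create and view" in the intro so it matches the procedure.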