| 1 | +--- |
| 2 | +title: MDE agent deployment guide for OT discovery - Microsoft Defender for IoT |
| 3 | +description: Learn how to deploy an MDE agent on your OT network sensors. |
| 4 | +ms.date: 12/19/2024 |
| 5 | +ms.topic: how-to |
| 6 | +author: limwainstein |
| 7 | +ms.author: lwainstein |
| 8 | +--- |
| 9 | +<!-- This isnt really a how-to but a concept - is that correct? Limor--> |
| 10 | +# MDE Agent Deployment Guide for OT Discovery |
| 11 | + |
| 12 | +## Placement of an MDE agent to receive maximum network value |
| 13 | + |
| 14 | +This guide provides step-by-step instructions for deploying a Microsoft Defender for Endpoint (MDE) agent in the correct network location to ensure that it receives the relevant traffic. Proper placement enhances data quality and optimal performance within the network. |
| 15 | + |
| 16 | +## MDE Discovery for OT Capabilities |
| 17 | + |
| 18 | +MDE agents offer various discovery and security capabilities, such as passive monitoring or standard probing. The MDE agent should be placed according to the capability type that your network needs. The capabilities include: |
| 19 | + |
| 20 | +- [Passive monitoring](#passive-monitoring) |
| 21 | + |
| 22 | +- [Standard probing](#standard-probing) |
| 23 | + |
| 24 | +## Usage Ability |
| 25 | + |
| 26 | +- Server 2019 and computers with Build Version 17763 |
| 27 | + |
| 28 | +- Lower operating system versions: Machines with lower operating system versions (e.g., Server 2016) can be onboarded to an MDE agent but can't run SENSENDR. |
| 29 | + |
| 30 | +## Passive Monitoring |
| 31 | + |
| 32 | +Passive monitoring involves silently analyzing network traffic using known endpoints and traffic patterns, for example, MDE passively monitors network traffic to discover OT devices. |
| 33 | + |
| 34 | +- Requirement: An MDE agent must be running on the LAN or subnet to be monitored. |
| 35 | + |
| 36 | +- Network traffic type required: the MDE agent needs to pass unicast traffic between the discovered OT devices and the agent/ sensor.<!--?--> |
| 37 | + |
| 38 | +:::image type="content" source="media/mde-agent-deployment-guide/mde-agent-deployment-guide-1.png" alt-text="A diagram showing the passive monitoring of a subnet." lightbox="media/mde-agent-deployment-guide/mde-agent-deployment-guide-1.png"::: |
| 39 | + |
| 40 | +## Standard Probing |
| 41 | + |
| 42 | +Standard probing involves actively probing observed devices in the network to enrich collected data. |
| 43 | + |
| 44 | +This mode leverages common discovery protocols that use multicast queries in the network to identify other devices not located using passive monitoring. For example, MDE can use standard probing to actively find devices in your network, which helps build a reliable and coherent device inventory. |
| 45 | + |
| 46 | +General recommendations for standard probing to set up the MDE agent as an OT discovery data source are: |
| 47 | + |
| 48 | +- Minimum Requirement: an MDE agent running on the LAN or subnet to be monitored. |
| 49 | + |
| 50 | +- Scanners per VLAN: at least five scanners per VLAN. |
| 51 | + |
| 52 | +- Onboarding Devices: onboard any devices with the "Can Be Onboarded" status in order to increase visibility. |
| 53 | + |
| 54 | +- Functionality: Broadcast packets allow the MDE agent to create the device in the inventory though not necessarily with all the information needed for OT classification and CVEs. Based on the initial information discovered, the agent uses standard probing to complete the necessary information using appropriate protocols. |
| 55 | + |
| 56 | +:::image type="content" source="media/mde-agent-deployment-guide/mde-agent-deployment-guide-2.png" alt-text="A diagram showing the standard probing discovery process." lightbox="media/mde-agent-deployment-guide/mde-agent-deployment-guide-2.png"::: |
| 57 | + |
| 58 | +These guidelines could ensure that the MDE agent is effectively deployed to maximize its value for OT discovery. |
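Review bot: the passive-monitoring traffic requirement on line 36 ("the MDE agent needs to pass unicast traffic between the discovered OT devices and the agent/ sensor") conflicts with line 54, which says the inventory entry is created from broadcast packets, and the author's own `<!--?-->` on line 36 shows the point was never settled; before merge, state which traffic passive discovery actually depends on (broadcast/multicast reaching the agent's subnet, unicast addressed to the agent host, or both) and how an agent on a switched LAN would see unicast between two other OT devices. Also: the draft comment on line 10 ("This isnt really a how-to but a concept") and the `<!--?-->` on line 36 must not ship, and line 10 should be resolved against `ms.topic: how-to` on line 5; line 26 is a fragment (it lists "Server 2019 and computers with Build Version 17763" without saying what they can do, presumably the capability that line 28 says lower versions cannot run); "SENSENDR" on line 28 is never expanded or defined; "at least five scanners per VLAN" on line 50 does not say what a scanner is here (an onboarded MDE device?) or why five; line 34 and line 48 repeat the same requirement; and "could ensure" on line 58 should read "help ensure".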