Microsoft Configuration (TRITON)
Product Versions
- Azure Defender for IoT version: 10.0.3
- Azure Sentinel
Description
Azure Defender for IoT offers agentless, network-layer security for ICS environments that’s rapidly deployed (typically less than one day per site); works with diverse OT automation equipment including proprietary embedded devices and legacy Windows platforms; and integrates with Azure Sentinel and other SOC tools such as Splunk, IBM QRadar, and ServiceNow. Deploy fully on-premises, Azure-connected, or in a hybrid environment where all monitoring is performed locally, sensors are provisioned and managed from the cloud, and selected alerts are forwarded to a cloud-based SIEM.

Discover and map all your ICS devices
Use passive monitoring to gain a complete inventory of all your ICS assets, with zero performance impact on the control network. Analyze diverse industrial protocols to identify device details including manufacturer, type, serial number, firmware level, and IP/MAC. Visualize your entire ICS network topology, see device communication paths, and quickly identify the root cause of operational issues such as misconfigured devices.

Protect devices with risk-based vulnerability management
Proactively address vulnerabilities in your ICS environment. Identify risks such as unpatched devices, open ports, unauthorized connections, and unauthorized applications. Detect changes to device configurations, PLC code, firmware, and backplanes. Prioritize fixes based on risk scoring.

Detect threats with ICS-aware behavioral analytics
Monitor for anomalous or unauthorized activity using patented, ICS-aware behavioral analytics and threat intelligence from our CISA-recognized ICS security research team. Strengthen zero trust by instantly detecting unauthorized or compromised ICS devices. Rapidly triage real-time alerts, investigate historical traffic, and hunt for threats. Catch modern threats like zero-day malware and living-off-the-land tactics missed by static IOCs. Leverage Layer 7 deep packet inspection (DPI) to analyze payloads and immediately alert on malicious commands like “PLC Stop” or “Program Upload.” Explore full-fidelity packet captures (PCAPs) for deeper analysis.

Proactively address risk for crown jewel assets with automated ICS threat modeling
Automated ICS threat modeling applies proprietary algorithms to risk and vulnerability data in order to simulate the most likely paths of targeted attacks on control networks. By generating a visual representation of all possible attack vector chains — ranked by risk — targeting your most critical OT assets, it enables you to prioritize essential mitigations and simulate what-if scenarios to reduce your attack surface (e.g., “If I isolate or patch this insecure device, does it eliminate the risk to my crown jewel assets?”). This enables more effective use of limited skilled resources during narrow maintenance windows.

Unify IT/OT security with Integrated SIEM/SOAR and XDR
Get a bird's-eye view across IT/OT boundaries with deep integration between Azure Defender for IoT and Azure Sentinel, Microsoft’s cloud-native SIEM/SOAR platform and a Leader in the Forrester Wave report. Plus get built-in integration with other SOC tools such as Splunk, IBM QRadar, and ServiceNow. Leverage Sentinel to automate incident response with ICS-specific playbooks, rules, and dashboards. Use machine learning and threat intelligence derived from trillions of signals collected daily across Microsoft’s global ecosystem (endpoints, Active Directory, Office 365, Xbox Live, Digital Crimes Unit, etc.). Accelerate threat detection and reduce alert fatigue with Microsoft 365 Defender, Microsoft’s extended detection and response (XDR) solution, which automatically consolidates disparate alerts across platforms (Windows, Mac, Linux, Android, and iOS) and domains (identities, endpoints, cloud apps, email and documents).

Product Configuration
Azure Defender for IoT
- Triton Test Learning Phase - Learning Mode (default)
- Triton Test Attack Phase - Learning Mode Disabled
Azure Sentinel
- Azure Defender for IoT connector enabled
- CEF connector enabled