Connect your data from Defender for IoT to Azure Sentinel
Use the Defender for IoT connector to stream all your Defender for IoT events into Azure Sentinel.
This integration enables organizations to quickly detect multistage attacks that often cross IT and OT boundaries. Additionally, Defender for IoT’s integration with Azure Sentinel's security orchestration, automation, and response (SOAR) capabilities enables automated response and prevention using built-in OT-optimized playbooks.
- Read and Write permissions on the Workspace onto which Azure Sentinel is deployed
- Defender for IoT must be enabled on your relevant IoT Hub(s)
- You must have Contributor permissions on the Subscription you want to connect
Connect to Defender for IoT
In Azure Sentinel, select Data connectors and then select the Defender for IoT (may still be called Azure Security Center for IoT) from the gallery.
From the bottom of the right pane, click Open connector page.
Click Connect, next to each IoT Hub subscription whose alerts and device alerts you want to stream into Azure Sentinel.
- You will receive an error message if Defender for IoT is not enabled on at least one IoT Hub within a subscription. Enable Defender for IoT within the IoT Hub to remove the error.
You can decide whether you want the alerts from Defender for IoT to automatically generate incidents in Azure Sentinel. Under Create incidents, select Enable to enable the default analytics rule to automatically create incidents from the generated alerts. This rule can be changed or edited under Analytics > Active rules.
It can take 10 seconds or more for the Subscription list to refresh after making connection changes.
Log Analytics alert view
To use the relevant schema in Log Analytics to display the Defender for IoT alerts:
Open Logs > SecurityInsights > SecurityAlert, or search for SecurityAlert.
Filter to see only Defender for IoT generated alerts using the following kql filter:
SecurityAlert | where ProductName == "Azure Security Center for IoT"
After connecting a Subscription, the hub data is available in Azure Sentinel approximately 15 minutes later.
In this document, you learned how to connect Defender for IoT to Azure Sentinel. To learn more about threat detection and security data access, see the following articles:
- Learn how to use Azure Sentinel to get visibility into your data, and potential threats.
- Learn how to Access your IoT security data