Investigate all enterprise sensor detections in the device inventory

You can view device information from connected sensors by using the device inventory in the on-premises management console. This feature gives you a comprehensive view of all network information. Use import, export, and filtering tools to manage this information. The status information about the connected sensor versions also appears.

Screenshot of the device inventory data table.

The following table describes the table columns in the device inventory.

Parameter Description
Unacknowledged Alerts The number of unhandled alerts associated with this device.
Business Unit The business unit that contains this device.
Region The region that contains this device.
Site The site that contains this device.
Zone The zone that contains this device.
Appliance The Microsoft Defender for IoT sensor that protects this device.
Name The name of this device as Defender for IoT discovered it.
Type The type of device, such as PLC or HMI.
Vendor The name of the device's vendor, as defined in the MAC address.
Operating System The OS of the device.
Firmware The device's firmware.
IP Address The IP address of the device.
VLAN The VLAN of the device.
MAC Address The MAC address of the device.
Protocols The protocols that the device uses.
Unacknowledged Alerts The number of unhandled alerts associated with this device.
Is Authorized The authorization status of the device:
- True: The device has been authorized.
- False: The device has not been authorized.
Is Known as Scanner Whether this device performs scanning-like activities in the network.
Is Programming Device Whether this is a programming device:
- True: The device performs programming activities for PLCs, RTUs, and controllers, which are relevant to engineering stations.
- False: The device is not a programming device.
Groups Groups in which this device participates.
Last Activity The last activity that the device performed.
Discovered When this device was first seen in the network.
PLC mode (preview) The PLC operating mode includes the Key state (physical) and run state (logical). Possible Key states include, Run, Program, Remote, Stop, Invalid, Programming Disabled.Possible Run. The possible Run states are Run, Program, Stop, Paused, Exception, Halted, Trapped, Idle, Offline. if both states are the same, only oe state is presented.

What is an Inventory device?

The Defender for IoT Device Inventory displays an extensive range of device attributes that are detected by sensors monitoring organizational networks and managed endpoints. Defender for IoT will identify and classify devices as a single unique network device in the inventory for:

  1. Standalone IT/OT/IoT devices (w/ 1 or multiple NICs)
  2. Devices composed of multiple backplane components (including all racks/slots/modules)
  3. Devices acting as network infrastructure such as Switch/Router (w/ multiple NICs).

Public internet IP addresses, multicast groups, and broadcast groups are not considered inventory devices. Devices that have been inactive for more than 60 days are classified as inactive Inventory devices.

Integrate data into the enterprise device inventory

Data integration capabilities let you enhance the data in the device inventory with information from other enterprise resources. These sources include CMDBs, DNS, firewalls, and Web APIs.

You can use this information to learn. For example:

  • Device purchase dates and end-of-warranty dates

  • Users responsible for each device

  • Opened tickets for devices

  • The last date when firmware was upgraded

  • Devices allowed access to the internet

  • Devices running active antivirus applications

  • Users signed in to devices

Data table on the device inventory screen.

You can integrate data by either:

  • Adding it manually

  • Running customized scripts that Defender for IoT provides

Diagram of the enterprise data integrator.

You can work with Defender for IoT technical support to set up your system to receive Web API queries.

To add data manually:

  1. On the side menu, select Device Inventory and then select .

    Edit your device's inventory settings.

  2. In the Device Inventory Settings dialog box, select ADD CUSTOM COLUMN.

    Add a custom column to your inventory.

  3. In the Add Custom Column dialog box, add the new column name (up to 250 characters UTF), select Manual, and select SAVE. The new item appears in the Device Inventory Settings dialog box.

  4. In the upper-right corner of the Device Inventory window, select and select Export All Device Inventory. The CSV file is generated.

    The exported CSV file.

  5. Manually add the information to the new column and save the file.

  6. In the upper-right corner of the Device Inventory window, select , select Import Manual Input Columns, and browse to the CSV file. The new data appears in the Device Inventory table.

To integrate data from other enterprise entities:

  1. In the upper-right corner of the Device Inventory window, select and select Export All Device Inventory.

  2. In the Device Inventory Settings dialog box, select ADD CUSTOM COLUMN.

    Add a custom column to your inventory.

  3. In the Add Custom Column dialog box, add the new column name (up to 250 characters UTF), and then select Automatic. The UPLOAD SCRIPT and TEST SCRIPT options appear.

    Automatically add custom columns.

  4. Upload and test the script that you received from Microsoft Support.

Retrieve information from the device inventory

You can retrieve an extensive range of device information detected by managed sensors and integrate that information with partner systems. For example, you can retrieve sensor, zone, site ID, IP address, MAC address, firmware, protocol, and vendor information. Filter information that you retrieve based on:

  • Authorized and unauthorized devices.

  • Devices associated with specific sites.

  • Devices associated with specific zones.

  • Devices associated with specific sensors.

Work with Defender for IoT API commands to retrieve and integrate this information. For more information, see Defender for IoT API sensor and management console APIs.

Filter the device inventory

You can filter the device inventory to show columns of interest. For example, you can view PLC device information.

Screenshot of the device inventory.

The filter is cleared when you leave the window.

To use the same filter multiple times, you can save a filter or a combination of filters that you need. You can open a left pane and view the filters that you've saved:

Device inventories screen.

To filter the device inventory:

  1. In the column that you want to filter, select .

  2. In the Filter dialog box, select the filter type:

    • Equals: The exact value according to which you want to filter the column. For example, if you filter the protocol column according to Equals and value=ICMP, the column will present devices that use the ICMP protocol only.

    • Contains: The value that's contained among other values in the column. For example, if you filter the protocol column according to Contains and value=ICMP, the column will present devices that use the ICMP protocol as a part of the list of protocols that the device uses.

  3. To organize the column information according to alphabetical order, select . Arrange the order by selecting the and arrows.

  4. To save a new filter, define the filter and select Save As.

  5. To change the filter definitions, change the definitions and select Save Changes.

Next steps

Investigate sensor detections in a device inventory