
Connecting Azure Defender for IoT into Azure Sentinel

Dan Mitchell - Cloud Consultant, Satisnet

Azure Defender for IoT (previously CyberX) is a powerful tool that can be used to secure and monitor your IoT devices. To get the full benefits of this agentless security tool, many are taking advantage of the new Azure Sentinel integrations and utilising the powerful log analytics and security alerting that it offers. In this blog, we’ll take a look at how this can be accomplished.


Cost Considerations


Before configuring Azure Defender for IoT, it’s important to understand the pricing model. As an example, in UK South as of 1st April 2021, Azure Defender for IoT costs $2,000 per 1,000 committed devices per month. If you are just testing Azure Defender for IoT out, there is a 30-day trial for the first 1,000 committed devices, but be sure to clean up any resources afterwards so as not to incur a surprise bill.


Official pricing can be found here.


Onboarding Subscription and Deploying a Sensor


Downloading and Installing the Operating System

Firstly, you’ll need to onboard a subscription. To do this, you must have an account with at least the Security Administrator role on the subscription that you want to onboard. Once you have the correct permissions, go to the Azure Defender for IoT dashboard within the Azure portal. From here, under the “Getting started” pane, click on “Onboard subscription”.


Select “Onboard subscription” again, then click the subscription you would like to onboard, along with how many committed devices you want to be licenced for.


Now that you’ve onboarded a subscription with a set number of committed devices, it’s time to onboard a sensor! On the “Getting started” pane, click the “Sensor” tab. From here, after selecting the latest stable version, select the “Download” option in the “Purchase an appliance and install software” box. This will download an ISO for the sensor appliance. You can install this on a physical box, or as a virtual machine.

The machine that it’s installed on must have a minimum of two NICs and should meet one of these specifications (NOTE: it is recommended you add slightly more storage, for example 10 GB extra, just to ensure that there is enough space):

1) Enterprise: recommended 8 CPUs, 32 GB RAM and 1.8 TB of storage.

2) Small Business: recommended 4 CPUs, 8 GB RAM and 500 GB of storage.

3) Office: recommended 4 CPUs, 8 GB RAM and 100 GB of storage.

4) Ruggedised: recommended 4 CPUs, 8 GB RAM and 60 GB of storage.

5) (NOT RECOMMENDED, CURRENTLY NOT WORKING AS OF VERSION 10.0.3.12) Portable: recommended 2 CPUs, 4 GB RAM and 8 GB of storage.


You should consider where on your network to place the sensor; there will be one network adapter for your management interface and others for IoT traffic to be fed into (from a SPAN port for instance). For more information on where to deploy your sensor and how to set up your network, you can view the official Microsoft documentation, located here.

The machine that the appliance is to be installed on should have two NICs: one for data and one for management. To install the operating system on a physical appliance, you can use Rufus, for example, to create a bootable USB from the ISO, or you could burn the ISO to a disc. If you plan to use a virtual machine, attach the ISO to the virtual disc drive of the VM.


In this example, I’ll be using a Hyper-V virtual machine; however, the process should be the same when installing on a physical server or on a virtual machine on another hypervisor. For virtual machines, check the Microsoft documentation to ensure the virtual machine is configured with the correct settings (https://docs.microsoft.com/en-us/azure/defender-for-iot/how-to-install-software). Follow the next steps to install the operating system:


1) First, choose your language.

2) Next, choose the type of deployment you want to use. Again, it is recommended not to use Portable, as it is not working as of version 10.0.3.12. For this demo, I will use Ruggedised, which is recommended for any testing.

3) Wait for the initial setup process to finish. This may take a while.

4) Once this is done, you will be asked to configure your hardware profile. Just enter the name of the deployment you chose.

5) Following this, configure your network settings. Double-check that all your settings are correct, then type “Y” and hit enter. If not, enter “n” and you will be able to redo this process.

6) Again, wait for the setup to finish. This may take some time.

7) Once the setup is finished, it’s important that you note down the credentials that are given to you before you hit enter. Save them in a secure password manager. However, if you forget and hit enter before noting down the credentials, you shouldn’t worry: you can reset the password by editing the GRUB config file on boot. Because anyone with console access could do the same, it is recommended that you set a password for the GRUB interface at some point to prevent unauthorised users from resetting the credentials this way.

The setup of the operating system is now complete! Now we can move on and get the sensor cloud connected.


Getting Your Sensor Cloud Connected

Provided you are on the same network as your management interface, you should now be able to browse to your management interface at https://[your management IP address]/. As of version 10.0.3.12, the only supported browsers are modern versions of Google Chrome and Internet Explorer.


Once you have verified that you can connect to the management interface, you’ll need to onboard your sensors. Follow the instructions below to do this:

1) Go to the Azure portal, then to Defender for IoT.

2) Go onto the “Sites and sensors” section, then click “Onboard sensor”.

3) Ensure that “On the cloud” is selected for where the sensor is being installed as this will connect the sensor into IoT Hub. You will need to create an IoT Hub, which is where the alerts will be parsed and then forwarded to Sentinel. Go through the process of creating your IoT Hub, then provide a name, and a zone if you wish, to the sensor. You could assign the sensor’s name as the IP address you are using for the sensor to make this easier to manage.

4) Once you have registered your sensor, download the activation file and store it somewhere safe.

5) Go to your sensor’s management console and login with your details. (NOTE: If you reset the password of the accounts through GRUB, you’ll need to click on “Password recovery”. From there, you can upload your activation file and retrieve the passwords for the accounts.)

6) Once logged in, simply upload your activation file, and your sensor will automatically connect itself to IoT Hub! Be sure that your firewall rules allow for the sensor to reach Azure. See Azure’s documentation for the ports required: https://docs.microsoft.com/en-us/azure/defender-for-iot/how-to-set-up-your-network#network-access-requirements

7) The final step is to activate the connector on Sentinel. To do this, go to Azure Sentinel from the portal, go to the “Data connectors” tab, then find “Azure Defender for IoT”. Click “Open connector page”.

8) Now simply click “Connect” for your subscription that you enrolled for Azure Defender for IoT. All done!

Alerts can be delayed when reaching Sentinel; allow up to 15 minutes for them to appear.
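As an added example (not part of the original post), the following KQL query, run in the Sentinel Logs blade, confirms that alerts from the connector are arriving and measures how long each one took to be ingested against the 15-minute figure above. It assumes the connector writes Defender for IoT alerts to the SecurityAlert table with ProviderName “IoTSecurity”; verify that value against your own workspace before relying on it.

```kusto
// Added example: verify Defender for IoT alerts are reaching Sentinel
// and measure the delay between the alert timestamp and ingestion.
// Assumption: the connector populates SecurityAlert with
// ProviderName == "IoTSecurity" (check with a distinct ProviderName query first).
SecurityAlert
| where TimeGenerated > ago(24h)
| where ProviderName == "IoTSecurity"
// ingestion_time() is when Log Analytics received the record;
// TimeGenerated is the alert's own timestamp. The difference is the delay.
| extend IngestionDelayMin = datetime_diff("minute", ingestion_time(), TimeGenerated)
| summarize
    Alerts      = count(),
    LastAlert   = max(TimeGenerated),
    AvgDelayMin = avg(IngestionDelayMin),
    MaxDelayMin = max(IngestionDelayMin),
    Over15Min   = countif(IngestionDelayMin > 15)   // alerts slower than the documented window
  by AlertSeverity, AlertName
| order by MaxDelayMin desc
```

An empty result after the connector has been enabled and the sensor has been generating alerts for more than 15 minutes usually points at the firewall rules or the activation file rather than at Sentinel itself.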


Need Further Assistance?


If your company is looking to use Azure Defender for IoT and would like help, please reach out to Satisnet using the Contact tab!