Set up SNMP MIB health monitoring on an OT sensor
This article describes how to configure your OT sensors for health monitoring via an authorized SNMP monitoring server. SNMP queries are polled up to 50 times a second, using UDP over port 161.
Setup for SNMP monitoring includes configuring settings on your OT sensor and on your SNMP server. To define Defender for IoT sensors on your SNMP server, either define your settings manually or use a predefined SNMP MIB file downloaded from the Azure portal.
Prerequisites
Before you perform the procedures in this article, make sure that you have the following:
An SNMP monitoring server, using SNMP versions 2 or 3. If you're using SNMP version 3 and want to use AES and 3-DES encryption, you must also have:
- A network management station (NMS) that supports SNMP version 3
- An understanding of SNMP terminology, and the SNMP architecture in your organization
- The UDP port 161 open in your firewall
Have the following details of your SNMP server ready:
- IP address
- Username and password
- Authentication type: MD5 or SHA
- Encryption type: DES or AES
- Secret key
- SNMP v2 community string
An OT sensor installed and activated, with access as an Admin user. For more information, see On-premises users and roles for OT monitoring with Defender for IoT.
To download a predefined SNMP MIB file from the Azure portal, you need access to the Azure portal as a Security admin, Contributor, or Owner user. For more information, see Azure user roles and permissions for Defender for IoT.
Configure SNMP monitoring settings on your OT sensor
Sign into your OT sensor and select System settings > Sensor management > Health and troubleshooting > SNMP MIB monitoring.
In the SNMP MIB monitoring configuration pane, select + Add host and enter the following details:
Host 1: Enter the IP address of your SNMP monitoring server. Select + Add host again if you have multiple servers, as many times as needed.
SNMP V2: Select if you're using SNMP version 2, and then enter your SNMP V2 community string. A community string can have up to 32 alphanumeric characters, and no spaces.
SNMP V3: Select if you're using SNMP version 3, and then enter the following details:
Name | Description |
---|---|
Username and Password | Enter the SNMP v3 credentials used to access the SNMP server. Both usernames and passwords must be configured on both the OT sensor and the SNMP server. Usernames can include up to 32 alphanumeric characters, and no spaces. Passwords are case-sensitive, and can include 8-12 alphanumeric characters. |
Auth Type | Select the authentication type used to access the SNMP server: MD5 or SHA |
Encryption | Select the encryption used when communicating with the SNMP server: DES (56-bit key size): RFC3414 User-based Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3); AES (AES 128 bits supported): RFC3826 The Advanced Encryption Standard (AES) Cipher Algorithm in the SNMP User-based Security Model. |
Secret Key | Enter a secret key used when communicating with the SNMP server. The secret key must have exactly eight alphanumeric characters. |
Select Save to save your changes.
Download Defender for IoT's SNMP MIB file
Defender for IoT in the Azure portal provides a downloadable MIB file for you to load into your SNMP monitoring system to predefine Defender for IoT sensors.
To download the SNMP MIB file from Defender for IoT on the Azure portal, select Sites and sensors > More actions > Download SNMP MIB file.
OT sensor OIDs for manual SNMP configurations
If you're configuring Defender for IoT sensors on your SNMP monitoring system manually, use the following table for reference regarding sensor object identifier values (OIDs):
Management console and sensor | OID | Format | Description |
---|---|---|---|
sysDescr | 1.3.6.1.2.1.1.1 | DISPLAYSTRING | Returns Microsoft Defender for IoT |
Platform | 1.3.6.1.2.1.1.1.0 | STRING | Sensor or on-premises management console |
sysObjectID | 1.3.6.1.2.1.1.2 | DISPLAYSTRING | Returns the private MIB allocation, for example 1.3.6.1.4.1.53313.1.1 is the private OID root for 1.3.6.1.4.1.53313 |
sysUpTime | 1.3.6.1.2.1.1.3 | DISPLAYSTRING | Returns the sensor uptime in hundredths of a second |
sysContact | 1.3.6.1.2.1.1.4 | DISPLAYSTRING | Returns the textual name of the admin user for this sensor |
Vendor | 1.3.6.1.2.1.1.4.0 | STRING | Microsoft Support (support.microsoft.com) |
sysName | 1.3.6.1.2.1.1.5 | DISPLAYSTRING | Returns the appliance name |
Appliance name | 1.3.6.1.2.1.1.5.0 | STRING | Appliance name for the on-premises management console |
sysLocation | 1.3.6.1.2.1.1.6 | DISPLAYSTRING | Returns the default location Portal.azure.com |
sysServices | 1.3.6.1.2.1.1.7 | INTEGER | Returns a value indicating the service this entity offers, for example, 7 signifies “applications” |
ifIndex | 1.3.6.1.2.1.2.2.1.1 | GAUGE32 | Returns the sequential ID numbers for each network card |
ifDescription | 1.3.6.1.2.1.2.2.1.2 | DISPLAYSTRING | Returns a string of the hardware description for each network interface card |
ifType | 1.3.6.1.2.1.2.2.1.3 | INTEGER | Returns the type of network adapter, for example 1.3.6.1.2.1.2.2.1.3.117 signifies Gigabit Ethernet |
ifMtu | 1.3.6.1.2.1.2.2.1.4 | GAUGE32 | Returns the MTU value for this network adapter. Note monitoring interfaces don't show an MTU value |
ifspeed | 1.3.6.1.2.1.2.2.1.5 | GAUGE32 | Returns the interface speed for this network adapter |
Serial number | 1.3.6.1.4.1.53313.1 | STRING | String that the license uses |
Software version | 1.3.6.1.4.1.53313.2 | STRING | Xsense full-version string and management full-version string |
CPU usage | 1.3.6.1.4.1.53313.3.1 | GAUGE32 | Indication for zero to 100 |
CPU temperature | 1.3.6.1.4.1.53313.3.2 | STRING | Celsius indication for zero to 100 based on Linux input. Any machine that has no actual physical temperature sensor (for example VMs) returns "No sensors found" |
Memory usage | 1.3.6.1.4.1.53313.3.3 | GAUGE32 | Indication for zero to 100 |
Disk Usage | 1.3.6.1.4.1.53313.3.4 | GAUGE32 | Indication for zero to 100 |
Service Status | 1.3.6.1.4.1.53313.5 | STRING | Online or offline if one of the four crucial components has failed |
Locally/cloud connected | 1.3.6.1.4.1.53313.6 | STRING | Activation mode of this appliance: Cloud Connected / Locally Connected |
License status | 1.3.6.1.4.1.53313.7 | STRING | Activation period of this appliance: Active / Expiration Date / Expired |
Note that:
- Nonexistent keys respond with null, HTTP 200.
- Hardware-related MIBs (CPU usage, CPU temperature, memory usage, disk usage) should be tested on all architectures and physical sensors. CPU temperature on virtual machines is expected to be not applicable.
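The following added example (not part of the original article and not Microsoft's code) walks the private health OIDs from the table with net-snmp's `snmpwalk` over SNMPv3 authPriv and flags unhealthy values, including the case where the sensor returns nothing. The environment variable names, the 90 percent threshold, the mapping of the sensor's Password and Secret key fields to the `-A` and `-X` passphrases, and the optional trailing `.0` instance suffix are assumptions.

```shell
#!/bin/sh
# Added example, not Microsoft's code. Assumes net-snmp's snmpwalk is installed.
# SENSOR_HOST/USER/AUTH/PRIV and THRESHOLD are hypothetical environment variables;
# the 90 percent default and the Password -> -A, Secret key -> -X mapping are assumptions.
HEALTH_ROOT=1.3.6.1.4.1.53313   # private OID root from the table

# SNMPv3 authPriv walk (SHA + AES rather than the weaker MD5/DES); -On = numeric OIDs.
poll_sensor() {
  snmpwalk -v3 -l authPriv -u "$SENSOR_USER" -a SHA -A "$SENSOR_AUTH" \
    -x AES -X "$SENSOR_PRIV" -On -t 2 -r 1 "$1" "$HEALTH_ROOT" 2>/dev/null
}

# Constructed sample of `snmpwalk -On` output so the script runs offline.
sample_walk() {
  cat <<'EOF'
.1.3.6.1.4.1.53313.3.1.0 = Gauge32: 97
.1.3.6.1.4.1.53313.3.3.0 = Gauge32: 41
.1.3.6.1.4.1.53313.3.4.0 = Gauge32: 55
.1.3.6.1.4.1.53313.5.0 = STRING: "Offline"
.1.3.6.1.4.1.53313.7.0 = STRING: "Active"
EOF
}

# Reads walk output on stdin; prints one ALERT line per finding, or OK.
evaluate_health() {
  awk -v root="$HEALTH_ROOT" -v max="${THRESHOLD:-90}" '
    {
      oid = $1; sub(/^\./, "", oid); sub(/\.0$/, "", oid)      # drop leading dot and .0 instance
      if (index(oid, root ".") != 1) next                      # ignore lines outside the subtree
      v = $0; sub(/^[^=]*= *[^:]*: */, "", v); gsub(/"/, "", v) # strip "OID = TYPE: " and quotes
      seen++
      if      (oid == root ".3.1" && v + 0 > max) { print "ALERT cpu=" v; bad = 1 }
      else if (oid == root ".3.3" && v + 0 > max) { print "ALERT memory=" v; bad = 1 }
      else if (oid == root ".3.4" && v + 0 > max) { print "ALERT disk=" v; bad = 1 }
      else if (oid == root ".5" && tolower(v) != "online") { print "ALERT service=" v; bad = 1 }
      else if (oid == root ".7" && tolower(v) == "expired") { print "ALERT license=" v; bad = 1 }
    }
    END { if (!seen) print "ALERT no-data"; else if (!bad) print "OK" }'
}

if [ -n "${SENSOR_HOST:-}" ]; then
  poll_sensor "$SENSOR_HOST" | evaluate_health   # live poll of the sensor
else
  sample_walk | evaluate_health                  # offline run on the constructed sample
fi
```

On a shared monitoring host, keep the credentials in net-snmp's `snmp.conf` rather than passing `-A` and `-X`, since command-line arguments are visible in the process list.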
Next steps
For more information, see Maintain OT network sensors from the GUI.