Commit 01a62b6

prmerger-automator[bot] and bmansheim authored and committed
Merge pull request #228847 from yoninalmsft/22.3.6-sensor
22.3.6 sensor device inventory updates
2 parents d12460d + cb12fcb commit 01a62b6

8 files changed: +104 -108 lines changed

.openpublishing.redirection.defender-for-cloud.json

Lines changed: 5 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -804,6 +804,11 @@
804804
"source_path_from_root": "/articles/defender-for-cloud/supported-machines-endpoint-solutions-clouds-servers.md",
805805
"redirect_url": "/azure/defender-for-cloud/support-matrix-defender-for-servers",
806806
"redirect_document_id": true
807+
},
808+
{
809+
"source_path_from_root": "/articles/defender-for-cloud/faq-azure-monitor-logs.yml",
810+
"redirect_url": "/azure/defender-for-cloud/faq-data-collection-agents",
811+
"redirect_document_id": true
807812
}
808813
]
809814
}
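
Review bot: On new lines 809-811 the redirect sets "redirect_document_id": true, but its target, faq-data-collection-agents.yml, is an existing page that this same commit modifies rather than creates. Confirm that carrying the deleted FAQ's document ID over to that page is intended; if the old content was only partly folded into it, false may be the better value. Also check that a .yml source path is handled the same way as the .md entry directly above it.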

articles/defender-for-cloud/TOC.yml

Lines changed: 0 additions & 2 deletions
@@ -23,8 +23,6 @@
2323
href: faq-data-collection-agents.yml
2424
- name: Azure Virtual Machines questions
2525
href: faq-vms.yml
26-
- name: Azure Log Analytics questions
27-
href: faq-azure-monitor-logs.yml
2826

2927
- name: Quickstarts
3028
items:

articles/defender-for-cloud/faq-azure-monitor-logs.yml

Lines changed: 0 additions & 47 deletions
This file was deleted.

articles/defender-for-cloud/faq-data-collection-agents.yml

Lines changed: 69 additions & 37 deletions
Large diffs are not rendered by default.

articles/defender-for-cloud/faq-defender-for-servers.yml

Lines changed: 7 additions & 7 deletions
@@ -6,7 +6,7 @@ metadata:
66
ms.service: defender-for-cloud
77
author: bmansheim
88
ms.author: benmansheim
9-
ms.date: 11/29/2022
9+
ms.date: 03/05/2023
1010
title: Frequently asked questions for Defender for Servers
1111
summary: Get answers to common questions about Microsoft Defender for Servers.
1212

@@ -17,7 +17,7 @@ sections:
1717
- question: |
1818
Can I enable Defender for Servers on a subset of machines in a subscription?
1919
answer: |
20-
No. When you enable Microsoft Defender for Servers on an Azure subscription or on a connected AWS account or GCP project, all connected machines are protected by Defender for Servers. This includes servers that don't have the Log Analytics agent or Azure Monitor agent installed.
20+
No. When you enable Microsoft Defender for Servers on an Azure subscription or on a connected AWS account or GCP project, all connected machines are protected by Defender for Servers. Servers that don't have the Log Analytics agent or Azure Monitor agent installed are also protected.
2121
2222
- question: |
2323
Can I get a discount if I already have a Microsoft Defender for Endpoint license?
@@ -58,7 +58,7 @@ sections:
5858
- question: |
5959
Do I need to enable Defender for Servers on the subscription and on the workspace?
6060
answer: |
61-
Defender for Servers Plan 1 does not depend on Log Analytics. When you enable Defender for Servers Plan 2 at the subscription level, Defender for Cloud automatically enables the plan on your default Log Analytics workspaces. If you use a custom workspace, make sure you enable the plan on the workspace. Here's more information:
61+
Defender for Servers Plan 1 doesn't depend on Log Analytics. When you enable Defender for Servers Plan 2 at the subscription level, Defender for Cloud automatically enables the plan on your default Log Analytics workspaces. If you use a custom workspace, make sure you enable the plan on the workspace. Here's more information:
6262
6363
- If you turn on Defender for Servers for a subscription and for a connected custom workspace, you aren't charged for both. The system identifies unique VMs.
6464
- If you enable Defender for Servers on cross-subscription workspaces:
@@ -67,11 +67,11 @@ sections:
6767
6868
6969
- question: |
70-
Is the free allowance applied per workspace or per machine?
70+
Is the 500 MB of free data ingestion allowance applied per workspace or per machine?
7171
answer: |
72-
For every VM that's connected to the workspace, you get 500 MB of free data ingestion per day. The allowance is specifically for the security data types that are directly collected by Defender for Cloud.
72+
When you have [Defender for Servers Plan 2](plan-defender-for-servers-select-plan.md) enabled, you get 500 MB of free data ingestion per day. The allowance is specifically for the security data types that are directly collected by Defender for Cloud.
7373
74-
This allowance is a daily rate that's averaged across all nodes. Your total daily free limit is equal to \[number of machines\] × 500 MB. Even if some machines send 100 MB and others send 800 MB, if the total doesn't exceed your total daily free limit, you aren't charged extra.
74+
This allowance is a daily rate that's averaged across all nodes. Your total daily free limit is equal to \[number of machines\] × 500 MB. You aren't charged extra if the total doesn't exceed your total daily free limit, even if some machines send 100 MB and others send 800 MB.
7575
7676
- question: |
7777
What data types are included in the daily allowance?
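
Review bot: New line 72 no longer answers the question asked on line 70. The question is whether the allowance is per workspace or per machine, but the answer now says only "you get 500 MB of free data ingestion per day"; the per-machine basis survives only in the formula on line 74. Suggest stating it in the first sentence, for example "you get 500 MB of free data ingestion per machine per day". The reworded question on line 70 ("Is the 500 MB of free data ingestion allowance applied") also reads awkwardly and could be "Is the 500 MB free data ingestion allowance applied".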
@@ -93,7 +93,7 @@ sections:
9393
- question: |
9494
Am I charged for machines that don't have Log Analytics installed?
9595
answer: |
96-
Yes. When you enable Defender for Servers on an Azure subscription, connected AWS account, or connected GCP project, you're charged for all machines that are connected to your Azure subscription or your AWS account. The term *machines* includes Azure virtual machines, instances of Azure Virtual Machine Scale Sets, and Azure Arc-enabled servers. Machines that don't have Log Analytics installed are covered by protections that don't depend on the Log Analytics agent.
96+
Yes. You are charged for all machines that are protected by Defender for Servers in Azure subscriptions, connected AWS accounts, or connected GCP projects. The term *machines* includes Azure virtual machines, instances of Azure Virtual Machine Scale Sets, and Azure Arc-enabled servers. Machines that don't have Log Analytics installed are covered by protections that don't depend on the Log Analytics agent.
9797
9898
- question: |
9999
If an agent reports to multiple workspaces, am I charged twice?
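
Review bot: New line 96 opens with "You are charged", while line 61 in this same commit changes "does not" to "doesn't"; use "You're charged" to keep the contraction style consistent. The rewritten sentence now covers connected AWS accounts and GCP projects, but the definition of *machines* that follows still lists only Azure resource types, so readers with AWS or GCP connectors cannot tell from this answer which of their machines are billed. Consider extending the definition or linking to where it is given.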

articles/defender-for-cloud/monitoring-components.md

Lines changed: 1 addition & 1 deletion
@@ -98,7 +98,7 @@ The following use cases explain how deployment of the Log Analytics agent works
9898
- **A pre-existing VM extension is present**:
9999
- When the Monitoring Agent is installed as an extension, the extension configuration allows reporting to only a single workspace. Defender for Cloud doesn't override existing connections to user workspaces. Defender for Cloud will store security data from the VM in the workspace already connected, if the "Security" or "SecurityCenterFree" solution has been installed on it. Defender for Cloud may upgrade the extension version to the latest version in this process.
100100
- To see to which workspace the existing extension is sending data to, run the test to [Validate connectivity with Microsoft Defender for Cloud](/archive/blogs/yuridiogenes/validating-connectivity-with-azure-security-center). Alternatively, you can open Log Analytics workspaces, select a workspace, select the VM, and look at the Log Analytics agent connection.
101-
- If you have an environment where the Log Analytics agent is installed on client workstations and reporting to an existing Log Analytics workspace, review the list of [operating systems supported by Microsoft Defender for Cloud](security-center-os-coverage.md) to make sure your operating system is supported. For more information, see [Existing log analytics customers](./faq-azure-monitor-logs.yml).
101+
- If you have an environment where the Log Analytics agent is installed on client workstations and reporting to an existing Log Analytics workspace, review the list of [operating systems supported by Microsoft Defender for Cloud](security-center-os-coverage.md) to make sure your operating system is supported.
102102

103103
Learn more about [working with the Log Analytics agent](working-with-log-analytics-agent.md).
104104
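
Review bot: Line 101 drops the "Existing log analytics customers" pointer outright instead of retargeting it. This commit redirects faq-azure-monitor-logs.yml to faq-data-collection-agents, so if that guidance moved there, link to the new location rather than removing the reference; if the guidance was retired, the removal is fine as it stands.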

articles/defender-for-iot/organizations/how-to-investigate-sensor-detections-in-a-device-inventory.md

Lines changed: 20 additions & 12 deletions
@@ -1,7 +1,7 @@
11
---
22
title: Manage your OT device inventory from a sensor console
33
description: Learn how to view and manage OT devices (assets) from the Device inventory page on a sensor console.
4-
ms.date: 07/21/2022
4+
ms.date: 02/28/2023
55
ms.topic: how-to
66
---
77

@@ -49,7 +49,13 @@ If you're working with a cloud-connected sensor, any edits you make in the senso
4949

5050
**To edit device details**:
5151

52-
1. Select one or more devices in the grid, and then select **View full details** in the pane on the right.
52+
1. Select a device in the grid, and then select **Edit** in the toolbar at the top of the page.
53+
54+
1. In the **Edit** pane on the right, modify the device fields as needed, and then select **Save** when you're done.
55+
56+
You can also open the edit pane from the device details page:
57+
58+
1. Select a device in the grid, and then select **View full details** in the pane on the right.
5359

5460
1. In the device details page, select **Edit Properties**.
5561

@@ -61,8 +67,9 @@ Editable fields include:
6167
- Device name
6268
- Device type
6369
- OS
64-
- Purdue layer
70+
- Purdue level
6571
- Description
72+
- Scanner or programming device
6673

6774
For more information, see [Device inventory column reference](#device-inventory-column-reference).
6875
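
Review bot: The renamed "Purdue level" on line 70 and the new "Scanner or programming device" on line 72 are followed by a link to the device inventory column reference on line 74, which this hunk does not touch. Check that the column reference uses the same two names and has an entry for the new field; otherwise the link sends readers to a table that still says "Purdue layer" or omits the field.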

@@ -91,11 +98,9 @@ For example, if you merge two devices, each with an IP address, both IP addresse
9198

9299
**To merge devices from the device inventory:**
93100

94-
1. Use the SHIFT key to select two devices from the inventory, and then right-click one of them.
101+
In the device inventory grid, select the devices you want to merge, and then select **Merge** in the toolbar at the top of the page.
95102

96-
1. Select **Merge** to merge the devices. This can take up to 2 minutes to complete.
97-
98-
1. When the **Set merge device attributes** dialog appears, enter a meaningful name for your merged device, and then select **Save**.
103+
The devices are merged, and a confirmation message appears at the top right.
99104

100105
## View inactive devices
101106
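
Review bot: The merge procedure on lines 101-103 is no longer a numbered list, unlike the edit and delete procedures in this file, and it drops two things the old text stated: that the merge "can take up to 2 minutes to complete" and the **Set merge device attributes** dialog where the merged device was named. If the dialog is gone in this version, say which device's name and attributes the merged record keeps, since the only outcome now described is a confirmation message.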

@@ -120,14 +125,17 @@ You may want to delete devices from your device inventory, such as if they've be
120125

121126
Deleted devices are removed from the **Device map** and the device inventories on the Azure portal and on-premises management console, and aren't calculated when generating reports, such as Data Mining, Risk Assessment, or Attack Vector reports.
122127

123-
**To delete a single device**:
128+
**To delete one or more devices**:
129+
130+
You can delete a device when it's been inactive for more than 10 minutes.
131+
132+
1. In the **Device inventory** page, select the device or devices you want to delete, and then select **Delete** :::image type="icon" source="media/how-to-manage-device-inventory-on-the-cloud/delete-device.png" border="false"::: in the toolbar at the top of the page.
124133

125-
You can delete a single device when they’ve been inactive for more than 10 minutes.
134+
1. At the prompt, select **Confirm** to confirm that you want to delete the device from Defender for IoT.
126135

127-
1. In the **Device inventory** page, select the device you want to delete, and then select **Delete** :::image type="icon" source="media/how-to-manage-device-inventory-on-the-cloud/delete-device.png" border="false"::: in the toolbar at the top of the page.
128-
1. At the prompt, select **Yes** to confirm that you want to delete the device from Defender for IoT.
136+
A confirmation message appears at the top right.
129137

130-
**To delete all inactive devices**
138+
**To delete all inactive devices**:
131139

132140
This procedure is supported for the *cyberx* and admin users only.
133141
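
Review bot: The multi-select procedure on lines 128-136 states no role requirement, while the bulk procedure on line 140 is limited to "the *cyberx* and admin users only". Because line 126 says deleted devices are dropped from the Device map and from Risk Assessment and Attack Vector reports, state which users can run the multi-select delete as well. The precondition on line 130 is also singular ("a device when it's been inactive") under a heading for one or more devices; say whether every selected device must have been inactive for more than 10 minutes.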

articles/defender-for-iot/organizations/references-data-retention.md

Lines changed: 2 additions & 2 deletions
@@ -18,8 +18,8 @@ The following table lists how long device data is stored in each Defender for Io
1818
| Storage type | Details |
1919
|---------|---------|
2020
| **Azure portal** | 90 days from the date of the **Last activity** value. <br><br> For more information, see [Manage your device inventory from the Azure portal](how-to-manage-device-inventory-for-organizations.md). |
21-
| **OT network sensor** | The retention of device inventory data isn't limited by time. <br><br> For more information, see [Manage your OT device inventory from a sensor console](how-to-investigate-sensor-detections-in-a-device-inventory.md). |
22-
| **On-premises management console** | The retention of device inventory data isn't limited by time. <br><br> For more information, see [Manage your OT device inventory from an on-premises management console](how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md). |
21+
| **OT network sensor** | 90 days from the date of the **Last activity** value. <br><br> For more information, see [Manage your OT device inventory from a sensor console](how-to-investigate-sensor-detections-in-a-device-inventory.md). |
22+
| **On-premises management console** | 90 days from the date of the **Last activity** value. <br><br> For more information, see [Manage your OT device inventory from an on-premises management console](how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md). |
2323

2424
## Alert data retention
2525
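
Review bot: New lines 21 and 22 change the OT network sensor and on-premises management console rows from "isn't limited by time" to "90 days from the date of the **Last activity** value" with no version qualifier, although the merged branch is named 22.3.6-sensor. If the 90-day limit applies only from that sensor version, say so in the table, and note what happens to older inventory records on upgrade. Teams that rely on long-lived inventory history for investigations need to know when to export it.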
