Merge pull request #222522 from Shereen-Bhar/Clarify-scope-for-forwarding-alert-rules

prmerger-automator[bot] · web-flow · commit 02453da446b3 · 2023-01-08T13:07:49.000Z
Clarify scope for forwarding alert rules
diff --git a/articles/defender-for-iot/organizations/integrations/arcsight.md b/articles/defender-for-iot/organizations/integrations/arcsight.md
@@ -28,6 +28,8 @@ For more information, see the [ArcSight SmartConnectors Documentation](https://w
 
 This procedure describes how to create a forwarding rule from your OT sensor to send Defender for IoT alerts from that sensor to ArcSight.
 
+Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.
+
 For more information, see [Forward alert information](../how-to-forward-alert-information-to-partners.md).
 
 1. Sign in to your OT sensor console and select **Forwarding** on the left.
diff --git a/articles/defender-for-iot/organizations/integrations/logrhythm.md b/articles/defender-for-iot/organizations/integrations/logrhythm.md
@@ -19,6 +19,8 @@ Before you begin, make sure that you have the following prerequisites:
 
 This procedure describes how to create a forwarding rule from your OT sensor to send Defender for IoT alerts from that sensor to LogRhythm.
 
+Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.
+
 For more information, see [Forward alert information](../how-to-forward-alert-information-to-partners.md).
 
 1. Sign in to your OT sensor console and select **Forwarding** on the left.
diff --git a/articles/defender-for-iot/organizations/integrations/netwitness.md b/articles/defender-for-iot/organizations/integrations/netwitness.md
@@ -21,6 +21,8 @@ Before you begin, make sure that you have the following prerequisites:
 
 This procedure describes how to create a forwarding rule from your OT sensor to send Defender for IoT alerts from that sensor to NetWitness.
 
+Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.
+
 For more information, see [Forward alert information](../how-to-forward-alert-information-to-partners.md).
 
 1. Sign in to your OT sensor console and select **Forwarding** on the left.
diff --git a/articles/defender-for-iot/organizations/integrations/service-now-legacy.md b/articles/defender-for-iot/organizations/integrations/service-now-legacy.md
@@ -7,45 +7,47 @@ ms.date: 08/11/2022
 
 # Tutorial: Integrate ServiceNow with Microsoft Defender for IoT (legacy)
 
-> [!Note]
+> [!NOTE]
 > A new [Operational Technology Manager](https://store.servicenow.com/sn_appstore_store.do#!/store/application/31eed0f72337201039e2cb0a56bf65ef/1.1.2?referer=%2Fstore%2Fsearch%3Flistingtype%3Dallintegrations%25253Bancillary_app%25253Bcertified_apps%25253Bcontent%25253Bindustry_solution%25253Boem%25253Butility%25253Btemplate%26q%3Doperational%2520technology%2520manager&sl=sh) integration is now available from the ServiceNow store. The new integration streamlines Microsoft Defender for IoT sensor appliances, OT assets, network connections, and vulnerabilities to ServiceNow’s Operational Technology (OT) data model.
 >
 >Please read the ServiceNow’s supporting links and docs for the ServiceNow's terms of service.
 >
 >Microsoft Defender for IoT's legacy integration with ServiceNow is not affected by the new integrations and Microsoft will continue supporting it.  
 >
 > For more information, see the new [ServiceNow integrations](../tutorial-servicenow.md), and the ServiceNow documentation on the ServiceNow store:
+>
 >- [Service Graph Connector (SGC)](https://store.servicenow.com/sn_appstore_store.do#!/store/application/ddd4bf1b53f130104b5cddeeff7b1229)
 >- [Vulnerability Response (VR)](https://store.servicenow.com/sn_appstore_store.do#!/store/application/463a7907c3313010985a1b2d3640dd7e).
 
 This tutorial will help you learn how to integrate, and use ServiceNow with Microsoft Defender for IoT.
 
 The Defender for IoT integration with ServiceNow provides a new level of centralized visibility, monitoring, and control for the IoT and OT landscape. These bridged platforms enable automated device visibility and threat management to previously unreachable ICS & IoT devices.
 
-The ServiceNow Configuration Management Database (CMDB) is enriched, and supplemented with a rich set of device attributes that are pushed by the Defender for IoT platform. This ensures a comprehensive, and continuous visibility into the device landscape. This visibility lets you monitor, and respond from a single-pane-of-glass. 
+The ServiceNow Configuration Management Database (CMDB) is enriched, and supplemented with a rich set of device attributes that are pushed by the Defender for IoT platform. This ensures a comprehensive, and continuous visibility into the device landscape. This visibility lets you monitor, and respond from a single-pane-of-glass.
 
 In this tutorial, you learn how to:
 
 > [!div class="checklist"]
-> * Download the Defender for IoT application in ServiceNow
-> * Set up Defender for IoT to communicate with ServiceNow
-> * Create access tokens in ServiceNow
-> * Send Defender for IoT device attributes to ServiceNow
-> * Set up the integration using an HTTPS proxy
-> * View Defender for IoT detections in ServiceNow
-> * View connected devices
+>
+> - Download the Defender for IoT application in ServiceNow
+> - Set up Defender for IoT to communicate with ServiceNow
+> - Create access tokens in ServiceNow
+> - Send Defender for IoT device attributes to ServiceNow
+> - Set up the integration using an HTTPS proxy
+> - View Defender for IoT detections in ServiceNow
+> - View connected devices
 
 ## Prerequisites
 
 ### Software requirements
 
-Access to ServiceNow and Defender for IoT 
+Access to ServiceNow and Defender for IoT
 
 - ServiceNow Service Management version 3.0.2.
 
 - Defender for IoT patch 2.8.11.1 or above.
 
-> [!Note]
+> [!NOTE]
 >If you are already working with a Defender for IoT and ServiceNow integration and upgrade using the on-premises management console. In that case, the previous data from Defender for IoT sensors should be cleared from ServiceNow.
 
 ### Architecture
@@ -58,7 +60,7 @@ Access to ServiceNow and Defender for IoT
 
 ## Download the Defender for IoT application in ServiceNow
 
-To access the Defender for IoT application within ServiceNow, you will need to download the application from the ServiceNow application store. 
+To access the Defender for IoT application within ServiceNow, you will need to download the application from the ServiceNow application store.
 
 **To access the Defender for IoT application in ServiceNow**:
 
@@ -82,6 +84,8 @@ To access the Defender for IoT application within ServiceNow, you will need to d
 
 Configure Defender for IoT to push alert information to the ServiceNow tables. Defender for IoT alerts will appear in ServiceNow as security incidents. This can be done by defining a Defender for IoT forwarding rule to send alert information to ServiceNow.
 
+Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.
+
 **To push alert information to the ServiceNow tables**:
 
 1. Sign in to the on-premises management console.
@@ -123,7 +127,7 @@ Configure Defender for IoT to push alert information to the ServiceNow tables. D
       | Client Secret | Enter the client secret string you created for Defender for IoT in the **Application Registries** page in ServiceNow. |
       | Report Type | **Incidents**: Forward a list of alerts that are presented in ServiceNow with an incident ID and short description of each alert.<br /><br />**Defender for IoT Application**: Forward full alert information, including the  sensor details, the engine, the source, and destination addresses. The information is forwarded to the Defender for IoT on the ServiceNow application. |
 
-1. Select **SAVE**. 
+1. Select **SAVE**.
 
 Defender for IoT alerts will now appear as incidents in ServiceNow.
 
@@ -189,7 +193,7 @@ Defender for IoT supports an HTTPS proxy in the ServiceNow integration by enabli
 
 3. Select **Save and Exit**.
 
-4. Reset the on-premises management console using the following command: 
+4. Reset the on-premises management console using the following command:
 
     ```bash
     sudo monit restart all
@@ -227,4 +231,4 @@ There are no resources to clean up.
 
 ## Next steps
 
-In this article, you learned how to get started with the ServiceNow integration. Continue on to learn about our [Cisco integration](../tutorial-forescout.md).
+In this article, you learned how to get started with the ServiceNow integration. Continue on to learn about our [Cisco integration](../tutorial-forescout.md).
diff --git a/articles/defender-for-iot/organizations/tutorial-clearpass.md b/articles/defender-for-iot/organizations/tutorial-clearpass.md
@@ -25,6 +25,7 @@ The integration allows for the following:
 In this tutorial, you learn how to:
 
 > [!div class="checklist"]
+>
 > - Create a ClearPass API user
 > - Create a ClearPass operator profile
 > - Create a ClearPass OAuth API client
@@ -151,6 +152,8 @@ To enable viewing the device inventory in ClearPass, you need to set up Defender
 
 To enable viewing the alerts discovered by Defender for IoT in Aruba, you need to set the forwarding rule. This rule defines which information about the ICS, and SCADA security threats identified by Defender for IoT security engines is sent to ClearPass.
 
+Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.
+
 **To define a ClearPass forwarding rule on the Defender for IoT sensor**:
 
 1. In the Defender for IoT sensor, select **Forwarding** and then select **Create new rule**.
@@ -166,13 +169,12 @@ To enable viewing the alerts discovered by Defender for IoT in Aruba, you need t
 1. In the **Host** field, define the ClearPass server IP and port to send alert information.
 1. Define which alert information you want to forward.
     - **Report illegal function codes:** Protocol violations - Illegal field value violating ICS protocol specification (potential exploit).
-    -  **Report unauthorized PLC programming and firmware updates:** Unauthorized PLC changes.
-    -  **Report unauthorized PLC stop:** PLC stop (downtime). 
-    - **Report malware related alerts:** Industrial malware attempts, such as TRITON, NotPetya. 
+    - **Report unauthorized PLC programming and firmware updates:** Unauthorized PLC changes.
+    - **Report unauthorized PLC stop:** PLC stop (downtime).
+    - **Report malware related alerts:** Industrial malware attempts, such as TRITON, NotPetya.
     - **Report unauthorized scanning:** Unauthorized scanning (potential reconnaissance)
 1. Select **Save**.
 
-
 ## Monitor ClearPass and Defender for IoT communication
 
 Once the sync has started, endpoint data is populated directly into the Policy Manager EndpointDb, you can view the last update time from the integration configuration screen.
@@ -183,7 +185,6 @@ Once the sync has started, endpoint data is populated directly into the Policy M
 
 1. Select **System settings** > **Integrations** > **ClearPass**.
 
-
     :::image type="content" source="media/tutorial-clearpass/last-sync.png" alt-text="Screenshot of the view the time and date of your last sync.":::
 
 If Sync is not working, or shows an error, then it’s likely you’ve missed capturing some of the information. Recheck the data recorded, additionally you can view the API calls between Defender for IoT and ClearPass from **Guest** > **Administration** > **Support** > **Application Log**.
@@ -198,6 +199,4 @@ There are no resources to clean up.
 
 ## Next steps
 
-In this article, you learned how to get started with the ClearPass integration. Continue on to learn about our [CyberArk integration](./tutorial-cyberark.md). 
-
-
+In this article, you learned how to get started with the ClearPass integration. Continue on to learn about our [CyberArk integration](./tutorial-cyberark.md).
diff --git a/articles/defender-for-iot/organizations/tutorial-fortinet.md b/articles/defender-for-iot/organizations/tutorial-fortinet.md
@@ -37,6 +37,7 @@ Using a Business Services view, the complexity of managing network and security
 In this tutorial, you learn how to:
 
 > [!div class="checklist"]
+>
 > - Create an API key in Fortinet
 > - Set a forwarding rule to block malware-related alerts
 > - Block the source of suspicious alerts
@@ -96,6 +97,8 @@ When the API key is generated, save it as it will not be provided again.
 
 The FortiGate firewall can be used to block suspicious traffic.
 
+Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.
+
 **To set a forwarding rule to block malware-related alerts**:
 
 1. Sign in to the Microsoft Defender for IoT Management Console.
@@ -172,6 +175,8 @@ Each Defender for IoT alert is then parsed without any other configuration on th
 
 You can then use Defender for IoT's Forwarding Rules to send alert information to FortiSIEM.
 
+Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.
+
 **To use Defender for IoT's Forwarding Rules to send alert information to FortiSIEM**:
 
 1. From the sensor, or management console left pane, select **Forwarding**.
@@ -252,5 +257,3 @@ There are no resources to clean up.
 ## Next steps
 
 In this article, you learned how to get started with the Fortinet integration. Continue on to learn about our [Palo Alto integration](./tutorial-palo-alto.md)
-
-
diff --git a/articles/defender-for-iot/organizations/tutorial-palo-alto.md b/articles/defender-for-iot/organizations/tutorial-palo-alto.md
@@ -20,6 +20,7 @@ The following integration types are available:
 In this tutorial, you learn how to:
 
 > [!div class="checklist"]
+>
 > - Configure immediate blocking by a specified Palo Alto firewall
 > - Create Panorama blocking policies in Defender for IoT
 
@@ -33,7 +34,9 @@ If you don't have an Azure subscription, create a [free account](https://azure.m
 
 ## Configure immediate blocking by a specified Palo Alto firewall
 
-In cases, such as malware-related alerts, you can enable automatic blocking. Defender for IoT forwarding rules is utilized to send a blocking command directly to a specific Palo Alto firewall.
+In cases, such as malware-related alerts, you can enable automatic blocking. Defender for IoT forwarding rules are utilized to send a blocking command directly to a specific Palo Alto firewall.
+
+Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.
 
 When Defender for IoT identifies a critical threat, it sends an alert that includes an option of blocking the infected source. Selecting **Block Source** in the alert’s details activates the forwarding rule, which sends the blocking command to the specified Palo Alto firewall.
 
@@ -106,15 +109,15 @@ The first step in creating Panorama blocking policies in Defender for IoT is to
 
 1. In the console left pane, select **System settings** > **Network monitoring** > **DNS Reverse Lookup**.
 1. Select **Add DNS server**.
-1. In the **Schedule Reverse Lookup** field define the scheduling options:
+1. In the **Schedule Reverse Lookup** field, define the scheduling options:
       - By specific times: Specify when to perform the reverse lookup daily.
-    - By fixed intervals (in hours): Set the frequency for performing the reverse lookup.
-1. In the **Number of Labels** field instruct Defender for IoT to automatically resolve network IP addresses to device FQDNs. <br />To configure DNS FQDN resolution, add the number of domain labels to display. Up to 30 characters are displayed from left to right.
+      - By fixed intervals (in hours): Set the frequency for performing the reverse lookup.
+1. In the **Number of Labels** field instruct Defender for IoT to automatically resolve network IP addresses to device FQDNs. <br /> To configure DNS FQDN resolution, add the number of domain labels to display. Up to 30 characters are displayed from left to right.
 1. Add the following server details:
 
-    - **DNS Server Address**: Enter the IP address, or the FQDN of the network DNS Server.
-   - **DNS Server Port**: Enter the port used to query the DNS server.
-   - **Subnets**: Set the Dynamic IP address subnet range. The range that Defender for IoT reverses lookup their IP address in the DNS server to match their current FQDN name.
+      - **DNS Server Address**: Enter the IP address, or the FQDN of the network DNS Server.
+      - **DNS Server Port**: Enter the port used to query the DNS server.
+      - **Subnets**: Set the Dynamic IP address subnet range. The range that Defender for IoT reverses lookup their IP address in the DNS server to match their current FQDN name.
 
 1. Select **Save**.
 1. Turn on the **Enabled** toggle to activate the lookup.
@@ -125,6 +128,8 @@ The first step in creating Panorama blocking policies in Defender for IoT is to
 
 Suspicious traffic will need to be blocked with the Palo Alto firewall. You can block suspicious traffic through the use forwarding rules in Defender for IoT.
 
+Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.
+
 **To block suspicious traffic with the Palo Alto firewall using a Defender for IoT forwarding rule**:
 
 1. In the left pane, select **Forwarding**.
@@ -191,4 +196,3 @@ There are no resources to clean up.
 ## Next step
 
 In this article, you learned how to get started with the [Palo Alto integration](./tutorial-splunk.md).
-
diff --git a/articles/defender-for-iot/organizations/tutorial-qradar.md b/articles/defender-for-iot/organizations/tutorial-qradar.md
@@ -72,6 +72,8 @@ A **QID** is a QRadar event identifier. Since all Defender for IoT reports are t
 
 Create a forwarding rule from your on-premises management console to forward alerts to QRadar.
 
+Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.
+
 **To create a QRadar forwarding rule**:
 
 1. Sign in to the on-premises management console and select **Forwarding** on the left.
diff --git a/articles/defender-for-iot/organizations/tutorial-splunk.md b/articles/defender-for-iot/organizations/tutorial-splunk.md
@@ -24,6 +24,7 @@ The Splunk application can be installed locally ('Splunk Enterprise') or run on
 In this tutorial, you learn how to:
 
 > [!div class="checklist"]
+>
 > * Download the Defender for IoT application in Splunk
 > * Send Defender for IoT alerts to Splunk
 
@@ -35,17 +36,17 @@ If you don't have an Azure subscription, create a [free account](https://azure.m
 
 The following versions are required for the application to run.
 
-- Defender for IoT version 2.4 and above.
+* Defender for IoT version 2.4 and above.
 
-- Splunkbase version 11 and above.
+* Splunkbase version 11 and above.
 
-- Splunk Enterprise version 7.2 and above.
+* Splunk Enterprise version 7.2 and above.
 
 ### Splunk permission requirements
 
 The following Splunk permission is required:
 
-- Any user with an *Admin* level user role.
+* Any user with an *Admin* level user role.
 
 ## Download the Defender for IoT application in Splunk
 
@@ -65,15 +66,15 @@ To access the Defender for IoT application within Splunk, you will need to downl
 
 The Defender for IoT alerts provides information about an extensive range of security events. These events include:
 
-- Deviations from the learned baseline network activity.
+* Deviations from the learned baseline network activity.
 
-- Malware detections.
+* Malware detections.
 
-- Detections based on suspicious operational changes.
+* Detections based on suspicious operational changes.
 
-- Network anomalies.
+* Network anomalies.
 
-- Protocol deviations from protocol specifications.
+* Protocol deviations from protocol specifications.
 
     :::image type="content" source="media/tutorial-splunk/address-scan.png" alt-text="A screen capture if an Address Scan Detected alert.":::
 
@@ -83,6 +84,8 @@ You can also configure Defender for IoT to send alerts to the Splunk server, whe
 
 To send alert information to the Splunk servers from Defender for IoT, you will need to create a Forwarding Rule.
 
+Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.
+
 **To create the forwarding rule**:
 
 1. Sign in to the sensor, and select **Forwarding** from the left side pane.
