Merge pull request #8 from batamig/patch-312

adding dns allowlist

Author: Shereen-Bhar

articles/defender-for-iot/organizations/how-to-accelerate-alert-incident-response.md

@@ -20,15 +20,10 @@ This article describes the following methods for reducing OT network alert fatig
 
 ## Prerequisites
 
-- To create alert comments or custom alert rules on an OT network sensor, you must have:
+- To create alert comments or custom alert rules on an OT network sensor, you must have an OT network sensor installed and access to the sensor as an **Admin** user.
 
-    - An OT network sensor installed
-    - Access to the sensor as an **Admin** user.
-
-- To create alert exclusion rules on an on-premises management console, you must have:
-
-    - An on-premises management console installed
-    - Access to the on-premises management console as an **Admin** user.
+- To create a DNS allowlist on an OT sensor, you must have an OT network sensor installed and access to the sensor as a **Support** user.
+- To create alert exclusion rules on an on-premises management console, you must have an on-premises management console installed and access to the on-premises management console as an **Admin** user.
 
 For more information, see [Install OT agentless monitoring software](how-to-install-software.md) and [On-premises users and roles for OT monitoring with Defender for IoT](roles-on-premises.md).
 
@@ -89,6 +84,29 @@ Disable custom alert rules to prevent them from running without deleting them al
 
 In the **Custom alert rules** page, select one or more rules, and then select  **Disable**, **Enable**, or **Delete** in the toolbar as needed.
 
+## Learn DNS traffic on an OT sensor
+
+*Learn* unauthorized internet alerts in bulk by creating an allowlist of domain names on your OT sensor. 
+
+When a DNS allowlist is configured, the sensor checks each unauthorized internet connectivity attempt against the list. If the domain's FQDN is included in the allowlist, the sensor learns the traffic automatically, without triggering an alert.
+
+**To define a DNS allowlist:**
+
+1. Sign into your OT sensor as the *support* user and select the **Support** page.
+
+1. In the search box, search for **DNS** and then locate the engine with the **Internet Domain Allowlist** description.
+
+1. Select **Edit** :::image type="icon" source="media/how-to-generate-reports/manage-icon.png" border="false"::: for the **Internet Domain Allowlist** row. For example:
+
+    :::image type="content" source="media/how-to-manage-individual-sensors/dns-edit-configuration.png" alt-text="Screenshot of how to edit configurations for DNS in the sensor console." lightbox="media/how-to-manage-individual-sensors/dns-edit-configuration.png":::
+
+1. In the **Edit configuration** pane > **Fqdn allowlist** field, enter one or more domain names. Separate multiple domain names with commas. Your sensor won't generate alerts for unauthorized internet connectivity attempts on the configured domains.
+
+1. Select **Submit** to save your changes.
+
+> [!TIP]
+> All OT sensor users can view the currently configured list of domains in a data mining report, including the FQDNs and resolved IP addresses, and the last resolution time. For more information, see [Create data mining queries](how-to-create-data-mining-queries.md). 
+
 ## Create alert exclusion rules on an on-premises management console
 
 Create alert exclusion rules to instruct your sensors to ignore specific traffic on your network that would otherwise trigger an alert.
@@ -146,4 +164,4 @@ For more information, see
 > [View and manage alerts on the the on-premises management console](how-to-work-with-alerts-on-premises-management-console.md)
 
 > [!div class="nextstepaction"]
-> [Microsoft Defender for IoT alerts](alerts.md)
+> [Microsoft Defender for IoT alerts](alerts.md)