Commit 11b2366

committed
final changes
1 parent 74c5801 commit 11b2366

2 files changed

+17
-23
lines changed

articles/defender-for-iot/organizations/how-to-manage-individual-sensors.md

Lines changed: 3 additions & 9 deletions
Original file line number | Diff line number | Diff line change
@@ -216,19 +216,13 @@ You'd configured your OT sensor network configuring during [installation](ot-dep
216216

217217
1. Select **Save** to save your changes.
218218

219-
### Turn off learning mode manually
220-
<!-- Limor should most of this intro be moved to create-learned-baseline.md? that is a 'concept' page about learning mode-->
219+
## Turn off learning mode manually
220+
221221
An OT network sensor starts monitoring your network automatically as soon as it connects to your network and you [sign in](ot-deploy/activate-deploy-sensor.md#sign-in-to-the-sensor-console-and-change-the-default-password). Network devices start appearing in your [device inventory](device-inventory.md), and [alerts](alerts.md) are triggered for any security or operational incidents that occur in your network.
222222

223223
There are three stages to the monitoring process. For more information, see [overview of the multi stage monitoring process](ot-deploy/create-learned-baseline.md).
224224

225-
<!--1. In **Learning mode** the sensor monitors and assesses all network communication, including the devices and protocols in your network, and the regular file transfers that occur between specific devices. The sensor learns which communications are normal, safe traffic and which are suspicious, thereby creating a baseline of safe traffic which won't trigger alerts. Any regularly detected activity becomes your network's [baseline traffic](ot-deploy/create-learned-baseline.md). In learning mode you'll see alerts for malware, ..., or ...., however, no Policy Violation alerts are generated in learning mode.<!-- what doesnt happen in learning mode? Are there any policy violation alerts produced?? any other alerts not produced? What alerts are produced? -->
226-
<!--1. In **Dynamic mode** the sensor continues the monitoring process, ensuring that the baseline produced in the learning mode is accurate. Dynamic mode also starts to produce **Policy violation** alerts that detail important, suspicious traffic that needs to be remidated.
227-
228-
1. In **Operational mode** the sensor monitors all network traffic, with a completed baseline, and triggers all alerts.
229-
<!-- Limor- This was original text - included in the first para above :- Initially, this activity happens in *learning* mode, which instructs your OT sensor to learn your network's usual activity, including the devices and protocols in your network, and the regular file transfers that occur between specific devices. Any regularly detected activity becomes your network's [baseline traffic](ot-deploy/create-learned-baseline.md). The *Learning* mode monitors all of the network OT sensors with identical global settings to ensure that it tracks and identifies all types of network traffic. In learning mode you'll see alerts for malware, ..., or ...., however, no Policy Violation alerts are generated in learning mode. -->
230-
Two to six weeks after deploying your sensor the detection levels should accurately reflect your network activity. At this stage we recommend turning off learning mode.<!-- The sensor remains in *dynamic* mode, where it continues to monitor and assess the network traffic as though it was in learning mode, but slowly starts to generate **Policy Violation** alerts as well. Eventually, when the sensor recognises all normal types of network traffic it will automatically change to *Operational* mode. -->
231-
<!--This procedure describes how to manually turn off the learning mode if you feel that the alerts accurately reflect your network activity.-->
225+
Two to six weeks after deploying your sensor the detection levels should accurately reflect your network activity. At this stage we recommend turning off learning mode.
232226

233227
**To turn off learning mode**:
234228
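Review bot: promoting the heading from `###` to `##` at new line 219 changes the section hierarchy of how-to-manage-individual-sensors.md; confirm that the preceding procedure (which ends with "1. Select **Save** to save your changes." at line 217) also sits directly under a `##` heading, otherwise "Turn off learning mode manually" jumps a level and the page TOC will show it as a sibling of the top-level sections. The cross-page link `#turn-off-learning-mode-manually` used from create-learned-baseline.md does not include the heading level, so it still resolves. Minor: the retained sentence at new line 225 reads better with a comma after "sensor" ("Two to six weeks after deploying your sensor, the detection levels should..."), and the unchanged context line 223 links to "overview of the multi stage monitoring process", where "multistage" or "multi-stage" is the conventional spelling.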

articles/defender-for-iot/organizations/ot-deploy/create-learned-baseline.md

Lines changed: 14 additions & 14 deletions
@@ -17,36 +17,36 @@ An OT network sensor starts monitoring your network automatically after it conne
1717

1818
Defender for IoT employs a three stage monitoring process that learns your network's normal traffic behavior. These three stages ensure accurate detection while reducing unnecessary alerts, are:
1919

20-
1. Learning mode
21-
1. Dynamic mode
22-
1. Operational mode
20+
1. [Learning mode](#learning-mode)
21+
1. [Dynamic mode](#dynamic-mode)
22+
1. [Operational mode](#operational-mode)
23+
24+
### Summary of the monitoring stages
25+
26+
| Mode | Purpose | Trigger alerts | User actions needed |
27+
| --- | --- | --- | --- |
28+
| **[Learning](#learning-mode)** | Builds a baseline of normal network traffic | Malware alerts, anomaly alerts, operational alerts, protocol violation alerts | Turn off manually after 2–6 weeks or when baseline reflects accurate network activity |
29+
| **[Dynamic](#dynamic-mode)** | Refines the baseline while gradually introducing Policy Violations alerts to ensure accuracy and reduce alert noise | Policy Violation alerts are introduced | Optional: Adjust settings for specific scenarios (e.g. during POCs) |
30+
| **[Operational](#operational-mode)** | Monitors all network traffic with a stable baseline, triggering all alerts to reflect deviations or suspicious activity | All types of alerts | None. Automatically transitions when baseline stabilizes |
2331

2432
### Learning mode
2533

2634
Initially, the sensor runs in *learning* mode to monitor all of your network traffic and build a baseline of all normal traffic patterns. This baseline includes all of the devices and protocols in your network, and the regular file transfers that occur between devices. This process normally takes between 2 and 6 weeks, depending on your network size and complexity. Additionally, any devices discovered later enter learning mode for 7 days in order to establish their network traffic baseline.
2735

28-
In learning mode, the sensor monitors and protects your environment by triggering relevant security alerts, such as malware, anomaly and operational alerts. However, policy violation alerts, which indicate deviations from the baseline, aren't triggered while the system is in learning mode.
36+
In learning mode, the sensor monitors and protects your environment by triggering relevant security alerts, such as malware, anomaly and operational alerts. However, Policy Violation alerts, which indicate deviations from the baseline, aren't triggered while the system is in learning mode.
2937

3038
### Dynamic mode
3139

32-
Once the discovery process and network traffic are stable, you should manually turn off learning mode. At this point, the sensor transitions to dynamic mode. In Dynamic mode the sensor continues to monitor your network, validating and refining the baseline. The sensor assesses each alert category and scenario individually, dynamically changing them to operational mode when their baselines are confirmed to be accurate. Alternatively, if the sensor detects significant changes in traffic, it might automatically extend the learning mode for specific alerts or scenarios.
40+
Once the discovery process and network traffic are stable, you should manually turn off learning mode. At this point, the sensor transitions to dynamic mode. In dynamic mode the sensor continues to monitor your network, validating and refining the baseline. The sensor assesses each alert category and scenario individually, dynamically changing them to operational mode when their baselines are confirmed to be accurate. Alternatively, if the sensor detects significant changes in traffic, it might automatically extend the learning mode for specific alerts or scenarios.
3341

34-
In dynamic mode, policy violation alerts are gradually introduced and start to appear in the alert inventory.
42+
In dynamic mode, Policy Violation alerts are gradually introduced and start to appear in the alert inventory.
3543

3644
### Operational mode
3745

3846
Once the sensor identifies that the baseline is stable and complete it automatically transitions into operational mode, monitoring all of the network traffic and triggering all alert types.
3947

4048
The **Learn** action becomes relevant after learning mode is turned off, when the scenario transitions to operational mode, and you wish to mark specific operations as authorized or expected activity. Once learned, similar activity won't generate new alerts in the future.
4149

42-
### Summary of the monitoring stages
43-
44-
| Mode | Purpose | Trigger alerts | User actions needed |
45-
| --- | --- | --- | --- |
46-
| **Learning** | Builds a baseline of normal network traffic | Malware alerts, anomaly alerts, operational alerts, protocol violation alerts | Turn off manually after 2–6 weeks or when baseline reflects accurate network activity |
47-
| **Dynamic** | Refines the baseline while gradually introducing policy violations alerts to ensure accuracy and reduce alert noise | Policy Violation alerts are introduced | Optional: Adjust settings for specific scenarios (e.g. during POCs) |
48-
| **Operational** | Monitors all network traffic with a stable baseline, triggering all alerts to reflect deviations or suspicious activity | All types of alerts | None. Automatically transitions when baseline stabilizes |
49-
5050
[Turn off learning mode manually before then](../how-to-manage-individual-sensors.md#turn-off-learning-mode-manually) if you feel that the current alerts accurately reflect your network activity.
5151

5252
For more information, see [Microsoft Defender for IoT alerts](../alerts.md).
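Review bot: the new table row at line 29 says "Policy Violations alerts" while lines 36 and 42 in the same hunk standardize on "Policy Violation alerts"; make the table match, for example "...gradually introducing Policy Violation alerts to ensure accuracy...". The Learning row's "Trigger alerts" cell (line 28) also lists "protocol violation alerts", but the Learning mode paragraph at line 36 names only "malware, anomaly and operational alerts"; either add protocol violation alerts to the paragraph or drop them from the row so the summary table and the detailed section agree on what fires during learning. Two smaller points in passing: the unchanged intro at line 18 ("These three stages ensure accurate detection while reducing unnecessary alerts, are:") is ungrammatical and could become "These three stages, which ensure accurate detection while reducing unnecessary alerts, are:", and the column header "Trigger alerts" would be clearer as "Alerts triggered".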
