articles/defender-for-iot/organizations/how-to-manage-individual-sensors.md
8 additions & 8 deletions
@@ -220,31 +220,31 @@ You'd configured your OT sensor network configuring during [installation](ot-dep
220
220
221
221
An OT network sensor starts monitoring your network automatically as soon as it's connected to your network and you've [signed in](ot-deploy/activate-deploy-sensor.md#sign-in-to-the-sensor-console-and-change-the-default-password). Network devices start appearing in your [device inventory](device-inventory.md), and [alerts](alerts.md) are triggered for any<!-- amit should 'any' be removed - not for polivy vio? --> security or operational incidents that occur in your network.
222
222
223
-
There are three stages to the monitoring process controlled by three monitoring modes:
223
+
There are three stages to the monitoring process controlled by three monitoring modes:<!-- Limor - capitals for mode titles?-->
224
224
225
225
1. In **Learning mode** the sensor monitors and assesses all network communication, including the devices and protocols in your network, and the regular file transfers that occur between specific devices. The sensor learns which communications are normal, safe traffic and which are suspicious, thereby creating a baseline of safe traffic which won't trigger alerts. Any regularly detected activity becomes your network's [baseline traffic](ot-deploy/create-learned-baseline.md). In learning mode you'll see alerts for malware, ..., or ...., however, no Policy Violation alerts are generated in learning mode.<!-- what doesnt happen in learning mode? Are there any policy violation alerts produced?? any other alerts not produced? What alerts are produced? -->
226
226
227
-
1. In **Dynamic mode** the sensor continues the monitoring process, ensuring that the produced baseline is accurate but also starts to produce **Policy violation** alerts which detail important suspicious traffic that needs to be remidated.
227
+
1. In **Dynamic mode** the sensor continues the monitoring process, ensuring that the baseline produced in the learning mode is accurate. Dynamic mode also starts to produce **Policy violation** alerts that detail important, suspicious traffic that needs to be remidated.
228
228
229
229
1. In **Operational mode** the sensor monitors all network traffic, with a completed baseline, and triggers all alerts.
230
230
<!-- Limor- This was original text - included in the first para above :- Initially, this activity happens in *learning* mode, which instructs your OT sensor to learn your network's usual activity, including the devices and protocols in your network, and the regular file transfers that occur between specific devices. Any regularly detected activity becomes your network's [baseline traffic](ot-deploy/create-learned-baseline.md). The *Learning* mode monitors all of the network OT sensors with identical global settings to ensure that it tracks and identifies all types of network traffic. In learning mode you'll see alerts for malware, ..., or ...., however, no Policy Violation alerts are generated in learning mode.<!-- what doesnt happen in learning mode? Are there any policy violation alerts produced?? any other alerts not produced? What alerts are produced? -->
231
-
Within two to six weeks after deploying your sensor the detection levels should accurately reflect your network activity.<!-- what should this now look like? How much less than in the original first days? In other places we say that there is a drop off, im still unclear what that will look like? --> At this stage we recommend turning off learning mode. The sensor remains in *dynamic* mode, where it continues to monitor and assess the network traffic as though it was in learning mode, but slowly starts to generate **Policy Violation** alerts as well. Eventually, when the sensor recognises all normal types of network traffic it will automatically change to *Operational* mode.
231
+
Two to six weeks after deploying your sensor the detection levels should accurately reflect your network activity.<!-- what should this now look like? How much less than in the original first days? In other places we say that there is a drop off, im still unclear what that will look like? --> At this stage we recommend turning off learning mode. The sensor remains in *dynamic* mode, where it continues to monitor and assess the network traffic as though it was in learning mode, but slowly starts to generate **Policy Violation** alerts as well. Eventually, when the sensor recognises all normal types of network traffic it will automatically change to *Operational* mode.
232
232
233
-
This procedure describes how to turn off learning mode manually if you feel that the current alerts accurately reflect your network activity.
233
+
This procedure describes how to manually turn off the learning mode if you feel that the alerts accurately reflect your network activity.
234
234
235
235
**To turn off learning mode**:
236
236
237
237
1. Sign into your OT network sensor and select **System settings > Network monitoring > Detection engines and network modeling**.
238
238
239
-
1. In **Network modelling** toggle off **Learning**.
239
+
1. In **Network modelling**, toggle off **Learning**.
240
240
241
-
1.In the confirmation message, select **OK**, and then select **Close** to save your changes.
241
+
1.Select **OK** in the confirmation message, and then select **Close** to save your changes.
242
242
243
-
The updated mode setting for each **Policy Violation** alert can be found by selecting **Support** in the side menu.<!-- OR: Once learning mode has been turned off, you can check the mode status of a specific **Policy Violation** alert by selecting **Support** in the side menu.--> We recommend leaving the mode settings for each alert to automatically update from dynamic to operational. However, if for testing or other reasons, you could manually change the mode setting. This is not recommended as it can produce a large number of alerts.
243
+
Once learning mode has been turned off, the sensor starts to generate **Policy Violation**alerts and this setting is now available by selecting **Support** in the side menu. We recommend leaving the mode settings for each alert to automatically update from dynamic to operational. However, for testing or other reasons, you could manually change the mode setting. This is not recommended as it can produce a large number of alerts.<!-- keep or remove last sentence?-->
244
244
245
245
**Manually change a Policy Violations setting**:
246
246
247
-
1. In the main sensor menu, select **Support**. The **Engines** table displays the list all of the Defender for IoT alerts.
247
+
1. In the main sensor menu, select **Support**. The **Engines** table shows the list of all the Defender for IoT alerts.
248
248
249
249
1. In the **Learning Mode** column, change the mode for any **Policy Violation** alert by selecting **Learning**, **Dynamic** or **Operational** from the dropdown box.
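Review bot: the rewritten third step under "To turn off learning mode" still starts `1.Select **OK**` with no space after `1.`, so Markdown will not render it as a list item; write `1. Select **OK** in the confirmation message, ...`. In the same hunk, the new Support paragraph has `**Policy Violation**alerts` with no space before "alerts", and the rewritten Dynamic mode item keeps "remidated", which should be "remediated". The Learning mode item, left as context, still carries the placeholder "malware, ..., or ....", so a reader cannot tell which alert types fire before the baseline is complete; fill that in before publishing. The capitalisation also varies between "Policy violation" and "Policy Violation" across the changed lines, and the newly added `<!-- ... -->` author queries should be resolved rather than committed.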