Merge pull request #232130 from batamig/intro-concepts

 Deployment guide release: overview and concepts

Author: ttorble

articles/defender-for-iot/organizations/TOC.yml

@@ -15,14 +15,50 @@
       - name: Microsoft Sentinel solution versions
         href: release-notes-sentinel.md
 - name: Quickstarts
-  expanded: false
   items:
-  - name: Get started with OT security monitoring
+  - name: Add an OT plan to your Azure subscription
     href: getting-started.md
     displayName: onboard
-  - name: Enable Enterprise IoT security
-    href: eiot-defender-for-endpoint.md
-    displayName: onboard
+- name: Concepts
+  items:
+    - name: Defender for IoT system components
+      href: architecture.md
+      displayName: committed devices
+    - name: Subscription billing
+      href: billing.md
+    - name: Roles and permissions
+      items:
+      - name: Overview
+        href: manage-users-overview.md
+        displayName: users, user
+      - name: Azure roles for OT and Enterprise IoT monitoring
+        href: roles-azure.md
+        displayName: users, user
+      - name: On-premises roles for OT monitoring
+        href: roles-on-premises.md
+        displayName: users, user
+    - name: Device inventories
+      href: device-inventory.md
+    - name: Alerts
+      href: alerts.md
+    - name: Zero Trust and your OT/IoT networks
+      href: concept-zero-trust.md
+    - name: Defender for IoT and your SOC
+      href: concept-sentinel-integration.md
+      displayName: Microsoft Sentinel, modernize SOC
+    - name: Securing enterprise IoT devices
+      href: concept-enterprise.md
+      displayName: Microsoft Defender for Endpoint, MDE
+    - name: Azure security baseline for Defender for IoT
+      href: /security/benchmark/azure/baselines/microsoft-defender-for-iot-security-baseline?bc=%2fazure%2defender-for-iot%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fdefender-for-iot%2fTOC.json       
+    - name: OT monitoring appliance catalog
+      items:
+      - name: Which appliances do I need?
+        href: ot-appliance-sizing.md
+      - name: Pre-configured appliances
+        href: ot-pre-configured-appliances.md
+      - name: OT monitoring with virtual appliances
+        href: ot-virtual-appliances.md 
 - name: Deploy
   items:
   - name: Deploy air-gapped OT sensor management
@@ -64,60 +100,6 @@
       href: iot-advanced-threat-monitoring.md
   - name: Monitor with Zero Trust principles
     href: monitor-zero-trust.md
-- name: Concepts
-  items:
-    - name: Subscription billing
-      href: billing.md
-    - name: Roles and permissions
-      items:
-      - name: Overview
-        href: manage-users-overview.md
-        displayName: users, user
-      - name: Azure roles for OT and Enterprise IoT monitoring
-        href: roles-azure.md
-        displayName: users, user
-      - name: On-premises roles for OT monitoring
-        href: roles-on-premises.md
-        displayName: users, user
-    - name: OT system architecture
-      href: architecture.md
-      displayName: committed devices
-    - name: OT sensor cloud connection methods
-      href: architecture-connections.md
-    - name: OT network monitoring best practices
-      items:
-      - name: Understand your network architecture
-        href: best-practices/understand-network-architecture.md
-      - name: Plan your network connections
-        href: best-practices/plan-network-monitoring.md
-      - name: Sample connectivity models
-        href: best-practices/sample-connectivity-models.md
-      - name: Zero Trust and your OT/IoT networks
-        href: concept-zero-trust.md
-    - name: OT monitoring appliance catalog
-      items:
-      - name: Which appliances do I need?
-        href: ot-appliance-sizing.md
-      - name: Pre-configured appliances
-        href: ot-pre-configured-appliances.md
-      - name: OT monitoring with virtual appliances
-        href: ot-virtual-appliances.md
-    - name: Supported protocols
-      href: concept-supported-protocols.md
-    - name: Defender for IoT device inventory
-      href: device-inventory.md
-    - name: Defender for IoT alerts
-      href: alerts.md
-    - name: Monitoring OT threats in enterprise SOCs
-      href: concept-sentinel-integration.md
-      displayName: Microsoft Sentinel, modernize SOC
-    - name: Securing IoT devices in the enterprise
-      href: concept-enterprise.md
-      displayName: Microsoft Defender for Endpoint, MDE
-    - name: Security
-      items:
-      - name: Azure security baseline for Defender for IoT
-        href: /security/benchmark/azure/baselines/microsoft-defender-for-iot-security-baseline?bc=%2fazure%2defender-for-iot%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fdefender-for-iot%2fTOC.json        
 - name: How-to guides
   items:
   - name: Visualize devices

articles/defender-for-iot/organizations/alerts.md

@@ -8,7 +8,7 @@ ms.custom: enterprise-iot
 
 # Microsoft Defender for IoT alerts
 
-Microsoft Defender for IoT alerts enhance your network security and operations with real-time details about events logged in your network. Alerts are messages that a Defender for IoT engine triggers when OT or Enterprise IoT network sensors detect changes or suspicious activity in network traffic that needs your attention.
+Microsoft Defender for IoT alerts enhance your network security and operations with real-time details about events logged in your network. Alerts are triggered when OT or Enterprise IoT network sensors detect changes or suspicious activity in network traffic that needs your attention.
 
 For example:
 
@@ -119,6 +119,12 @@ Use the following table to learn more about each alert status and triage option.
 > For more information, see [Create alert exclusion rules on an on-premises management console](how-to-accelerate-alert-incident-response.md#create-alert-exclusion-rules-on-an-on-premises-management-console).
 >
 
+### Triage OT alerts during learning mode
+
+*Learning mode* refers to the initial period after an OT sensor is deployed, when your OT sensor learns your network's baseline activity, including the devices and protocols in your network, and the regular file transfers that occur between specific devices.
+
+Use learning mode to perform an initial triage on the alerts in your network, *learning* those you want to mark as authorized, expected activity. Learned traffic doesn't generate new alerts the next time the same traffic is detected.
+
 ## Next steps
 
 Review alert types and messages to help you understand and plan remediation actions and playbook integrations. For more information, see [OT monitoring alert types and descriptions](alert-engine-messages.md).

articles/defender-for-iot/organizations/architecture.md

@@ -1,11 +1,11 @@
 ---
-title: System architecture for OT monitoring - Microsoft Defender for IoT
+title: System architecture for OT/IoT monitoring - Microsoft Defender for IoT
 description: Learn about the Microsoft Defender for IoT system architecture and data flow.
-ms.topic: overview
-ms.date: 12/25/2022
+ms.topic: conceptual
+ms.date: 01/18/2023
 ---
 
-# System architecture for OT system monitoring
+# Microsoft Defender for IoT components
 
 The Microsoft Defender for IoT system is built to provide broad coverage and visibility from diverse data sources.
 
@@ -18,38 +18,35 @@ Defender for IoT connects to both cloud and on-premises components, and is built
 Defender for IoT includes the following OT security monitoring components:
 
 - **The Azure portal**, for cloud management and integration to other Microsoft services, such as Microsoft Sentinel.
-- **OT network sensors**, to detect OT devices across your network. OT network sensors are deployed on either a virtual machine or a physical appliance, and configured as cloud-connected sensors, or fully on-premises, locally managed sensors.
-- **An on-premises management console** for centralized OT site management in local, air-gapped environments.
 
-## What is a Defender for IoT committed device?
+- **Operational technology (OT) or Enterprise IoT network sensors**, to detect devices across your network. Defender for IoT network sensors are deployed on either a virtual machine or a physical appliance. OT sensors can be configured as cloud-connected sensors, or fully on-premises, locally managed sensors.
 
-[!INCLUDE [devices-inventoried](includes/devices-inventoried.md)]
+- **An on-premises management console** for centralized OT sensor management and monitoring for local, air-gapped environments.
 
-## OT network sensors
+## OT and Enterprise IoT network sensors
 
-OT network sensors discover and continuously monitor network traffic across your OT devices.
+Defender for IoT network sensors discover and continuously monitor network traffic across your network devices.
 
-- Network sensors are purpose-built for OT networks and connect to a SPAN port or network TAP. OT network sensors can provide visibility into risks within minutes of connecting to the network.
+- Network sensors are purpose-built for OT/IoT networks and connect to a SPAN port or network TAP. Defender for IoT network sensors can provide visibility into risks within minutes of connecting to the network.
 
-- Network sensors use OT-aware analytics engines and Layer-6 Deep Packet Inspection (DPI) to detect threats, such as fileless malware, based on anomalous or unauthorized activity.
+- Network sensors use OT/IoT-aware analytics engines and Layer-6 Deep Packet Inspection (DPI) to detect threats, such as fileless malware, based on anomalous or unauthorized activity.
 
 Data collection, processing, analysis, and alerting takes place directly on the sensor, which can be ideal for locations with low bandwidth or high-latency connectivity. Only telemetry and insights are transferred on for management, either to the Azure portal or an on-premises management console.
 
-For more information, see [Onboard OT sensors to Defender for IoT](onboard-sensors.md).
 
 ### Cloud-connected vs. local OT sensors
 
 Cloud-connected sensors are sensors that are connected to Defender for IoT in Azure, and differ from locally managed sensors as follows:
 
-When you have a cloud connected OT network sensor:
+**When you have a cloud connected OT network sensor**:
 
 - All data that the sensor detects is displayed in the sensor console, but alert information is also delivered to Azure, where it can be analyzed and shared with other Azure services.
 
 - Microsoft threat intelligence packages can be automatically pushed to cloud-connected sensors.
 
 - The sensor name defined during onboarding is the name displayed in the sensor, and is read-only from the sensor console.
 
-In contrast, when working with locally managed sensors:
+**In contrast, when working with locally managed sensors**:
 
 - View any data for a specific sensor from the sensor console. For a unified view of all information detected by several sensors, use an on-premises management console.
 
@@ -69,15 +66,15 @@ For example, the **policy violation detection** engine models industry control s
 
 Since many detection algorithms were built for IT, rather than OT networks, the extra baseline for ICS networks helps to shorten the system's learning curve for new detections.
 
-Defender for IoT network sensors include the following analytics engines:
-
-|Name  |Description  |
-|---------|---------|
-|**Protocol violation detection engine**     |  Identifies the use of packet structures and field values that violate ICS protocol specifications. <br><br>For example, Modbus exceptions or the initiation of an obsolete function code alerts.       |
-|**Industrial malware detection engine**     |  Identifies behaviors that indicate the presence of known malware, such as Conficker, Black Energy, Havex, WannaCry, NotPetya, and Triton.       |
-|**Anomaly detection engine**     | Detects unusual machine-to-machine (M2M) communications and behaviors. <br><br>This engine models ICS networks and therefore requires a shorter learning period than analytics developed for IT. Anomalies are detected faster, with minimal false positives. <br><br>For example, Excessive SMB sign-in attempts, and PLC Scan Detected alerts.        |
-|**Operational incident detection**     |   Detects operational issues such as intermittent connectivity that can indicate early signs of equipment failure. <br><br> For example, the device might be disconnected (unresponsive), or the Siemens S7 stop PLC command was sent alerts.      |
+Defender for IoT network sensors include the following main analytics engines:
 
+|Name  |Description  | Examples |
+|---------|---------|---------|
+|**Protocol violation detection engine**     |  Identifies the use of packet structures and field values that violate ICS protocol specifications. <br><br>Protocol violations occur when the packet structure or field values don't comply with the protocol specification.| An *"Illegal MODBUS Operation (Function Code Zero)"* alert indicates that a primary device sent a request with function code 0 to a secondary device. This action isn't allowed according to the protocol specification, and the secondary device might not handle the input correctly     |
+| **Policy Violation** | A policy violation occurs with a deviation from baseline behavior defined in learned or configured settings. | An *"Unauthorized HTTP User Agent"* alert indicates that an application that wasn't learned or approved by policy is used as an HTTP client on a device. This might be a new web browser or application on that device.|
+|**Industrial malware detection engine**     |  Identifies behaviors that indicate the presence of malicious network activity via known malware, such as Conficker, Black Energy, Havex, WannaCry, NotPetya, and Triton. | A *"Suspicion of Malicious Activity (Stuxnet)"* alert indicates that the sensor detected suspicious network activity known to be related to the Stuxnet malware. This malware is an advanced persistent threat aimed at industrial control and SCADA networks.     |
+|**Anomaly detection engine**     | Detects unusual machine-to-machine (M2M) communications and behaviors. <br><br>This engine models ICS networks and therefore requires a shorter learning period than analytics developed for IT. Anomalies are detected faster, with minimal false positives. | A *"Periodic Behavior in Communication Channel"* alert reflects periodic and cyclic behavior of data transmission, which is common in industrial networks.   <br>Other examples include excessive SMB sign-in attempts, and PLC scan detected alerts.    |
+|**Operational incident detection**     |   Detects operational issues such as intermittent connectivity that can indicate early signs of equipment failure.  | A *"Device is Suspected to be Disconnected (Unresponsive)"* alert is triggered when a device isn't responding to any kind of request for a predefined period. This alert might indicate a device shutdown, disconnection, or malfunction.  <br>Another example might be the that Siemens S7 stop PLC command was sent alerts.   |
 
 ## Management options
 
@@ -93,15 +90,15 @@ Defender for IoT provides hybrid network support using the following management
 
     :::image type="content" source="media/release-notes/new-interface.png" alt-text="Screenshot that shows the updated interface." lightbox="media/release-notes/new-interface.png":::
 
-- **The on-premises management console**. In air-gapped environments, the on-premises management console provides a centralized view and management options for devices and threats detected by connected OT network sensors. The on-premises management console also lets you organize your network into separate sites and zones to support a [Zero Trust](/security/zero-trust/) mindset, and provides extra maintenance tools and reporting features.
+- **The on-premises management console**. In air-gapped environments, you can get a central view of data from all of your sensors from an on-premises management console, using extra maintenance tools and reporting features.
 
-## Next steps
+    The software version on your on-premises management console must be equal to that of your most up-to-date sensor version. Each on-premises management console version is backwards compatible to older, supported sensor versions, but cannot connect to newer sensor versions.
 
-> [!div class="nextstepaction"]
-> [Understand OT sensor connection methods](architecture-connections.md)
+## What is a Defender for IoT committed device?
+
+[!INCLUDE [devices-inventoried](includes/devices-inventoried.md)]
 
-> [!div class="nextstepaction"]
-> [Connect OT sensors to Microsoft Defender for IoT](connect-sensors.md)
+## Next steps
 
-> [!div class="nextstepaction"]
-> [Frequently asked questions](resources-frequently-asked-questions.md)
+> [!div class="step-by-step"]
+> [Understand your network architecture »](architecture.md)

articles/defender-for-iot/organizations/concept-sentinel-integration.md

@@ -25,7 +25,7 @@ Microsoft Sentinel is a scalable cloud service for security information event ma
 
 In Microsoft Sentinel, the Defender for IoT data connector and solution brings out-of-the-box security content to SOC teams, helping them to view, analyze and respond to OT security alerts, and understand the generated incidents in the broader organizational threat contents.
 
-Install the Defender for IoT data connector alone to stream your OT network alerts to Microsoft Sentinel. Then, also install the **Microsoft Defender for IoT** solution the extra value of IoT/OT-specific analytics rules, workbooks, and SOAR playbooks, as well as incident mappings to [MITRE ATT&CK for ICS](https://collaborate.mitre.org/attackics/index.php/Overview).
+Install the Defender for IoT data connector alone to stream your OT network alerts to Microsoft Sentinel. Then, also install the **Microsoft Defender for IoT** solution the extra value of IoT/OT-specific analytics rules, workbooks, and SOAR playbooks, as well as incident mappings to [MITRE ATT&CK for ICS techniques](https://attack.mitre.org/techniques/ics/).
 
 ### Integrated detection and response