Commit 24f3f0d

update after review and feedback
1 parent 8156fdd commit 24f3f0d

4 files changed: +22 -21 lines changed

articles/defender-for-iot/organizations/how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md

Lines changed: 1 addition & 1 deletion
@@ -166,4 +166,4 @@ For more information, see:
166166

167167
- [Control what traffic is monitored](how-to-control-what-traffic-is-monitored.md)
168168
- [Detect Windows workstations and servers with a local script](detect-windows-endpoints-script.md)
169-
- [Devices retention periods](references-data-retention.md#devices-retention-periods).
169+
- [Devices retention periods](references-data-retention.md#device-data-retention-periods).
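Review bot: On line 169 the link label still reads "Devices retention periods" while the target moves to `#device-data-retention-periods`; if the heading was renamed as the anchor suggests, update the label to match so the text and the anchor stay in step. The trailing period on this entry also differs from the two list entries above it, which have none. The same applies to the identical change in how-to-manage-device-inventory-for-organizations.md.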

articles/defender-for-iot/organizations/how-to-investigate-sensor-detections-in-a-device-inventory.md

Lines changed: 4 additions & 4 deletions
@@ -72,21 +72,20 @@ To export device inventory data, on the **Device inventory** page, select **Expo
7272

7373
The device inventory is exported with any filters currently applied, and you can save the file locally.
7474

75-
To learn about data retention for device inventory, see [Devices retention periods](references-data-retention.md#devices-retention-periods).
76-
7775
## Merge devices
7876

7977
You may need to merge duplicate devices if the sensor has discovered separate network entities that are associated with a single, unique device.
8078

8179
Examples of this scenario might include a PLC with four network cards, a laptop with both WiFi and a physical network card, or a single workstation with multiple network cards.
8280

8381
> [!NOTE]
82+
>
8483
> - You can only merge authorized devices.
8584
> - Device merges are irreversible. If you merge devices incorrectly, you'll have to delete the merged device and wait for the sensor to rediscover both devices.
8685
> - Alternately, merge devices from the [Device map](how-to-work-with-the-sensor-device-map.md) page.
8786
When merging, you instruct the sensor to combine the device properties of two devices into one. When you do this, the Device Properties window and sensor reports will be updated with the new device property details.
8887

89-
For example, if you merge two devices, each with an IP address, both IP addresses will appear as separate interfaces in the Device Properties window.
88+
For example, if you merge two devices, each with an IP address, both IP addresses will appear as separate interfaces in the Device Properties window.
9089

9190
**To merge devices from the device inventory:**
9291

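Review bot: Removing the retention pointer at old line 75 leaves the export section with no mention of how long inventory data is kept; the link now appears only in the closing "For more information" list. Consider keeping a one-line pointer here, since readers exporting the inventory for an audit or an investigation are the ones most likely to need it. The change at line 88 and the bare `>` added at line 82 look formatting-only as rendered.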
@@ -98,7 +97,7 @@ For example, if you merge two devices, each with an IP address, both IP addresse
9897

9998
## View inactive devices
10099

101-
You may want to view devices in your network that have been inactive and delete them.
100+
You may want to view devices in your network that have been inactive and delete them.
102101

103102
For example, devices may become inactive because of misconfigured SPAN ports, changes in network coverage, or by unplugging them from the network
104103

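Review bot: The edit at line 100 is whitespace-only as rendered, but the sentence just below it (line 102) still ends without a period and mixes "because of ..." with "or by unplugging ..."; worth fixing in the same pass, for example "... changes in network coverage, or devices being unplugged from the network."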
@@ -178,3 +177,4 @@ For more information, see:
178177

179178
- [Control what traffic is monitored](how-to-control-what-traffic-is-monitored.md)
180179
- [Detect Windows workstations and servers with a local script](detect-windows-endpoints-script.md)
180+
- [Devices retention periods](references-data-retention.md#device-data-retention-periods)
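Review bot: The entry added at line 180 has no trailing period, while the same entry in the other two inventory articles touched by this commit keeps one; pick one form and use it in all three files.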

articles/defender-for-iot/organizations/how-to-manage-device-inventory-for-organizations.md

Lines changed: 1 addition & 1 deletion
@@ -179,4 +179,4 @@ For more information, see:
179179

180180
- [Control what traffic is monitored](how-to-control-what-traffic-is-monitored.md)
181181
- [Detect Windows workstations and servers with a local script](detect-windows-endpoints-script.md)
182-
- [Devices retention periods](references-data-retention.md#devices-retention-periods).
182+
- [Devices retention periods](references-data-retention.md#device-data-retention-periods).

articles/defender-for-iot/organizations/references-data-retention.md

Lines changed: 16 additions & 15 deletions
@@ -17,9 +17,9 @@ The following table lists how long device data in stored in each Defender for Io
1717

1818
| Storage type | Details |
1919
|---------|---------|
20-
| **Azure portal** | 90 days from the date of the **Last activity** value.<br><br> For more information, see [Manage your device inventory from the Azure portal](how-to-manage-device-inventory-for-organizations.md). |
21-
| **OT network sensor** | Device inventory data is stored for 90 days, for all sensors from sensor version 22.3 minor and up. <br><br> For more information, see [Manage your OT device inventory from a sensor console](how-to-investigate-sensor-detections-in-a-device-inventory.md). |
22-
| **On-promises management console** | Device inventory data is stored for 90 days, depending on the sensor. <br><br> For more information, see [Manage your OT device inventory from an on-premises management console](how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md). |
20+
| **Azure portal** | 90 days from the date of the **Last activity** value. <br><br> For more information, see [Manage your device inventory from the Azure portal](how-to-manage-device-inventory-for-organizations.md). |
21+
| **OT network sensor** | Device inventory data is stored with no time limit. <br><br> For more information, see [Manage your OT device inventory from a sensor console](how-to-investigate-sensor-detections-in-a-device-inventory.md). |
22+
| **On-promises management console** | Device inventory data is stored with no time limit. <br><br> For more information, see [Manage your OT device inventory from an on-premises management console](how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md). |
2323

2424
## Alert data retention
2525

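Review bot: Lines 21 and 22 change sensor and management-console inventory retention from 90 days to "no time limit" and drop the "from sensor version 22.3 minor and up" qualifier; if unlimited retention only holds for some sensor versions, say which, because readers sizing storage or planning inactive-device cleanup rely on this table. Line 22 is being rewritten anyway, so fix "On-promises" to "On-premises" there, along with the "device data in stored" typo visible in the hunk header context.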
@@ -33,24 +33,23 @@ The following table lists how long alert data in stored in each Defender for IoT
3333

3434
### OT alert PCAP data retention
3535

36-
The following table lists how long PCAP data is stored in each Defender for IoT location.
36+
The following table lists how long PCAP data is stored in each Defender for IoT location.
3737

3838
| Storage type | Details |
3939
|---------|---------|
4040
| **Azure portal** | PCAP files are available for download from the Azure portal for as long as the OT network sensor stores them. <br><br> Once downloaded, the files are cached on the Azure portal for 48 hours. <br><br> For more information, see [Access alert PCAP data (Public preview)](how-to-manage-cloud-alerts.md#access-alert-pcap-data-public-preview). |
41-
| **OT network sensor** | 90 days, depending on the sensor's storage capacity <!--check this--><br><br>The maximum size of PCAP file storage is set by default to 133,120 MB. If a sensor exceeds this size, the oldest PCAP file is deleted to accommodate the new one. <!--how to change this default?--> <br><br> For more information, see [Download PCAP files](how-to-view-alerts.md#download-pcap-files). |
42-
| **On-promises management console** | PCAP files aren't stored on the on-premises management console and are only accessed from the on-premises management console via a direct link to the OT sensor. |
41+
| **OT network sensor** | 90 days, depending on the sensor's storage capacity <br><br> The maximum size of PCAP file storage is set by default to 133,120 MB. If a sensor exceeds this size, the oldest PCAP file is deleted to accommodate the new one. <br><br> For more information, see [Download PCAP files](how-to-view-alerts.md#download-pcap-files). |
42+
| **On-promises management console** | PCAP files aren't stored on the on-premises management console and are only accessed from the on-premises management console via a direct link to the OT sensor. |
4343

4444
## Security recommendation retention
4545

4646
Defender for IoT security recommendations are stored only on the Azure portal, for 90 days from when the recommendation is first detected.
4747

48-
4948
For more information, see [Enhance security posture with security recommendations](recommendations.md).
5049

5150
## OT event timeline retention
5251

53-
OT event timeline data is stored on OT network sensors only, and differs depending on the sensor's [hardware profile](ot-appliance-sizing.md).
52+
OT event timeline data is stored on OT network sensors only, for as long as there's available storage space, which differs depending on the sensor's [hardware profile](ot-appliance-sizing.md).
5453

5554
The following table lists the maximum number of events that can be stored for each hardware profile:
5655

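Review bot: Line 41 deletes the `<!--check this-->` and `<!--how to change this default?-->` comments but keeps "90 days, depending on the sensor's storage capacity" unchanged; confirm the 90-day figure was actually verified, and either document how to change the 133,120 MB default or track that open question somewhere else. Because the oldest PCAP file is deleted once the cap is reached, it would help to state plainly that retention can end before 90 days when storage fills. "On-promises" on line 42 is still misspelled.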
@@ -68,11 +67,13 @@ For more information, see [Track sensor activity](how-to-track-sensor-activity.m
6867

6968
## OT log file retention
7069

71-
Only service and processing log files are stored on the Azure portal, and are retained for 30 days.
70+
Service and processing log files are stored on the Azure portal for 30 days from their creation date.
71+
72+
Other OT monitoring log files are stored only on the OT network sensor and the on-premises management console.
7273

73-
Other OT network monitoring log files are stored only on the OT network sensor and on-premises management console.
74+
On both OT sensors and the on-premises management console, files are stored for as long as there's available storage space. When the appliance's storage capacity reaches its maximum, the oldest log files are deleted to make room for the new ones.
7475

75-
On both the OT sensor and the on-premises management console, older log files are overridden when the appliance's storage has reached its maximum capacity. Log file sizes differ depending on the amount of content, but the average size per log file is 100-150 MB.
76+
Log files sizes differ depending on the amount of content, but the average size per log file is 100-150 MB.
7677

7778
For more information, see:
7879

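Review bot: New line 76 reads "Log files sizes differ"; it should be "Log file sizes differ". On line 74, "OT sensors" is plural while line 72 uses "the OT network sensor"; keep one term so readers do not infer a different component.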
@@ -81,17 +82,17 @@ For more information, see:
8182

8283
## On-premises backup file capacity
8384

84-
Both the OT network sensor and the on-premises management console have automated backups running daily.
85-
The following table describes the default maximum sizes for each storage location.
85+
Both the OT network sensor and the on-premises management console have automated backups running daily.
86+
The following table describes the default maximum sizes for each storage location.
8687

87-
On both the OT sensor and the on-premises management console, older backup files are overridden when the configured storage capacity has reached its maxium.
88+
On both the OT sensor and the on-premises management console, older backup files are overridden when the configured storage capacity has reached its maximum.
8889

8990
For more information, see [Set up backup and restore files](how-to-manage-individual-sensors.md#set-up-backup-and-restore-files
9091

9192
| Storage type | Details |
9293
|---------|---------|
9394
| **OT network sensor** | The default maximum size of backup files stored on the OT sensor is 100 GB. If you're using an on-premises management console, each connected OT sensor also has its own, extra backup directory on the on-premises management console. |
94-
| **On-promises management console** | The default maximum size of backup files stored on an on-premises management console are: <br><br>- **On-premises management console backup file**: 10 GB <br> - **OT sensor backup files**, for any connected OT sensor: 40 GB.|
95+
| **On-promises management console** | The default maximum size of backup files stored on an on-premises management console is: <br><br>- **On-premises management console backup file**: 10 GB <br> - **OT sensor backup files**, for any connected OT sensor: 40 GB.|
9596

9697
For more information, see:
9798

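Review bot: The link on line 90, directly under the edited line 88, is missing its closing parenthesis after `#set-up-backup-and-restore-files`, so it will not render as a link; fix it in this change. Line 86 announces "The following table" but two paragraphs sit between it and the table at line 92, so move that sentence to just above the table. On line 95, "is:" now introduces two sizes; "The default maximum sizes ... are:" reads more naturally, and "On-promises" should be "On-premises".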