Merge pull request #294800 from tarTech23/queryup

prmerger-automator[bot] · web-flow · commit 2868735e9b18 · 2025-02-20T14:26:53.000Z
Update to queries and remove note
diff --git a/articles/defender-for-iot/organizations/alert-engine-messages.md b/articles/defender-for-iot/organizations/alert-engine-messages.md
@@ -331,5 +331,3 @@ For more information, see:
 - [Work with alerts on the on-premises management console](legacy-central-management/how-to-work-with-alerts-on-premises-management-console.md)
 - [Alert management API reference for on-premises management consoles](api/management-alert-apis.md)
 - [Alert management API reference for OT monitoring sensors](api/sensor-alert-apis.md)
-- [Forward alert information](how-to-forward-alert-information-to-partners.md)
-
diff --git a/articles/defender-for-iot/organizations/iot-solution.md b/articles/defender-for-iot/organizations/iot-solution.md
@@ -32,10 +32,6 @@ Before you start, make sure you have the following requirements on your workspac
 
 - A Defender for IoT plan on your Azure subscription with data streaming into Defender for IoT. For more information, see [Quickstart: Get started with Defender for IoT](getting-started.md).
 
-> [!IMPORTANT]
-> Currently, having both the Microsoft Defender for IoT and the [Microsoft Defender for Cloud](../../sentinel/data-connectors/microsoft-defender-for-cloud.md) data connectors enabled on the same Microsoft Sentinel workspace simultaneously may result in duplicate alerts in Microsoft Sentinel. We recommend that you disconnect the Microsoft Defender for Cloud data connector before connecting to Microsoft Defender for IoT.
->
-
 ## Connect your data from Defender for IoT to Microsoft Sentinel
 
 Start by enabling the [Defender for IoT data connector](../../sentinel/data-connectors/microsoft-defender-for-iot.md) to stream all your Defender for IoT events into Microsoft Sentinel.
@@ -63,54 +59,54 @@ After you've connected a subscription to Microsoft Sentinel, you'll be able to v
     **To see all alerts generated by Defender for IoT**:
 
     ```kusto
-    SecurityAlert | where ProductName == "Azure Security Center for IoT"
+    SecurityAlert | where ProviderName == "IoTSecurity"
     ```
 
     **To see specific sensor alerts generated by Defender for IoT**:
 
     ```kusto
     SecurityAlert
-    | where ProductName == "Azure Security Center for IoT"
+    | where ProviderName == "IoTSecurity"
     | where tostring(parse_json(ExtendedProperties).SensorId) == “<sensor_name>”
     ```
 
     **To see specific OT engine alerts generated by Defender for IoT**:
 
     ```kusto
     SecurityAlert
-    | where ProductName == "Azure Security Center for IoT"
+    | where ProviderName == "IoTSecurity"
     | where ProductComponentName == "MALWARE"
 
     SecurityAlert
-    | where ProductName == "Azure Security Center for IoT"
+    | where ProviderName == "IoTSecurity"
     | where ProductComponentName == "ANOMALY"
 
     SecurityAlert
-    | where ProductName == "Azure Security Center for IoT"
+    | where ProviderName == "IoTSecurity"
     | where ProductComponentName == "PROTOCOL_VIOLATION"
 
     SecurityAlert
-    | where ProductName == "Azure Security Center for IoT"
+    | where ProviderName == "IoTSecurity"
     | where ProductComponentName == "POLICY_VIOLATION"
 
     SecurityAlert
-    | where ProductName == "Azure Security Center for IoT"
+    | where ProviderName == "IoTSecurity"
     | where ProductComponentName == "OPERATIONAL"
     ```
 
     **To see high severity alerts generated by Defender for IoT**:
 
     ```kusto
     SecurityAlert
-    | where ProductName == "Azure Security Center for IoT"
+    | where ProviderName == "IoTSecurity"
     | where AlertSeverity == "High"
     ```
 
     **To see specific protocol alerts generated by Defender for IoT**:
 
     ```kusto
     SecurityAlert
-    | where ProductName == "Azure Security Center for IoT"
+    | where PProviderName == "IoTSecurity"
     | where tostring(parse_json(ExtendedProperties).Protocol) == "<protocol_name>"
     ```
 
@@ -138,16 +134,16 @@ For more information, see [View alerts on the Defender for IoT portal](how-to-ma
 
 ### Understand multiple records per alert
 
-Defender for IoT alert data is streamed to the Microsoft Sentinel and stored in your Log Analytics workspace, in the [SecurityAlert]() table.
+Defender for IoT alert data is streamed to the Microsoft Sentinel and stored in your Log Analytics workspace, in the [SecurityAlert](/azure/sentinel/security-alert-schema) table.
 
 Records in the **SecurityAlert** table are created each time an alert is generated or updated in Defender for IoT. Sometimes a single alert will have multiple records, such as when the alert was first created and then again when it was updated.
 
 In Microsoft Sentinel, use the following query to check the records added to the **SecurityAlert** table for a single alert:
 
 ```kql
 SecurityAlert
-|  where ProductName == "Azure Security Center for IoT"
-|  where VendorOriginalId == "Defender for IoT Alert ID"
+|  where ProviderName == "IoTSecurity"
+|  where VendorOriginalId == "<Defender for IoT Alert ID>"
 | sort by TimeGenerated desc
 ```
 
