Merge pull request #224099 from yoninalmsft/event-timeline-revamp

event timeline revamp

Author: BCS2022

articles/defender-for-iot/organizations/TOC.yml

@@ -95,13 +95,13 @@
       items:
       - name: Azure portal
         href: how-to-manage-device-inventory-for-organizations.md
-        displayName: devices, assets, inventory
+        displayName: devices, assets, inventory, device
       - name: OT sensor console
         href: how-to-investigate-sensor-detections-in-a-device-inventory.md
-        displayName: devices, assets, inventory
+        displayName: devices, assets, inventory, device
       - name: On-premises management console
         href: how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md
-        displayName: devices, assets, inventory
+        displayName: devices, assets, inventory, device
     - name: View OT device mapping
       href: how-to-work-with-the-sensor-device-map.md
     - name: View OT devices per zone
@@ -291,8 +291,9 @@
         href: how-to-enhance-port-and-vlan-name-resolution.md
       - name: Import device information
         href: how-to-import-device-information.md
-    - name: Track sensor activity
+    - name: Track OT network and sensor activity
       href: how-to-track-sensor-activity.md
+      displayName: event timeline
     - name: Set up SNMP MIB monitoring
       href: how-to-set-up-snmp-mib-monitoring.md
     - name: Manage proprietary protocols (Horizon)

articles/defender-for-iot/organizations/how-to-track-sensor-activity.md

@@ -1,50 +1,119 @@
 ---
-title: Track sensor activity in Defender for IoT
-description: Track sensor activity in the event timeline.
-ms.date: 02/01/2022
+title: Track network and sensor activity with the event timeline in Microsoft Defender for IoT
+description: Track network and sensor activity in the event timeline.
+ms.date: 02/27/2023
 ms.topic: how-to
 ---
 
-# Track sensor activity
+# Track network and sensor activity with the event timeline
 
-Activity that your sensor detects is recorded in the event timeline. Activity includes alerts and alert actions, network events, and user operations such as user sign in or user deletion.
+Activity detected by your Microsoft Defender for IoT sensors is recorded in the event timeline. Activity includes alerts and alert management actions, network events, and user operations such as user sign-in or user deletion.
 
-The event timeline provides a chronological view of events. Use the timeline during investigations, to understand and analyze the chain of events that preceded and followed an attack or incident.
+The event timeline provides a chronological view and context of all network activity, to help determine the cause and effect of incidents. The timeline view makes it easy to extract information from network events, and more efficiently analyze alerts and events observed on the network. With the ability to store vast amounts of data, the event timeline view can be a valuable resource for security teams to perform investigations and gain a deeper understanding of network activity.
 
-## Before you start
+Use the event timeline during investigations, to understand and analyze the chain of events that preceded and followed an attack or incident. The centralized view of multiple security-related events on the same timeline helps to identify patterns and correlations, and enable security teams to quickly assess the impact of incidents and respond accordingly.
 
-You need to have Administrator or Security Analyst permissions to perform the procedures described in this article.
+Enhance your security analysis and incident investigations with the event timeline, with the following options:
+
+- [View events on the timeline](#view-the-event-timeline)
+
+- [Audit user activity](track-user-activity.md)
+
+- [View and manage alerts](how-to-view-alerts.md#view-details-and-remediate-a-specific-alert)
+
+- [Analyze programming details and changes](how-to-analyze-programming-details-changes.md)
+
+## Permissions
+
+Administrator or Security Analyst permissions are required to perform the procedures described in this article.
 
 ## View the event timeline
 
-1. In Defender for IoT, select **Event Timeline**.
-1. Review the events and filter as needed.
-1. Toggle **User Operations** to hide or show user events.
-1. Select **Add filter** to specify the events shown.
-1. In **Type** filter the events shown using a number of settings:
-    - **Event severity**: Show **Alerts Only**, **Alerts and Notices**, or **All Events**.
-    - **Device group**: Filter on specific devices defined in the device map.
-    - **Include devices**: Search for devices you want to include.
-    - **Exclude devices**: Search for devices you want to exclude.
-    - **Keywords**: Search for specific keywords.
-    - **Include Event Types**: Search for specific event types to include.
-    - **Exclude Event Types**: Search for specific event types to exclude.
-    - **Date**: Search for events in a specific date range.
-1. Select **Apply* to set the filter.
-1. Select **Export** to export the event timeline to a CSV file.
-
-## Add an event
+1. Sign in to the sensor console, and select **Event Timeline** from the left menu.
+
+1. Review and [filter the events](#filter-events-on-the-timeline) as needed.
+
+1. Select an event row to view the event details in a pane on the right, where you can also filter to view events of related devices.
+The **User Operations** filter is on by default, you can select to hide or show user events as needed.
+
+    For example:
+
+    :::image type="content" source="media/track-sensor-activity/event-timeline-view-events.png" alt-text="Screenshot of events on the event timeline." lightbox="media/track-sensor-activity/event-timeline-view-events.png":::
+
+You can also view the event timeline of a specific device from the **Device inventory**.
+
+**To view the event timeline of a specific device**:
+
+1. In the sensor console, go to **Device inventory**.
+
+1. Select the specific device to open the device details pane, and then select **View full details** to open the device properties page.
+
+1. Select the **Event timeline** tab to view all events associated with this device, and [filter the events](#filter-events-on-the-timeline) as needed.
+
+    For example:
+
+    :::image type="content" source="media/track-sensor-activity/device-properties-page-event-timeline.png" alt-text="Screenshot of event timeline tab in device properties page." lightbox="media/track-sensor-activity/device-properties-page-event-timeline.png":::
+
+## Filter events on the timeline
+
+1. On the event timeline page, select **Add filter** to specify the events shown.
+
+1. Select the filter **Type**. Use any of the following options to filter the devices shown:
+
+    |Type|Description|
+    |---|---|
+    |**User operations**|This filter is on by default, choose to show or hide user operation events.|
+    |**Date**|Search for events in a specific date range.|
+    |**Device group**|Filter specific devices by group as defined in the device map.|
+    |**Event severity**|Show **Alerts Only**, **Alerts and Notices**, or **All Events**.|
+    |**Exclude devices**|Search for and filter devices you want to exclude.|
+    |**Include devices**|Search for and filter devices you want to include.|
+    |**Exclude Event Types**|Search for and filter specific event types to exclude.|
+    |**Include Event Types**|Search for and filter  specific event types to include.|
+    |**Keywords**|Filter events by specific keywords.|
+
+1. Select **Apply** to set the filter.
+
+## Export the event timeline to CSV
+
+You can export the event timeline to a CSV file, the exported data is according to any filters applied when exporting.
+
+**To export the event timeline**:
+
+On the **Event timeline** page, select **Export** from the top menu to export the event timeline to a CSV file.
+ 
+## Create an event
 
 In addition to viewing the events that the sensor has detected, you can manually add events to the timeline. This process is useful if an external system event impacts your network, and you want to record it on the timeline.
 
-1. Select **Create Event**.
-1. In the **Create Event** dialog, specify the event type (Info, Notice, or Alert)
-1. Set a timestamp for the event, the device it should be connected with, and provide a description.
+1. On the **Event timeline** page, select **Create Event**.
+
+1. In the **Create Event** dialog, add the following event details:
+    
+    - **Type**. Specify the event type (Info, Notice, or Alert).
+    
+    - **Timestamp**. Set the date and time of the event.
+    
+    - **Device**. Select the device the event should be connected with.
+    
+    - **Description**. Provide a description of the event.
+
 1. Select **Save** to add the event to the timeline.
 
+For example:
+
+:::image type="content" source="media/track-sensor-activity/create-new-event.png" alt-text="Screenshot of creating a new event in the timeline." lightbox="media/track-sensor-activity/create-new-event.png":::
+
+## Event timeline capacity
+
+The amount of data that can be stored in the event timeline depends on various factors, such as the size of the network, the frequency of events, and the storage capacity of your sensor. The data stored in the event timeline can include information about network traffic, security events, and other relevant data points.
+
+The maximum number of events shown in the event timeline is dependent on [the hardware profile](ot-appliance-sizing.md) selected during sensor installation. Each hardware profile has a maximum capacity of events. For more information on the maximum event capacity for each hardware profile, see [OT event timeline retention](references-data-retention.md#ot-event-timeline-retention).
+
 ## Next steps
 
-For more information, see:
+[Audit user activity](track-user-activity.md)
+
+[View details and remediate a specific alert](how-to-view-alerts.md#view-details-and-remediate-a-specific-alert)
 
-- [View alerts](how-to-view-alerts.md).
-- [OT event timeline retention](references-data-retention.md#ot-event-timeline-retention).
+[Analyze programming details and changes](how-to-analyze-programming-details-changes.md)

articles/defender-for-iot/organizations/media/track-sensor-activity/create-new-event.png

@@ -31,14 +31,16 @@ Audit and track user activity on a sensor's **Event timeline**. The **Event time
     - Any **Admin** user
     - The *cyberx*, *support*, or *cyberx_host* user
 
-1. On the sensor, **Event Timeline** from the left-hand menu. Make sure that the filter is set to show **User Operations**.
+1. On the sensor, select **Event Timeline** from the left-hand menu. Make sure that the filter is set to show **User Operations**.
 
     For example:
 
     :::image type="content" source="media/manage-users-sensor/track-user-activity.png" alt-text="Screenshot of the Event Timeline on the sensor showing user activity.":::
 
 1. Use additional filters or search using **CTRL+F** to find the information of interest to you.
 
+    For more information on the event timeline, see [Track network and sensor activity with the event timeline](how-to-track-sensor-activity.md)
+
 ## Audit user activity on an on-premises management console
 
 To audit and track user activity on an on-premises management console, use the on-premises management console audit logs, which record key activity data at the time of occurrence. Use on-premises management console audit logs to understand changes that were made on the on-premises management console, when, and by whom.