Merge pull request #232111 from Shereen-Bhar/integration-section

Integration section review

Author: ttorble

articles/defender-for-iot/organizations/concept-sentinel-integration.md

@@ -125,6 +125,7 @@ SecurityIncident
 
 For more information, see:
 
+- [Integrations with Microsoft and partner services](integrate-overview.md)
 - [Tutorial: Connect Microsoft Defender for IoT with Microsoft Sentinel](../../sentinel/iot-solution.md)
 - [Detect threats out-of-the-box with Defender for IoT data](../../sentinel/iot-advanced-threat-monitoring.md#detect-threats-out-of-the-box-with-defender-for-iot-data)
 - [Create custom analytics rules to detect threats](../../sentinel/detect-threats-custom.md)

articles/defender-for-iot/organizations/integrate-overview.md

@@ -18,7 +18,6 @@ Integrate Microsoft Defender for Iot with partner services to view partner data
 
 ## Axonius
 
-
 |Name  |Description  |Support scope  |Supported by  |Learn more |
 |---------|---------|---------|---------|---------|
 |**Axonius Cybersecurity Asset Management**      |    Import and manage device inventory discovered by Defender for IoT in your Axonius instance.      |  - OT networks<br>- Locally managed sensors and on-premises management consoles      |   Axonius      |  [Axonius documentation](https://docs.axonius.com/docs/azure-defender-for-iot)  |
@@ -106,7 +105,6 @@ Integrate Microsoft Defender for Iot with partner services to view partner data
 | **Splunk** | Send Defender for IoT alerts to Splunk | - OT networks <br>- Cloud connected sensors | Microsoft | [Stream Defender for IoT cloud alerts to a partner SIEM](integrations/send-cloud-data-to-partners.md) |
 |**Splunk**     |  Send Defender for IoT alerts to Splunk       |   - OT networks<br>- Locally managed sensors and on-premises management consoles       |  Microsoft       | [Integrate Splunk with Microsoft Defender for IoT](tutorial-splunk.md)   |
 
-
 ## Next steps
 
 > [!div class="nextstepaction"]

articles/defender-for-iot/organizations/integrations/arcsight.md

@@ -13,7 +13,7 @@ This article describes how to send Microsoft Defender for IoT alerts to ArcSight
 
 Before you begin, make sure that you have the following prerequisites:
 
-- Access to a Defender for IoT OT sensor as an Admin user.
+- Access to a Defender for IoT OT sensor as an Admin user. For more information, see [On-premises users and roles for OT monitoring with Defender for IoT](../roles-on-premises.md).
 
 ## Configure the ArcSight receiver type
 
@@ -28,32 +28,38 @@ For more information, see the [ArcSight SmartConnectors Documentation](https://w
 
 This procedure describes how to create a forwarding rule from your OT sensor to send Defender for IoT alerts from that sensor to ArcSight.
 
-Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.
+Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created aren't affected by the rule.
 
 For more information, see [Forward alert information](../how-to-forward-alert-information-to-partners.md).
 
-1. Sign in to your OT sensor console and select **Forwarding** on the left.
+1. Sign in to your OT sensor console and select **Forwarding**.
 
-1. Enter a meaningful name for your rule, and then define your rule details, including:
+1. Select **+ Create new rule**.
 
-    - The minimal alert level. For example, if you select Minor, you are notified about all minor, major and critical incidents.
-    - The protocols you want to include in the rule.
-    - The traffic you want to include in the rule.
+1. In the **Add forwarding rule** pane, define the rule parameters:
+
+    :::image type="content" source="../media/integrate-arcsight/create-new-forwarding-rule.png" alt-text="Screenshot of creating a new forwarding rule." lightbox="../media/integrate-arcsight/create-new-forwarding-rule.png":::
+
+    | Parameter  | Description  |
+    |---------|---------|
+    | **Rule name**     | Enter a meaningful name for your rule.        |
+    | **Minimal alert level**     | The minimal security level incident to forward. For example, if you select Minor, you're notified about all minor, major and critical incidents.        |
+    | **Any protocol detected**     |  Toggle off to select the protocols you want to include in the rule.       |
+    | **Traffic detected by any engine**     | Toggle off to select the traffic you want to include in the rule.       |
 
 1. In the **Actions** area, define the following values:
 
-    - **Server**: Select **ArcSight**
-    - **Host**: The ArcSight server address
-    - **Port**: The ArcSight server port
-    - **Timezone**: The timezone of the ArcSight server
+    | Parameter  | Description  |
+    |---------|---------|
+    | **Server** | Select **ArcSight**. |
+    | **Host** | The ArcSight server address. |
+    | **Port** | The ArcSight server port. |
+    | **Timezone** | Enter the timezone of the ArcSight server. |
 
 1. Select **Save** to save your forwarding rule.
 
 ## Next steps
 
-For more information, see:
-
-- [Integrations with partner services](../integrate-overview.md)
+- [Integrations with Microsoft and partner services](../integrate-overview.md)
 - [Forward alert information](../how-to-forward-alert-information-to-partners.md)
 - [Manage individual sensors](../how-to-manage-individual-sensors.md)
-

articles/defender-for-iot/organizations/integrations/logrhythm.md

@@ -13,32 +13,41 @@ This article describes how to send Microsoft Defender for IoT alerts to LogRhyth
 
 Before you begin, make sure that you have the following prerequisites:
 
-- Access to a Defender for IoT OT sensor as an Admin user.
+- Access to a Defender for IoT OT sensor as an Admin user. For more information, see [On-premises users and roles for OT monitoring with Defender for IoT](../roles-on-premises.md).
 
 ## Create a Defender for IoT forwarding rule
 
 This procedure describes how to create a forwarding rule from your OT sensor to send Defender for IoT alerts from that sensor to LogRhythm.
 
-Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.
+Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created aren't affected by the rule.
 
 For more information, see [Forward alert information](../how-to-forward-alert-information-to-partners.md).
 
-1. Sign in to your OT sensor console and select **Forwarding** on the left.
+1. Sign in to your OT sensor console and select **Forwarding**.
 
-1. Enter a meaningful name for your rule, and then define your rule details, including:
+1. Select **+ Create new rule**.
 
-    - The minimal alert level. For example, if you select Minor, you are notified about all minor, major and critical incidents.
-    - The protocols you want to include in the rule.
-    - The traffic you want to include in the rule.
+1. In the **Add forwarding rule** pane, define the rule parameters:
+
+    :::image type="content" source="../media/integrate-logrhythm/create-new-forwarding-rule.png" alt-text="Screenshot of creating a new forwarding rule." lightbox="../media/integrate-logrhythm/create-new-forwarding-rule.png":::
+
+    | Parameter  | Description  |
+    |---------|---------|
+    | **Rule name**     | Enter a meaningful name for your rule.        |
+    | **Minimal alert level**     | The minimal security level incident to forward. For example, if you select Minor, you're notified about all minor, major and critical incidents.        |
+    | **Any protocol detected**     |  Toggle off to select the protocols you want to include in the rule.       |
+    | **Traffic detected by any engine**     | Toggle off to select the traffic you want to include in the rule.       |
 
 1. In the **Actions** area, define the following values:
 
-    - **Server**: Select a SYSLOG server option, such as **SYSLOG Server (LEEF format)
-    - **Host**: The IP or hostname of your LogRhythm collector
-    - **Port**: Enter **514**
-    - **Timezone**: Enter your timezone
+    | Parameter  | Description  |
+    |---------|---------|
+    | **Server** | Select a SYSLOG server option, such as **SYSLOG Server (LEEF format)**. |
+    | **Host** | The IP or hostname of your LogRhythm collector |
+    | **Port** | Enter 514. |
+    | **Timezone** | Enter your timezone. |
 
-1. Select **Save** to save your forwarding rule.
+1. Select **Save**.
 
 ## Configure LogRhythm to collect logs
 
@@ -48,7 +57,5 @@ For more information, see the [LogRhythm documentation](https://docs.logrhythm.c
 
 ## Next steps
 
-For more information, see:
-
-- [Integrations with partner services](../integrate-overview.md)
+- [Integrations with Microsoft and partner services](../integrate-overview.md)
 - [Forward alert information](../how-to-forward-alert-information-to-partners.md)

articles/defender-for-iot/organizations/integrations/netwitness.md

@@ -13,39 +13,46 @@ This article describes how to send Microsoft Defender for IoT alerts to RSA NetW
 
 Before you begin, make sure that you have the following prerequisites:
 
-- Access to a Defender for IoT OT sensor as an Admin user.
+- Access to a Defender for IoT OT sensor as an Admin user. For more information, see [On-premises users and roles for OT monitoring with Defender for IoT](../roles-on-premises.md).
 
 - NetWitness configuration to collect events from sources that support Common Event Format (CEF). For more information, see the [CyberX Platform - RSA NetWitness CEF Parser Implementation Guide](https://community.netwitness.com//t5/netwitness-platform-integrations/cyberx-platform-rsa-netwitness-cef-parser-implementation-guide/ta-p/554364).
 
 ## Create a Defender for IoT forwarding rule
 
 This procedure describes how to create a forwarding rule from your OT sensor to send Defender for IoT alerts from that sensor to NetWitness.
 
-Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created are not affected by the rule.
+Forwarding alert rules run only on alerts triggered after the forwarding rule is created. Alerts already in the system from before the forwarding rule was created aren't affected by the rule.
 
 For more information, see [Forward alert information](../how-to-forward-alert-information-to-partners.md).
 
-1. Sign in to your OT sensor console and select **Forwarding** on the left.
+1. Sign in to your OT sensor console and select **Forwarding**.
 
-1. Enter a meaningful name for your rule, and then define your rule details, including:
+1. Select **+ Create new rule**.
 
-    - The minimal alert level. For example, if you select Minor, you are notified about all minor, major and critical incidents.
-    - The protocols you want to include in the rule.
-    - The traffic you want to include in the rule.
+1. In the **Add forwarding rule** pane, define the rule parameters:
+
+    :::image type="content" source="../media/integrate-netwitness/create-new-forwarding-rule.png" alt-text="Screenshot of creating a new forwarding rule." lightbox="../media/integrate-netwitness/create-new-forwarding-rule.png":::
+
+    | Parameter  | Description  |
+    |---------|---------|
+    | **Rule name**     | Enter a meaningful name for your rule.        |
+    | **Minimal alert level**     | The minimal security level incident to forward. For example, if you select Minor, you're notified about all minor, major and critical incidents.        |
+    | **Any protocol detected**     |  Toggle off to select the protocols you want to include in the rule.       |
+    | **Traffic detected by any engine**     | Toggle off to select the traffic you want to include in the rule.       |
 
 1. In the **Actions** area, define the following values:
 
-    - **Server**: Select **NetWitness**
-    - **Host**: The NetWitness hostname
-    - **Port**: The NetWitness port
-    - **Timezone**: Enter your NetWitness timezone
+    | Parameter  | Description  |
+    |---------|---------|
+    | **Server** | Select **NetWitness**. |
+    | **Host** | The NetWitness hostname. |
+    | **Port** | The NetWitness port. |
+    | **Timezone** | Enter your NetWitness timezone. |
 
 1. Select **Save** to save your forwarding rule.
 
 ## Next steps
 
-For more information, see:
-
 - [CyberX Platform - RSA NetWitness CEF Parser Implementation Guide](https://community.netwitness.com//t5/netwitness-platform-integrations/cyberx-platform-rsa-netwitness-cef-parser-implementation-guide/ta-p/554364)
-- [Integrations with partner services](../integrate-overview.md)
+- [Integrations with Microsoft and partner services](../integrate-overview.md)
 - [Forward alert information](../how-to-forward-alert-information-to-partners.md)

articles/defender-for-iot/organizations/integrations/on-premises-sentinel.md

@@ -24,7 +24,6 @@ Before you start, make sure that you have the following prerequisites as needed:
 
 - If you want to encrypt the data you send to Microsoft Sentinel using TLS, make sure to generate a valid TLS certificate from the proxy server to use in your forwarding alert rule.
 
-
 ## Set up forwarding alert rules
 
 1. Sign into your OT network sensor or on-premises management console and create a forwarding rule. For more information, see [Forward on-premises OT alert information](../how-to-forward-alert-information-to-partners.md).
@@ -40,11 +39,14 @@ Select **Save** when you're done. Make sure to test the rule to make sure that i
 > [!IMPORTANT]
 > To forward alert details to multiple Microsoft Sentinel instances, make sure to create a separate forwarding rule for each instance. Don't use the **Add server** option in the same forwarding rule to send data to multiple Microsoft Sentinel instances.
 
-
 ## Next steps
 
 > [!div class="nextstepaction"]
 > [Stream data from cloud-connected sensors](../iot-solution.md)
 
 > [!div class="nextstepaction"]
-> [Investigate in Microsoft Sentinel](../../../sentinel/investigate-cases.md)
+> [Investigate in Microsoft Sentinel](../../../sentinel/investigate-cases.md)
+
+For more information, see:
+> [!div class="nextstepaction"]
+> [Integrations with Microsoft and partner services](../integrate-overview.md)

articles/defender-for-iot/organizations/integrations/send-cloud-data-to-partners.md

@@ -48,7 +48,6 @@ You'll need Azure Active Directory (Azure AD) defined as a service principal for
     - **Application (client) ID**
     - **Directory (tenant) ID**
 
-
 1. From the **Certificates & secrets** page, note the values of your client secret **Value** and **Secret ID**.
 
 ## Create an Azure event hub
@@ -108,6 +107,7 @@ Once data starts getting ingested into Splunk from your event hub, query the dat
 
 ## Next steps
 
-This article describes how to forward alerts generated by cloud-connected sensors only. If you're working on-premises, such as in air-gapped environments, you may be able to create a forwarding alert rule to forward alert data directly from an OT sensor or on-premises management console. 
+This article describes how to forward alerts generated by cloud-connected sensors only. If you're working on-premises, such as in air-gapped environments, you may be able to create a forwarding alert rule to forward alert data directly from an OT sensor or on-premises management console.
 
-For more information, see [Integrations with Microsoft and partner services](../integrate-overview.md).
+> [!div class="nextstepaction"]
+> [Integrations with Microsoft and partner services](../integrate-overview.md).