articles/defender-for-iot/organizations/alerts.md (12 additions & 1 deletion)
@@ -5,7 +5,7 @@ ms.date: 08/06/2023
5
5
ms.topic: how-to
6
6
ms.custom: enterprise-iot
7
7
---
8
-
8
+
<!-- should we reassess the order of this article, does it make sesne? Could the flow be better? -->
9
9
# Microsoft Defender for IoT alerts
10
10
11
11
Microsoft Defender for IoT alerts enhance your network security and operations with real-time details about events logged in your network. Alerts are triggered when OT network sensors detect changes or suspicious activity in network traffic that needs your attention.
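Review bot: the added line `<!-- should we reassess the order of this article, does it make sesne? Could the flow be better? -->` is an unresolved editorial question (with a typo in "sesne") committed into the article source; track it in a work item or resolve it before merge rather than shipping the comment. The hunk's context also shows `ms.date: 08/06/2023` left untouched while the article gains a new section below; bump ms.date to the publish date so the freshness metadata matches the content.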
@@ -49,11 +49,22 @@ For more information, see:
49
49
50
50
Alert options also differ depending on your location and user role. For more information, see [Azure user roles and permissions](roles-azure.md) and [On-premises users and roles](roles-on-premises.md).
51
51
52
+
## Aggregating alert violations
53
+
54
+
Alert fatigue caused by a high number of identical alerts could lead to your team failing to see or remediate vital alerts. Each alert listed in the Alerts page is a result of a network violation, for example the *Unpermitted Usage of Modbus Function Code*. Aggregating violations with the same parameters and remediation requirements into one single alert listing, reduces the number of alerts displayed on the Alerts page. The matching parameters differ depending on the alert type. For example, the *Unpermitted Usage of Modbus Function Code* alert needs to have the same source and destination IP addresses to produce an aggregated alert violation. The aggregated alert could include alerts with different violation codes, such as read and write codes.
55
+
56
+
You download the aggregated alert violation data, that lists each alert with the relevant parameters and functions, as a CSV file in the **Violations** tab of the alert details. This data can help teams to identify patterns, assess impact and prioritize responses more effectively based on the remediation suggestions in the **Take action** tab. Only alerts that have the same remediation process are aggregated into a single alert. However, individual violation events can still be viewed separately within their respective devices, providing additional clarity.
57
+
58
+
The alerts that can be aggregated are listed in the [Alert reference](alert-engine-messages.md#policy-engine-alerts) policy engine alerts tables under the **Aggregarted** heading.
59
+
60
+
Alert grouping appears in both the OT sensor console and the Azure portal. For more information, see [remediate aggregated alerts in Sensor console](how-to-view-alerts.md#remediate-aggregated-alert-violations) and [remediate aggregated alerts in Azure portal](how-to-manage-cloud-alerts.md#remediate-aggregated-alert-violations).
61
+
52
62
## Focused alerts in OT/IT environments
53
63
54
64
Organizations where sensors are deployed between OT and IT networks deal with many alerts, related to both OT and IT traffic. The amount of alerts, some of which are irrelevant, can cause alert fatigue and affect overall performance. To address these challenges, Defender for IoT's detection policy steers its different [alert engines](alert-engine-messages.md#supported-alert-types) to focus on alerts with business impact and relevance to an OT network, and reduce low-value IT related alerts. For example, the **Unauthorized internet connectivity** alert is highly relevant in an OT network, but has relatively low value in an IT network.
55
65
56
66
To focus the alerts triggered in these environments, all alert engines, except for the *Malware* engine, trigger alerts only if they detect a related OT subnet or protocol.
67
+
57
68
However, to maintain triggering of alerts that indicate critical scenarios:
58
69
59
70
- The *Malware* engine triggers malware alerts regardless of whether the alerts are related to OT or IT devices.
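Review bot: "under the **Aggregarted** heading" in the paragraph that points at the Alert reference is a typo for "Aggregated"; because that text has to match the heading in alert-engine-messages.md, check the spelling there as well. Two commas in the new section break their sentences: "You download the aggregated alert violation data, that lists each alert" should read "You download the aggregated alert violation data, which lists each alert", and "Aggregating violations ... into one single alert listing, reduces the number" should drop the comma before "reduces". This section also says an aggregated alert "could include alerts with different violation codes, such as read and write codes", while the two how-to articles in this change describe aggregation as "identical parameters"; define the matching rule once here and have the how-to text link to it instead of restating it differently. Finally, the hunk adds a stray blank line between "To focus the alerts triggered..." and "However, to maintain triggering..." in the Focused alerts section, an unrelated whitespace change that should come out of this commit.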
articles/defender-for-iot/organizations/how-to-manage-cloud-alerts.md (20 additions & 0 deletions)
@@ -145,6 +145,26 @@ You might want to export a selection of alerts to a CSV file for offline sharing
145
145
146
146
The file is generated, and you're prompted to save it locally.
147
147
148
+
## Remediate aggregated alert violations
149
+
150
+
To reduce alert fatigue, multiple versions of the same alert violation with identical parameters are listed as one alert item in the Alerts page. As you investigate alerts, an aggregated alert is identified by the *Multiple violations* message that appears under the Source device IP. Use the **Violations** tab to investigate further and the **Take action** tab to remediate the alerts.
151
+
152
+
1. On the **Alerts** page, select an alert in the grid to display more details in the pane on the right.
153
+
154
+
1. For an aggregated alert the *Multiple violations* message appears underneath the Source device IP address, and the **Violations** tab is displayed.
155
+
156
+
:::image type="content" source="media/how-to-manage-cloud-alerts/alert-details-aggregated.png" alt-text="Screenshot of the alerts detail pane showing the aggregated alerts message, the ViolationsCount and the Violations tab.":::
157
+
158
+
1. Select the **Violations** tab.
159
+
160
+
1. Select **Export** to download the CSV data file. Open the file and examine the data.
161
+
162
+
:::image type="content" source="media/how-to-manage-cloud-alerts/alert-details-aggregated-csv.png" alt-text="Screenshot of example data from the csv file containing the list of multiple alerts that make up the content of the aggregated alert listed in the alert detail pane.":::
163
+
164
+
1. Select the **Take action** tab. Follow the **Remediation steps**.
165
+
166
+
1. Select **Learn**, if needed. For more information, see [learning an alert](alerts.md#alert-statuses-and-triaging-options).
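Review bot: step 2 ("For an aggregated alert the *Multiple violations* message appears underneath the Source device IP address, and the **Violations** tab is displayed.") is an observation rather than an action and repeats the intro paragraph; fold it into step 1 as the expected result, or rewrite it as "Confirm that the *Multiple violations* message appears..." so every numbered item is something the reader does. It also needs a comma after "alert". The alt text "the ViolationsCount" uses an internal-looking identifier; spell out what the screenshot shows (for example, "the violations count"). The intro says "Source device IP" while step 2 says "Source device IP address"; use one form.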
articles/defender-for-iot/organizations/how-to-view-alerts.md (18 additions & 0 deletions)
@@ -177,6 +177,24 @@ If your admin has [created custom comments](how-to-accelerate-alert-incident-res
177
177
178
178
For more information, see [Accelerating OT alert workflows](alerts.md#accelerating-ot-alert-workflows).
179
179
180
+
## Remediate aggregated alert violations
181
+
182
+
To reduce alert fatigue, multiple versions of the same alert violation with identical parameters are listed as one alert item in the Alerts page. As you investigate alerts, an aggregated alert is identified by the *Multiple violations* message that appears under the Source device IP. Use the **Violations** tab to investigate further and the **Take action** tab to remediate the alerts.
183
+
184
+
1. Sign into your OT sensor console and select the **Alerts** page on the left.
185
+
186
+
1. For an aggregated alert the *Multiple violations* message appears underneath the Source device IP address, and the **Violations** tab is displayed. <!-- add OT sensor image :::image type="content" source="media/how-to-manage-cloud-alerts/alert-details-aggregated.png" alt-text="Screenshot of the alerts detail pane showing the aggregated alerts message, the ViolationsCount and the Violations tab.":::-->
187
+
188
+
1. Select the **Violations** tab.
189
+
190
+
An inventory table displays the first 10 alerts from this aggregated alert group.
191
+
192
+
1. Select **Export** to download the CSV data file. Open the file and examine the data.
193
+
194
+
1. Select the **Take action** tab. Follow the **Remediation steps**.
195
+
196
+
1. Select **Learn**, if needed. For more information, see [learning an alert](alerts.md#alert-statuses-and-triaging-options).
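Review bot: the HTML comment `<!-- add OT sensor image ... -->` in step 2 is a placeholder that points at the Azure portal screenshot path (media/how-to-manage-cloud-alerts/...) and will ship as a TODO in the source; capture the sensor console screenshot or remove the comment before merge. "Sign into your OT sensor console" should be "Sign in to your OT sensor console". The line "An inventory table displays the first 10 alerts from this aggregated alert group." sits between steps 3 and 4 without list indentation, which restarts the numbering when rendered; indent it under step 3, and since the cloud how-to in this same change states no 10-alert limit, confirm whether that cap is specific to the sensor console and say so.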
articles/defender-for-iot/organizations/whats-new.md (11 additions & 0 deletions)
@@ -22,6 +22,16 @@ Features released earlier than nine months ago are described in the [What's new
22
22
23
23
The legacy on-premises management console won't be available for download after **January 1st, 2025**. We recommend transitioning to the new architecture using the full spectrum of on-premises and cloud APIs before this date. For more information, see [on-premises management console retirement](ot-deploy/on-premises-management-console-retirement.md).
24
24
25
+
## January 2025
26
+
27
+
|Service area |Updates |
28
+
|---------|---------|
29
+
|**OT networks**| - [Aggregating multiple alerts violations with the same parameters](#aggregating-multiple-alerts-violations-with-the-same-parameters)|
30
+
31
+
### Aggregating multiple alerts violations with the same parameters
32
+
33
+
To reduce alert fatigue, multiple versions of the same alert violation and with the same parameters are grouped together and listed in the alerts table as one item. The alert details pane lists each of the identical alert violations in the **Violations** tab and the appropriate remediation actions are listed in the **Take action** tab. For more information, see [aggregating alerts with the same parameters](alerts.md#aggregating-alert-violations).
34
+
25
35
## December 2024
26
36
27
37
|Service area |Updates |
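Review bot: "Aggregating multiple alerts violations with the same parameters" (table link text, anchor, and `###` heading) should read "alert violations", singular "alert"; change the heading and the `#aggregating-multiple-alerts-violations-with-the-same-parameters` anchor together so the in-page link keeps resolving. In the description, "multiple versions of the same alert violation and with the same parameters" has a stray "and". The entry is filed under January 2025 while alerts.md in the same change set still carries `ms.date: 08/06/2023`; align the dates.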
@@ -32,6 +42,7 @@ The legacy on-premises management console won't be available for download after
32
42
33
43
Alert details now display up to 10 source devices involved in DDoS attack.