articles/defender-for-iot/organizations/how-to-accelerate-alert-incident-response.md
6 additions & 7 deletions
@@ -86,9 +86,10 @@ In the **Custom alert rules** page, select one or more rules, and then select *
## Allow DNS traffic on an OT sensor
-
Allow unauthorized internet alerts in bulk by creating an allowlist of domain names on your OT sensor.
+
Decrease the number of unauthorized internet alerts by creating an allowlist of domain names on your OT sensor. When a DNS allowlist is configured, the sensor checks each unauthorized internet connectivity attempt against the list before triggering an alert. If the domain's FQDN is included in the allowlist, the sensor doesn’t trigger the alert and allows the traffic automatically.
+
+
All OT sensor users can view a currently configured list of domains in a [data mining report](how-to-create-data-mining-queries.md), including the FQDNs, resolved IP addresses, and the last resolution time.
-
When a DNS allowlist is configured, the sensor checks each unauthorized internet connectivity attempt against the list. If the domain's FQDN is included in the allowlist, the sensor allows the traffic automatically, without triggering an alert.
**To define a DNS allowlist:**
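Review bot: in the added intro paragraph (new line 89), "the sensor doesn’t trigger the alert and allows the traffic automatically" says the same thing twice, and the second half reads as if the sensor enforces a policy. Everything else in this section describes alert suppression only (the report text below says the resolved IP addresses "won't trigger an internet connectivity alert" for the TTL), so suggest ending the sentence at "doesn't trigger the alert". The same line uses a curly apostrophe ("doesn’t") where the surrounding text uses straight quotes. One more sentence would also help here: the match is on the FQDN, but the effect covers every IP address the domain resolves to (that is what the report at the end of the section lists), and readers configuring the allowlist should know that before they reach the report step.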
@@ -104,18 +105,16 @@ When a DNS allowlist is configured, the sensor checks each unauthorized internet
1. Select **Submit** to save your changes.
-
> [!TIP]
-
> All OT sensor users can view the currently configured list of domains in a data mining report, including the FQDNs, resolved IP addresses, and the last resolution time. For more information, see [Create data mining queries](how-to-create-data-mining-queries.md).
-
**To view in a data mining report:**
+
**To view the current allowlist in a data mining report:**
-
[Create a custom data mining report](how-to-create-data-mining-queries.md#create-an-ot-sensor-custom-data-mining-report) and make sure to select **Internet Domain Allowlist** under **DNS** when choosing a category in the **Create new report**pane.
+
When selecting a category in your [custom data mining report](how-to-create-data-mining-queries.md#create-an-ot-sensor-custom-data-mining-report), make sure to select **Internet Domain Allowlist** under the **DNS**category.
For example:
:::image type="content" source="media/how-to-accelerate-alert-incident-response/data-mining-allowlist.png" alt-text="Screenshot of how to generate a custom data mining report for the allowlist in the sensor console." lightbox="media/how-to-accelerate-alert-incident-response/data-mining-allowlist.png":::
-
The generated data mining report will then show a list of the allowed domains and each IP address that’s being resolved for those domains, as well as the TTL (in seconds) during which those IP addresses won't trigger an internet connectivity alert. For example:
+
The generated data mining report shows a list of the allowed domains and each IP address that’s being resolved for those domains. The report also includes the TTL, in seconds, during which those IP addresses won't trigger an internet connectivity alert. For example:
:::image type="content" source="media/how-to-accelerate-alert-incident-response/data-mining-report-allowlist.png" alt-text="Screenshot of data mining report of allowlist in the sensor console." lightbox="media/how-to-accelerate-alert-incident-response/data-mining-report-allowlist.png":::
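Review bot: the replacement sentence under "To view the current allowlist in a data mining report" drops the instruction the removed line carried. Removed: "[Create a custom data mining report](...) and make sure to select **Internet Domain Allowlist** under **DNS**". Added: "When selecting a category in your [custom data mining report](...), make sure to select ...", which assumes a report is already being created. Suggest keeping the imperative, e.g. "Create a [custom data mining report](how-to-create-data-mining-queries.md#create-an-ot-sensor-custom-data-mining-report) and, when choosing a category, select **Internet Domain Allowlist** under **DNS**." Also, as rendered here `**DNS**category` has no space before "category" (the removed line had the same problem with `**Create new report**pane`); confirm the source has the space, otherwise the bold runs into the word. The heading rename and the removal of the TIP are fine now that the same note lives in the section intro.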