MicrosoftDocs
diff --git a/‎articles/defender-for-iot/organizations/TOC.yml
Lines changed: 143 additions & 70 deletions b/‎articles/defender-for-iot/organizations/TOC.yml
Lines changed: 143 additions & 70 deletions
diff --git a/‎articles/defender-for-iot/organizations/alerts.md
Lines changed: 3 additions & 1 deletion b/‎articles/defender-for-iot/organizations/alerts.md
Lines changed: 3 additions & 1 deletion
diff --git a/‎articles/defender-for-iot/organizations/architecture-connections.md
Lines changed: 1 addition & 2 deletions b/‎articles/defender-for-iot/organizations/architecture-connections.md
Lines changed: 1 addition & 2 deletions
diff --git a/‎articles/defender-for-iot/organizations/architecture.md
Lines changed: 4 additions & 1 deletion b/‎articles/defender-for-iot/organizations/architecture.md
Lines changed: 4 additions & 1 deletion
@@ -51,20 +51,89 @@
       displayName: Microsoft Defender for Endpoint, MDE
     - name: Azure security baseline for Defender for IoT
       href: /security/benchmark/azure/baselines/microsoft-defender-for-iot-security-baseline?bc=%2fazure%2defender-for-iot%2fbreadcrumb%2ftoc.json&toc=%2fazure%2fdefender-for-iot%2fTOC.json       
-    - name: OT monitoring appliance catalog
-      items:
-      - name: Which appliances do I need?
-        href: ot-appliance-sizing.md
-      - name: Pre-configured appliances
-        href: ot-pre-configured-appliances.md
-      - name: OT monitoring with virtual appliances
-        href: ot-virtual-appliances.md 
 - name: Deploy
   items:
+  - name: Deploy OT monitoring
+    items:
+    - name: OT deployment path
+      href: ot-deploy/ot-deploy-path.md
+    - name: Plan and prepare for an OT deployment
+      items:    
+      - name: Plan your OT monitoring system
+        items:
+        - name: Overview
+          href: best-practices/plan-corporate-monitoring.md
+        - name: Azure connection methods
+          href: architecture-connections.md
+        - name: SSL/TLS certificate requirements
+          href: best-practices/certificate-requirements.md
+      - name: Prepare an OT site
+        items:
+        - name: Overview
+          href: best-practices/plan-prepare-deploy.md
+        - name: Defender for IoT and your network architecture
+          href: best-practices/understand-network-architecture.md
+        - name: Choose a traffic mirroring method
+          href: best-practices/traffic-mirroring-methods.md
+          displayName: SPAN port, TAP
+        - name: OT monitoring appliance catalog
+          items:
+          - name: Which appliances do I need?
+            href: ot-appliance-sizing.md
+          - name: Pre-configured appliances
+            href: ot-pre-configured-appliances.md
+          - name: OT monitoring with virtual appliances
+            href: ot-virtual-appliances.md 
+        - name: Create SSL/TLS certificates
+          href: ot-deploy/create-ssl-certificates.md  
+    - name: Onboard OT sensors to Azure
+      href: onboard-sensors.md
+    - name: Site networking setup
+      items:
+      - name: Configure traffic mirroring
+        items:
+        - name: Overview
+          href: traffic-mirroring/traffic-mirroring-overview.md
+        - name: Configure a switch SPAN port
+          href: traffic-mirroring/configure-mirror-span.md
+        - name: Configure a remote SPAN (RSPAN)
+          href: traffic-mirroring/configure-mirror-rspan.md
+        - name: Configure active or passive aggregation (TAP)
+          href: best-practices/traffic-mirroring-methods.md#active-or-passive-aggregation-tap
+        - name: Configure ERSPAN mirroring
+          href: traffic-mirroring/configure-mirror-erspan.md
+        - name: Configure mirroring with an ESXi vSwitch
+          href: traffic-mirroring/configure-mirror-esxi.md
+        - name: Configure mirroring with a Hyper-V vSwitch
+          href: traffic-mirroring/configure-mirror-hyper-v.md
+      - name: Provision for cloud management
+        href: ot-deploy/provision-cloud-management.md
+    - name: Deploy OT network sensors
+      items:
+      - name: Install sensor software
+        href: ot-deploy/install-software-ot-sensor.md
+      - name: Validate after installation
+        href: ot-deploy/post-install-validation-ot-software.md
+      - name: Activate and set up an OT sensor
+        href: ot-deploy/activate-deploy-sensor.md
+        displayName: SSL, TLS, certificate
+      - name: Configure proxy settings
+        href: connect-sensors.md
+    - name: Calibrate and fine-tune OT monitoring
+      items:
+      - name: Control OT traffic monitoring
+        href: how-to-control-what-traffic-is-monitored.md
+        displayName: VLAN, port name, subnets, DHCP
+      - name: Update detected device properties
+        href: ot-deploy/update-device-inventory.md
+      - name: Create a learned baseline of OT alerts
+        href: ot-deploy/create-learned-baseline.md
   - name: Deploy air-gapped OT sensor management
     items:
     - name: Air-gapped management deployment path
       href: ot-deploy/air-gapped-deploy.md
+    - name: Prepare an appliance
+      href: ot-deploy/prepare-management-appliance.md
     - name: Install an on-premises management console
       href: ot-deploy/install-software-on-premises-management-console.md
     - name: Activate and set up an on-premises management console
@@ -281,72 +350,76 @@
         href: how-to-troubleshoot-on-premises-management-console.md
 - name: Reference
   items:
-  - name: Sample connectivity models
-    href: best-practices/sample-connectivity-models.md
-  - name: Networking requirements
-    href: networking-requirements.md
-  - name: OT monitoring appliances
-    items:
-    - name: Overview
-      href: appliance-catalog/index.yml
-      displayName: appliance catalog
-    - name: Corporate environments
-      items:
-      - name: HPE ProLiant DL360
-        href: appliance-catalog/hpe-proliant-dl360.md
-    - name: Large enterprises
-      items:
-      - name: HPE ProLiant DL20 Gen10 Plus (4SFF)
-        href: appliance-catalog/hpe-proliant-dl20-plus-enterprise.md
-      - name: Dell Edge 5200 (Rugged MIL-STD-810G)
-        href: appliance-catalog/dell-edge-5200.md
-      - name: Dell PowerEdge R350
-        href: appliance-catalog/dell-poweredge-r350-e1800.md
-    - name: Production line
-      items:
-      - name: HPE ProLiant DL20 Gen10 Plus (NHP 2LFF)
-        href: appliance-catalog/hpe-proliant-dl20-plus-smb.md
-      - name: YS-techsystems YS-FIT2 (Rugged MIL-STD-810G)
-        href: appliance-catalog/ys-techsystems-ys-fit2.md
-    - name: Virtual appliances
-      items:
-      - name: OT sensor (VMware ESXi) 
-        href: appliance-catalog/virtual-sensor-vmware.md
-      - name: OT sensor (Hyper-V)
-        href: appliance-catalog/virtual-sensor-hyper-v.md
-      - name: On-premises management console (VMware ESXi)
-        href: appliance-catalog/virtual-management-vmware.md
-      - name: On-premises management console (Microsoft Hyper-V)
-        href: appliance-catalog/virtual-management-hyper-v.md
-    - name: Legacy appliances
-      items:
-      - name: HPE ProLiant DL20 Gen10 (E1800)
-        href: appliance-catalog/hpe-proliant-dl20-legacy.md
-      - name: Dell PowerEdge R340 XL (E1800)
-        href: appliance-catalog/dell-poweredge-r340-xl-legacy.md
-      - name: HPE Edgeline EL300 (L500 Rugged)
-        href: appliance-catalog/hpe-edgeline-el300.md
-      - name: HPE ProLiant DL20 Gen10 (L500 Rugged)
-        href: appliance-catalog/hpe-proliant-dl20-smb-legacy.md
-      - name: Neousys Nuvo-500LP (L100 Rugged)
-        href: appliance-catalog/neousys-nuvo-5006lp.md
   - name: Supported protocols
     href: concept-supported-protocols.md
   - name: Alert reference
     href: alert-engine-messages.md
     displayName: alerts
-  - name: Sensor health message reference
-    href: sensor-health-messages.md
-  - name: CLI command reference
+  - name: Deployment references
     items:
-    - name: CLI users and access
-      href: references-work-with-defender-for-iot-cli-commands.md
-      displayName: shell, login, cli, command-line, commands, users, user
-    - name: OT sensor CLI reference
-      href: cli-ot-sensor.md
-      displayName: shell, login, cli, command-line, commands, users, user
-  - name: Data retention
-    href: references-data-retention.md
+    - name: Sample connectivity models
+      href: best-practices/sample-connectivity-models.md
+    - name: Networking requirements
+      href: networking-requirements.md
+    - name: OT monitoring appliances
+      items:
+      - name: Overview
+        href: appliance-catalog/index.yml
+        displayName: appliance catalog
+      - name: Corporate environments
+        items:
+        - name: HPE ProLiant DL360
+          href: appliance-catalog/hpe-proliant-dl360.md
+      - name: Large enterprises
+        items:
+        - name: HPE ProLiant DL20 Gen10 Plus (4SFF)
+          href: appliance-catalog/hpe-proliant-dl20-plus-enterprise.md
+        - name: Dell Edge 5200 (Rugged MIL-STD-810G)
+          href: appliance-catalog/dell-edge-5200.md
+        - name: Dell PowerEdge R350
+          href: appliance-catalog/dell-poweredge-r350-e1800.md
+      - name: Production line
+        items:
+        - name: HPE ProLiant DL20 Gen10 Plus (NHP 2LFF)
+          href: appliance-catalog/hpe-proliant-dl20-plus-smb.md
+        - name: YS-techsystems YS-FIT2 (Rugged MIL-STD-810G)
+          href: appliance-catalog/ys-techsystems-ys-fit2.md
+      - name: Virtual appliances
+        items:
+        - name: OT sensor (VMware ESXi) 
+          href: appliance-catalog/virtual-sensor-vmware.md
+        - name: OT sensor (Hyper-V)
+          href: appliance-catalog/virtual-sensor-hyper-v.md
+        - name: On-premises management console (VMware ESXi)
+          href: appliance-catalog/virtual-management-vmware.md
+        - name: On-premises management console (Microsoft Hyper-V)
+          href: appliance-catalog/virtual-management-hyper-v.md
+      - name: Legacy appliances
+        items:
+        - name: HPE ProLiant DL20 Gen10 (E1800)
+          href: appliance-catalog/hpe-proliant-dl20-legacy.md
+        - name: Dell PowerEdge R340 XL (E1800)
+          href: appliance-catalog/dell-poweredge-r340-xl-legacy.md
+        - name: HPE Edgeline EL300 (L500 Rugged)
+          href: appliance-catalog/hpe-edgeline-el300.md
+        - name: HPE ProLiant DL20 Gen10 (L500 Rugged)
+          href: appliance-catalog/hpe-proliant-dl20-smb-legacy.md
+        - name: Neousys Nuvo-500LP (L100 Rugged)
+          href: appliance-catalog/neousys-nuvo-5006lp.md
+  - name: System maintenance references
+    items:
+    - name: Sensor health message reference
+      href: sensor-health-messages.md
+    - name: Data retention
+      href: references-data-retention.md
+    - name: CLI command reference
+      items:
+      - name: CLI users and access
+        href: references-work-with-defender-for-iot-cli-commands.md
+        displayName: shell, login, cli, command-line, commands, users, user
+      - name: OT sensor CLI reference
+        href: cli-ot-sensor.md
+        displayName: shell, login, cli, command-line, commands, users, user
   - name: API reference
     items:
     - name: Working with Defender for IoT APIs
@@ -375,6 +448,8 @@
         href: api/management-inventory-apis.md
       - name: Partner integration
         href: api/management-integration-apis.md
+- name: Resources
+  items:
   - name: Frequently asked questions
     items:
     - name: General FAQ
@@ -383,8 +458,6 @@
       href: faqs-ot.md
     - name: Enterprise IoT networks FAQ
       href: faqs-eiot.md
-- name: Resources
-  items:
   - name: Custom columns sample script
     href: custom-columns-sample-script.md
   - name: Regional availability
 
@@ -111,7 +111,7 @@ Use the following table to learn more about each alert status and triage option.
 |**Active**     |    - Azure portal only     |   Set an alert to *Active* to indicate that an investigation is underway, but that the alert can't yet be closed or otherwise triaged. <br><br>This status has no effect elsewhere in Defender for IoT.      |
 |**Closed**     | - Azure portal <br><br>- OT network sensors <br><br>- On-premises management console        | Close an alert to indicate that it's fully investigated, and you want to be alerted again the next time the same traffic is detected.<br><br>Closing an alert adds it to the sensor event timeline.<br><br>On the on-premises management console, *New* alerts are called *Acknowledged*.   |
 |**Learn**     | - Azure portal <br><br>- OT network sensors <br><br>- On-premises management console <br><br>*Unlearning* an alert is available only on the OT sensor.       |   Learn an alert when you want to close it and add it as allowed traffic, so that you aren't alerted again the next time the same traffic is detected. <br><br>For example, when the sensor detects firmware version changes following standard maintenance procedures, or when a new, expected device is added to the network. <br><br>Learning an alert closes the alert and adds an item to the sensor event timeline. Detected traffic is included in data mining reports, but not when calculating other OT sensor reports. <br><br>Learning alerts is available for selected alerts only, mostly those triggered by *Policy* and *Anomaly* engine alerts. |
-|**Mute**     |  - OT network sensors <br><br>- On-premises management console      <br><br>*Unmuting* an alert is available only on the OT sensor.  |  Mute an alert when you want to close it and not see again for the same traffic, but without adding the alert allowed traffic. <br><br>For example, when the Operational engine triggers an alert indicating that the PLC Mode was changed on a device. The new mode may indicate that the PLC isn't secure, but after investigation, it's determined that the new mode is acceptable. <br><br>Muting an alert closes it, but doesn't add an item to the sensor event timeline. Detected traffic is included in data mining reports, but not when when calculating data for other sensor reports. <br><br>Muting an alert is available for selected alerts only, mostly those triggered by the *Anomaly*, *Protocol Violation*, or *Operational* engines.  |
+|**Mute**     |  - OT network sensors <br><br>- On-premises management console      <br><br>*Unmuting* an alert is available only on the OT sensor.  |  Mute an alert when you want to close it and not see again for the same traffic, but without adding the alert allowed traffic. <br><br>For example, when the Operational engine triggers an alert indicating that the PLC Mode was changed on a device. The new mode may indicate that the PLC isn't secure, but after investigation, it's determined that the new mode is acceptable. <br><br>Muting an alert closes it, but doesn't add an item to the sensor event timeline. Detected traffic is included in data mining reports, but not when calculating data for other sensor reports. <br><br>Muting an alert is available for selected alerts only, mostly those triggered by the *Anomaly*, *Protocol Violation*, or *Operational* engines.  |
 
 > [!TIP]
 > If you know ahead of time which events are irrelevant for you, such as during a maintenance window, or if you don't want to track the event in the event timeline, create an alert exclusion rule on an on-premises management console instead.
@@ -125,6 +125,8 @@ Use the following table to learn more about each alert status and triage option.
 
 Use learning mode to perform an initial triage on the alerts in your network, *learning* those you want to mark as authorized, expected activity. Learned traffic doesn't generate new alerts the next time the same traffic is detected.
 
+For more information, see [Create a learned baseline of OT alerts](ot-deploy/create-learned-baseline.md).
+
 ## Next steps
 
 Review alert types and messages to help you understand and plan remediation actions and playbook integrations. For more information, see [OT monitoring alert types and descriptions](alert-engine-messages.md).
 
@@ -7,7 +7,6 @@ ms.date: 02/23/2023
 
 # Methods for connecting sensors to Azure
 
-<!--fix according to recipes doc-->
 This article is one in a series of articles describing the [deployment path](ot-deploy/ot-deploy-path.md) for OT monitoring with Microsoft Defender for IoT.
 
 Use the content below to learn about the architectures and methods supported for connecting Defender for IoT sensors to the Azure portal in the cloud.
@@ -18,7 +17,7 @@ Network sensors connect to Azure to provide data about detected devices, alerts,
 
 All connection methods provide:
 
-- **Improved security**, without additional security configurations. Connect to Azure using specific and secure endpoints, without the need for any wildcards.
+- **Improved security**, without additional security configurations. [Connect to Azure using specific and secure endpoints](networking-requirements.md#sensor-access-to-azure-portal), without the need for any wildcards.
 
 - **Encryption**, Transport Layer Security (TLS1.2/AES-256) provides encrypted communication between the sensor and Azure resources.
 
 
@@ -33,6 +33,7 @@ Defender for IoT network sensors discover and continuously monitor network traff
 
 Data collection, processing, analysis, and alerting takes place directly on the sensor, which can be ideal for locations with low bandwidth or high-latency connectivity. Only telemetry and insights are transferred on for management, either to the Azure portal or an on-premises management console.
 
+For more information, see [Defender for IoT OT deployment path](ot-deploy/ot-deploy-path.md).
 
 ### Cloud-connected vs. local OT sensors
 
@@ -74,7 +75,7 @@ Defender for IoT network sensors include the following main analytics engines:
 | **Policy Violation** | A policy violation occurs with a deviation from baseline behavior defined in learned or configured settings. | An *"Unauthorized HTTP User Agent"* alert indicates that an application that wasn't learned or approved by policy is used as an HTTP client on a device. This might be a new web browser or application on that device.|
 |**Industrial malware detection engine**     |  Identifies behaviors that indicate the presence of malicious network activity via known malware, such as Conficker, Black Energy, Havex, WannaCry, NotPetya, and Triton. | A *"Suspicion of Malicious Activity (Stuxnet)"* alert indicates that the sensor detected suspicious network activity known to be related to the Stuxnet malware. This malware is an advanced persistent threat aimed at industrial control and SCADA networks.     |
 |**Anomaly detection engine**     | Detects unusual machine-to-machine (M2M) communications and behaviors. <br><br>This engine models ICS networks and therefore requires a shorter learning period than analytics developed for IT. Anomalies are detected faster, with minimal false positives. | A *"Periodic Behavior in Communication Channel"* alert reflects periodic and cyclic behavior of data transmission, which is common in industrial networks.   <br>Other examples include excessive SMB sign-in attempts, and PLC scan detected alerts.    |
-|**Operational incident detection**     |   Detects operational issues such as intermittent connectivity that can indicate early signs of equipment failure.  | A *"Device is Suspected to be Disconnected (Unresponsive)"* alert is triggered when a device isn't responding to any kind of request for a predefined period. This alert might indicate a device shutdown, disconnection, or malfunction.  <br>Another example might be the that Siemens S7 stop PLC command was sent alerts.   |
+|**Operational incident detection**     |   Detects operational issues such as intermittent connectivity that can indicate early signs of equipment failure.  | A *"Device is Suspected to be Disconnected (Unresponsive)"* alert is triggered when a device isn't responding to any kind of request for a predefined period. This alert might indicate a device shutdown, disconnection, or malfunction.  <br>Another example might be if the Siemens S7 stop PLC command was sent alerts.   |
 
 ## Management options
 
@@ -94,6 +95,8 @@ Defender for IoT provides hybrid network support using the following management
 
     The software version on your on-premises management console must be equal to that of your most up-to-date sensor version. Each on-premises management console version is backwards compatible to older, supported sensor versions, but cannot connect to newer sensor versions.
 
+    For more information, see [Air-gapped OT sensor management deployment path](ot-deploy/air-gapped-deploy.md).
+
 ## What is a Defender for IoT committed device?
 
 [!INCLUDE [devices-inventoried](includes/devices-inventoried.md)]