Merge pull request #291219 from tarTech23/learman

prmerger-automator[bot] · web-flow · commit 5a9477d7c999 · 2025-01-08T20:04:45.000Z
manual update to learn setting change
diff --git a/articles/defender-for-iot/organizations/how-to-manage-individual-sensors.md b/articles/defender-for-iot/organizations/how-to-manage-individual-sensors.md
@@ -222,7 +222,7 @@ A Microsoft Defender for IoT OT network sensor starts monitoring your network au
 
 Initially, this activity happens in *learning* mode, which instructs your OT sensor to learn your network's usual activity, including the devices and protocols in your network, and the regular file transfers that occur between specific devices. Any regularly detected activity becomes your network's [baseline traffic](ot-deploy/create-learned-baseline.md).
 
-This procedure describes how to turn off learning mode manually if you feel that the current alerts accurately reflect your network activity.
+This procedure describes how to turn off learning mode manually when the current alerts accurately reflect your network activity.
 
 **To turn off learning mode**:
 
diff --git a/articles/defender-for-iot/organizations/ot-deploy/create-learned-baseline.md b/articles/defender-for-iot/organizations/ot-deploy/create-learned-baseline.md
@@ -17,7 +17,6 @@ An OT network sensor starts monitoring your network automatically after it's con
 
 Initially, this activity happens in *learning* mode, which instructs your OT sensor to learn your network's usual activity, including the devices and protocols in your network, and the regular file transfers that occur between specific devices. Any regularly detected activity becomes your network's baseline traffic.
 
-
 > [!TIP]
 > Use your time in learning mode to triage your alerts and *Learn* those that you want to mark as authorized, expected activity. Learned traffic doesn't generate new alerts the next time the same traffic is detected.
 >
@@ -27,9 +26,11 @@ For more information, see [Microsoft Defender for IoT alerts](../alerts.md).
 
 ### Learn mode timeline
 
-Creating your baseline of OT alerts can take anywhere from a few days to several weeks, depending on your network size and complexity. Learning mode automatically turns off when the sensor detects a decrease in newly detected traffic, which is typically between 2-6 weeks after deployment.
+Creating your baseline of OT alerts can take anywhere from a few days to several weeks, depending on your network size and complexity. We recommend that after 2-6 weeks, you manually change the Learning mode to Dynamic mode when the daily number of alerts decreases to a manageable level. In dynamic mode Defender for IoT continues to monitor the network for suspicious traffic, trigger alerts, and also automatically moves an alert category to operational mode if that alert isn't triggered for a specific length of time.
+
+In operational mode all alerts produced are listed in the inventory and must be remediated by following the actions listed in the alert details pane. If the alert was triggered by safe network traffic you'll need to use the **Learn** button to add this traffic to the baseline list so that the sensor doesn't produce an alert for this in the future.
 
-[Turn off learning mode manually before then](../how-to-manage-individual-sensors.md#turn-off-learning-mode-manually) if you feel that the current alerts accurately reflect your network activity.
+[Turn off learning mode manually](../how-to-manage-individual-sensors.md#turn-off-learning-mode-manually) when the level of alerts accurately reflect your network activity.
 
 ## Prerequisites
 
diff --git a/articles/defender-for-iot/organizations/ot-deploy/ot-deploy-path.md b/articles/defender-for-iot/organizations/ot-deploy/ot-deploy-path.md
@@ -179,7 +179,7 @@ Your OT sensors will remain in *Learning mode* for as long as new traffic is det
 When baseline learning ends, the OT monitoring deployment process is complete, and you'll continue on in operational mode for ongoing monitoring. In operational mode, any activity that differs from your baseline data will trigger an alert.
 
 > [!TIP]
-> [Turn off learning mode manually](../how-to-manage-individual-sensors.md#turn-off-learning-mode-manually) if you feel that the current alerts in Defender for IoT reflect your network traffic accurately, and learning mode hasn't already ended automatically.
+> [Turn off learning mode manually](../how-to-manage-individual-sensors.md#turn-off-learning-mode-manually) when the current alerts in Defender for IoT reflect your network traffic accurately.
 >
 
 ## Connect Defender for IoT data to your SIEM

Original file line number	Diff line number	Diff line change
`@@ -179,7 +179,7 @@ Your OT sensors will remain in Learning mode for as long as new traffic is det`
`179`	`179`	`When baseline learning ends, the OT monitoring deployment process is complete, and you'll continue on in operational mode for ongoing monitoring. In operational mode, any activity that differs from your baseline data will trigger an alert.`
`180`	`180`
`181`	`181`	`> [!TIP]`
`182`		`-> [Turn off learning mode manually](../how-to-manage-individual-sensors.md#turn-off-learning-mode-manually) if you feel that the current alerts in Defender for IoT reflect your network traffic accurately, and learning mode hasn't already ended automatically.`
	`182`	`+> [Turn off learning mode manually](../how-to-manage-individual-sensors.md#turn-off-learning-mode-manually) when the current alerts in Defender for IoT reflect your network traffic accurately.`
`183`	`183`	`>`
`184`	`184`
`185`	`185`	`## Connect Defender for IoT data to your SIEM`