Merge pull request #188746 from batamig/iot-feb-21-release

Aggregated IoT Feb 21 release

Author: ttorble

articles/defender-for-iot/organizations/alert-engine-messages.md

@@ -2,7 +2,7 @@
 title: What is agentless solution architecture
 description: Learn about Microsoft Defender for IoT agentless architecture and information flow.
 ms.topic: overview
-ms.date: 11/09/2021
+ms.date: 02/06/2022
 ---
 
 # Microsoft Defender for IoT architecture
@@ -87,7 +87,7 @@ Tightly integrated with your SOC workflows and run books, it enables easy priori
 
 - Control all sensors – configure and monitor all sensors from a single location.
 
-   :::image type="content" source="media/updates/alerts-and-site-management-v2.png" alt-text="Manage all of your alerts and information.":::
+   :::image type="content" source="media/architecture/initial-dashboard.png" alt-text="Screen shot of dashboard." lightbox="media/architecture/initial-dashboard.png":::
 
 ### Azure portal
 

articles/defender-for-iot/organizations/architecture.md

@@ -224,9 +224,9 @@ You can access console tools from the side menu.  Tools help you:
 
 | Tools| Description |
 |---|---|
-| Event timeline | View a timeline with information about alerts, network events, and user operations. For more information, see [Event timeline](how-to-track-sensor-activity.md#event-timeline).|
-| Data mining | Generate comprehensive and granular information about your network's devices at various layers. For more information, see [Sensor data mining queries](how-to-create-data-mining-queries.md#sensor-data-mining-queries).|
-| Trends and Statistics |  View trends and statistics about an extensive range of network traffic and activity.  As a small example, display charts and graphs showing top traffic by port, connectivity drops by hours, S7 traffic by control function, number of devices per VLAN, SRTP errors by day, or Modbus traffic by function. For more information, see [Sensor trends and statistics reports](how-to-create-trends-and-statistics-reports.md#sensor-trends-and-statistics-reports).
+| Event timeline | View a timeline with information about alerts, network events, and user operations. For more information, see [Track sensor activity](how-to-track-sensor-activity.md).|
+| Data mining | Generate comprehensive and granular information about your network's devices at various layers. For more information, see [Sensor data mining queries](how-to-create-data-mining-queries.md).|
+| Trends and Statistics |  View trends and statistics about an extensive range of network traffic and activity.  As a small example, display charts and graphs showing top traffic by port, connectivity drops by hours, S7 traffic by control function, number of devices per VLAN, SRTP errors by day, or Modbus traffic by function. For more information, see [Sensor trends and statistics reports](how-to-create-trends-and-statistics-reports.md).
 | Risk Assessment | Proactively address vulnerabilities,  identify risks such as missing patches or unauthorized applications. Detect changes to device configurations, controller logic, and firmware. Prioritize fixes based on risk scoring and automated threat modeling.  For more information, see [Risk assessment reporting](how-to-create-risk-assessment-reports.md#risk-assessment-reporting).|
 | Attack Vector |  Display a graphical representation of a vulnerability chain of exploitable devices. These vulnerabilities can give an attacker access to key network devices. The Attack Vector Simulator calculates attack vectors in real time and analyzes all attack vectors for a specific target. For more information, see [Attack vector reporting](how-to-create-attack-vector-reports.md#attack-vector-reporting).|
 

articles/defender-for-iot/organizations/how-to-activate-and-set-up-your-sensor.md

@@ -48,7 +48,7 @@ The Programming Analysis window displays both authorized and unauthorized progra
 
 Access the Programming Analysis window from the:
 
-- [Event Timeline](#event-timeline)
+- [Event Timeline](how-to-track-sensor-activity.md)
 
 - [Unauthorized Programming Alerts](#unauthorized-programming-alerts)
 

articles/defender-for-iot/organizations/how-to-analyze-programming-details-changes.md

@@ -1,78 +1,34 @@
 ---
-title: Configure Windows endpoint monitoring
-description: Enrich data resolved on devices by working with Windows endpoint monitoring (WMI).
-ms.date: 11/09/2021
+title: Configure Windows endpoint monitoring for Defender for IoT devices
+description: Set up Windows endpoint monitoring (WMI) for Windows information on devices.
+ms.date: 02/01/2022
 ms.topic: how-to
 ---
 
 
 # Configure Windows endpoint monitoring (WMI)
 
-With the Windows endpoint monitoring capability, you can configure Microsoft Defender for IoT to selectively probe Windows systems. This provides you with more focused and accurate information about your devices, such as service pack levels.
+Use WMI to scan Windows systems for focused and accurate device information, such as service pack levels. You can scan specific IP address ranges and hosts. You can perform scheduled or manual scans. When a scan is finished, you can view the results in a CSV log file. The log contains all the IP addresses that were probed, and success and failure information for each address. There's also an error code, which is a free string derived from the exception.  Note that:
 
-You can configure probing with specific ranges and hosts, and configure it to be performed only as often as desired. You accomplish selective probing by using the Windows Management Instrumentation (WMI), which is Microsoft's standard scripting language for managing Windows systems.
+- You can run only one scan at a time.
+- You get the best results with users who have domain or local administrator privileges.
+- Only the scan of the last log is kept in the system.
 
-> [!NOTE]
-> - You can run only one scan at a time.
-> - You get the best results with users who have domain or local administrator privileges.
-> - Before you begin the WMI configuration, configure a firewall rule that opens outgoing traffic from the sensor to the scanned subnet by using UDP port 135 and all TCP ports above 1024.
 
-When the probe is finished, a log file with all the probing attempts is available from the option to export a log. The log contains all the IP addresses that were probed. For each IP address, the log shows success and failure information. There's also an error code, which is a free string derived from the exception. The scan of the last log only is kept in the system.
+## Set up a firewall rule
 
-You can perform scheduled scans or manual scans. When a scan is finished, you can view the results in a CSV file.
+Before you begin scanning, create a firewall rule that allows outgoing traffic from the sensor to the scanned subnet by using UDP port 135 and all TCP ports above 1024.
 
-**Prerequisites**
 
-Configure a firewall rule that opens outgoing traffic from the sensor to the scanned subnet by using UDP port 135 and all TCP ports above 1024.
+## Set up scanning
 
-## Perform an automatic scan
+1. In Defender for Cloud select **System Settings**.
+1. Under **Network monitoring**, select **Windows Endpoint Monitoring (WMI)**
+1. In the **Windows Endpoint Monitoring (WMI) dialog, select **Add ranges**. You can also import and export ranges.
+1. Specify the IP address range you want to scan. You can add multiple ranges.
+1. Add your user name and password, and ensure that **Enable** is toggled on.
+1. In **Scan will run**, specify when you want the automatic scan to run. You can set an hourly interval between scans, or a specific scan time.
+1. If you want to run a scan immediately with the configured settings, select **Manually scan**.
+1. Select **Save** to save the automatic scan settings.
+1. When the scan is finished, select to view/export scan results.
 
-This section describes how to perform an automatic scan
-
-**To perform an automatic scan:**
-
-1. On the side menu, select **System Settings**.
-
-2. Select **Windows Endpoint Monitoring** :::image type="icon" source="media/how-to-control-what-traffic-is-monitored/windows-endpoint-monitoring-icon-v2.png" border="false":::.
-
-    :::image type="content" source="media/how-to-control-what-traffic-is-monitored/windows-endpoint-monitoring-screen-v2.png" alt-text="Screenshot that shows the selection of Windows Endpoint Monitoring.":::
-
-3. On the **Scan Schedule** pane, configure options as follows:
-
-      - **By fixed intervals (in hours)**: Set the scan schedule according to intervals in hours.
-
-      - **By specific times**: Set the scan schedule according to specific times and select **Save Scan**.
-
-    :::image type="content" source="media/how-to-control-what-traffic-is-monitored/schedule-a-scan-screen-v2.png" alt-text="Screenshot that shows the Save Scan button.":::
-
-4. To define the scan range, select **Set scan ranges**.
-
-5. Set the IP address range and add your user and password.
-
-    :::image type="content" source="media/how-to-control-what-traffic-is-monitored/edit-scan-range-screen.png" alt-text="Screenshot that shows adding a user and password.":::
-
-6. To exclude an IP range from a scan, select **Disable** next to the range.
-
-7. To remove a range, select :::image type="icon" source="media/how-to-control-what-traffic-is-monitored/remove-scan-icon.png" border="false"::: next to the range.
-
-8. Select **Save**. The **Edit Scan Ranges Configuration** dialog box closes, and the number of ranges appears in the **Scan Ranges** pane.
-
-## Perform a manual scan
-
-**To perform a manual scan:**
-
-1. On the side menu, select **System Settings**.
-
-2. Select **Windows Endpoint Monitoring** :::image type="icon" source="media/how-to-control-what-traffic-is-monitored/windows-endpoint-monitoring-icon-v2.png" border="false":::.
-
-    :::image type="content" source="media/how-to-control-what-traffic-is-monitored/windows-endpoint-monitoring-screen-v2.png" alt-text="Screenshot that shows the Windows Endpoint Monitoring setup screen.":::
-
-3. In the **Actions** pane, select **Start scan**. A status bar appears on the **Actions** pane and shows the progress of the scanning process.
-
-    :::image type="content" source="media/how-to-control-what-traffic-is-monitored/started-scan-screen-v2.png" alt-text="Screenshot that shows the Start scan button.":::
-
-## View scan results
-
-**To view scan results:**
-
-1. When the scan is finished, on the **Actions** pane, select **View Scan Results**. The CSV file with the scan results is downloaded to your computer.

articles/defender-for-iot/organizations/how-to-configure-windows-endpoint-monitoring.md

@@ -11,7 +11,7 @@ This article describes how to create and manage users of sensors and the on-prem
 
 Features are also available to track user activity and enable Active Directory sign in.
 
-By default, each sensor and on-premises management console is installed with a *cyberx and support* user. These users have access to advanced tools for troubleshooting and setup. Administrator users should sign in with these user credentials, create an admin user, and then create extra users for Security Analysts and Read-only users.
+By default, each sensor and on-premises management console is installed with a *cyberx, support* and *cyberx_host* user. These users have access to advanced tools for troubleshooting and setup. Administrator users should sign in with these user credentials, create an admin user, and then create extra users for security analysts and read-only users.
 
 ## Role-based permissions
 The following user roles are available: