Merge pull request #266183 from limwainstein/alert-detection-policy-new

Alert detection policies

Author: prmerger-automator[bot]

articles/defender-for-iot/organizations/alert-engine-messages.md

@@ -41,6 +41,8 @@ Alert severities on this page are listed by the severity as shown in the Azure p
 | **Malware alerts** | Triggered when the Malware engine detects malicious network activity. For example, the engine detects a known attack such as Conficker. |
 | **Anomaly alerts** | Triggered when the Anomaly engine detects a deviation. For example, a device is performing network scans but isn't defined as a scanning device. |
 
+Defender for IoT's alert detection policy steers the different alert engines to trigger alerts based on business impact and network context, and reduce low-value IT related alerts. For more information, see [Focused alerts in OT/IT environments](alerts.md#focused-alerts-in-otit-environments).
+
 ## Supported alert categories
 
 Each alert has one of the following categories:

articles/defender-for-iot/organizations/alerts.md

@@ -50,6 +50,16 @@ For more information, see:
 
 Alert options also differ depending on your location and user role. For more information, see [Azure user roles and permissions](roles-azure.md) and [On-premises users and roles](roles-on-premises.md).
 
+## Focused alerts in OT/IT environments
+
+Organizations where sensors are deployed between OT and IT networks deal with many alerts, related to both OT and IT traffic. The amount of alerts, some of which are irrelevant, can cause alert fatigue and affect overall performance. To address these challenges, Defender for IoT's detection policy steers its different [alert engines](alert-engine-messages.md#supported-alert-types) to focus on alerts with business impact and relevance to an OT network, and reduce low-value IT related alerts. For example, the **Unauthorized internet connectivity** alert is highly relevant in an OT network, but has relatively low value in an IT network.
+
+To focus the alerts triggered in these environments, all alert engines, except for the *Malware* engine, trigger alerts only if they detect a related OT subnet or protocol. 
+However, to maintain triggering of alerts that indicate critical scenarios: 
+
+- The *Malware* engine triggers malware alerts regardless of whether the alerts are related to OT or IT devices.
+- The other engines include exceptions for critical scenarios. For example, the *Operational* engine triggers alerts related to sensor traffic, regardless of whether the alert is related to OT or IT traffic.
+
 ## Managing OT alerts in a hybrid environment
 
 Users working in hybrid environments might be managing OT alerts in [Defender for IoT](https://portal.azure.com/#view/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/~/Getting_started) on the Azure portal, the OT sensor, and an on-premises management console.

articles/defender-for-iot/organizations/whats-new.md

@@ -20,7 +20,15 @@ Features released earlier than nine months ago are described in the [What's new
 
 |Service area  |Updates  |
 |---------|---------|
-| **OT networks** | [Alert ID now aligned on the Azure portal and sensor console](#alert-id-now-aligned-on-the-azure-portal-and-sensor-console) |
+| **OT networks** | - [Focused alerts in OT/IT environments](#focused-alerts-in-otit-environments)<br>- [Alert ID now aligned on the Azure portal and sensor console](#alert-id-now-aligned-on-the-azure-portal-and-sensor-console) |
+
+### Focused alerts in OT/IT environments
+
+Organizations where sensors are deployed between OT and IT networks deal with many alerts, related to both OT and IT traffic. The amount of alerts, some of which are irrelevant, can cause alert fatigue and affect overall performance. 
+
+To address these challenges, we've updated Defender for IoT's detection policy to automatically trigger alerts based on business impact and network context, and reduce low-value IT related alerts.  
+
+For more information, see [Focused alerts in OT/IT environments](alerts.md#focused-alerts-in-otit-environments).
 
 ### Alert ID now aligned on the Azure portal and sensor console