
Commit 726f656

Merge pull request #200239 from v-dmankowitz/howto
Howto
2 parents dc54d4d + 51933c5 commit 726f656

15 files changed

+46
-46
lines changed

articles/defender-for-iot/device-builders/agent-based-recommendations.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -10,7 +10,7 @@ ms.date: 03/28/2022
1010
Defender for IoT scans your Azure resources and IoT devices and provides security recommendations to reduce your attack surface.
1111
Security recommendations are actionable and aim to aid customers in complying with security best practices.
1212

13-
In this article, you will find a list of recommendations, which can be triggered on your IoT devices.
13+
In this article, you'll find a list of recommendations, which can be triggered on your IoT devices.
1414

1515
## Agent based recommendations
1616
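Review bot: the comma before "which" on the rewritten line 13 makes the clause non-restrictive, but the sentence is describing the specific recommendations that can fire on your devices; suggest `In this article, you'll find a list of recommendations that can be triggered on your IoT devices.` while the line is being touched anyway.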

@@ -31,7 +31,7 @@ Operational recommendations provide insights and suggestions to improve security
3131
| Severity | Name | Data Source | Description |
3232
|--|--|--|--|
3333
| Low | Agent sends unutilized messages | Legacy Defender-IoT-micro-agent | 10% or more of security messages were smaller than 4 KB during the last 24 hours. |
34-
| Low | Security twin configuration not optimal | Legacy Defender-IoT-micro-agent | Security twin configuration is not optimal. |
34+
| Low | Security twin configuration not optimal | Legacy Defender-IoT-micro-agent | Security twin configuration isn't optimal. |
3535
| Low | Security twin configuration conflict | Legacy Defender-IoT-micro-agent | Conflicts were identified in the security twin configuration. |
3636

3737
## Next steps
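Review bot: the Description cell on the rewritten line 34 only repeats the recommendation name ("Security twin configuration isn't optimal."), so the reader still does not learn what the check looks at or what to change. Suggest stating the triggering condition, as the neighbouring rows do ("10% or more of security messages were smaller than 4 KB during the last 24 hours", "Conflicts were identified in the security twin configuration").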

articles/defender-for-iot/device-builders/concept-agent-based-security-alerts.md

Lines changed: 4 additions & 4 deletions
@@ -11,7 +11,7 @@ Defender for IoT continuously analyzes your IoT solution using advanced analytic
1111
In addition, you can create custom alerts based on your knowledge of expected device behavior.
1212
An alert acts as an indicator of potential compromise, and should be investigated and remediated.
1313

14-
In this article, you will find a list of built-in alerts, which can be triggered on your IoT devices.
14+
In this article, you'll find a list of built-in alerts, which can be triggered on your IoT devices.
1515
In addition to built-in alerts, Defender for IoT allows you to define custom alerts based on expected IoT Hub and/or device behavior.
1616

1717
For more information, see [customizable alerts](concept-customizable-security-alerts.md).
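Review bot: same restrictive-clause issue as the recommendations article: line 14 should read `In this article, you'll find a list of built-in alerts that can be triggered on your IoT devices.` rather than ", which can be triggered".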
@@ -27,7 +27,7 @@ For more information, see [customizable alerts](concept-customizable-security-al
2727
| Port forwarding detection | High | Defender-IoT-micro-agent | Initiation of port forwarding to an external IP address detected. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_PortForwarding |
2828
| Possible attempt to disable Auditd logging detected | High | Defender-IoT-micro-agent | Linux Auditd system provides a way to track security-relevant information on the system. The system records as much information about the events that are happening on your system as possible. This information is crucial for mission-critical environments to determine who violated the security policy and the actions they performed. Disabling Auditd logging may prevent your ability to discover violations of security policies used on the system. | Check with the device owner if this was legitimate activity with business reasons. If not, this event may be hiding activity by malicious actors. Immediately escalated the incident to your information security team. | IoT_DisableAuditdLogging |
2929
| Reverse shells | High | Defender-IoT-micro-agent | Analysis of host data on a device detected a potential reverse shell. Reverse shells are often used to get a compromised machine to call back into a machine controlled by a malicious actor. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_ReverseShell |
30-
| Successful local login | High | Defender-IoT-micro-agent | Successful local sign in to the device detected | Make sure the signed in user is an authorized party. | IoT_SucessfulLocalLogin |
30+
| Successful local login | High | Defender-IoT-micro-agent | Successful local sign-in to the device detected | Make sure the signed in user is an authorized party. | IoT_SucessfulLocalLogin |
3131
| Web shell | High | Defender-IoT-micro-agent | Possible web shell detected. Malicious actors commonly upload a web shell to a compromised machine to gain persistence or for further exploitation. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_WebShell |
3232
| Behavior similar to ransomware detected | High | Defender-IoT-micro-agent | Execution of files similar to known ransomware that may prevent users from accessing their system, or personal files, and may demand ransom payment to regain access. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_Ransomware |
3333
| Crypto coin miner image | High | Defender-IoT-micro-agent | Execution of a process normally associated with digital currency mining detected. | Verify with the user that ran the command if this was legitimate activity on the device. If not, escalate the alert to the information security team. | IoT_CryptoMiner |
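Review bot: the hyphenation on line 30 is applied to "sign-in" but not to the remediation text in the same row, which still reads "Make sure the signed in user is an authorized party"; suggest "signed-in user" for consistency. Two adjacent lines carry errors worth fixing in the same PR: context line 28 has "Immediately escalated the incident" where "escalate" is meant, and the alert type `IoT_SucessfulLocalLogin` on line 30 is spelled with one "c". If that string is what the service actually emits it must stay as is, but it is worth confirming against the alert schema rather than leaving it as a silent typo.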
@@ -37,8 +37,8 @@ For more information, see [customizable alerts](concept-customizable-security-al
3737
| Name | Severity | Data Source | Description | Suggested remediation steps | Alert type |
3838
|--|--|--|--|--|--|
3939
| Behavior similar to common Linux bots detected | Medium | Defender-IoT-micro-agent | Execution of a process normally associated with common Linux botnets detected. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_CommonBots |
40-
| Behavior similar to Fairware ransomware detected | Medium | Defender-IoT-micro-agent | Execution of rm -rf commands applied to suspicious locations detected using analysis of host data. Because rm -rf recursively deletes files, it is normally only used on discrete folders. In this case, it is being used in a location that could remove a large amount of data. Fairware ransomware is known to execute rm -rf commands in this folder. | Review with the user that ran the command this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_FairwareMalware |
41-
| Crypto coin miner container image detected | Medium | Defender-IoT-micro-agent | Container detecting running known digital currency mining images. | 1. If this behavior is not intended, delete the relevant container image. <br> 2. Make sure that the Docker daemon is not accessible via an unsafe TCP socket. <br> 3. Escalate the alert to the information security team. | IoT_CryptoMinerContainer |
40+
| Behavior similar to Fairware ransomware detected | Medium | Defender-IoT-micro-agent | Execution of rm -rf commands applied to suspicious locations detected using analysis of host data. Because rm -rf recursively deletes files, it's normally only used on discrete folders. In this case, it's being used in a location that could remove a large amount of data. Fairware ransomware is known to execute rm -rf commands in this folder. | Review with the user that ran the command this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_FairwareMalware |
41+
| Crypto coin miner container image detected | Medium | Defender-IoT-micro-agent | Container detecting running known digital currency mining images. | 1. If this behavior isn't intended, delete the relevant container image. <br> 2. Make sure that the Docker daemon isn't accessible via an unsafe TCP socket. <br> 3. Escalate the alert to the information security team. | IoT_CryptoMinerContainer |
4242
| Detected suspicious use of the nohup command | Medium | Defender-IoT-micro-agent | Suspicious use of the nohup command on host detected. Malicious actors commonly run the nohup command from a temporary directory, effectively allowing their executables to run in the background. Seeing this command run on files located in a temporary directory is not expected or usual behavior. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_SuspiciousNohup |
4343
| Detected suspicious use of the useradd command | Medium | Defender-IoT-micro-agent | Suspicious use of the useradd command detected on the device. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_SuspiciousUseradd |
4444
| Exposed Docker daemon by TCP socket | Medium | Defender-IoT-micro-agent | Machine logs indicate that your Docker daemon (dockerd) exposes a TCP socket. By default, Docker configuration, does not use encryption or authentication when a TCP socket is enabled. Default Docker configuration enables full access to the Docker daemon, by anyone with access to the relevant port. | Review with the user that ran the command if this was legitimate activity that you expect to see on the device. If not, escalate the alert to the information security team. | IoT_ExposedDocker |
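Review bot: line 40 is rewritten for contractions but keeps the missing "if" in its remediation cell, "Review with the user that ran the command this was legitimate activity"; suggest "Review with the user that ran the command if this was legitimate activity", matching every other row. On line 41, "Container detecting running known digital currency mining images" is not a sentence; something like "A container running a known digital currency mining image was detected" would do. Context line 44 also has a stray comma in "By default, Docker configuration, does not use encryption or authentication".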

articles/defender-for-iot/device-builders/concept-baseline.md

Lines changed: 3 additions & 3 deletions
@@ -21,13 +21,13 @@ Baseline custom checks establish a custom list of checks for each device baselin
2121

2222
1. In your IoT Hub, locate and select the device you wish to change.
2323

24-
1. Click on the device, and then click the **azureiotsecurity** module.
24+
1. Select on the device, and then select the **azureiotsecurity** module.
2525

26-
1. Click **Module Identity Twin**.
26+
1. Select **Module Identity Twin**.
2727

2828
1. Upload the **baseline custom checks** file to the device.
2929

30-
1. Add baseline properties to the Defender-IoT-micro-agent and click **Save**.
30+
1. Add baseline properties to the Defender-IoT-micro-agent and select **Save**.
3131

3232
### Baseline custom check file example
3333
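Review bot: the search-and-replace on line 24 produced "Select on the device", which is not idiomatic; "Click on the device" becomes "Select the device" (the preposition belongs to "click", not "select"). The step also duplicates line 22, which already has the user select the device, so the two could be merged into "Select the device, and then select the **azureiotsecurity** module."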

articles/defender-for-iot/device-builders/concept-customizable-security-alerts.md

Lines changed: 5 additions & 5 deletions
@@ -22,17 +22,17 @@ The following lists of Defender for IoT alerts are definable by you based on you
2222
| Custom alert - The number of cloud to device messages in AMQP protocol is outside the allowed range | Low | IoT Hub | The number of cloud to device messages (AMQP protocol) within a specific time window is outside the currently configured and allowable range. | IoT_CA_AmqpC2DMessagesNotInAllowedRange |
2323
| Custom alert - The number of rejected cloud to device messages in AMQP protocol is outside the allowed range | Low | IoT Hub | The number of cloud to device messages (AMQP protocol) rejected by the device, within a specific time window is outside the currently configured and allowable range. | IoT_CA_AmqpC2DRejectedMessagesNotInAllowedRange |
2424
| Custom alert - The number of device to cloud messages in AMQP protocol is outside the allowed range | Low | IoT Hub | The amount of device to cloud messages (AMQP protocol) within a specific time window is outside the currently configured and allowable range. | IoT_CA_AmqpD2CMessagesNotInAllowedRange |
25-
| Custom alert - The number of direct method invokes is outside the allowed range | Low | IoT Hub | The amount of direct method invokes within a specific time window is outside the currently configured and allowable range. | IoT_CA_DirectMethodInvokesNotInAllowedRange |
25+
| Custom alert - The number of direct method invokes are outside the allowed range | Low | IoT Hub | The amount of direct method invokes within a specific time window is outside the currently configured and allowable range. | IoT_CA_DirectMethodInvokesNotInAllowedRange |
2626
| Custom alert - The number of file uploads is outside the allowed range | Low | IoT Hub | The amount of file uploads within a specific time window is outside the currently configured and allowable range. | IoT_CA_FileUploadsNotInAllowedRange |
27-
| Custom alert - The number of cloud to device messages in HTTP protocol is outside the allowed range | Low | IoT Hub | The amount of cloud to device messages (HTTP protocol) in a time window is not in the configured allowed range | IoT_CA_HttpC2DMessagesNotInAllowedRange |
28-
| Custom alert - The number of rejected cloud to device messages in HTTP protocol is not in the allowed range | Low | IoT Hub | The amount of cloud to device messages (HTTP protocol) within a specific time window is outside the currently configured and allowable range. | IoT_CA_HttpC2DRejectedMessagesNotInAllowedRange |
27+
| Custom alert - The number of cloud to device messages in HTTP protocol is outside the allowed range | Low | IoT Hub | The amount of cloud to device messages (HTTP protocol) in a time window isn't in the configured allowed range | IoT_CA_HttpC2DMessagesNotInAllowedRange |
28+
| Custom alert - The number of rejected cloud to device messages in HTTP protocol isn't in the allowed range | Low | IoT Hub | The amount of cloud to device messages (HTTP protocol) within a specific time window is outside the currently configured and allowable range. | IoT_CA_HttpC2DRejectedMessagesNotInAllowedRange |
2929
| Custom alert - The number of device to cloud messages in HTTP protocol is outside the allowed range | Low | IoT Hub | The amount of device to cloud messages (HTTP protocol) within a specific time window is outside the currently configured and allowable range. | IoT_CA_HttpD2CMessagesNotInAllowedRange |
3030
| Custom alert - The number of cloud to device messages in MQTT protocol is outside the allowed range | Low | IoT Hub | The amount of cloud to device messages (MQTT protocol) within a specific time window is outside the currently configured and allowable range. | IoT_CA_MqttC2DMessagesNotInAllowedRange |
3131
| Custom alert - The number of rejected cloud to device messages in MQTT protocol is outside the allowed range | Low | IoT Hub | The amount of cloud to device messages (MQTT protocol) rejected by the device within a specific time window is outside the currently configured and allowable range. | IoT_CA_MqttC2DRejectedMessagesNotInAllowedRange |
3232
| Custom alert - The number of device to cloud messages in MQTT protocol is outside the allowed range | Low | IoT Hub | The amount of device to cloud messages (MQTT protocol) within a specific time window is outside the currently configured and allowable range. | IoT_CA_MqttD2CMessagesNotInAllowedRange |
3333
| Custom alert - The number of command queue purges that are outside of the allowed range | Low | IoT Hub | The amount of command queue purges within a specific time window is outside the currently configured and allowable range. | IoT_CA_QueuePurgesNotInAllowedRange |
34-
| Custom alert - The number of module twin updates is outside the allowed range | Low | IoT Hub | The amount of module twin updates within a specific time window is outside the currently configured and allowable range. | IoT_CA_TwinUpdatesNotInAllowedRange |
35-
| Custom alert - The number of unauthorized operations is outside the allowed range | Low | IoT Hub | The amount of unauthorized operations within a specific time window is outside the currently configured and allowable range. | IoT_CA_UnauthorizedOperationsNotInAllowedRange |
34+
| Custom alert - The number of module twin updates is outside the allowed range | Low | IoT Hub | The number of module twin updates within a specific time window is outside the currently configured and allowable range. | IoT_CA_TwinUpdatesNotInAllowedRange |
35+
| Custom alert - The number of unauthorized operations is outside the allowed range | Low | IoT Hub | The number of unauthorized operations within a specific time window is outside the currently configured and allowable range. | IoT_CA_UnauthorizedOperationsNotInAllowedRange |
3636

3737
## Next steps
3838
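Review bot: the rewritten line 25 introduces a subject-verb agreement error: the subject is "The number", which takes "is", so the original "The number of direct method invokes is outside the allowed range" was correct and that row's name should be reverted. The hunk also leaves the table inconsistent: lines 27 and 28 say "isn't in the allowed range" and "in a time window" while every other row says "is outside the allowed range" and "within a specific time window", and lines 34 and 35 switch "amount of" to "number of" (correct for countable items) while lines 22 through 33 still say "amount of". Suggest applying one wording to all rows in this PR.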

articles/defender-for-iot/device-builders/concept-data-processing.md

Lines changed: 1 addition & 1 deletion
@@ -7,7 +7,7 @@ ms.topic: conceptual
77

88
# Data processing and residency
99

10-
Microsoft Defender for IoT is a separate service which adds an extra layer of threat protection to the Azure IoT Hub, IoT Edge, and your devices. Defender for IoT may process, and store your data within a different geographic location than your IoT Hub.
10+
Microsoft Defender for IoT is a separate service, which adds an extra layer of threat protection to the Azure IoT Hub, IoT Edge, and your devices. Defender for IoT may process, and store your data within a different geographic location than your IoT Hub.
1111

1212
Mapping between the IoT Hub, and Microsoft Defender for IoT's regions is as follows:
1313
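Review bot: adding the comma before "which" on line 10 turns the clause non-restrictive; the intended reading is restrictive, "a separate service that adds an extra layer of threat protection". The same line keeps a stray comma in "may process, and store your data"; suggest "may process and store your data".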

articles/defender-for-iot/device-builders/concept-event-aggregation.md

Lines changed: 1 addition & 1 deletion
@@ -105,7 +105,7 @@ The data collected for each event is:
105105
| **os_version** | The version of the operating system. For example, `Windows 10`, or `Ubuntu 20.04.1`. |
106106
| **os_platform** | The OS of the device. |
107107
| **os_arch** | The architecture of the OS. For example, `x86_64`. |
108-
| **nics** | The network interface controller. The full list of properties are listed below. |
108+
| **nics** | The network interface controller. The full list of properties is listed below. |
109109

110110
The **nics** properties are composed of the following;
111111
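Review bot: the fix on line 108 corrects the verb but the subject is still off: **nics** is a list, so "The network interface controllers of the device." fits better than "The network interface controller.", and "The full list of properties is listed below" could lose the repetition as "The full list of properties is given below". Context line 110 ends "composed of the following;" with a semicolon where a colon is needed.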

articles/defender-for-iot/device-builders/concept-micro-agent-configuration.md

Lines changed: 1 addition & 1 deletion
@@ -67,7 +67,7 @@ These configurations include process, and network activity collectors.
6767

6868
| Setting Name | Setting options | Description | Default |
6969
|--|--|--|--|
70-
| **Devices** | A list of the network devices separated by a comma. <br><br>For example `eth0,eth1` | Defines the list of network devices (interfaces) that the agent will use to monitor the traffic. <br><br>If a network device isn't listed, the Network Raw events will not be recorded for the missing device.| `eth0` |
70+
| **Devices** | A list of the network devices separated by a comma. <br><br>For example `eth0,eth1` | Defines the list of network devices (interfaces) that the agent will use to monitor the traffic. <br><br>If a network device isn't listed, the Network Raw events won't be recorded for the missing device.| `eth0` |
7171
| | | | |
7272

7373
## Process collector specific-settings
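Review bot: context line 71 is an empty table row (`| | | | |`) that renders as a blank row under the **Devices** entry; suggest removing it in the same hunk. Line 70 also says "that the agent will use to monitor the traffic", where the present tense "uses to monitor traffic" matches the style cleanup this PR is doing.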

articles/defender-for-iot/device-builders/tutorial-configure-agent-based-solution.md

Lines changed: 2 additions & 2 deletions
@@ -9,7 +9,7 @@ ms.topic: tutorial
99

1010
This tutorial will help you learn how to configure the Microsoft Defender for IoT agent-based solution.
1111

12-
In this tutorial you will learn how to:
12+
In this tutorial you'll learn how to:
1313

1414
> [!div class="checklist"]
1515
> - Enable data collection
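Review bot: line 12 needs a comma after the introductory phrase: "In this tutorial, you'll learn how to:". The same sentence recurs in the other tutorials touched by this PR and should get the same comma.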
@@ -71,7 +71,7 @@ You can choose to add storage of an additional information type as `raw events`.
7171

7272
1. Select a subscription from the drop-down menu.
7373

74-
1. Select a workspace from the drop-down menu. If you do not already have an existing Log Analytics workspace, you can select **Create New Workspace** to create a new one.
74+
1. Select a workspace from the drop-down menu. If you don't already have an existing Log Analytics workspace, you can select **Create New Workspace** to create a new one.
7575

7676
1. Verify that the **Access to raw security data** option is selected.
7777
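Review bot: line 74 still reads "If you don't already have an existing Log Analytics workspace", where "already" and "existing" say the same thing; suggest "If you don't already have a Log Analytics workspace, select **Create New Workspace** to create one."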

articles/defender-for-iot/device-builders/tutorial-create-micro-agent-module-twin.md

Lines changed: 2 additions & 2 deletions
@@ -1,6 +1,6 @@
11
---
22
title: Create a DefenderforIoTMicroAgent module twin (Preview)
3-
description: In this tutorial, you will learn how to create a DefenderIotMicroAgent module twin for new devices.
3+
description: In this tutorial, you'll learn how to create a DefenderIotMicroAgent module twin for new devices.
44
ms.date: 01/16/2022
55
ms.topic: tutorial
66
ms.custom: mode-other
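Review bot: line 3 names the module `DefenderIotMicroAgent` while the title on line 2 names it `DefenderforIoTMicroAgent`; the two should agree with the module identity name the tutorial actually creates. The description also needs the comma: "In this tutorial, you'll learn how to create ...".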
@@ -34,7 +34,7 @@ Defender for IoT uses the module twin mechanism, and maintains a Defender-IoT-mi
3434

3535
To take full advantage of all Defender for IoT feature's, you need to create, configure, and use the Defender-IoT-micro-agent twins for every device in the service.
3636

37-
In this tutorial you will learn how to:
37+
In this tutorial you'll learn how to:
3838

3939
> [!div class="checklist"]
4040
> - Create a DefenderIotMicroAgent module twin
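Review bot: context line 35 has a stray apostrophe in "all Defender for IoT feature's" (should be "features"), and line 37 needs a comma after the introductory phrase: "In this tutorial, you'll learn how to:".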

articles/defender-for-iot/device-builders/tutorial-investigate-security-alerts.md

Lines changed: 1 addition & 1 deletion
@@ -9,7 +9,7 @@ ms.date: 01/13/2022
99

1010
This tutorial will help you learn how to investigate, and remediate the alerts issued by Defender for IoT. Remediating alerts is the best way to ensure compliance, and protection across your IoT solution.
1111

12-
In this tutorial you will learn how to:
12+
In this tutorial you'll learn how to:
1313

1414
> [!div class="checklist"]
1515
> - Investigate security alerts
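Review bot: context line 10 has stray commas in "investigate, and remediate the alerts" and "compliance, and protection"; both are simple coordinated pairs and take no comma. Line 12 needs the comma after "In this tutorial".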
