Merge pull request #222383 from batamig/on-prem-sentinel-2

On prem sentinel 2

Author: Stacyrch140

articles/defender-for-iot/organizations/TOC.yml

@@ -28,7 +28,7 @@
     href: tutorial-onboarding.md
   - name: Integrate with Microsoft Sentinel
     items:
-    - name: Connect Defender for IoT data to Microsoft Sentinel
+    - name: Connect Defender for IoT cloud data to Microsoft Sentinel
       href: iot-solution.md
     - name: Investigate Defender for IoT incidents with Microsoft Sentinel
       href: iot-advanced-threat-monitoring.md
@@ -144,6 +144,8 @@
       href: integrations/logrhythm.md
     - name: Micro Focus ArcSight
       href: integrations/arcsight.md
+    - name: Microsoft Sentinel (on-premises data)
+      href: integrations/on-premises-sentinel.md
     - name: Palo Alto
       href: tutorial-palo-alto.md
     - name: RSA NetWitness

articles/defender-for-iot/organizations/integrate-overview.md

@@ -70,8 +70,8 @@ Integrate Microsoft Defender for Iot with partner services to view partner data
 
 |Name  |Description  |Support scope  |Supported by  |Learn more |
 |---------|---------|---------|---------|---------|
-|**Defender for IoT data connector in Sentinel**     |  Displays Defender for IoT data in Microsoft Sentinel, supporting end-to-end SOC investigations for Defender for IoT alerts.   |    - OT and Enterprise IoT networks <br>- Cloud-connected sensors       |    Microsoft       | [Integrate Microsoft Sentinel and Microsoft Defender for IoT](../../sentinel/iot-solution.md?tabs=use-out-of-the-box-analytics-rules-recommended)  |
-|**Microsoft Sentinel**     |  Send Defender for IoT alerts to Microsoft Sentinel.   |    - OT networks <br>- Locally managed sensors and on-premises management consoles       |  Microsoft       |  |
+|**Defender for IoT data connector in Microsoft Sentinel**     |  Displays Defender for IoT cloud data in Microsoft Sentinel, supporting end-to-end SOC investigations for Defender for IoT alerts.   |    - OT and Enterprise IoT networks <br>- Cloud-connected sensors       |    Microsoft       | [Integrate Microsoft Sentinel and Microsoft Defender for IoT](../../sentinel/iot-solution.md?tabs=use-out-of-the-box-analytics-rules-recommended)  |
+|**Microsoft Sentinel**     |  Send Defender for IoT alerts from on-premises resources to Microsoft Sentinel.   |    - OT networks <br>- Locally managed sensors and on-premises management consoles       |  Microsoft       | [Connect on-premises OT network sensors to Microsoft Sentinel](integrations/on-premises-sentinel.md) |
 
 
 ## Palo Alto

articles/defender-for-iot/organizations/integrations/on-premises-sentinel.md

@@ -0,0 +1,50 @@
+---
+title: How to connect on-premises Defender for IoT resources to Microsoft Sentinel
+description: Learn how to stream data into Microsoft Sentinel from an on-premises and locally-managed Microsoft Defender for IoT OT network sensor or an on-premises management console.
+ms.topic: how-to #Required; leave this attribute/value as-is.
+ms.date: 12/26/2022
+ms.custom: template-how-to-pattern #Required; leave this attribute/value as-is.
+---
+
+# Connect on-premises OT network sensors to Microsoft Sentinel
+
+You can [stream Microsoft Defender for IoT data into Microsoft Sentinel](../iot-solution.md) via the Azure portal, for any data coming from cloud-connected OT network sensors.
+
+However, if you're working either in a hybrid environment, or completely on-premises, you might want to stream data in from your locally-managed sensors to Microsoft Sentinel. To do this, create forwarding rules on either your OT network sensor, or for multiple sensors from an on-premises management console.
+
+Stream data into Microsoft Sentinel whenever you want to use Microsoft Sentinel's advanced threat hunting, security analytics, and automation features when responding to security incidents and threats across your network. For more information, see [Microsoft Sentinel documentation](/azure/sentinel/).
+
+## Prerequisites
+
+Before you start, make sure that you have the following prerequisites as needed:
+
+- Access to the OT network sensor or on-premises management console as an **Admin** user. For more information, see [On-premises users and roles for OT monitoring with Defender for IoT](../roles-on-premises.md).
+
+- A proxy machine prepared to send data to Microsoft Sentinel. For more information, see [Get CEF-formatted logs from your device or appliance into Microsoft Sentinel](/azure/sentinel/connect-common-event-format).
+
+- If you want to encrypt the data you send to Microsoft Sentinel using TLS, make sure to generate a valid TLS certificate from the proxy server to use in your forwarding alert rule.
+
+
+## Set up forwarding alert rules
+
+1. Sign into your OT network sensor or on-premises management console and create a forwarding rule. For more information, see [Forward on-premises OT alert information](../how-to-forward-alert-information-to-partners.md).
+
+1. When creating your forwarding rule, make sure to select **Microsoft Sentinel** as the **Server** value. For example, on the OT sensor:
+
+    :::image type="content" source="../media/integration-on-premises-sentinel/sensor-sentinel.png" alt-text="Screenshot of the Microsoft Sentinel option from the OT sensor." lightbox="../media/integration-on-premises-sentinel/sensor-sentinel.png":::
+
+1. If you're using TLS encryption, make sure to select **Enable encryption** and upload your certificate and key files.
+
+Select **Save** when you're done. Make sure to test the rule to make sure that it works as expected.
+
+> [!IMPORTANT]
+> To forward alert details to multiple Microsoft Sentinel instances, make sure to create a separate forwarding rule for each instance. Don't use the **Add server** option in the same forwarding rule to send data to multiple Microsoft Sentinel instances.
+
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> [Stream data from cloud-connected sensors](../iot-solution.md)
+
+> [!div class="nextstepaction"]
+> [Investigate in Microsoft Sentinel](/azure/sentinel/investigate-cases)