Merge pull request #221128 from Shereen-Bhar/sensor-forensic-data

forensics data stored by the sensor

Author: v-dirichards

articles/defender-for-iot/organizations/how-to-manage-individual-sensors.md

@@ -41,7 +41,7 @@ A unique activation file is uploaded to each sensor that you deploy. For more in
 
 Locally connected sensors are associated with an Azure subscription. The activation file for your locally connected sensors contains an expiration date. One month before this date, a warning message appears in the System Messages window in the top-right corner of the console. The warning remains until after you've updated the activation file.
 
-You can continue to work with Defender for IoT features even if the activation file has expired. 
+You can continue to work with Defender for IoT features even if the activation file has expired.
 
 ### About activation files for cloud-connected sensors
 
@@ -51,9 +51,9 @@ Sensors that are cloud connected aren't limited by time periods for their activa
 
 You might need to upload a new activation file for an onboarded sensor when:
 
-- An activation file expires on a locally connected sensor. 
+- An activation file expires on a locally connected sensor.
 
-- You want to work in a different sensor management mode. 
+- You want to work in a different sensor management mode.
 
 - For sensors connected via an IoT Hub ([legacy](architecture-connections.md)), you want to assign a new Defender for IoT hub to a cloud-connected sensor.
 
@@ -97,7 +97,7 @@ You'll receive an error message if the activation file couldn't be uploaded. The
 
 ## Manage certificates
 
-Following sensor installation, a local self-signed certificate is generated and used to access the sensor web application. When logging in to the sensor for the first time, Administrator users are prompted to provide an SSL/TLS certificate. 
+Following sensor installation, a local self-signed certificate is generated and used to access the sensor web application. When logging in to the sensor for the first time, Administrator users are prompted to provide an SSL/TLS certificate.
 
 Sensor Administrators may be required to update certificates that were uploaded after initial login. This may happen, for example,  if a certificate expired.
 
@@ -138,7 +138,7 @@ This section describes how to ensure connection between the sensor and the on-pr
 
 3. In the **Sensor Setup – Connection String** section, copy the automatically generated connection string.
 
-   :::image type="content" source="media/how-to-manage-individual-sensors/connection-string-screen.png" alt-text="Copy the connection string from this screen."::: 
+   :::image type="content" source="media/how-to-manage-individual-sensors/connection-string-screen.png" alt-text="Copy the connection string from this screen.":::
 
 4. Sign in to the sensor console.
 
@@ -157,6 +157,7 @@ Continue with additional settings, such as [adding users](how-to-create-and-mana
 ## Change the name of a sensor
 
 You can change the name of your sensor console. The new name will appear in:
+
 - The sensor console web browser
 - Various console windows
 - Troubleshooting logs
@@ -233,6 +234,7 @@ System backup is performed automatically at 3:00 AM daily. The data is saved on
 You can automatically transfer this file to the internal network.
 
 > [!NOTE]
+>
 > - The backup and restore procedure can be performed between the same versions only.
 > - In some architectures, the backup is disabled. You can enable it in the `/var/cyberx/properties/backup.properties` file.
 
@@ -272,7 +274,7 @@ Sensor backup files are automatically named through the following format: `<sens
 
 4. Edit and create credentials to share for the SMB server:
 
-    `sudo nano /etc/samba/user` 
+    `sudo nano /etc/samba/user`
 
 5. Add:
 
@@ -299,30 +301,30 @@ You can restore a sensor from a backup file using the sensor console or the CLI.
 To restore a backup from the sensor console, the backup file must be accessible from the sensor.
 
 - **To download a backup file:**
-    
+
     1. Access the sensor using an SFTP client.
-    
+
     1. Sign in to an administrative account and enter the sensor IP address.
-    
+
     1. Download the backup file from your chosen location and save it. The default location for system backup files is `/var/cyberx/backups`.
-    
+
 - **To restore the sensor**:
-    
+
      1. Sign in to the sensor console and go to **System settings** > **Sensor management** > **Backup & restore** > **Restore**. For example:
-     
+
         :::image type="content" source="media/how-to-manage-individual-sensors/restore-sensor-screen.png" alt-text="Screenshot of Restore tab in sensor console.":::
-    
-    1. Select **Browse** to select your downloaded backup file. The sensor will start to restore from the selected backup file.
-    
-    1. When the restore process is complete, select **Close**.
+
+     1. Select **Browse** to select your downloaded backup file. The sensor will start to restore from the selected backup file.
+
+     1. When the restore process is complete, select **Close**.
 
 **To restore the latest backup file by using the CLI:**
 
 - Sign in to an administrative account and enter `cyberx-xsense-system-restore`.
 
 ## Configure SMTP settings
 
-Define SMTP mail server settings for the sensor so that you configure the sensor to send data to other servers. 
+Define SMTP mail server settings for the sensor so that you configure the sensor to send data to other servers.
 
 You'll need an SMTP mail server configured to enable email alerts about disconnected sensors, failed sensor backup retrievals, and SPAN monitoring port failures from the on-premises management console, and to set up mail forwarding and configure [forwarding alert rules](how-to-forward-alert-information-to-partners.md).
 
@@ -344,7 +346,7 @@ Make sure you can reach the SMTP server from the [sensor's management port](/azu
     |**SSL**     | Toggle on for secure connections from your sensor.        |
     |**Authentication**     | Toggle on and then enter a username and password for your email account.        |
     |**Use NTLM**     | Toggle on to enable [NTLM](/windows-server/security/kerberos/ntlm-overview). This option only appears when you have the **Authentication** option toggled on.        |
-        
+
 1. Select **Save** when you're done.
 
 ## Forward sensor failure alerts
@@ -415,7 +417,7 @@ To access system properties:
 
 ## Download a diagnostics log for support
 
-This procedure describes how to download a diagnostics log to send to support in connection with a specific support ticket. 
+This procedure describes how to download a diagnostics log to send to support in connection with a specific support ticket.
 
 This feature is supported for the following sensor versions:
 
@@ -434,6 +436,18 @@ This feature is supported for the following sensor versions:
 
 1. For a locally managed sensor, version 22.1.3 or higher, continue with [Upload a diagnostics log for support](how-to-manage-sensors-on-the-cloud.md#upload-a-diagnostics-log-for-support-public-preview).
 
+## Retrieve forensics data stored on the sensor
+
+Use Defender for IoT data mining reports on an OT network sensor to retrieve forensic data from that sensor’s storage. The following types of forensic data is stored locally on OT sensors, for devices detected by that sensor:
+
+- Device data
+- Alert data
+- Alert PCAP files
+- Event timeline data
+- Log files
+
+Each type of data has a different retention period and maximum capacity. For more information see [Create data mining queries](how-to-create-data-mining-queries.md).
+
 ## Clearing sensor data
 
 In cases where the sensor needs to be relocated or erased, the sensor can be reset.

articles/defender-for-iot/organizations/how-to-manage-sensors-from-the-on-premises-management-console.md

@@ -53,8 +53,6 @@ You can define the following sensor system settings from the management console:
 
 1. Select **Save**.
 
-
-
 ## Update threat intelligence packages
 
 The data package for threat intelligence is provided with each new Defender for IoT version, or if needed between releases. The package contains signatures (including malware signatures), CVEs, and other security content.
@@ -63,20 +61,19 @@ You can manually upload this file in the Azure portal and automatically update i
 
 [!INCLUDE [root-of-trust](includes/root-of-trust.md)]
 
-
 **To update the threat intelligence data:**
 
-1. Go to the Defender for IoT **Updates** page. 
+1. Go to the Defender for IoT **Updates** page.
 
 1. Download and save the file.
 
-1. Sign in to the management console. 
+1. Sign in to the management console.
 
-1. On the side menu, select **System Settings**. 
+1. On the side menu, select **System Settings**.
 
 1. Select the sensors that should receive the update in the **Sensor Engine Configuration** section.  
 
-1. In the **Select Threat Intelligence Data** section, select the plus sign (**+**). 
+1. In the **Select Threat Intelligence Data** section, select the plus sign (**+**).
 
 1. Upload the package that you downloaded from the Defender for IoT **Updates** page.
 
@@ -111,12 +108,24 @@ Sensors are protected by Defender for IoT engines. You can enable or disable the
 1. In the console's left pane, select **System Settings**.
 
 1. In the **Sensor Engine Configuration** section, select **Enable** or **Disable** for the engines.
- 	 	 
+
 1. Select **SAVE CHANGES**.
 
    A red exclamation mark appears if there's a mismatch of enabled engines on one of your enterprise sensors. The engine might have been disabled directly from the sensor.
 
-   :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/red-exclamation-example.png" alt-text="Mismatch of enabled engines."::: 
+   :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/red-exclamation-example.png" alt-text="Mismatch of enabled engines.":::
+
+## Retrieve forensics data stored on the sensor
+
+Use Defender for IoT data mining reports on an OT network sensor to retrieve forensic data from that sensor’s storage. The following types of forensic data is stored locally on OT sensors, for devices detected by that sensor:
+
+- Device data
+- Alert data
+- Alert PCAP files
+- Event timeline data
+- Log files
+
+Each type of data has a different retention period and maximum capacity. For more information see [Create data mining queries](how-to-create-data-mining-queries.md).
 
 ## Define sensor backup schedules
 
@@ -130,53 +139,53 @@ By default, sensors are automatically backed up at 3:00 AM daily. The backup sch
 
 :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/sensor-backup-schedule-screen.png" alt-text="A view of the sensor backup screen.":::
 
-When the default sensor backup location is changed, the on-premises management console automatically retrieves the files from the new location on the sensor or an external location, provided that the console has permission to access the location. 
+When the default sensor backup location is changed, the on-premises management console automatically retrieves the files from the new location on the sensor or an external location, provided that the console has permission to access the location.
 
 When the sensors aren't registered with the on-premises management console, the **Sensor Backup Schedule** dialog box indicates that no sensors are managed.  
 
 The restore process is the same regardless of where the files are stored. For more information on how to restore a sensor, see [Restore sensors](how-to-manage-individual-sensors.md#restore-sensors).
 
 ### Backup storage for sensors
 
-You can use the on-premises management console to maintain up to nine backups for each managed sensor, provided that the backed-up files don't exceed the maximum backup space that's allocated. 
+You can use the on-premises management console to maintain up to nine backups for each managed sensor, provided that the backed-up files don't exceed the maximum backup space that's allocated.
 
-The available space is calculated based on the management console model you're working with: 
+The available space is calculated based on the management console model you're working with:
 
-- **Production model**: Default storage is 40 GB; limit is 100 GB. 
+- **Production model**: Default storage is 40 GB; limit is 100 GB.
 
-- **Medium model**: Default storage is 20 GB; limit is 50 GB. 
+- **Medium model**: Default storage is 20 GB; limit is 50 GB.
 
-- **Laptop model**: Default storage is 10 GB; limit is 25 GB. 
+- **Laptop model**: Default storage is 10 GB; limit is 25 GB.
 
-- **Thin model**: Default storage is 2 GB; limit is 4 GB. 
+- **Thin model**: Default storage is 2 GB; limit is 4 GB.
 
-- **Rugged model**: Default storage is 10 GB; limit is 25 GB. 
+- **Rugged model**: Default storage is 10 GB; limit is 25 GB.
 
-The default allocation is displayed in the **Sensor Backup Schedule** dialog box. 
+The default allocation is displayed in the **Sensor Backup Schedule** dialog box.
 
 :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/edit-mail-server-configuration.png" alt-text="The Edit Mail Server Configuration screen.":::
 
-There's no storage limit when you're backing up to an external server. You must, however, define an upper allocation limit in the **Sensor Backup Schedule** > **Custom Path** field. The following numbers and characters are supported: `/, a-z, A-Z, 0-9, and _`. 
+There's no storage limit when you're backing up to an external server. You must, however, define an upper allocation limit in the **Sensor Backup Schedule** > **Custom Path** field. The following numbers and characters are supported: `/, a-z, A-Z, 0-9, and _`.
 
 Here's information about exceeding allocation storage limits:
 
-- If you exceed the allocated storage space, the sensor isn't backed up. 
+- If you exceed the allocated storage space, the sensor isn't backed up.
 
 - If you're backing up more than one sensor, the management console tries to retrieve sensor files for the managed sensors.  
 
-- If the retrieval from one sensor exceeds the limit, the management console tries to retrieve backup information from the next sensor. 
+- If the retrieval from one sensor exceeds the limit, the management console tries to retrieve backup information from the next sensor.
 
 When you exceed the retained number of backups defined, the oldest backed-up file is deleted to accommodate the new one.
 
-Sensor backup files are automatically named in the following format: `<sensor name>-backup-version-<version>-<date>.tar`. For example: `Sensor_1-backup-version-2.6.0.102-2019-06-24_09:24:55.tar`. 
+Sensor backup files are automatically named in the following format: `<sensor name>-backup-version-<version>-<date>.tar`. For example: `Sensor_1-backup-version-2.6.0.102-2019-06-24_09:24:55.tar`.
 
 **To back up sensors:**
 
 1. Select **Schedule Sensor Backup** from the **System Settings** window. Sensors that your on-premises management console manages appear in the **Sensor Backup Schedule** dialog box.  
 
 1. Enable the **Collect Backups** toggle.  
 
-1. Select a calendar interval, date, and time zone. The time format is based on a 24-hour clock. For example, enter 6:00 PM as **18:00**. 
+1. Select a calendar interval, date, and time zone. The time format is based on a 24-hour clock. For example, enter 6:00 PM as **18:00**.
 
 1. In the **Backup Storage Allocation** field, enter the storage that you want to allocate for your backups. You're notified if you exceed the maximum space.
 
@@ -186,27 +195,27 @@ Sensor backup files are automatically named in the following format: `<sensor na
 
    - To back up to the on-premises management console, disable the **Custom Path** toggle. The default location is `/var/cyberx/sensor-backups`.  
 
-   - To back up to an external server, enable the **Custom Path** toggle and enter a location. The following numbers and characters are supported: `/, a-z, A-Z, 0-9, and, _`. 
+   - To back up to an external server, enable the **Custom Path** toggle and enter a location. The following numbers and characters are supported: `/, a-z, A-Z, 0-9, and, _`.
 
-1. Select **Save**. 
+1. Select **Save**.
 
 **To back up immediately:**
 
-- Select **Back Up Now**. The on-premises management console creates and collects sensor backup files. 
+- Select **Back Up Now**. The on-premises management console creates and collects sensor backup files.
 
-### Receiving backup notifications for sensors 
+### Receiving backup notifications for sensors
 
 The **Sensor Backup Schedule** dialog box and the backup log automatically list information about backup successes and failures.  
 
 :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/sensor-location.png" alt-text="View your sensors and where they're located and all relevant information.":::
 
-Failures might occur because:    
+Failures might occur because:
 
-- No backup file is found. 
+- No backup file is found.
 
 - A file was found but can't be retrieved.  
 
-- There's a network connection failure. 
+- There's a network connection failure.
 
 - There's not enough room allocated to the on-premises management console to complete the backup.  
 
@@ -216,17 +225,17 @@ You can send an email notification, syslog updates, and system notifications whe
 
 **To set up an SMB server so you can save a sensor backup to an external drive:**
 
-1. Create a shared folder in the external SMB server. 
+1. Create a shared folder in the external SMB server.
 
-1. Get the folder path, username, and password required to access the SMB server. 
+1. Get the folder path, username, and password required to access the SMB server.
 
-1. In Defender for IoT, make a directory for the backups: 
+1. In Defender for IoT, make a directory for the backups:
 
     ```bash
     sudo mkdir /<backup_folder_name_on_server> 
 
     sudo chmod 777 /<backup_folder_name_on_server>/
-    ``` 
+    ```
 
 1. Edit fstab:  
 
@@ -235,14 +244,12 @@ You can send an email notification, syslog updates, and system notifications whe
 
     add - //<server_IP>/<folder_path> /<backup_folder_name_on_cyberx_server> cifs rw,credentials=/etc/samba/user,vers=3.0,uid=cyberx,gid=cyberx,file_mode=0777,dir_mode=0777 0 0
     ```
-   
 
-1. Edit or create credentials to share. These are the credentials for the SMB server: 
+1. Edit or create credentials to share. These are the credentials for the SMB server:
 
     ```bash
     sudo nano /etc/samba/user
     ```
-    
 
 1. Add:  
 
@@ -251,21 +258,18 @@ You can send an email notification, syslog updates, and system notifications whe
 
     password=<password>
     ```
-    
 
-1. Mount the directory: 
+1. Mount the directory:
 
     ```bash
     sudo mount -a
     ```
-    
 
 1. Configure a backup directory to the shared folder on the Defender for IoT sensor:  
 
     ```bash
     sudo nano /var/cyberx/properties/backup.properties 
     ```
-   
 
 1. Set `Backup.shared_location` to `<backup_folder_name_on_cyberx_server>`.
 
@@ -281,4 +285,3 @@ For more information, see:
 - [Manage sensors with Defender for IoT in the Azure portal](how-to-manage-sensors-on-the-cloud.md)
 - [Threat intelligence research and packages](how-to-work-with-threat-intelligence-packages.md)
 - [Troubleshoot the sensor and on-premises management console](how-to-troubleshoot-the-sensor-and-on-premises-management-console.md)
-