
Commit 7df7ca2

committed
first
1 parent dc3a582 commit 7df7ca2

File tree

5 files changed

+22
-5
lines changed


articles/defender-for-iot/organizations/alert-engine-messages.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -79,6 +79,11 @@ Each alert has one of the following categories:
7979

8080
Policy engine alerts describe detected deviations from learned baseline behavior.
8181

82+
| Title | Description | Severity | Category | MITRE ATT&CK <br> Tactics and techniques |Learnable| Aggregated |
83+
|--|--|--|--|--|--|--|
84+
| **Beckhoff Software Changed** | Firmware was updated on a source device. This might be authorized activity, for example a planned maintenance procedure. | Medium | Firmware Change | **Tactics:** <br> - Inhibit Response Function <br> - Persistence <br><br> **Techniques:** <br> - T0857: System Firmware | Learnable |
85+
| **Database Login Failed** | A failed sign-in attempt was detected from a source device to a destination server. This might be the result of human error, but could also indicate a malicious attempt to compromise the server or data on it. <br><br> Threshold: 2 sign-in failures in 5 minutes | Medium | Authentication | **Tactics:** <br> - Lateral Movement <br> - Collection <br><br> **Techniques:** <br> - T0812: Default Credentials <br> - T0811: Data from Information Repositories| Not learnable | Aggregated with violations |
86+
8287
| Title | Description | Severity | Category | MITRE ATT&CK <br> Tactics and techniques |Learnable|
8388
|--|--|--|--|--|--|
8489
| **Beckhoff Software Changed** | Firmware was updated on a source device. This might be authorized activity, for example a planned maintenance procedure. | Medium | Firmware Change | **Tactics:** <br> - Inhibit Response Function <br> - Persistence <br><br> **Techniques:** <br> - T0857: System Firmware | Learnable |

articles/defender-for-iot/organizations/alerts.md

Lines changed: 7 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -51,11 +51,15 @@ For more information, see:
5151
Alert options also differ depending on your location and user role. For more information, see [Azure user roles and permissions](roles-azure.md) and [On-premises users and roles](roles-on-premises.md).
5252

5353
<!-- placing here for initial ease and finding - where should this really go?-->
54-
## Alert grouping
54+
## Aggregated alerts / Alert grouping
5555

56-
Multiple alerts, from the same alert category, that have the same parameters, ie. the same source and destination IP addresses, are aggregated into one alert report, instead of each alert being displayed individually.
56+
Alert fatigue caused by excessive number of identical alerts could lead to your team failing to see or remediate vital alerts. Alert grouping reduces the number of alerts reported by listing identical alert types that have the same parameters as one alert report. The matching parameters differ depending on the type of alert. For example, the alert *Unpermitted Usage of Modbus Function Code* needs to have the same source and destination IP addresses.
5757

58-
The alert has a violations parameter added to show how many alerts of this type are generated. They can all be remediated simaltaneously using the Learn and Actions recommended, which will apply to all versions of this alert. The alerts can be viewed individually within their respective devices.
58+
The alert grouping includes alerts with different alert codes and these will be shown in the **Violations** tab of the alert details. The full list of alerts can be downloaded as a CSV file, displaying the relevant parameters and functions. Each set of aggregated alerts is remediated as a group using the **Learn** button and therefore the **Violations** feature only applies to alerts which have the same remediation process. Alerts can still be viewed individually within their respective devices.
59+
60+
The alerts that can be grouped are listed in the [Alert reference](alert-engine-messages.md) tables under the **Aggregated heading.
61+
62+
Alert grouping appears in both the OT sensor console and the Azure portal. For more information, see [alert grouping in Sensor console](how-to-view-alerts.md#remediate-aggregated-alerts) and [alert grouping in Azure portal](how-to-manage-cloud-alerts.md#remediate-aggregated-alerts)
5963

6064
## Focused alerts in OT/IT environments
6165
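Review bot: `**Aggregated heading` at 60+ is missing its closing `**`, so the bold runs to the end of the line; it should read `under the **Aggregated** heading`. The two new paragraphs also contradict each other: 56+ says grouping lists "identical alert types that have the same parameters", while 58+ says grouping "includes alerts with different alert codes". State which it is, and if alerts with different codes can be grouped, say what the common key is (the sentence about the **Learn** button implies it is the remediation action). Minor: the last sentence at 62+ has no terminating period, and the heading `Aggregated alerts / Alert grouping` together with the HTML comment at 53 suggests the title is still provisional; whatever is chosen, its generated anchor is what whats-new.md links to.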

articles/defender-for-iot/organizations/how-to-manage-cloud-alerts.md

Lines changed: 4 additions & 0 deletions
@@ -145,6 +145,10 @@ You might want to export a selection of alerts to a CSV file for offline sharing
145145

146146
The file is generated, and you're prompted to save it locally.
147147

148+
## Remediate aggregated alerts
149+
150+
hjkhjk
151+
148152
## Next steps
149153

150154
> [!div class="nextstepaction"]
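Review bot: the body of the new `## Remediate aggregated alerts` section at 150+ is the placeholder `hjkhjk`. Because alerts.md now links to `how-to-manage-cloud-alerts.md#remediate-aggregated-alerts`, the heading is needed, but the section must describe the actual procedure in the Azure portal (the **Violations** tab, the CSV download, and what pressing **Learn** does to the grouped alerts) before this can merge, or the cross-link in alerts.md should be held back until the text exists.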

articles/defender-for-iot/organizations/how-to-view-alerts.md

Lines changed: 4 additions & 0 deletions
@@ -177,6 +177,10 @@ If your admin has [created custom comments](how-to-accelerate-alert-incident-res
177177

178178
For more information, see [Accelerating OT alert workflows](alerts.md#accelerating-ot-alert-workflows).
179179

180+
## Remediate aggregated alerts
181+
182+
jkjljl
183+
180184
## Next steps
181185

182186
> [!div class="nextstepaction"]
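Review bot: the body of the new `## Remediate aggregated alerts` section at 182+ is the placeholder `jkjljl`. alerts.md links to `how-to-view-alerts.md#remediate-aggregated-alerts`, so the anchor is required, but the sensor-console steps (viewing the **Violations** tab, exporting the grouped alerts to CSV, remediating the group with **Learn**) need to be written before merge; as it stands a reader following the link lands on gibberish.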

articles/defender-for-iot/organizations/whats-new.md

Lines changed: 2 additions & 2 deletions
@@ -24,9 +24,9 @@ Features released earlier than nine months ago are described in the [What's new
2424
|---------|---------|
2525
| **OT networks** | - [Group multiple alerts with the same parameters](#group-multiple-alerts-with-the-same-parameters)|
2626

27-
### Group multiple alerts with the same parameters
27+
### Aggregate/ Group multiple alerts with the same parameters
2828

29-
To reduce alert fatigue, multiple versions of an alert from the same category and the same parameters are grouped together, the number of alerts are listed and the appropriate remediation or Learn actions are listed. For more information, see [Group multiple alerts with the same parameters](alerts.md#alert-grouping)
29+
To reduce alert fatigue, multiple versions of the same alert and with the same parameters are grouped together and listed in the alerts table as one item. The alert details lists the each of the identical alerts as **violations** and the appropriate remediation or Learn actions are listed. For more information, see [Group multiple alerts with the same parameters](alerts.md#aggregated-alerts--alert-grouping). <!-- fix this when the title is chosen -->
3030

3131
## October 2024
3232
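Review bot: renaming the heading at 27+ to `### Aggregate/ Group multiple alerts with the same parameters` changes its generated anchor, but the feature table at line 25 (unchanged context) still links to `#group-multiple-alerts-with-the-same-parameters`, so that in-page link now breaks; update the table link or keep the old heading text. At 29+, "lists the each of the identical alerts" has a stray "the", and the link to `alerts.md#aggregated-alerts--alert-grouping` depends on a heading the `<!-- fix this when the title is chosen -->` comment says is provisional, so the anchor should be re-checked once the title in alerts.md is settled.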
