Commit 8cea98c

committed
edits
1 parent cacd3fd commit 8cea98c

4 files changed

+24
-19
lines changed


articles/defender-for-iot/organizations/alerts.md

Lines changed: 8 additions & 9 deletions
Original file line number | Diff line number | Diff line change
@@ -50,23 +50,22 @@ For more information, see:
5050

5151
Alert options also differ depending on your location and user role. For more information, see [Azure user roles and permissions](roles-azure.md) and [On-premises users and roles](roles-on-premises.md).
5252

53-
<!-- placing here for initial ease and finding - where should this really go?-->
54-
## Aggregated alerts / Alert grouping
53+
## Aggregating alerts
5554

56-
Alert fatigue caused by excessive number of identical alerts could lead to your team failing to see or remediate vital alerts. Alert grouping reduces the number of alerts reported by listing identical alert types that have the same parameters as one alert report. The matching parameters differ depending on the type of alert. For example, the alert *Unpermitted Usage of Modbus Function Code* needs to have the same source and destination IP addresses.
55+
Alert fatigue caused by excessive number of identical alerts could lead to your team failing to see or remediate vital alerts. Aggregating alerts reduces the number of alerts reported by listing identical alert types with the same parameter settings as one alert. The matching parameters differ depending on the type of alert. For example, the alert *Unpermitted Usage of Modbus Function Code* needs to have the same source and destination IP addresses.
5756

58-
The alert grouping includes alerts with different alert codes and these will be shown in the **Violations** tab of the alert details. The full list of alerts can be downloaded as a CSV file, displaying the relevant parameters and functions. Each set of aggregated alerts is remediated as a group using the **Learn** button and therefore the **Violations** feature only applies to alerts which have the same remediation process. Alerts can still be viewed individually within their respective devices.
57+
The aggregated alert includes alerts with different alert codes, such as read and write codes. You access this data in the **Violations** tab of the alert details where you download it as a CSV file that lists the relevant parameters and functions. You can then remediate the alert. Only alerts that have the same remediation process are grouped. Alerts can still be viewed individually within their respective devices.
5958

60-
The alerts that can be grouped are listed in the [Alert reference](alert-engine-messages.md) tables under the **Aggregated heading.
59+
The alerts that can be grouped are listed in the [Alert reference](alert-engine-messages.md) tables under the **Grouped** heading.
6160

62-
Alert grouping appears in both the OT sensor console and the Azure portal. For more information, see [alert grouping in Sensor console](how-to-view-alerts.md#remediate-aggregated-alerts) and [alert grouping in Azure portal](how-to-manage-cloud-alerts.md#remediate-aggregated-alerts)
61+
Alert grouping appears in both the OT sensor console and the Azure portal. For more information, see [remediate aggregated alerts in Sensor console](how-to-view-alerts.md#remediate-aggregated-alerts) and [remediate aggregated alerts in Azure portal](how-to-manage-cloud-alerts.md#remediate-aggregated-alerts).
6362

6463
## Focused alerts in OT/IT environments
6564

6665
Organizations where sensors are deployed between OT and IT networks deal with many alerts, related to both OT and IT traffic. The amount of alerts, some of which are irrelevant, can cause alert fatigue and affect overall performance. To address these challenges, Defender for IoT's detection policy steers its different [alert engines](alert-engine-messages.md#supported-alert-types) to focus on alerts with business impact and relevance to an OT network, and reduce low-value IT related alerts. For example, the **Unauthorized internet connectivity** alert is highly relevant in an OT network, but has relatively low value in an IT network.
6766

68-
To focus the alerts triggered in these environments, all alert engines, except for the *Malware* engine, trigger alerts only if they detect a related OT subnet or protocol.
69-
However, to maintain triggering of alerts that indicate critical scenarios:
67+
To focus the alerts triggered in these environments, all alert engines, except for the *Malware* engine, trigger alerts only if they detect a related OT subnet or protocol.
68+
However, to maintain triggering of alerts that indicate critical scenarios:
7069

7170
- The *Malware* engine triggers malware alerts regardless of whether the alerts are related to OT or IT devices.
7271
- The other engines include exceptions for critical scenarios. For example, the *Operational* engine triggers alerts related to sensor traffic, regardless of whether the alert is related to OT or IT traffic.
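Review bot: Terminology is inconsistent within the new text of this hunk: the heading becomes "## Aggregating alerts" and line 55 says "Aggregating alerts reduces the number of alerts reported", but line 59 points readers to a **Grouped** heading in the alert reference and line 61 still opens with "Alert grouping appears in both the OT sensor console and the Azure portal". Settle on one term: keep **Grouped** on line 59 only if that is the actual heading in alert-engine-messages.md, and reword line 61 to "Aggregated alerts appear in both the OT sensor console and the Azure portal". Two smaller points on the same lines: line 55 should read "caused by an excessive number of identical alerts", and line 57 runs two steps into one sentence ("You access this data in the **Violations** tab of the alert details where you download it as a CSV file ..."); "You can view this data in the **Violations** tab of the alert details and download it as a CSV file that lists the relevant parameters and functions." is clearer. Lines 67-68 are deleted and re-added with identical visible text, so that part of the change is whitespace only; confirm it is intentional.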
@@ -76,7 +75,7 @@ However, to maintain triggering of alerts that indicate critical scenarios:
7675
Users working in hybrid environments might be managing OT alerts in [Defender for IoT](https://portal.azure.com/#view/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/~/Getting_started) on the Azure portal, the OT sensor, and an on-premises management console.
7776

7877
> [!NOTE]
79-
> While the sensor console displays an alert's **Last detection** field in real-time, Defender for IoT in the Azure portal may take up to one hour to display the updated time. This explains a scenario where the last detection time in the sensor console isn't the same as the last detection time in the Azure portal.
78+
> While the sensor console displays an alert's **Last detection** field in real-time, Defender for IoT in the Azure portal may take up to one hour to display the updated time. This explains a scenario where the last detection time in the sensor console isn't the same as the last detection time in the Azure portal.
8079
8180
Alert statuses are otherwise fully synchronized between the Azure portal and the OT sensor, and between the sensor and the on-premises management console. This means that regardless of where you manage the alert in Defender for IoT, the alert is updated in other locations as well.
8281
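Review bot: Line 78 is deleted and re-added with identical visible text, so the only change in this hunk is whitespace or line endings inside the `> [!NOTE]` blockquote, which the rendered view can't show; confirm that is intended rather than an accidental trailing-space edit. While this line is being touched, "in real-time" should be "in real time" (adverbial use).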

articles/defender-for-iot/organizations/how-to-manage-cloud-alerts.md

Lines changed: 3 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -155,12 +155,14 @@ To reduce alert fatigue, multiple versions of the same alert with identical para
155155
:::image type="content" source="media/how-to-manage-cloud-alerts/alert-details-aggregated.png" alt-text="Screenshot of the alerts detail pane showing the aggregated alerts message, the ViolationsCount and the Violations tab.":::
156156

157157
1. Select the **Violations** tab.
158+
158159
1. Export the data to a CSV file using the **Export** button. Open the file and examine the data. For example:
159160

160161
:::image type="content" source="media/how-to-manage-cloud-alerts/alert-details-aggregated-csv.png" alt-text="Screenshot of example data from the csv file containing the list of multiple alerts that make up the content of the aggregated alert listed in the alert detail pane.":::
161162

162163
1. Select the **Take action** tab. Follow the **Remediation steps**.
163-
1. Select the **Learn** button, if appropriate, so that Defender for IoT learns that this network activity doesn't need to create an alert item in the future.
164+
165+
1. Select **Learn**, if needed. For more information, see [learning an alert](alerts.md#alert-statuses-and-triaging-options).
164166

165167
## Next steps
166168
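Review bot: Lines 164-165 add two consecutive blank lines before the new **Learn** step, while every other step in this procedure is separated by a single blank line; drop one of them (markdownlint reports consecutive blank lines as MD012). The new link target `alerts.md#alert-statuses-and-triaging-options` is not visible in the alerts.md hunk of this commit, so verify that the heading exists and its generated anchor matches, otherwise the "learning an alert" link breaks in the build. The removed clause on line 163 ("so that Defender for IoT learns that this network activity doesn't need to create an alert item in the future") was the only inline explanation of what **Learn** does; consider keeping a short form of it, for example "Select **Learn** if the traffic is expected, so that future occurrences don't create an alert.", with the link as supplementary reading.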

articles/defender-for-iot/organizations/how-to-view-alerts.md

Lines changed: 10 additions & 6 deletions
Original file line number | Diff line number | Diff line change
@@ -182,15 +182,19 @@ For more information, see [Accelerating OT alert workflows](alerts.md#accelerati
182182
To reduce alert fatigue, multiple versions of the same alert with identical parameters are listed as one item in the Alerts inventory. As you investigate alerts, an aggregated alert is identified by the *Multiple violations* message that appears under the Source device IP. Use the **Violations** tab to investigate further and the **Take action** tab to remediate the alerts.
183183

184184
1. Sign into your OT sensor console and select the **Alerts** page on the left.
185-
1. For an Aggregated alert the *Multiple violations* message appears underneath the Source device IP address, and the **Violations** tab is displayed.
186185

187-
:::image type="content" source="media/how-to-manage-cloud-alerts/alert-details-aggregated.png" alt-text="Screenshot of the alerts detail pane showing the aggregated alerts message, the ViolationsCount and the Violations tab.":::
188-
<!-- change the image to one for an OT sensor -->
186+
1. For an Aggregated alert the *Multiple violations* message appears underneath the Source device IP address, and the **Violations** tab is displayed. <!-- add OT sensor image :::image type="content" source="media/how-to-manage-cloud-alerts/alert-details-aggregated.png" alt-text="Screenshot of the alerts detail pane showing the aggregated alerts message, the ViolationsCount and the Violations tab.":::-->
187+
189188
1. Select the **Violations** tab.
190-
1. An inventory table displays the first 10 alerts from this aggregated alert group. Export the data to a CSV file using the **Export** button. Open the file and examine the data.
189+
190+
An inventory table displays the first 10 alerts from this aggregated alert group.
191+
192+
1. Select **Export** to download the CSV data file. Open the file and examine the data.
193+
191194
1. Select the **Take action** tab. Follow the **Remediation steps**.
192-
1. Select the **Learn** button, if appropriate, so that Defender for IoT learns that this network activity doesn't need to create an alert item in the future.
193-
<!-- go over this with the OT sensor and data that shows this feature and check this is correct -->
195+
196+
1. Select **Learn**, if needed. For more information, see [learning an alert](alerts.md#alert-statuses-and-triaging-options).
197+
194198
## Next steps
195199

196200
> [!div class="nextstepaction"]
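Review bot: Line 186 appends a long HTML comment to the end of a list item, containing the `:::image:::` directive from the cloud-alerts media folder and a note to swap in an OT sensor screenshot; a commented-out image hanging off the end of step text is easy to miss later, and the `-->` has no space before it. Move the comment to its own line under the step (or track the missing screenshot in a work item) so the published step is just the sentence, and lower-case "Aggregated" in "For an Aggregated alert" to match the rest of the doc. Lines 190 and 192 split the old step into a descriptive sentence followed by a new "1. Select **Export**" step: the sentence "An inventory table displays the first 10 alerts from this aggregated alert group." must be indented under the preceding step (leading whitespace is not visible in this view), otherwise it terminates the list and numbering restarts at 1 on the next item. Lines 195-196 leave two consecutive blank lines before the **Learn** step; one is enough.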

articles/defender-for-iot/organizations/whats-new.md

Lines changed: 3 additions & 3 deletions
Original file line number | Diff line number | Diff line change
@@ -22,11 +22,11 @@ Features released earlier than nine months ago are described in the [What's new
2222

2323
|Service area |Updates |
2424
|---------|---------|
25-
| **OT networks** | - [Group multiple alerts with the same parameters](#aggregate-group-multiple-alerts-with-the-same-parameters)|
25+
| **OT networks** | - [Aggregating multiple alerts with the same parameters](#aggregating-multiple-alerts-with-the-same-parameters)|
2626

27-
### Aggregate/ Group multiple alerts with the same parameters
27+
### Aggregating multiple alerts with the same parameters
2828

29-
To reduce alert fatigue, multiple versions of the same alert and with the same parameters are grouped together and listed in the alerts table as one item. The alert details lists the each of the identical alerts as **violations** and the appropriate remediation or Learn actions are listed. For more information, see [Group multiple alerts with the same parameters](alerts.md#aggregated-alerts--alert-grouping). <!-- fix this when the title is chosen -->
29+
To reduce alert fatigue, multiple versions of the same alert and with the same parameters are grouped together and listed in the alerts table as one item. The alert details lists the each of the identical alerts as **Violations** and the appropriate remediation actions are listed. For more information, see [aggregating alerts with the same parameters](alerts.md#aggregating-alerts).
3030

3131
## October 2024
3232
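Review bot: Line 29 still carries the pre-existing typo "The alert details lists the each of the identical alerts" (should be "lists each of the identical alerts"); since the line is being rewritten anyway, fix it here, and "multiple versions of the same alert and with the same parameters" reads better without "and". The link targets do line up: `alerts.md#aggregating-alerts` matches the renamed `## Aggregating alerts` heading in the alerts.md hunk of this commit, and the in-page `#aggregating-multiple-alerts-with-the-same-parameters` matches the renamed `###` heading on line 27, so removing the `<!-- fix this when the title is chosen -->` comment is justified.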
