full draft

Author: batamig

articles/defender-for-iot/organizations/integrate-overview.md

@@ -112,16 +112,5 @@ Integrate Microsoft Defender for Iot with partner services to view partner data
 
 ## Next steps
 
-For more information, see:
-
-**Device inventory**:
-
-- [Use the Device inventory in the Azure portal](how-to-manage-device-inventory-for-organizations.md)
-- [Use the Device inventory in the OT sensor](how-to-investigate-sensor-detections-in-a-device-inventory.md)
-- [Use the Device inventory in the on-premises management console](how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md)
-
-**Alerts**:
-
-- [View alerts in the Azure portal](how-to-manage-cloud-alerts.md)
-- [View alerts in the OT sensor](how-to-view-alerts.md)
-- [View alerts in the on-premises management console](how-to-work-with-alerts-on-premises-management-console.md)
+> [!div class="nextstepaction"]
+> [Stream Defender for IoT cloud alerts to a partner SIEM](integrations/send-cloud-data-to-partners.md)

articles/defender-for-iot/organizations/integrations/send-cloud-data-to-partners.md

@@ -11,15 +11,12 @@ As more businesses convert OT systems to digital IT infrastructures, security op
 
 We recommend using Microsoft Defender for IoT's out-of-the-box [data connector](../iot-solution.md) and [solution](../iot-advanced-threat-monitoring.md) to integrate with Microsoft Sentinel and bridge the gap between the IT and OT security challenge.
 
-However, if you have other security information and event management (SIEM) systems, you can also use Microsoft Sentinel to forward Defender for IoT alerts on to that partner SIEM, via an Event Hub.
+However, if you have other security information and event management (SIEM) systems, you can also use Microsoft Sentinel to forward Defender for IoT cloud alerts on to that partner SIEM, via Microsoft Sentinel and an Event Hub.
 
-This article describes how to use Microsoft Sentinel to forward Defender for IoT alert data on to partner SIEMs. While this article uses Splunk as an example, you can use this process with any SIEM that supports Event Hub ingestion, such as  IBM QRadar.
+While this article uses Splunk as an example, you can use the process described below with any SIEM that supports Event Hub ingestion, such as IBM QRadar.
 
 > [!IMPORTANT]
-> Using Event Hub and a Log Analytics export rule may incur additional charges. For more information, see Event Hubs pricing and Log Data Export pricing
-
-> [!TIP]
-> This process described in this article supports alerts generated by cloud-connected sensors only. If you're working on-premises, such as in air-gapped environments, you may be able to create a forwarding alert rule to forward alert data directly from an OT sensor or on-premises management console. For more information, see [Integrations with Microsoft and partner services](../integrate-overview.md).
+> Using Event Hub and a Log Analytics export rule may incur additional charges. For more information, see [Event Hubs pricing](https://azure.microsoft.com/pricing/details/event-hubs/) and [Log Data Export pricing](https://azure.microsoft.com/pricing/details/monitor/).
 
 ## Prerequisites
 
@@ -31,89 +28,88 @@ For more information, see [Tutorial: Connect Microsoft Defender for IoT with Mic
 
 ## Register an application in Azure Active Directory
 
-You'll need Azure Active Directory (Azure AD) to defined as a service principal for the [Splunk Add-on for Microsoft Cloud Services](https://splunkbase.splunk.com/app/3110/). To do this, you'll need an Azure AD application with specific permissions.
+You'll need Azure Active Directory (Azure AD) defined as a service principal for the [Splunk Add-on for Microsoft Cloud Services](https://splunkbase.splunk.com/app/3110/). To do this, you'll need to create an Azure AD application with specific permissions.
 
 **To register an Azure AD application and define permissions**:
 
-1. In [Azure AD](/azure/active-directory/), register a new application and add a new client secret for the service principal.
+1. In [Azure AD](/azure/active-directory/), register a new application. On the **Certificates & secrets** page, add a new client secret for the service principal.
 
     For more information, see [Register an application with the Microsoft identity platform](/azure/active-directory/develop/quickstart-register-app)
 
 1. In your app's **API permissions** page, grant API permissions to read data from your app.
 
-    1. Select to add a permission and then select **Microsoft Graph** > **Application permissions** > **SecurityEvents.ReadWrite.All**.
+    1. Select to add a permission and then select **Microsoft Graph** > **Application permissions** > **SecurityEvents.ReadWrite.All** > **Add permissions**.
 
-    1. Make sure that admin consent is required for your permissions.
+    1. Make sure that admin consent is required for your permission.
 
     For more information, see [Configure a client application to access a web API](/azure/active-directory/develop/quickstart-configure-app-access-web-apis#add-permissions-to-access-your-web-api)
 
-1. From your app's **Overview** and **Certificates & secrets** pages, note the following values for your app:
+1. From your app's **Overview** page, note the following values for your app:
+
+    - **Display name**
+    - **Application (client) ID**
+    - **Directory (tenant) ID**
 
-    - Display name
-    - Application (Client) ID
-    - Application (Client) secret
-    - Directory (tenant) ID
 
+1. From the **Certificates & secrets** page, note the values of your client secret **Value** and *Secret ID**.
 
 ## Create an Azure Event Hub
 
 Create an Azure Event Hub to use as a bridge between Microsoft Sentinel and your partner SIEM. Start this step by creating an Azure Event Hub namespace, and then adding an Azure Event Hub.
 
 **To create your Event Hub namespace and Event Hub**:
 
+1. In Azure Event Hubs, create a new Event Hubs namespace. In your new namespace, create a new Azure event hub.
 
-1. In Azure Event Hubs, create a new Event Hubs namespace and then create an Azure event hub within the namespace.
-
-    Make sure to define the **Partition Count** and **Message Retention** settings.
+    In your event hub, make sure to define the **Partition Count** and **Message Retention** settings.
 
     For more information, see [Create an event hub using the Azure portal](/azure/event-hubs/event-hubs-create).
 
-1. In your Event Hubs namespace, select the **Access control (IAM)** page and add a new role assignment. Add the Azure AD service principle that you'd created earlier, and define the delegate as **Azure Event Hubs Data Receiver**.
+1. In your Event Hubs namespace, select the **Access control (IAM)** page and add a new role assignment.
+
+    Select to use the **Azure Event Hubs Data Receiver** role, and add the Azure AD service principle app that you'd created [earlier](#register-an-application-in-azure-active-directory) as a member.
 
-    For more information, see:
+    For more information, see: [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal).
 
-1. In your Event Hubs namespace, make a note of the following values:
+1. In your Event Hubs namespace's **Overview** page, make a note of the namespace's **Host name** value.
 
-    - Host name
-    - Azure Event Hub name
+1. In your Event Hubs namespace's **Event Hubs** page, make a note of your event hub's name.
 
 ## Forward Microsoft Sentinel incidents to your Event Hub
 
-To forward Microsoft Sentinel incidents or alerts to Azure Event Hub, you’ll need to define your Microsoft Sentinel workspace with a data export rule.
+To forward Microsoft Sentinel incidents or alerts to Azure Event Hub, create a data export from Azure Log Analytics.
 
+In your rule, make sure to define the following settings:
 
-In the Azure Portal, navigate to Log Analytics > select the workspace name related to Microsoft Sentinel > Data Export > New export rule.
-thumbnail image 8 of blog post titled 
+- Configure the **Source** as **SecurityIncident**
+- Configure the **Destination** as **Event Type**, using the Event Hub namespace and Event Hub name you'd recorded earlier.
 
-Name the rule, configure the Source as SecurityIncident and the Destination as Event Type utilizing the Event Hub Namespace and Event Hub Name configured previously. Click on Create.
-thumbnail image 9 of blog post titled 
+For more information, see [Log Analytics workspace data export in Azure Monitor](/azure/azure-monitor/logs/logs-data-export?tabs=portal#create-or-update-a-data-export-rule).
 
 ## Configure Splunk to consume Microsoft Sentinel incidents
 
+Once you have your event hub and export rule configured, configure Splunk to consume Microsoft Sentinel incidents from the event hub.
 
-5. Configure Splunk to consume Microsoft Sentinel Incidents from Azure Event Hub
-For Microsoft Defender for IoT alerts to be ingested into Azure Event Hub, install the Splunk Add-on for Microsoft Cloud Services app.
+1. Install the [Splunk Add-on for Microsoft Cloud Services](https://splunkbase.splunk.com/app/3110/) app.
 
+1. In the Splunk Add-on for Microsoft Cloud Services app, add an Azure App account.
 
-For the installation, open the Splunk portal and navigate to Apps > Find More Apps. For the dashboard find the Splunk Add-on for Microsoft Cloud Services app and Install.
-thumbnail image 10 of blog post titled 
+    1. Enter a meaningful name for the account.
+    1. Enter the client ID, client secret, and tenant ID details that you'd recorded earlier.
+    1. Define the account class type as **Azure Public Cloud**.
 
-To add the Azure AD Service Principal, open the Splunk app and navigate to Azure App Account > Add. Use the details you’d noted earlier:
-Define a Name for the Azure App Account
+1. Go to the Splunk Add-on for Microsoft Cloud Services inputs, and create a new input for your Azure event hub.
 
-Add the Client ID, Client Secret, Tenant ID
+    1. Enter a meaningful name for your input.
+    1. Select the Azure App Account that you'd just created in the Splunk Add-on for Microsoft Services app.
+    1. Enter your event hub namespace FQDN and event hub name.
 
-Choose Azure Public Cloud as Account Class Type
+    Leave other settings as their defaults.
 
-Click Update to save and close the configuration.
-thumbnail image 11 of blog post titled 
+Once data starts getting ingested into Splunk from your event hub, query the data by using the following value in your search field: `sourcetype="mscs:azure:eventhub"`
 
-Now navigate to Inputs within the Splunk Add-on for Microsoft Cloud Services app and select Azure Event Hub in Create New Input selection. 
+## Next steps
 
-Define a Name for the Azure Event Hub as Input, select the Azure App Account created before, define the Event Hub Namespace (FQDN), Event Hub Name, let the other settings as default and click Update to save and close the configuration.
-thumbnail image 12 of blog post titled 
-	
-Once the ingestion is processed, you can query the data by using sourcetype="mscs:azure:eventhub" in search field.
-thumbnail image 13 of blog post titled 
-	
+This article describes how to forward alerts generated by cloud-connected sensors only. If you're working on-premises, such as in air-gapped environments, you may be able to create a forwarding alert rule to forward alert data directly from an OT sensor or on-premises management console. 
 
+For more information, see [Integrations with Microsoft and partner services](../integrate-overview.md).