Commit 95a2ce5

first draft
1 parent b7ff97a commit 95a2ce5

4 files changed

+29
-1
lines changed

articles/defender-for-iot/organizations/how-to-create-data-mining-queries.md

Lines changed: 1 addition & 1 deletion
@@ -51,7 +51,7 @@ Create your own custom data mining report if you have reporting needs not covere
5151
|---------|---------|
5252
| **Name** / **Description** | Enter a meaningful name for your report and an optional description. |
5353
| **Send to CM** | Select to send your report to the on-premises management console. |
54-
| **Choose category** | Select the categories to include in your report. |
54+
| **Choose category** | Select the categories to include in your report. <br><br> For example, select **Internet Domain Allowlist** under **DNS** to create a report of the allowed internet domains and their resolved IP addresses. |
5555
| **Order by** | Select to sort your data by category or by activity. |
5656
| **Filter by** | Define a filter for your report using any of the following parameters: <br><br> - **Results within the last**: Enter a number and then select **Minutes**, **Hours**, or **Days** <br> - **IP address / MAC address / Port**: Enter one or more IP addresses, MAC addresses, and ports to filter into your report. Enter a value and then select + to add it to the list.<br> - **Device group**: Select one or mode device groups to filter into your report. |
5757
| **Add filter type** | Select to add any of the following filter types into your report. <br><br> - Transport (GENERIC) <br> - Protocol (GENERIC) <br> - TAG (GENERIC) <br> - Maximum value (GENERIC) <br> - State (GENERIC) <br> - Minimum value (GENERIC) <br><br> Enter a value in the relevant field and then select + to add it to the list. |
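
Review bot: In the **Choose category** row (new line 54), the example names **Internet Domain Allowlist** but gives no pointer to where that allowlist is defined, so a reader who lands on this table has no path to the procedure. Consider linking the phrase to the "Reduce DNS alerts" section that this commit adds to how-to-manage-individual-sensors.md. While this table is open, the **Filter by** row two lines down reads "Select one or mode device groups"; "mode" should be "more".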

articles/defender-for-iot/organizations/how-to-manage-individual-sensors.md

Lines changed: 28 additions & 0 deletions
@@ -359,6 +359,34 @@ To restore a backup from the sensor console, the backup file must be accessible
359359

360360
---
361361

362+
## Reduce DNS alerts
363+
364+
*Learn* unauthorized internet alerts in bulk by FQDN - fully qualified domain names - to reduce the noise of triggered internet alerts in the OT network.
365+
366+
By defining an FQDN allowlist, the system checks each instance of unauthorized internet connectivity attempt against it. If the FQDN is included in the allowlist, then the network will *learn* this alert automatically without triggering it.
367+
368+
The FQDN list will remain intact through version upgrades.
369+
370+
**To define an FQDN allowlist:**
371+
372+
- Sign in to your OT network sensor console as the **support** [user](references-work-with-defender-for-iot-cli-commands.md), then select **Support**.
373+
374+
- In the search bar, search for "DNS", then look for "Internet Domain Allowlist" under **Description**.
375+
376+
:::image type="content" source="media/how-to-manage-individual-sensors/dns-edit-configuration.png" alt-text="Screenshot of how to edit configurations for DNS in the sensor console." lightbox="media/how-to-manage-individual-sensors/dns-edit-configuration.png":::
377+
378+
- Select the :::image type="icon" source="media/how-to-generate-reports/manage-icon.png" border="false"::: icon under **Edit**.
379+
380+
- In the **Edit configuration** pane, enter a domain name that you don't want the sensor to trigger alerts for, then select **Submit**.
381+
382+
You can view to the FQDN allowlist in the advanced configurations and in a [data mining report](how-to-create-data-mining-queries.md). A custom Data mining report will present the FQDN, IP addresses, and last resolution time.
383+
384+
**To view in a data mining report:**
385+
386+
[Create a custom data mining report](how-to-create-data-mining-queries.md#create-an-ot-sensor-custom-data-mining-report) and make sure to select **Internet Domain Allowlist** under **DNS** when choosing a category in the **Create new report** pane.
387+
388+
:::image type="content" source="media/how-to-manage-individual-sensors/data-mining-allowlist.png" alt-text="Screenshot of how to create a custom data mining report to show fqdn allowlist in the sensor console." lightbox="media/how-to-manage-individual-sensors/data-mining-allowlist.png":::
389+
362390
## Configure SMTP settings
363391

364392
Define SMTP mail server settings for the sensor so that you configure the sensor to send data to other servers.
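
Review bot: The step at new line 380 ("enter a domain name that you don't want the sensor to trigger alerts for") does not say how an entry is matched or how several domains are entered, and because line 366 says a matching alert is learned "automatically without triggering it", readers need that detail to judge how much alerting a single entry suppresses. Suggest stating whether an entry matches only the exact FQDN or also its subdomains, and how multiple entries are separated. Smaller points: the four steps at lines 372-380 are sequential and would read better as a numbered list than as bullets; line 382 "You can view to the FQDN allowlist" should be "You can view the FQDN allowlist"; line 366 says "the network will *learn* this alert", where the sensor is what does the learning; and the heading "Reduce DNS alerts" does not match the body, which describes unauthorized internet alerts.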