Merge pull request #221446 from Shereen-Bhar/data-retention

Data retention documentation

Author: Maggiemouse1

articles/defender-for-iot/organizations/how-to-investigate-all-enterprise-sensor-detections-in-a-device-inventory.md

@@ -12,14 +12,13 @@ Use the **Device inventory** page from an on-premises management console to mana
 
 For more information, see [What is a Defender for IoT committed device?](architecture.md#what-is-a-defender-for-iot-committed-device)
 
-
 > [!TIP]
 > Alternately, view your device inventory from a [the Azure portal](how-to-manage-device-inventory-for-organizations.md), or from an [OT sensor console](how-to-investigate-sensor-detections-in-a-device-inventory.md).
 >
 
 ## View the device inventory
 
-To view detected devices in the **Device Inventory** page in an on-premises management console, sign-in to your on-premises management console, and then select **Device Inventory**. 
+To view detected devices in the **Device Inventory** page in an on-premises management console, sign-in to your on-premises management console, and then select **Device Inventory**.
 
 For example:
 
@@ -160,9 +159,11 @@ The following table describes the device properties shown in the **Device invent
 | **Last Activity** | The last activity that the device performed. |
 | **Discovered** | When this device was first seen in the network. |
 | **PLC mode (preview)** | The PLC operating mode includes the Key state (physical) and run state (logical). Possible **Key** states include, Run, Program, Remote, Stop, Invalid, Programming Disabled.Possible Run. The possible **Run** states are Run, Program, Stop, Paused, Exception, Halted, Trapped, Idle, Offline. if both states are the same, only one state is presented. |
+
 ## Next steps
 
 For more information, see:
 
 - [Control what traffic is monitored](how-to-control-what-traffic-is-monitored.md)
 - [Detect Windows workstations and servers with a local script](detect-windows-endpoints-script.md)
+- [Device data retention periods](references-data-retention.md#device-data-retention-periods).

articles/defender-for-iot/organizations/how-to-investigate-sensor-detections-in-a-device-inventory.md

@@ -81,12 +81,13 @@ You may need to merge duplicate devices if the sensor has discovered separate ne
 Examples of this scenario might include a PLC with four network cards, a laptop with both WiFi and a physical network card, or a single workstation with multiple network cards.
 
 > [!NOTE]
+>
 > - You can only merge authorized devices.
 > - Device merges are irreversible. If you merge devices incorrectly, you'll have to delete the merged device and wait for the sensor to rediscover both devices.
 > - Alternately, merge devices from the [Device map](how-to-work-with-the-sensor-device-map.md) page.
 When merging, you instruct the sensor to combine the device properties of two devices into one. When you do this, the Device Properties window and sensor reports will be updated with the new device property details.
 
-For example, if you merge two devices, each with an IP address, both IP addresses will appear as separate interfaces in the Device Properties window. 
+For example, if you merge two devices, each with an IP address, both IP addresses will appear as separate interfaces in the Device Properties window.
 
 **To merge devices from the device inventory:**
 
@@ -98,7 +99,7 @@ For example, if you merge two devices, each with an IP address, both IP addresse
 
 ## View inactive devices
 
-You may want to view devices in your network that have been inactive and delete them. 
+You may want to view devices in your network that have been inactive and delete them.
 
 For example, devices may become inactive because of misconfigured SPAN ports, changes in network coverage, or by unplugging them from the network
 
@@ -178,3 +179,4 @@ For more information, see:
 
 - [Control what traffic is monitored](how-to-control-what-traffic-is-monitored.md)
 - [Detect Windows workstations and servers with a local script](detect-windows-endpoints-script.md)
+- [Device data retention periods](references-data-retention.md#device-data-retention-periods)

articles/defender-for-iot/organizations/how-to-manage-cloud-alerts.md

@@ -13,7 +13,7 @@ Microsoft Defender for IoT alerts enhance your network security and operations w
 
 - [Integrate with Microsoft Sentinel](iot-solution.md) to view Defender for IoT alerts in Microsoft Sentinel and manage them together with security incidents.
 
-- If you have an [Enterprise IoT plan](eiot-defender-for-endpoint.md) with Microsoft Defender for Endpoint, alerts for Enterprise IoT devices detected by Microsoft Defender for Endpoint are available in Defender for Endpoint only. 
+- If you have an [Enterprise IoT plan](eiot-defender-for-endpoint.md) with Microsoft Defender for Endpoint, alerts for Enterprise IoT devices detected by Microsoft Defender for Endpoint are available in Defender for Endpoint only.
 
     For more information, see [Securing IoT devices in the enterprise](concept-enterprise.md) and the [Alerts queue in Microsoft 365 Defender](/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response).
 
@@ -115,8 +115,8 @@ For more information, see [Alert statuses and triaging options](alerts.md#alert-
 
     In Defender for IoT in the Azure portal, select the **Alerts** page on the left, and then do one of the following:
 
-    - Select one or more learnable alerts in the grid and then select :::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/learn-icon.png" border="false"::: **Learn** in the toolbar.
-    - On an alert details page for a learnable alert, in the **Take Action** tab, select **Learn**.
+  - Select one or more learnable alerts in the grid and then select :::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/learn-icon.png" border="false"::: **Learn** in the toolbar.
+  - On an alert details page for a learnable alert, in the **Take Action** tab, select **Learn**.
 
 ## Access alert PCAP data
 
@@ -144,7 +144,6 @@ You may want to export a selection of alerts to a CSV file for offline sharing a
 
 The file is generated, and you're prompted to save it locally.
 
-
 ## Next steps
 
 > [!div class="nextstepaction"]
@@ -154,4 +153,7 @@ The file is generated, and you're prompted to save it locally.
 > [OT monitoring alert types and descriptions](alert-engine-messages.md)
 
 > [!div class="nextstepaction"]
-> [Microsoft Defender for IoT alerts](alerts.md)
+> [Microsoft Defender for IoT alerts](alerts.md)
+
+> [!div class="nextstepaction"]
+> [Data retention across Microsoft Defender for IoT](references-data-retention.md)

articles/defender-for-iot/organizations/how-to-manage-device-inventory-for-organizations.md

@@ -123,7 +123,6 @@ On the **Device inventory page**, select **Export** :::image type="icon" source=
 
 The device inventory is exported with any filters currently applied, and you can save the file locally.
 
-
 ## Delete a device
 
 If you have devices no longer in use, delete them from the device inventory so that they're no longer connected to Defender for IoT.
@@ -193,3 +192,4 @@ For more information, see:
 
 - [Control what traffic is monitored](how-to-control-what-traffic-is-monitored.md)
 - [Detect Windows workstations and servers with a local script](detect-windows-endpoints-script.md)
+- [Device data retention periods](references-data-retention.md#device-data-retention-periods).

articles/defender-for-iot/organizations/how-to-manage-individual-sensors.md

@@ -248,9 +248,9 @@ You can configure the sensor's time and region so that all the users see the sam
 
 ## Set up backup and restore files
 
-System backup is performed automatically at 3:00 AM daily. The data is saved on a different disk in the sensor. The default location is `/var/cyberx/backups`.
+System backup is performed automatically at 3:00 AM daily. The data is saved on a different disk in the sensor. The default location is `/var/cyberx/backups`. You can automatically transfer this file to the internal network.
 
-You can automatically transfer this file to the internal network.
+For more information, see [On-premises backup file capacity](references-data-retention.md#on-premises-backup-file-capacity).
 
 > [!NOTE]
 >
@@ -466,7 +466,7 @@ Use Defender for IoT data mining reports on an OT network sensor to retrieve for
 - Event timeline data
 - Log files
 
-Each type of data has a different retention period and maximum capacity. For more information see [Create data mining queries](how-to-create-data-mining-queries.md).
+Each type of data has a different retention period and maximum capacity. For more information see [Create data mining queries](how-to-create-data-mining-queries.md) and [Data retention across Microsoft Defender for IoT](references-data-retention.md).
 
 ## Clearing sensor data
 

articles/defender-for-iot/organizations/how-to-manage-sensors-from-the-on-premises-management-console.md

@@ -125,7 +125,7 @@ Use Defender for IoT data mining reports on an OT network sensor to retrieve for
 - Event timeline data
 - Log files
 
-Each type of data has a different retention period and maximum capacity. For more information see [Create data mining queries](how-to-create-data-mining-queries.md).
+Each type of data has a different retention period and maximum capacity. For more information see [Create data mining queries](how-to-create-data-mining-queries.md) and [Data retention across Microsoft Defender for IoT](references-data-retention.md).
 
 ## Define sensor backup schedules
 

articles/defender-for-iot/organizations/how-to-manage-sensors-on-the-cloud.md

@@ -87,7 +87,7 @@ Use Azure Monitor workbooks on an OT network sensor to retrieve forensic data fr
 - Event timeline data
 - Log files
 
-Each type of data has a different retention period and maximum capacity. For more information see [Visualize Microsoft Defender for IoT data with Azure Monitor workbooks](workbooks.md).
+Each type of data has a different retention period and maximum capacity. For more information see [Visualize Microsoft Defender for IoT data with Azure Monitor workbooks](workbooks.md) and [Data retention across Microsoft Defender for IoT](references-data-retention.md).
 
 ## Reactivate an OT sensor
 

articles/defender-for-iot/organizations/how-to-track-sensor-activity.md

@@ -9,7 +9,7 @@ ms.topic: how-to
 
 Activity that your sensor detects is recorded in the event timeline. Activity includes alerts and alert actions, network events, and user operations such as user sign in or user deletion.
 
-The event timeline provides a chronological view of events. Use the timeline during investigations, to understand and analyze the chain of events that preceded and followed an attack or incident. 
+The event timeline provides a chronological view of events. Use the timeline during investigations, to understand and analyze the chain of events that preceded and followed an attack or incident.
 
 ## Before you start
 
@@ -32,18 +32,19 @@ You need to have Administrator or Security Analyst permissions to perform the pr
     - **Date**: Search for events in a specific date range.
 1. Select **Apply* to set the filter.
 1. Select **Export** to export the event timeline to a CSV file.
- 
+
 ## Add an event
 
 In addition to viewing the events that the sensor has detected, you can manually add events to the timeline. This process is useful if an external system event impacts your network, and you want to record it on the timeline.
 
 1. Select **Create Event**.
-1. In the **Create Event** dialog, specify the event type (Info, Notice, or Alert) 
+1. In the **Create Event** dialog, specify the event type (Info, Notice, or Alert)
 1. Set a timestamp for the event, the device it should be connected with, and provide a description.
 1. Select **Save** to add the event to the timeline.
 
-
-
 ## Next steps
 
-For more information, see [View alerts](how-to-view-alerts.md).
+For more information, see:
+
+- [View alerts](how-to-view-alerts.md).
+- [OT event timeline retention](references-data-retention.md#ot-event-timeline-retention).

articles/defender-for-iot/organizations/how-to-view-alerts.md

@@ -107,8 +107,8 @@ For more information, see [Alert statuses and triaging options](alerts.md#alert-
 
     Sign into your OT sensor console and select the **Alerts** page on the left, and then do one of the following:
 
-    - Select one or more learnable alerts in the grid and then select :::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/learn-icon.png" border="false"::: **Learn** in the toolbar.
-    - On an alert details page, in the **Take Action** tab, select **Learn**.
+  - Select one or more learnable alerts in the grid and then select :::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/learn-icon.png" border="false"::: **Learn** in the toolbar.
+  - On an alert details page, in the **Take Action** tab, select **Learn**.
 
 - **To mute an alert**:
 
@@ -124,7 +124,6 @@ For more information, see [Alert statuses and triaging options](alerts.md#alert-
 
     After you unlearn or unmute an alert, alerts are re-triggered whenever the sensor senses the selected traffic combination.
 
-
 ## Access alert PCAP data
 
 You might want to access raw traffic files, also known as *packet capture files* or *PCAP* files as part of your investigation.
@@ -179,7 +178,6 @@ If your admin has [created custom comments](how-to-accelerate-alert-incident-res
 
 For more information, see [Accelerating OT alert workflows](alerts.md#accelerating-ot-alert-workflows).
 
-
 ## Next steps
 
 > [!div class="nextstepaction"]
@@ -198,4 +196,7 @@ For more information, see [Accelerating OT alert workflows](alerts.md#accelerati
 > [OT monitoring alert types and descriptions](alert-engine-messages.md)
 
 > [!div class="nextstepaction"]
-> [Microsoft Defender for IoT alerts](alerts.md)
+> [Microsoft Defender for IoT alerts](alerts.md)
+
+> [!div class="nextstepaction"]
+> [Data retention across Microsoft Defender for IoT](references-data-retention.md)

articles/defender-for-iot/organizations/how-to-work-with-alerts-on-premises-management-console.md

@@ -70,8 +70,6 @@ You may want to export a selection of alerts to a CSV file for offline sharing a
 
 The CSV file is generated, and you're prompted to save it locally.
 
-
-
 ## Next steps
 
 > [!div class="nextstepaction"]
@@ -87,4 +85,7 @@ The CSV file is generated, and you're prompted to save it locally.
 > [Forward alert information](how-to-forward-alert-information-to-partners.md)
 
 > [!div class="nextstepaction"]
-> [Microsoft Defender for IoT alerts](alerts.md)
+> [Microsoft Defender for IoT alerts](alerts.md)
+
+> [!div class="nextstepaction"]
+> [Data retention across Microsoft Defender for IoT](references-data-retention.md)