articles/defender-for-iot/organizations/concept-sentinel-integration.md
Lines changed: 5 additions & 4 deletions
@@ -47,7 +47,7 @@ After you've configured the Defender for IoT data connector and have IoT/OT aler
47
47
|Method |Description |
48
48
|---------|---------|
49
49
|**Use the default data connector rule**| Use the default, **Create incidents based on all alerts generated in Microsoft Defender for IOT** analytics rule provided with the data connector. This rule creates a separate incident in Microsoft Sentinel for each alert streamed from Defender for IoT. |
50
-
|**Use out-of-the-box solution rules**| Enable some or all of the out-of-the-box analytics rules provided with the **Microsoft Defender for IoT** solution.<br><br> These analytics rules help to reduce alert fatigue by creating incidents only in specific situations. For example, you might choose to create incidents for excessive login attempts, but for multiple scans detected in the network. |
50
+
|**Use out-of-the-box solution rules**| Enable some or all of the [out-of-the-box analytics rules](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforot?tab=Overview) provided with the **Microsoft Defender for IoT** solution.<br><br> These analytics rules help to reduce alert fatigue by creating incidents only in specific situations. For example, you might choose to create incidents for excessive login attempts, but for multiple scans detected in the network. |
51
51
|**Create custom rules**| Create custom analytics rules to create incidents based only on your specific needs. You can use the out-of-the-box analytics rules as a starting point, or create rules from scratch. <br><br>Add the following filter to prevent duplicate incidents for the same alert ID: `| where TimeGenerated <= ProcessingEndTime + 60m` |
52
52
53
53
Regardless of the method you choose to create alerts, only one incident should be created for each Defender for IoT alert ID.
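Review bot: the edited table row for **Use out-of-the-box solution rules** still carries the example sentence "you might choose to create incidents for excessive login attempts, but for multiple scans detected in the network", which reads as the opposite of the point being made (creating incidents only in specific situations to reduce alert fatigue); since this line is touched anyway, change it to "but not for multiple scans detected in the network". The new link is fine, but it lands on the solution's Marketplace overview page (`?tab=Overview`) rather than on a list of the rules, so consider wording the link text so readers expect to open the solution content to see which analytics rules it contains.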
@@ -87,12 +87,13 @@ You'll typically see more Defender for IoT *events* in Microsoft Sentinel than *
87
87
88
88
```kql
89
89
SecurityAlert
90
-
| where ProviderName != 'ASI Scheduled Alerts' and ProviderName != 'CustomAlertRule
90
+
| where ProviderName == 'IoTSecurity' or ProviderName == 'CustomAlertRule'
91
+
Instead
91
92
```
92
93
93
94
- **Alerts**: Microsoft Sentinel creates alerts based on your current analytics rules and the alert logs listed in the **SecurityAlert** table. If you don't have any active analytics rules for Defender for IoT, Microsoft Sentinel considers each alert log as an *event*.
94
95
95
-
To view all Defender for IoT alerts in Microsoft Sentinel, run the following query on the **SecurityAlert** table:
96
+
To view alerts in Microsoft Sentinel, run the following query on the **SecurityAlert** table:
96
97
97
98
```kql
98
99
SecurityAlert
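Review bot: the added line `Instead` sits inside the ```kql fence directly after the new `where` clause, so it renders as part of the query and makes the example invalid KQL; it looks like an editing leftover and should be removed, or moved out of the fence as prose if it was meant to introduce the query. Separately, the new filter `| where ProviderName == 'IoTSecurity' or ProviderName == 'CustomAlertRule'` now includes CustomAlertRule rows, which the removed line explicitly excluded together with 'ASI Scheduled Alerts'; confirm this is intended, since the query is meant to show Defender for IoT *events* as distinct from alerts produced by Sentinel's own analytics rules (fixing the unterminated `'CustomAlertRule` quote from the old line is correct either way). Finally, changing "To view all Defender for IoT alerts in Microsoft Sentinel" to "To view alerts in Microsoft Sentinel" drops the product qualifier, and the visible start of the query (`SecurityAlert`) shows no Defender for IoT filter; keep "Defender for IoT" in the sentence unless the query below is scoped by ProviderName.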
@@ -101,7 +102,7 @@ You'll typically see more Defender for IoT *events* in Microsoft Sentinel than *
101
102
102
103
- **Incidents**. Microsoft Sentinel creates incidents based on your analytics rules. You might have several alerts grouped in the same incident, or you may have analytics rules configured to *not* create incidents for specific alert types.
103
104
104
-
To view all Defender for IoT incidents in Microsoft Sentinel, run the following query:
105
+
To view incidents in Microsoft Sentinel, run the following query:
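Review bot: the reworded lead-in "To view incidents in Microsoft Sentinel, run the following query:" no longer says the query is scoped to Defender for IoT incidents, while the bullet above it and the section as a whole are specifically about how Defender for IoT events, alerts and incidents relate; suggest "To view Defender for IoT incidents in Microsoft Sentinel, run the following query:" so readers expect the query to include a product filter rather than return every incident in the workspace.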