Merge pull request #221274 from batamig/alert-sentinel

v-regandowner · web-flow · commit a5a45c9bba83 · 2022-12-13T10:13:01.000-05:00
adding sentinel synch status
diff --git a/articles/defender-for-iot/organizations/concept-sentinel-integration.md b/articles/defender-for-iot/organizations/concept-sentinel-integration.md
@@ -72,41 +72,48 @@ For example, use SOAR playbooks to:
 
 - Send an email to relevant stakeholders when suspicious activity is detected, for example unplanned PLC reprogramming. The mail may be sent to OT personnel, such as a control engineer responsible on the related production line.
 
-
-
 ## Comparing Defender for IoT events, alerts, and incidents
 
 This section clarifies the differences between Defender for IoT events, alerts, and incidents in Microsoft Sentinel. Use the listed queries to view a full list of the current events, alerts, and incidents for your OT networks.
 
 You'll typically see more Defender for IoT *events* in Microsoft Sentinel than *alerts*, and more Defender for IoT *alerts* than *incidents*.
 
+### Defender for IoT events in Microsoft Sentinel
+
+Each alert log that streams to Microsoft Sentinel from Defender for IoT is an *event*. If the alert log reflects a new or updated alert in Defender for IoT, a new record is added to the **SecurityAlert** table.
+
+To view all Defender for IoT events in Microsoft Sentinel, run the following query on the **SecurityAlert** table:
 
-- **Events**: Each alert log that streams to Microsoft Sentinel from Defender for IoT is an *event*. If the alert log reflects a new or updated alert in Defender for IoT, a new record is added to the **SecurityAlert** table. 
+```kql
+SecurityAlert
+| where ProviderName == 'IoTSecurity' or ProviderName == 'CustomAlertRule'
+Instead
+```
 
-    To view all Defender for IoT events in Microsoft Sentinel, run the following query on the **SecurityAlert** table:
+### Defender for IoT alerts in Microsoft Sentinel
 
-    ```kql
-    SecurityAlert
-    | where ProviderName == 'IoTSecurity' or ProviderName == 'CustomAlertRule'
-    Instead
-    ```
+Microsoft Sentinel creates alerts based on your current analytics rules and the alert logs listed in the **SecurityAlert** table. If you don't have any active analytics rules for Defender for IoT, Microsoft Sentinel considers each alert log as an *event*.
 
-- **Alerts**: Microsoft Sentinel creates alerts based on your current analytics rules and the alert logs listed in the **SecurityAlert** table. If you don't have any active analytics rules for Defender for IoT, Microsoft Sentinel considers each alert log as an *event*.
+To view alerts in Microsoft Sentinel, run the following query on the**SecurityAlert** table:
+```kql
+SecurityAlert
+| where ProviderName == 'ASI Scheduled Alerts' or ProviderName =='CustomAlertRule'
+```
 
-    To view alerts in Microsoft Sentinel, run the following query on the **SecurityAlert** table:
+After you've installed the Microsoft Defender for IoT solution and deployed the [AD4IoT-AutoAlertStatusSync](iot-advanced-threat-monitoring.md#update-alert-statuses-in-defender-for-iot) playbook, alert status changes are synchronized from Microsoft Sentinel to Defender for IoT. Alert status changes are *not* synchronized from Defender for IoT to Microsoft Sentinel.
 
-    ```kql
-    SecurityAlert
-    | where ProviderName == 'ASI Scheduled Alerts' or ProviderName == 'CustomAlertRule'
-    ```
+> [!IMPORTANT]
+> We recommend that you manage your alert statuses together with the related incidents in Microsoft Sentinel. For more information, see [Work with incident tasks in Microsoft Sentinel](/azure/sentinel/work-with-tasks).
+>
 
-- **Incidents**. Microsoft Sentinel creates incidents based on your analytics rules. You might have several alerts grouped in the same incident, or you may have analytics rules configured to *not* create incidents for specific alert types.
+### Defender for IoT incidents in Microsoft Sentinel
 
-    To view incidents in Microsoft Sentinel, run the following query:
+Microsoft Sentinel creates incidents based on your analytics rules. You might have several alerts grouped in the same incident, or you may have analytics rules configured to *not* create incidents for specific alert types.
 
-    ```kql
-    SecurityIncident
-    ```
+To view incidents in Microsoft Sentinel, run the following query:
+```kql
+SecurityIncident
+```
 
 ## Next steps
 
