Commit ae3b163

Merge pull request #189344 from batamig/release-notes-plus
release notes 22.1 ii
2 parents b4112fb + 3813511 commit ae3b163

21 files changed: +302 -144 lines changed

articles/defender-for-iot/organizations/getting-started.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -96,7 +96,7 @@ After you acquire your on-premises management console appliance:
9696

9797
**To install and set up**:
9898

99-
1. Go to [Defender for IoT: Getting Started](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started) in the Azure portal].
99+
1. Go to [Defender for IoT: Getting Started](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started) in the Azure portal.
100100

101101
1. Select the **On-premises management console** tab.
102102

@@ -118,7 +118,7 @@ Onboard a sensor by registering it with Microsoft Defender for IoT and downloadi
118118

119119
- **Locally managed sensors**: Information that sensors detect is displayed in the sensor console. If you're working in an air-gapped network and want a unified view of all information detected by multiple locally managed sensors, work with the on-premises management console.
120120

121-
1. Select a site to associate your sensor to within an IoT Hub. The IoT Hub will serve as a gateway between this sensor and Microsoft Defender for IoT. Define the display name, and zone. You can also add descriptive tags. The display name, zone, and tags are descriptive entries on the [Sites and Sensors page](how-to-manage-sensors-on-the-cloud.md#view-onboarded-sensors).
121+
1. Select a site to associate your sensor to within an IoT Hub. The IoT Hub will serve as a gateway between this sensor and Microsoft Defender for IoT. Define the display name, and zone. You can also add descriptive tags. The display name, zone, and tags are descriptive entries on the [Sites and Sensors page](how-to-manage-sensors-on-the-cloud.md#manage-on-boarded-sensors).
122122

123123
1. Select **Register**.
124124
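Review bot: The new anchor on line 121, `#manage-on-boarded-sensors`, spells the term "on-boarded", while the hunk's own context uses "Onboard a sensor" as one word. The target heading in how-to-manage-sensors-on-the-cloud.md is not visible in this part of the diff, so please confirm the anchor resolves, and consider keeping "onboarded" as the single spelling. While this line is being touched, "Define the display name, and zone" also has a stray comma.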

articles/defender-for-iot/organizations/how-to-create-data-mining-queries.md

Lines changed: 14 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -24,22 +24,27 @@ The following predefined reports are available. These queries are generated in r
2424
- **Programming commands**: Devices that send industrial programming.
2525
- **Remote access**: Devices that communicate through remote session protocols.
2626
- **Internet activity**: Devices that are connected to the internet.
27-
- - **CVEs**: A list of devices detected with known vulnerabilities within the last 24 hours.
27+
- **CVEs**: A list of devices detected with known vulnerabilities within the last 24 hours.
2828
- **Excluded CVEs**: A list of all the CVEs that were manually excluded. To achieve more accurate results in VA reports and attack vectors, you can customize the CVE list manually by including and excluding CVEs.
2929
- **Nonactive devices**: Devices that have not communicated for the past seven days.
3030
- **Active devices**: Active network devices within the last 24 hours.
3131

32-
Find these reports in Analyze** > **Data Mining*. Reports are available for users with Administrator and Security Analyst permissions. Read only users can't access these reports.
32+
Find these reports in **Analyze** > **Data Mining**. Reports are available for users with Administrator and Security Analyst permissions. Read only users can't access these reports.
3333

3434
## Create a report
35+
To create a data-mining report:
3536

36-
1. In Defender for IoT, **Data mining**.
37-
1. Select **Create report**.
38-
1. In the **Create new report** dialog, specify a report name and optional description.
39-
1. In **Choose category**, select the type of report you want to create. You can choose all, standard categories (generic) or specific settings.
40-
1. In **Order by**, order the report by category or activity.
41-
1. If you want to filter report results, you can specify a time range (minutes, days, and hours), and IP or MAC address, port, or device group (as defined in the device map).
42-
4. Select **Save**. Report results open on the **Data Mining** page.
37+
1. Select **Data Mining** from the side menu. Predefined suggested reports appear automatically.
38+
39+
1. Select **Create report** and then enter the following values:
40+
41+
- **Name** / **Description**. Enter a meaningful name for your report and an optional description.
42+
- **Send to CM**. Toggle this option on to send your report to your on-premises management console.
43+
- **Choose category**. Select the categories to include in your report.
44+
- **Order by**. Select to sort your data by category or by activity.
45+
- **Filter by**. Define a filter for your report, using dates, IP address, MAC address, port, or device group.
46+
47+
1. Select **Save** to save your report and display results on the **Data Mining** page.
4348

4449
Reports are dynamically updated each time you open them. For example:
4550
- If you create a report for firmware versions on devices on June 1 and open the report again on June 10, this report will be updated with information that's accurate for June 10.
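Review bot: The new **Filter by** bullet (line 45) says only "dates", where the removed step stated that the time range could be given in minutes, days, and hours and that device groups are the ones defined in the device map. Suggest carrying both details over so the rewrite does not lose information. The **Send to CM** label on line 42 uses "CM" without expanding it; adding "(on-premises management console)" after the label would help. On line 32, "Read only users" should be "Read-only users" since the line is already being edited.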
@@ -59,8 +64,6 @@ The on-premises management console lets you generate reports for each sensor tha
5964
- **Programming Commands**: Presents a list of devices that sent programming commands within the last 24 hours.
6065
- **Remote Access**: Presents a list of devices that remote sources accessed within the last 24 hours.
6166

62-
:::image type="content" source="media/how-to-generate-reports/reports-view.png" alt-text="Screenshot of the reports view.":::
63-
6467
When you choose the sensor from the on-premises management console, all the custom reports configured on that sensor appear in the list of reports. For each sensor, you can generate a default report or a custom report configured on that sensor.
6568

6669
To generate a report:

articles/defender-for-iot/organizations/how-to-manage-cloud-alerts.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ Defender for IoT alerts lets you enhance the security and operation of your netw
1717
- Protocol and operational anomalies
1818
- Suspected malware traffic
1919

20-
:::image type="content" source="media/how-to-view-manage-cloud-alerts/main-alert-page.png" alt-text="Main Alerts page in the Cloud":::
20+
:::image type="content" source="media/how-to-view-manage-cloud-alerts/main-alert-page.png" alt-text="Main Alerts page in the Cloud." lightbox="media/how-to-view-manage-cloud-alerts/main-alert-page.png":::
2121

2222
Alerts triggered by Defender for IoT are displayed on the Alerts page in the Azure portal. Use the Alerts page to:
2323
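Review bot: The alt text on line 20, "Main Alerts page in the Cloud.", does not follow the "Screenshot of ..." pattern used by the other image lines in this commit (for example "Screenshot of the Updates page of Defender for IoT."). Suggest something like "Screenshot of the main Alerts page in the Azure portal." so the alt text describes the image consistently.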

@@ -38,9 +38,9 @@ Alert details triggered by these sensors and aggregated in the Alerts page:
3838

3939
## Alert types and messages
4040

41-
You can view alert messages you may receive. Reviewing alert types and messages ahead of time will help you plan remediation and integration with playbooks.
42-
[Alert types and descriptions](alert-engine-messages.md#alert-types-and-descriptions).
41+
You can view alert messages you may receive. Reviewing alert types and messages ahead of time will help you plan remediation and integration with playbooks.
4342

43+
For more information, see [Alert types and descriptions](alert-engine-messages.md#alert-types-and-descriptions).
4444

4545
## View alerts
4646

@@ -56,7 +56,7 @@ This section describes the information available in the Alerts table.
5656
|--|--|
5757
| **Severity**| A predefined alert severity assigned by the sensor. The severity can be updated. See [Manage alert status and severity](#manage-alert-status-and-severity) for details.
5858
| **Name** | The alert title.
59-
| **Site** | The site associated with the sensor. This site name is defined when you register a sensor with Microsoft Defender for IoT on the Azure portal. The name can be viewed in the Sites and Sensors page on the portal. See [View onboarded sensors](how-to-manage-sensors-on-the-cloud.md#view-onboarded-sensors) for information on registered sensors.
59+
| **Site** | The site associated with the sensor. This site name is defined when you register a sensor with Microsoft Defender for IoT on the Azure portal. The name can be viewed in the Sites and Sensors page on the portal. See [View onboarded sensors](how-to-manage-sensors-on-the-cloud.md#manage-on-boarded-sensors) for information on registered sensors.
6060
| **Engine** | The sensor engine that detected the Operational Technology (OT) traffic. To learn more about engines, see [Detection engines](how-to-control-what-traffic-is-monitored.md#detection-engines). For device builders, the term micro-agent will be displayed.
6161
| **Detection time** | The first time the alert was detected. The alert traffic may occur several times after the first detection. If the alert Status is **New**, the detection time won't change. If the alert is Closed and the traffic is seen again, a new detection time will be displayed.
6262
| **Status** | The alert status: New, Active, Closed
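Review bot: On line 59 the link target changes to `#manage-on-boarded-sensors`, but the link text still reads "View onboarded sensors", so the text no longer matches the section it points to. Suggest updating the link text to the new heading name. The target heading itself is not visible in this hunk, so please confirm the anchor resolves.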

articles/defender-for-iot/organizations/how-to-manage-individual-sensors.md

Lines changed: 11 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -288,30 +288,30 @@ The console will display restore failures.
288288

289289
## Update a standalone sensor version
290290

291-
The following procedure describes how to update a standalone sensor by using the sensor console. The update process takes about 30 minutes.
291+
The following procedure describes how to update a standalone sensor by using the sensor console.
292292

293-
1. Go to the [Azure portal](https://portal.azure.com/).
293+
1. In the Azure portal, go to **Defender for IoT** > **Getting started** > **Updates**.
294294

295-
2. Go to Defender for IoT.
296-
297-
3. Go to the **Updates** page.
295+
1. From the **Sensors** section, select **Download** for the sensor update, and save your `<legacy/upstream>-sensor-secured-patcher-<version number>.tar` file locally. For example:
298296

299297
:::image type="content" source="media/how-to-manage-individual-sensors/updates-page.png" alt-text="Screenshot of the Updates page of Defender for IoT.":::
300298

301-
4. Select **Download** from the **Sensors** section and save the file.
302-
303-
5. In the sensor console's sidebar, select **System Settings**.
299+
1. On your sensor console, select **System Settings** > **Sensor management** > **Software Update**.
304300

305-
6. On the **Version Update** pane, select **Update**.
301+
1. On the **Software Update** pane on the right, select **Upload file**, and then navigate to and select your downloaded `legacy-sensor-secured-patcher-<Version number>.tar` file.
306302

307303
:::image type="content" source="media/how-to-manage-individual-sensors/upgrade-pane-v2.png" alt-text="Screenshot of the update pane.":::
308304

309-
7. Select the file that you downloaded from the Defender for IoT **Updates** page.
305+
The update process starts, and may take about 30 minutes. During your upgrade, the system is rebooted twice.
310306

311-
8. The update process starts, during which time the system is rebooted twice. After the first reboot (before the completion of the update process), the system opens with the sign-in window. After you sign in, the upgrade version appears at the lower left of the sidebar.
307+
Sign in when prompted, and then return to the **System Settings** > **Sensor management** > **Software Update** pane to confirm that the new version is listed.
312308

313309
:::image type="content" source="media/how-to-manage-individual-sensors/defender-for-iot-version.png" alt-text="Screenshot of the upgrade version that appears after you sign in.":::
314310

311+
If you're upgrading from version 10.5.x to version 22.x, make sure to reactivate your sensor. For more information, see [Reactivate a sensor for upgrades to version 22.x from a legacy version](how-to-manage-sensors-on-the-cloud.md#reactivate-a-sensor-for-upgrades-to-version-22x-from-a-legacy-version).
312+
313+
After upgrading to version 22.1.x, the new upgrade log can be found at the following path, accessed via SSH and the *cyberx_host* user: `/opt/sensor/logs/legacy-upgrade.log`.
314+
315315
## Forward sensor failure alerts
316316

317317
You can forward alerts to third parties to provide details about:
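Review bot: The two new steps name the downloaded file differently: line 295 uses `<legacy/upstream>-sensor-secured-patcher-<version number>.tar`, while line 301 uses `legacy-sensor-secured-patcher-<Version number>.tar`, which drops the "upstream" variant and changes the placeholder's capitalization. Suggest using one form in both steps so readers with the upstream package are not left guessing. Two smaller points: the alt text on line 309 still says the version "appears after you sign in", although the new text on line 307 tells the reader to confirm the version in the **Software Update** pane, and line 313 gives the log path only for upgrades to 22.1.x while line 311 talks about 22.x, so it would help to say whether the same path applies.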
