Commit bc4a33f

Merge pull request #220552 from batamig/alert-redux
Alert-redux
2 parents 3708317 + e4e229a commit bc4a33f


41 files changed: +721 / -949 lines changed

.openpublishing.redirection.defender-for-iot.json

Lines changed: 5 additions & 0 deletions
@@ -1,5 +1,10 @@
11
{
22
"redirections": [
3+
{
4+
"source_path_from_root": "/articles/defender-for-iot/organizations/how-to-manage-the-alert-event.md",
5+
"redirect_url": "/azure/defender-for-iot/organizations/how-to-view-alerts",
6+
"redirect_document_id": false
7+
},
38
{
49
"source_path_from_root": "/articles/defender-for-iot/organizations/how-to-install-software.md",
510
"redirect_url": "/azure/defender-for-iot/organizations/ot-deploy/install-software-ot-sensor",

articles/defender-for-iot/organizations/TOC.yml

Lines changed: 7 additions & 9 deletions
@@ -66,6 +66,8 @@
6666
href: ot-virtual-appliances.md
6767
- name: Supported OT protocols
6868
href: concept-supported-protocols.md
69+
- name: Defender for IoT alerts
70+
href: alerts.md
6971
- name: Monitoring OT threats in enterprise SOCs
7072
href: concept-sentinel-integration.md
7173
displayName: Microsoft Sentinel, modernize SOC
@@ -94,17 +96,13 @@
9496
- name: Azure portal
9597
href: how-to-manage-cloud-alerts.md
9698
- name: Sensor console
97-
items:
98-
- name: View alerts from a sensor console
99-
href: how-to-view-alerts.md
100-
- name: Manage alerts from a sensor console
101-
href: how-to-manage-the-alert-event.md
102-
- name: Manage alert workflows from a sensor console
103-
href: how-to-accelerate-alert-incident-response.md
104-
- name: Forward alert data from a sensor console
105-
href: how-to-forward-alert-information-to-partners.md
99+
href: how-to-view-alerts.md
106100
- name: On-premises management console
107101
href: how-to-work-with-alerts-on-premises-management-console.md
102+
- name: Accelerate on-premises alert workflows
103+
href: how-to-accelerate-alert-incident-response.md
104+
- name: Forward on-premises alert data
105+
href: how-to-forward-alert-information-to-partners.md
108106
- name: Visualize and monitor data
109107
items:
110108
- name: Visualize data with workbooks
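Review bot: The YAML indentation is lost in this rendering, so confirm that the two new entries at 102+ through 105+ (`Accelerate on-premises alert workflows`, `Forward on-premises alert data`) sit at the same level as `- name: On-premises management console`, as siblings of the three location nodes, rather than nested under it; both target articles are linked from the new alerts.md for the OT sensor as well as the management console, so the sibling level is the right one. The removed child `Manage alerts from a sensor console` (how-to-manage-the-alert-event.md) is covered by the redirect added in the .openpublishing.redirection file, which is consistent.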

articles/defender-for-iot/organizations/alert-engine-messages.md

Lines changed: 12 additions & 1 deletion
@@ -19,6 +19,18 @@ Several alerts are disabled by default, as indicated by asterisks (*) in the tab
1919

2020
If you disable alerts that are referenced in other places, such as [alert forwarding rules](how-to-forward-alert-information-to-partners.md), make sure to update those references as needed.
2121

22+
## Alert severities
23+
24+
Defender for IoT alerts use the following severity levels:
25+
26+
- **Critical**: Indicates a malicious attack that should be handled immediately.
27+
28+
- **Major**: Indicates a security threat that's important to address.
29+
30+
- **Minor**: Indicates some deviation from the baseline behavior that might contain a security threat.
31+
32+
- **Warning**: Indicates some deviation from the baseline behavior with no security threats.
33+
2234
## Supported alert types
2335

2436
| Alert type | Description |
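Review bot: Style: the new `## Alert severities` list at 26+ through 32+ puts a blank line between every bullet, which renders as a loose list with paragraph spacing; the other lists in this file (for example the `For more information` list in the next hunk) are tight, so drop the blank lines for consistency. The intro at 24+ would also read better as `Defender for IoT alerts use one of the following severity levels:`.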
@@ -311,7 +323,6 @@ Operational engine alerts describe detected operational incidents, or malfunctio
311323
For more information, see:
312324

313325
- [View and manage alerts on the Defender for IoT portal (Preview)](how-to-manage-cloud-alerts.md)
314-
- [Manage alerts](how-to-manage-the-alert-event.md)
315326
- [View alerts on your sensor](how-to-view-alerts.md)
316327
- [Accelerate alert workflows](how-to-accelerate-alert-incident-response.md)
317328
- [Forward alert information](how-to-forward-alert-information-to-partners.md)
Lines changed: 132 additions & 0 deletions
@@ -0,0 +1,132 @@
1+
---
2+
title: Microsoft Defender for IoT alerts
3+
description: Learn about Microsoft Defender for IoT alerts across the Azure portal, OT network sensors, and on-premises management consoles.
4+
ms.date: 12/12/2022
5+
ms.topic: how-to
6+
---
7+
8+
# Microsoft Defender for IoT alerts
9+
10+
Microsoft Defender for IoT alerts enhance your network security and operations with real-time details about events logged in your network. Alerts are triggered when OT or Enterprise IoT network sensors detect changes or suspicious activity in network traffic that needs your attention.
11+
12+
For example:
13+
14+
:::image type="content" source="media/how-to-view-manage-cloud-alerts/main-alert-page.png" alt-text="Screenshot of the Alerts page in the Azure portal." lightbox="media/how-to-view-manage-cloud-alerts/main-alert-page.png":::
15+
16+
Use the details shown on the **Alerts** page, or on an alert details page, to investigate and take action that remediates any risk to your network, either from related devices or the network process that triggered the alert.
17+
18+
> [!TIP]
19+
> Use alert remediation steps to help your SOC teams understand possible issues and resolutions. We recommend that you review recommended remediation steps before updating an alert status or taking action on the device or network.
20+
>
21+
22+
## Alert management options
23+
24+
Defender for IoT alerts are available in the Azure portal, OT network sensor consoles, and the on-premises management console.
25+
26+
While you can view alert details, investigate alert context, and triage and manage alert statuses from any of these locations, each location also offers extra alert actions. The following table describes the alerts supported for each location and the extra actions available from that location only:
27+
28+
|Location |Description | Extra alert actions |
29+
|---------|---------|---------|
30+
|**Azure portal** | Alerts from all cloud-connected OT sensors and Enterprise IoT sensors | - View related MITRE ATT&CK tactics and techniques <br>- Use out-of-the-box workbooks for visibility into high priority alerts <br>- View alerts from Microsoft Sentinel and run deeper investigations with [Microsoft Sentinel playbooks and workbooks](concept-sentinel-integration.md). |
31+
|**OT network sensor consoles** | Alerts generated by that OT sensor | - View the alert's source and destination in the **Device map** <br>- View related events on the **Event timeline** <br>- Forward alerts directly to partner vendors <br>- Create alert comments <br> - Create custom alert rules <br>- Unlearn alerts |
32+
|**An on-premises management console** | Alerts generated by connected OT sensors | - Forward alerts directly to partner vendors <br> - Create alert exclusion rules |
33+
34+
For more information, see [Accelerating OT alert workflows](#accelerating-ot-alert-workflows) and [Alert statuses and triaging options](alerts.md#alert-statuses-and-triaging-options) below.
35+
36+
Alert options also differ depending on your location and user role. For more information, see [Azure user roles and permissions](roles-azure.md) and [On-premises users and roles](roles-on-premises.md).
37+
38+
### Enterprise IoT alerts and Microsoft Defender for Endpoint
39+
40+
Alerts triggered by Enterprise IoT sensors are shown in the Azure portal only.
41+
42+
If you have an [Enterprise IoT plan](eiot-defender-for-endpoint.md) with Microsoft Defender for Endpoint, alerts for Enterprise IoT devices detected by Microsoft Defender for Endpoint are available in Microsoft 365 Defender only.
43+
44+
For more information, see [Securing IoT devices in the enterprise](concept-enterprise.md) and the [Alerts queue in Microsoft 365 Defender](/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response).
45+
46+
## Managing OT alerts in a hybrid environment
47+
48+
Users working in hybrid environments may be managing OT alerts in Defender for IoT on the Azure portal, the OT sensor, and an on-premises management console.
49+
50+
Alert statuses are fully synchronized between the Azure portal and the OT sensor, and between the sensor and the on-premises management console. This means that regardless of where you manage the alert in Defender for IoT, the alert is updated in other locations as well.
51+
52+
Setting an alert status to **Closed** or **Muted** on a sensor or on-premises management console updates the alert status to **Closed** on the Azure portal. On the on-premises management console, the **Closed** alert status is called **Acknowledged**.
53+
54+
> [!TIP]
55+
> If you're working with Microsoft Sentinel, we recommend that you configure the integration to also [synchronize alert status](concept-sentinel-integration.md#defender-for-iot-alerts-in-microsoft-sentinel) with Microsoft Sentinel, and then manage alert statuses together with the related Microsoft Sentinel incidents.
56+
>
57+
> For more information, see [Tutorial: Investigate and detect threats for IoT devices](iot-advanced-threat-monitoring.md).
58+
>
59+
60+
## Accelerating OT alert workflows
61+
62+
New alerts are automatically closed if no identical traffic is detected 90 days after the initial detection. If identical traffic is detected within those first 90 days, the 90-day count is reset.
63+
64+
In addition to the default behavior, you may want to help your SOC and OT management teams triage and remediate alerts faster. Sign into an OT sensor or an on-premises management console as an **Admin** user to use the following options:
65+
66+
- **Create custom alert rules**. OT sensors only.
67+
68+
Add custom alert rules to trigger alerts for specific activity on your network that's not covered by out-of-the-box functionality.
69+
70+
For example, for an environment running MODBUS, you might add a rule to detect any written commands to a memory register on a specific IP address and ethernet destination.
71+
72+
For more information, see [Create custom alert rules on an OT sensor](how-to-accelerate-alert-incident-response.md#create-custom-alert-rules-on-an-ot-sensor).
73+
74+
- **Create alert comments**. OT sensors only.
75+
76+
Create a set of alert comments that other OT sensor users can add to individual alerts, with details like custom mitigation steps, communications to other team members, or other insights or warnings about the event.
77+
78+
Team members can reuse these custom comments as they triage and manage alert statuses. Alert comments are shown in a comments area on an alert details page. For example:
79+
80+
:::image type="content" source="media/alerts/alert-comments.png" alt-text="Screenshot of the alert comments area.":::
81+
82+
For more information, see [Create alert comments on an OT sensor](how-to-accelerate-alert-incident-response.md#create-alert-comments-on-an-ot-sensor).
83+
84+
- **Create alert exclusion rules**: On-premises management consoles only.
85+
86+
If you're working with an on-premises management console, define *alert exclusion rules* to ignore events across multiple sensors that meet specific criteria. For example, you might create an alert exclusion rule to ignore all events that would trigger irrelevant alerts during a specific maintenance window.
87+
88+
Alerts ignored by exclusion rules aren't shown on the Azure portal, sensor, or on-premises management console, or in the event logs.
89+
90+
For more information, see [Create alert exclusion rules on an on-premises management console](how-to-accelerate-alert-incident-response.md#create-alert-exclusion-rules-on-an-on-premises-management-console).
91+
92+
- **Forward alert data to partner systems** to partner SIEMs, syslog servers, specified email addresses and more.
93+
94+
Supported from both OT sensors and on-premises management consoles. For more information, see [Forward alert information](how-to-forward-alert-information-to-partners.md).
95+
96+
## Alert statuses and triaging options
97+
98+
Use the following alert statuses and triaging options to manage alerts across Defender for IoT.
99+
100+
When triaging an alert, consider that some alerts might reflect valid network changes, such as an authorized device attempting to access a new resource on another device.
101+
102+
While triaging options from the OT sensor and the on-premises management console are available for OT alerts only, options available on the Azure portal are available for both OT and Enterprise IoT alerts.
103+
104+
Use the following table to learn more about each alert status and triage option.
105+
106+
107+
|Status / triage action |Available on |Description |
108+
|---------|---------|---------|
109+
|**New** | - Azure portal <br><br>- OT network sensors <br><br>- On-premises management console | *New* alerts are alerts that haven't yet been triaged or investigated by the team. New traffic detected for the same devices doesn't generate a new alert, but is added to the existing alert. <br><br>On the on-premises management console, *New* alerts are called *Unacknowledged*.<br><br>**Note**: You might see multiple, *New* or *Unacknowledged* alerts with the same name. In such cases, each separate alert is triggered by separate traffic, on different sets of devices. |
110+
|**Active** | - Azure portal only | Set an alert to *Active* to indicate that an investigation is underway, but that the alert can't yet be closed or otherwise triaged. <br><br>This status has no effect elsewhere in Defender for IoT. |
111+
|**Closed** | - Azure portal <br><br>- OT network sensors <br><br>- On-premises management console | Close an alert to indicate that it's fully investigated, and you want to be alerted again the next time the same traffic is detected.<br><br>Closing an alert adds it to the sensor event timeline.<br><br>On the on-premises management console, *New* alerts are called *Acknowledged*. |
112+
|**Learn** | - Azure portal <br><br>- OT network sensors <br><br>- On-premises management console <br><br>*Unlearning* an alert is available only on the OT sensor. | Learn an alert when you want to close it and add it as allowed traffic, so that you aren't alerted again the next time the same traffic is detected. <br><br>For example, when the sensor detects firmware version changes following standard maintenance procedures, or when a new, expected device is added to the network. <br><br>Learning an alert closes the alert and adds an item to the sensor event timeline. Detected traffic is included in data mining reports, but not when calculating other OT sensor reports. <br><br>Learning alerts is available for selected alerts only, mostly those triggered by *Policy* and *Anomaly* engine alerts. |
113+
|**Mute** | - OT network sensors <br><br>- On-premises management console <br><br>*Unmuting* an alert is available only on the OT sensor. | Mute an alert when you want to close it and not see again for the same traffic, but without adding the alert allowed traffic. <br><br>For example, when the Operational engine triggers an alert indicating that the PLC Mode was changed on a device. The new mode may indicate that the PLC isn't secure, but after investigation, it's determined that the new mode is acceptable. <br><br>Muting an alert closes it, but doesn't add an item to the sensor event timeline. Detected traffic is included in data mining reports, but not when when calculating data for other sensor reports. <br><br>Muting an alert is available for selected alerts only, mostly those triggered by the *Anomaly*, *Protocol Violation*, or *Operational* engines. |
114+
115+
> [!TIP]
116+
> If you know ahead of time which events are irrelevant for you, such as during a maintenance window, or if you don't want to track the event in the event timeline, create an alert exclusion rule on an on-premises management console instead.
117+
>
118+
> For more information, see [Create alert exclusion rules on an on-premises management console](how-to-accelerate-alert-incident-response.md#create-alert-exclusion-rules-on-an-on-premises-management-console).
119+
>
120+
121+
## Next steps
122+
123+
Review alert types and messages to help you understand and plan remediation actions and playbook integrations. For more information, see [OT monitoring alert types and descriptions](alert-engine-messages.md).
124+
125+
> [!div class="nextstepaction"]
126+
> [View and manage alerts from the Azure portal](how-to-manage-cloud-alerts.md)
127+
128+
> [!div class="nextstepaction"]
129+
> [View and manage alerts on your OT sensor](how-to-view-alerts.md)
130+
131+
> [!div class="nextstepaction"]
132+
> [View and manage alerts on the on-premises management console](how-to-work-with-alerts-on-premises-management-console.md)
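Review bot: The **Closed** row at 111+ ends with `On the on-premises management console, *New* alerts are called *Acknowledged*.`, which contradicts both 52+ (`the **Closed** alert status is called **Acknowledged**`) and the **New** row at 109+ (`*New* alerts are called *Unacknowledged*`); it should say `*Closed* alerts are called *Acknowledged*`. Smaller fixes in the same hunk: 113+ has `when when` and the grammar `not see again for the same traffic, but without adding the alert allowed traffic` should be `not see it again for the same traffic, but without adding the alert's traffic as allowed traffic`; 92+ doubles the preposition (`Forward alert data to partner systems to partner SIEMs, ...`) and reads better as `Forward alert data to partner SIEMs, syslog servers, specified email addresses, and more`; 34+ links the article to itself with `alerts.md#alert-statuses-and-triaging-options` while the first link in the same sentence uses a bare `#accelerating-ot-alert-workflows` anchor, so use the bare anchor for both. Finally, the TOC change files this article next to the concept topics (`concept-supported-protocols.md`) and it contains no procedure, so `ms.topic: how-to` at 5+ looks like it should be `conceptual`.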

articles/defender-for-iot/organizations/api/management-alert-apis.md

Lines changed: 1 addition & 1 deletion
@@ -257,7 +257,7 @@ The maintenance windows that define with the `maintenanceWindow` API appear in t
257257

258258

259259
> [!IMPORTANT]
260-
> This API is supported for maintenance purposes only and for a limited time period, and is not meant to be used instead of [alert exclusion rules](../how-to-work-with-alerts-on-premises-management-console.md#create-alert-exclusion-rules). Use this API for one-time, temporary maintenance operations only.
260+
> This API is supported for maintenance purposes only and for a limited time period, and is not meant to be used instead of [alert exclusion rules](../how-to-accelerate-alert-incident-response.md#create-alert-exclusion-rules-on-an-on-premises-management-console). Use this API for one-time, temporary maintenance operations only.
261261
262262
**URI**: `/external/v1/maintenanceWindow`
263263

articles/defender-for-iot/organizations/architecture.md

Lines changed: 3 additions & 3 deletions
@@ -59,17 +59,17 @@ In contrast, when working with locally managed sensors:
5959

6060
For more information, see [Manage OT sensors from the sensor console](how-to-manage-individual-sensors.md) and [Manage OT sensors from the management console](how-to-manage-sensors-from-the-on-premises-management-console.md).
6161

62-
### Analytics engines on OT network sensors
62+
### Defender for IoT analytics engines
6363

64-
OT network sensors analyze ingested data using built-in analytics engines, and trigger alerts based on both real-time and pre-recorded traffic.
64+
Defender for IoT network sensors analyze ingested data using built-in analytics engines, and trigger alerts based on both real-time and pre-recorded traffic.
6565

6666
Analytics engines provide machine learning and profile analytics, risk analysis, a device database and set of insights, threat intelligence, and behavioral analytics.
6767

6868
For example, the **policy violation detection** engine models industry control system (ICS) networks and alerts users of any deviation from baseline behavior. Deviations might include unauthorized use of specific function codes, access to specific objects, or changes to device configuration.
6969

7070
Since many detection algorithms were built for IT, rather than OT networks, the extra baseline for ICS networks helps to shorten the system's learning curve for new detections.
7171

72-
OT network sensors include the following analytics engines:
72+
Defender for IoT network sensors include the following analytics engines:
7373

7474
|Name |Description |
7575
|---------|---------|
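Review bot: Renaming the heading at 62+ from `### Analytics engines on OT network sensors` to `### Defender for IoT analytics engines` changes its generated anchor, so any existing links to `#analytics-engines-on-ot-network-sensors` in other articles will break; search the docs set for that anchor and update it in this PR. The body text at 64+ and 72+ is broadened from `OT network sensors` to `Defender for IoT network sensors`, yet the unchanged paragraphs around it still describe ICS/OT-specific behaviour (function codes, the extra ICS baseline), so confirm the engines listed in the table below actually apply to Enterprise IoT sensors before generalizing the wording.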

articles/defender-for-iot/organizations/concept-supported-protocols.md

Lines changed: 2 additions & 2 deletions
@@ -76,5 +76,5 @@ To join the Horizon community, email us at: [[email protected]](ma
7676

7777
For more information:
7878

79-
- [Customize alert rules](how-to-accelerate-alert-incident-response.md#customize-alert-rules)
80-
- [About forwarded alert information](how-to-forward-alert-information-to-partners.md#about-forwarded-alert-information)
79+
- [Create custom alert rules on an OT sensor](how-to-accelerate-alert-incident-response.md#create-custom-alert-rules-on-an-ot-sensor)
80+
- [Forward OT alert information](how-to-forward-alert-information-to-partners.md)
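Review bot: The second link at 80+ drops the `#about-forwarded-alert-information` anchor and now lands readers at the top of the forwarding article; if that section still exists, keep the anchor so the link stays as specific as before, otherwise this is fine. The first link at 79+ now uses the same `#create-custom-alert-rules-on-an-ot-sensor` anchor as alerts.md, which keeps the cross-references consistent.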
