articles/defender-for-iot/organizations/how-to-manage-individual-sensors.md
Lines changed: 6 additions & 8 deletions
@@ -218,19 +218,17 @@ You'd configured your OT sensor network configuring during [installation](ot-dep
218
218
219
219
### Turn off learning mode manually
220
220
<!-- Limor should most of this intro be moved to create-learned-baseline.md? that is a 'concept' page about learning mode-->
221
-
An OT network sensor starts monitoring your network automatically as soon as it's connected to your network and you've [signed in](ot-deploy/activate-deploy-sensor.md#sign-in-to-the-sensor-console-and-change-the-default-password). Network devices start appearing in your [device inventory](device-inventory.md), and [alerts](alerts.md) are triggered for any<!-- amit should 'any' be removed - not for polivy vio? --> security or operational incidents that occur in your network.
221
+
An OT network sensor starts monitoring your network automatically as soon as it's connected to your network and you've [signed in](ot-deploy/activate-deploy-sensor.md#sign-in-to-the-sensor-console-and-change-the-default-password). Network devices start appearing in your [device inventory](device-inventory.md), and [alerts](alerts.md) are triggered for any security or operational incidents that occur in your network.
222
222
223
-
There are three stages to the monitoring process controlled by three modes:<!-- Limor - capitals for mode titles?-->
223
+
There are three stages to the monitoring process. For more information, see [overview of the multi stage monitoring process](ot-deploy/create-learning-baseline.md).
224
224
225
-
1. In **Learning mode** the sensor monitors and assesses all network communication, including the devices and protocols in your network, and the regular file transfers that occur between specific devices. The sensor learns which communications are normal, safe traffic and which are suspicious, thereby creating a baseline of safe traffic which won't trigger alerts. Any regularly detected activity becomes your network's [baseline traffic](ot-deploy/create-learned-baseline.md). In learning mode you'll see alerts for malware, ..., or ...., however, no Policy Violation alerts are generated in learning mode.<!-- what doesnt happen in learning mode? Are there any policy violation alerts produced?? any other alerts not produced? What alerts are produced? -->
226
-
227
-
1. In **Dynamic mode** the sensor continues the monitoring process, ensuring that the baseline produced in the learning mode is accurate. Dynamic mode also starts to produce **Policy violation** alerts that detail important, suspicious traffic that needs to be remidated.
225
+
<!--1. In **Learning mode** the sensor monitors and assesses all network communication, including the devices and protocols in your network, and the regular file transfers that occur between specific devices. The sensor learns which communications are normal, safe traffic and which are suspicious, thereby creating a baseline of safe traffic which won't trigger alerts. Any regularly detected activity becomes your network's [baseline traffic](ot-deploy/create-learned-baseline.md). In learning mode you'll see alerts for malware, ..., or ...., however, no Policy Violation alerts are generated in learning mode.<!-- what doesnt happen in learning mode? Are there any policy violation alerts produced?? any other alerts not produced? What alerts are produced? -->
226
+
<!--1. In **Dynamic mode** the sensor continues the monitoring process, ensuring that the baseline produced in the learning mode is accurate. Dynamic mode also starts to produce **Policy violation** alerts that detail important, suspicious traffic that needs to be remidated.
228
227
229
228
1. In **Operational mode** the sensor monitors all network traffic, with a completed baseline, and triggers all alerts.
230
229
<!-- Limor- This was original text - included in the first para above :- Initially, this activity happens in *learning* mode, which instructs your OT sensor to learn your network's usual activity, including the devices and protocols in your network, and the regular file transfers that occur between specific devices. Any regularly detected activity becomes your network's [baseline traffic](ot-deploy/create-learned-baseline.md). The *Learning* mode monitors all of the network OT sensors with identical global settings to ensure that it tracks and identifies all types of network traffic. In learning mode you'll see alerts for malware, ..., or ...., however, no Policy Violation alerts are generated in learning mode. -->
231
-
Two to six weeks after deploying your sensor the detection levels should accurately reflect your network activity.<!-- what should this now look like? How much less than in the original first days? In other places we say that there is a drop off, im still unclear what that will look like? --> At this stage we recommend turning off learning mode. The sensor remains in *dynamic* mode, where it continues to monitor and assess the network traffic as though it was in learning mode, but slowly starts to generate **Policy Violation** alerts as well. Eventually, when the sensor recognises all normal types of network traffic it will automatically change to *Operational* mode.
232
-
233
-
This procedure describes how to manually turn off the learning mode if you feel that the alerts accurately reflect your network activity.
230
+
Two to six weeks after deploying your sensor the detection levels should accurately reflect your network activity. At this stage we recommend turning off learning mode.<!-- The sensor remains in *dynamic* mode, where it continues to monitor and assess the network traffic as though it was in learning mode, but slowly starts to generate **Policy Violation** alerts as well. Eventually, when the sensor recognises all normal types of network traffic it will automatically change to *Operational* mode. -->
231
+
<!--This procedure describes how to manually turn off the learning mode if you feel that the alerts accurately reflect your network activity.-->
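Review bot: the new link at line 223 points to `ot-deploy/create-learning-baseline.md`, but the file edited later in this same commit, and the links this hunk keeps at old line 225 and in the comment at 229, is `ot-deploy/create-learned-baseline.md`, so the cross-reference will break; fix the target before merging. Second, the comment opened at line 226 (`<!--1. In **Dynamic mode** ...`) has no `-->` on that line, so it stays open through line 228 and is only closed by the `-->` at the end of the Limor note at 229; the `1. In **Operational mode**` item at 228 is therefore swallowed and no longer renders, leaving the stage list with no visible items. Since the stage descriptions now live in create-learned-baseline.md, delete lines 225-229 outright rather than commenting them out, and resolve the commented-out sentences at 230-231 the same way so that no unanswered reviewer queries ship in the source.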
articles/defender-for-iot/organizations/ot-deploy/create-learned-baseline.md
Lines changed: 30 additions & 6 deletions
@@ -11,24 +11,48 @@ This article is one in a series of articles describing the [deployment path](../
11
11
12
12
:::image type="content" source="../media/deployment-paths/progress-fine-tuning-ot-monitoring.png" alt-text="Diagram of a progress bar with Fine-tune OT monitoring highlighted." border="false" lightbox="../media/deployment-paths/progress-fine-tuning-ot-monitoring.png":::
13
13
14
-
## Understand learning mode
14
+
## Overview of the multi stage monitoring process
15
15
16
16
An OT network sensor starts monitoring your network automatically after it's connected to the network and you've [signed in](activate-deploy-sensor.md#sign-in-to-the-sensor-console-and-change-the-default-password). Network devices start appearing in your device inventory, and [alerts](../alerts.md) are triggered for any security or operational incidents that occur in your network.
17
17
18
-
Initially, this activity happens in *learning* mode, which instructs your OT sensor to learn your network's usual activity, including the devices and protocols in your network, and the regular file transfers that occur between specific devices. Any regularly detected activity becomes your network's baseline traffic.
18
+
Defender for IoT employs a three stage monitoring process that learns your network's normal traffic behavior. These three stages ensure accurate detection while reducing unnecessary alerts, are:
19
19
20
+
1. Learning mode
21
+
1. Dynamic mode
22
+
1. Operational mode
20
23
24
+
### Learning mode
25
+
26
+
Initially, the sensor runs in *learning* mode to monitor all of your network traffic and build a baseline of all normal traffic patterns. This baseline includes all of the devices and protocols in your network, and the regular file transfers that occur between devices. This process normally takes between 2 and 6 weeks, depending on your network size and complexity. Additionally, any devices discovered later enter learning mode for 7 days in order to establish their network traffic baseline.
27
+
28
+
In learning mode the malware, anomoly, operational and protocol violation alerts will appear in the alerts inventory, but policy violation alerts aren't created.
29
+
30
+
### Dynamic mode
31
+
32
+
After the learning period is completed, all of your devices are identified and the level of alerts matches the size of the network, you manually change the sensor to dynamic mode. Dynamic mode continues to monitor your network, verifying and refining the baseline. The sensor now monitors each alert category and scenario individually and when the sensor identifies that an individual alert baseline is accurate it dynamically changes it to operational mode. Alternatively, the sensor might dynamically extend the learning mode for a specific alert or scenario if it detects significant changes in traffic.
33
+
34
+
At this stage policy violation alerts are gradually introduced and start to appear in the alert inventory.
35
+
36
+
### Operational mode
37
+
38
+
Once the sensor identifies that the baseline is stable and complete it automatically transitions into operational mode, monitoring all of the network traffic and triggering all alert types.
|**Learning**| Builds a baseline of normal network traffic | Malware alerts, anomaly alerts, operational alerts, protocol violation alerts | Turn off manually after 2–6 weeks or when baseline reflects accurate network activity |
45
+
|**Dynamic**| Refines the baseline while gradually introducing policy violations alerts to ensure accuracy and reduce alert noise | Policy Violation alerts are introduced | Optional: Adjust settings for specific scenarios (e.g., during POCs) |
46
+
|**Operational**| Monitors all network traffic with a stable baseline, triggering all alerts to reflect deviations or suspicious activity | All types of alerts | None. Automatically transitions when baseline stabilizes |
47
+
48
+
<!-- Amit is the following tip accurate as well? I think not. there isnt triage in learning mode? -->
21
49
> [!TIP]
22
50
> Use your time in learning mode to triage your alerts and *Learn* those that you want to mark as authorized, expected activity. Learned traffic doesn't generate new alerts the next time the same traffic is detected.
23
51
>
24
52
> After learning mode is turned off, any activity that differs from your baseline data will trigger an alert.
25
53
26
54
For more information, see [Microsoft Defender for IoT alerts](../alerts.md).
27
55
28
-
### Learn mode timeline
29
-
30
-
Creating your baseline of OT alerts can take anywhere from a few days to several weeks, depending on your network size and complexity. Learning mode automatically turns off when the sensor detects a decrease in newly detected traffic, which is typically between 2-6 weeks after deployment.
31
-
32
56
[Turn off learning mode manually before then](../how-to-manage-individual-sensors.md#turn-off-learning-mode-manually) if you feel that the current alerts accurately reflect your network activity.
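Review bot: line 56 still reads `[Turn off learning mode manually before then](...)`, but the `### Learn mode timeline` section this hunk removes (old lines 28-30) was the only text stating that learning mode turns off automatically after 2-6 weeks, so `before then` no longer has an antecedent; reword it to match the new line 32, which makes the switch to dynamic mode a manual step, for example `Turn off learning mode manually when the current alerts accurately reflect your network activity`. The retained tip at line 52 (`any activity that differs from your baseline data will trigger an alert`) also contradicts the new line 34, which says policy violation alerts are only introduced gradually in dynamic mode, and the `<!-- Amit ... -->` query at line 48 questioning that tip should be resolved and removed rather than committed. Smaller points: line 18 is ungrammatical (`These three stages ensure accurate detection while reducing unnecessary alerts, are:` should read `These three stages, which ensure accurate detection while reducing unnecessary alerts, are:`), line 28 `anomoly` should be `anomaly`, the heading at line 14 should be `multi-stage`, and the table rows at 45-47 mix `Policy Violation` with `policy violation` and use `e.g.` where the rest of the article spells out `for example`.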