
Commit cd54f07

Merge pull request #219114 from batamig/sentinel-concept-improvements
Sentinel concept improvements
2 parents f990aa7 + aa269a5 commit cd54f07

15 files changed

+142
-86
lines changed

.openpublishing.redirection.json

Lines changed: 10 additions & 0 deletions
@@ -1,5 +1,15 @@
11
{
22
"redirections": [
3+
{
4+
"source_path_from_root": "/articles/sentinel/iot-solution.md",
5+
"redirect_url": "/azure/defender-for-iot/organizations/iot-solution",
6+
"redirect_document_id": false
7+
},
8+
{
9+
"source_path_from_root": "/articles/sentinel/iot-advanced-threat-monitoring.md",
10+
"redirect_url": "/azure/defender-for-iot/organizations/iot-advanced-threat-monitoring",
11+
"redirect_document_id": false
12+
},
313
{
414
"source_path_from_root": "/articles/backup/backup-center-community.md",
515
"redirect_url": "/azure/backup/backup-center-overview",

articles/defender-for-iot/organizations/TOC.yml

Lines changed: 4 additions & 2 deletions
@@ -29,9 +29,9 @@
2929
- name: Integrate with Microsoft Sentinel
3030
items:
3131
- name: Connect Defender for IoT data to Microsoft Sentinel
32-
href: ../../sentinel/iot-solution.md?toc=/azure/defender-for-iot/organizations/toc.json&bc=/azure/defender-for-iot/breadcrumb/toc.json
32+
href: iot-solution.md
3333
- name: Investigate Defender for IoT incidents with Microsoft Sentinel
34-
href: ../../sentinel/iot-advanced-threat-monitoring.md?toc=/azure/defender-for-iot/organizations/toc.json&bc=/azure/defender-for-iot/breadcrumb/toc.json
34+
href: iot-advanced-threat-monitoring.md
3535
- name: Concepts
3636
items:
3737
- name: Subscription billing
@@ -60,8 +60,10 @@
6060
href: concept-supported-protocols.md
6161
- name: Monitoring OT threats in enterprise SOCs
6262
href: concept-sentinel-integration.md
63+
displayName: Microsoft Sentinel, modernize SOC
6364
- name: Securing IoT devices in the enterprise
6465
href: concept-enterprise.md
66+
displayName: Microsoft Defender for Endpoint, MDE
6567
- name: How-to guides
6668
items:
6769
- name: Visualize devices

articles/defender-for-iot/organizations/concept-sentinel-integration.md

Lines changed: 60 additions & 33 deletions
@@ -15,49 +15,54 @@ Together with the new responsibilities, SOC teams deal with new challenges, incl
1515

1616
- **Siloed or inefficient communication and processes** between OT and SOC organizations.
1717

18-
- **Limited technology and tools**, including:
18+
- **Limited technology and tools**, such as lack of visibility or automated security remediation for OT networks. You'll need to evaluate and link information across data sources for OT networks, and integrations with existing SOC solutions may be costly.
1919

20-
- Lack of visibility and insight into OT networks.
20+
However, without OT telemetry, context and integration with existing SOC tools and workflows, OT security and operational threats may be handled incorrectly, or even go unnoticed.
2121

22-
- Limited insight about events across enterprise IT/OT networks, including tools that don't allow SOC teams to evaluate and link information across data sources in IT/OT environments.
22+
## Integrate Defender for IoT and Microsoft Sentinel
2323

24-
- Low level of automated security remediation for OT networks.
24+
Microsoft Sentinel is a scalable cloud service for security information event management (SIEM) security orchestration automated response (SOAR). SOC teams can use the integration between Microsoft Defender for Iot and Microsoft Sentinel to collect data across networks, detect and investigate threats, and respond to incidents.
2525

26-
- Costly and time-consuming effort needed to integrate OT security solutions into existing SOC solutions.
26+
In Microsoft Sentinel, the Defender for IoT data connector and solution brings out-of-the-box security content to SOC teams, helping them to view, analyze and respond to OT security alerts, and understand the generated incidents in the broader organizational threat contents.
2727

28-
Without OT telemetry, context and integration with existing SOC tools and workflows, OT security and operational threats may be handled incorrectly, or even go unnoticed.
28+
Install the Defender for IoT data connector alone to stream your OT network alerts to Microsoft Sentinel. Then, also install the **Microsoft Defender for IoT** solution the extra value of IoT/OT-specific analytics rules, workbooks, and SOAR playbooks, as well as incident mappings to [MITRE ATT&CK for ICS](https://collaborate.mitre.org/attackics/index.php/Overview).
2929

30-
## Integrate Defender for IoT and Microsoft Sentinel
30+
### Integrated detection and response
3131

32-
Microsoft Sentinel is a scalable cloud solution for security information event management (SIEM) security orchestration automated response (SOAR). SOC teams can use Microsoft Sentinel to collect data across networks, detect and investigate threats, and respond to incidents.
32+
The following table shows how both the OT team, on the Defender for IoT side, and the SOC team, on the Microsoft Sentinel side, can detect and respond to threats fast across the entire attack timeline.
3333

34-
The Defender for IoT and Microsoft Sentinel integration delivers out-of-the-box capabilities to SOC teams. This helps them to efficiently and effectively view, analyze, and respond to OT security alerts, and the incidents they generate in a broader organizational threat context.
34+
|Microsoft Sentinel |Step |Defender for IoT |
35+
|---------|---------|---------|
36+
| | **OT alert triggered** | High confidence OT alerts, powered by Defender for IoT's *Section 52* security research group, are triggered based on data ingested to Defender for IoT. |
37+
|Analytics rules automatically open incidents *only* for relevant use cases, avoiding OT alert fatigue | **OT incident created** | |
38+
|SOC teams map business impact, including data about the site, line, compromised assets, and OT owners | **OT incident business impact mapping** | |
39+
|SOC teams move the incident to *Active* and start investigating, using network connections and events, workbooks, and the OT device entity page | **OT incident investigation** | Alerts are moved to *Active*, and OT teams investigate using PCAP data, detailed reports, and other device details |
40+
|SOC teams respond with OT playbooks and notebooks | **OT incident response** | OT teams either suppress the alert or learn it for next time, as needed |
41+
|After the threat is mitigated, SOC teams close the incident | **OT incident closure** | After the threat is mitigated, OT teams close the alert |
3542

36-
Bring Defender for IoT's rich telemetry into Microsoft Sentinel to bridge the gap between OT and SOC teams with the Microsoft Sentinel data connector for Defender for IoT and the **Microsoft Defender for IoT** solution.
43+
## Microsoft Sentinel incidents for Defender for IoT
3744

38-
The **Microsoft Defender for IoT** solution installs out-of-the-box security content to your Microsoft Sentinel, including analytics rules to automatically open incidents, workbooks to visualize and monitor data, and playbooks to automate response actions.
45+
After you've configured the Defender for IoT data connector and have IoT/OT alert data streaming to Microsoft Sentinel, use one of the following methods to create incidents based on those alerts:
3946

40-
Once Defender for IoT data is ingested into Microsoft Sentinel, security experts can work with IoT/OT-specific analytics rules, workbooks, and SOAR playbooks, as well as incident mappings to [MITRE ATT&CK for ICS](https://collaborate.mitre.org/attackics/index.php/Overview).
47+
|Method |Description |
48+
|---------|---------|
49+
|**Use the default data connector rule** | Use the default, **Create incidents based on all alerts generated in Microsoft Defender for IOT** analytics rule provided with the data connector. This rule creates a separate incident in Microsoft Sentinel for each alert streamed from Defender for IoT. |
50+
|**Use out-of-the-box solution rules** | Enable some or all of the [out-of-the-box analytics rules](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforot?tab=Overview) provided with the **Microsoft Defender for IoT** solution.<br><br> These analytics rules help to reduce alert fatigue by creating incidents only in specific situations. For example, you might choose to create incidents for excessive login attempts, but for multiple scans detected in the network. |
51+
|**Create custom rules** | Create custom analytics rules to create incidents based only on your specific needs. You can use the out-of-the-box analytics rules as a starting point, or create rules from scratch. <br><br>Add the following filter to prevent duplicate incidents for the same alert ID: `| where TimeGenerated <= ProcessingEndTime + 60m` |
4152

42-
### Workbooks
53+
Regardless of the method you choose to create alerts, only one incident should be created for each Defender for IoT alert ID.
54+
55+
## Microsoft Sentinel workbooks for Defender for IoT
4356

4457
To visualize and monitor your Defender for IoT data, use the workbooks deployed to your Microsoft Sentinel workspace as part of the **Microsoft Defender for IoT** solution.
4558

4659
Defender for IoT workbooks provide guided investigations for OT entities based on open incidents, alert notifications, and activities for OT assets. They also provide a hunting experience across the MITRE ATT&CK® framework for ICS, and are designed to enable analysts, security engineers, and MSSPs to gain situational awareness of OT security posture.
4760

48-
For example, workbooks can display alerts by any of the following dimensions:
49-
50-
- Type, such as policy violation, protocol violation, malware, and so on
51-
- Severity
52-
- OT device type, such as PLC, HMI, engineering workstation, and so on
53-
- OT equipment vendor
54-
- Alerts over time
55-
56-
Workbooks also show the result of mapping alerts to MITRE ATT&CK for ICS tactics, plus the distribution of tactics by count and time period. For example:
61+
Workbooks can display alerts by type, severity, OT device type or vendor, or alerts over time. Workbooks also show the result of mapping alerts to MITRE ATT&CK for ICS tactics, plus the distribution of tactics by count and time period. For example:
5762

5863
:::image type="content" source="media/concept-sentinel-integration/mitre-attack.png" alt-text="Image of MITRE ATT&CK graph":::
5964

60-
### SOAR playbooks
65+
## SOAR playbooks for Defender for IoT
6166

6267
Playbooks are collections of automated remediation actions that can be run from Microsoft Sentinel as a routine. A playbook can help automate and orchestrate your threat response. It can be run manually or set to run automatically in response to specific alerts or incidents, when triggered by an analytics rule or an automation rule, respectively.
6368

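Review bot: The example in the "Use out-of-the-box solution rules" row inverts its own meaning: "you might choose to create incidents for excessive login attempts, but for multiple scans detected in the network" should read "but not for multiple scans detected in the network", otherwise it no longer illustrates reducing alert fatigue. A few more things in this hunk: "Microsoft Defender for Iot" in the SIEM/SOAR paragraph should be "IoT", and that sentence still lacks an "and" between "(SIEM)" and "security orchestration"; "broader organizational threat contents" should be "threat context"; "install the **Microsoft Defender for IoT** solution the extra value of" is missing "for"; and the closing sentence "Regardless of the method you choose to create alerts" is about creating incidents, not alerts. Finally, the custom-rule row drops the fragment `| where TimeGenerated <= ProcessingEndTime + 60m` with no explanation of what ProcessingEndTime is or which query it belongs in; a one-line note on why this window prevents duplicate incidents for the same alert ID would make it usable.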
@@ -67,19 +72,41 @@ For example, use SOAR playbooks to:
6772

6873
- Send an email to relevant stakeholders when suspicious activity is detected, for example unplanned PLC reprogramming. The mail may be sent to OT personnel, such as a control engineer responsible on the related production line.
6974

70-
## Integrated incident timeline
7175

72-
The following table shows how both the OT team, on the Defender for IoT side, and the SOC team, on the Microsoft Sentinel side, can detect and respond to threats fast across the entire attack timeline.
7376

74-
|Microsoft Sentinel |Step |Defender for IoT |
75-
|---------|---------|---------|
76-
| | **OT alert triggered** | High confidence OT alerts, powered by Defender for IoT's *Section 52* security research group, are triggered based on data ingested to Defender for IoT. |
77-
|Analytics rules automatically open incidents *only* for relevant use cases, avoiding OT alert fatigue | **OT incident created** | |
78-
|SOC teams map business impact, including data about the site, line, compromised assets, and OT owners | **OT incident business impact mapping** | |
79-
|SOC teams move the incident to *Active* and start investigating, using network connections and events, workbooks, and the OT device entity page | **OT incident investigation** | Alerts are moved to *Active*, and OT teams investigate using PCAP data, detailed reports, and other device details |
80-
|SOC teams respond with OT playbooks and notebooks | **OT incident response** | OT teams either suppress the alert or learn it for next time, as needed |
81-
|After the threat is mitigated, SOC teams close the incident | **OT incident closure** | After the threat is mitigated, OT teams close the alert |
77+
## Comparing Defender for IoT events, alerts, and incidents
78+
79+
This section clarifies the differences between Defender for IoT events, alerts, and incidents in Microsoft Sentinel. Use the listed queries to view a full list of the current events, alerts, and incidents for your OT networks.
80+
81+
You'll typically see more Defender for IoT *events* in Microsoft Sentinel than *alerts*, and more Defender for IoT *alerts* than *incidents*.
82+
83+
84+
- **Events**: Each alert log that streams to Microsoft Sentinel from Defender for IoT is an *event*. If the alert log reflects a new or updated alert in Defender for IoT, a new record is added to the **SecurityAlert** table.
85+
86+
To view all Defender for IoT events in Microsoft Sentinel, run the following query on the **SecurityAlert** table:
87+
88+
```kql
89+
SecurityAlert
90+
| where ProviderName == 'IoTSecurity' or ProviderName == 'CustomAlertRule'
91+
Instead
92+
```
93+
94+
- **Alerts**: Microsoft Sentinel creates alerts based on your current analytics rules and the alert logs listed in the **SecurityAlert** table. If you don't have any active analytics rules for Defender for IoT, Microsoft Sentinel considers each alert log as an *event*.
95+
96+
To view alerts in Microsoft Sentinel, run the following query on the **SecurityAlert** table:
97+
98+
```kql
99+
SecurityAlert
100+
| where ProviderName == 'ASI Scheduled Alerts' or ProviderName == 'CustomAlertRule'
101+
```
102+
103+
- **Incidents**. Microsoft Sentinel creates incidents based on your analytics rules. You might have several alerts grouped in the same incident, or you may have analytics rules configured to *not* create incidents for specific alert types.
104+
105+
To view incidents in Microsoft Sentinel, run the following query:
82106
107+
```kql
108+
SecurityIncident
109+
```
83110
84111
## Next steps
85112

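Review bot: The first ```kql block under "Events" contains a stray line, "Instead", between the `| where ProviderName == 'IoTSecurity' or ProviderName == 'CustomAlertRule'` filter and the closing fence; as written the query does not run, so that line should be removed. Also note that 'CustomAlertRule' appears in both the events query and the alerts query, so the two lists overlap even though the text says events and alerts are distinct; if that overlap is intended, a sentence explaining it would help, otherwise the events query probably wants only 'IoTSecurity'. Minor: the "**Incidents**." bullet uses a period where the "**Events**:" and "**Alerts**:" bullets use a colon.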