
Commit dbcee02

committed
Merge branch 'suppression2' of https://github.com/batamig/azure-docs-pr into suppression-rules-2410
2 parents 6995a78 + f00a49f commit dbcee02

8 files changed

+190
-16
lines changed
articles/defender-for-iot/organizations/how-to-accelerate-alert-incident-response.md

Lines changed: 164 additions & 9 deletions
@@ -1,31 +1,186 @@
11
---
2-
title: Accelerate on-premises OT alert workflows - Microsoft Defender for IoT
2+
title: Accelerate OT alert workflows - Microsoft Defender for IoT
33
description: Learn how to improve Microsoft Defender for IoT OT alert workflows on an OT network sensor or the on-premises management console.
4-
ms.date: 12/20/2023
4+
ms.date: 01/31/2024
55
ms.topic: how-to
66
---
77

8+
# Accelerate OT alert workflows
89

9-
# Accelerate on-premises OT alert workflows
10+
> [!NOTE]
11+
> Noted features are in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
1012
1113
Microsoft Defender for IoT alerts enhance your network security and operations with real-time details about events logged in your network. OT alerts are triggered when OT network sensors detect changes or suspicious activity in network traffic that needs your attention.
1214

1315
This article describes the following methods for reducing OT network alert fatigue in your team:
1416

17+
- **Create suppression rules** from the Azure portal to reduce the alerts triggered by your sensors. If you're working in an air-gapped environment, do this by creating alert exclusion rules on the on-premises management console.
18+
1519
- **Create alert comments** for your teams to add to individual alerts, streamlining communication and record-keeping across your alerts.
1620

1721
- **Create custom alert rules** to identify specific traffic in your network
1822

19-
- **Create alert exclusion rules** to reduce the alerts triggered by your sensors
20-
2123
## Prerequisites
2224

23-
- To create alert comments or custom alert rules on an OT network sensor, you must have an OT network sensor installed and access to the sensor as an **Admin** user.
25+
Before you use the procedures on this page, note the following prerequisites:
26+
27+
|To ... |You must have ... |
28+
|---------|---------|
29+
|[Create alert suppression rules on the Azure portal](#create-alert-suppression-rules-on-the-azure-portal-public-preview) | A Defender for IoT subscription with at least one cloud-connected OT sensor and access as a [Security Admin](../../role-based-access-control/built-in-roles.md#security-admin), [Contributor](../../role-based-access-control/built-in-roles.md#contributor), or [Owner](../../role-based-access-control/built-in-roles.md#owner). |
30+
|[Create a DNS allowlist on an OT sensor](#allow-internet-connections-on-an-ot-network) | An OT network sensor installed and access to the sensor as the default *Admin* user. |
31+
|[Create alert comments on an OT sensor](#create-alert-comments-on-an-ot-sensor) | An OT network sensor installed and access to the sensor as any user with an **Admin** role. |
32+
|[Create custom alert rules on an OT sensor](#create-custom-alert-rules-on-an-ot-sensor) | An OT network sensor installed and access to the sensor as any user with an **Admin** role. |
33+
|[Create alert exclusion rules on an on-premises management console](#create-alert-exclusion-rules-on-an-on-premises-management-console) | An on-premises management console installed and access to the on-premises management console as any user with an **Admin** role. |
34+
35+
For more information, see:
36+
37+
- [Install OT monitoring software on OT sensors](ot-deploy/install-software-ot-sensor.md)
38+
- [Azure user roles and permissions for Defender for IoT](roles-azure.md)
39+
- [On-premises users and roles for OT monitoring with Defender for IoT](roles-on-premises.md)
40+
41+
## Suppress irrelevant alerts
42+
43+
Configure your OT sensors to suppress alerts for specific traffic on your network that would otherwise trigger an alert. For example, if all the OT devices monitored by a specific sensor are going through maintenance procedures for two days, you might want to define a rule to suppress all alerts generated by that sensor during the maintenance period.
44+
45+
- For cloud connected OT sensors, create alert suppression rules on the Azure portal to ignore specified traffic on your network that would otherwise trigger an alert.
46+
47+
- For locally managed sensors, create alert exclusion rules on the on-premises management console, either using the UI or the API.
48+
49+
> [!IMPORTANT]
50+
> Rules configured on the Azure portal override any rules configured for the same sensor on the on-premises management console. If you're currently using alert exclusion rules on your on-premises management console, we recommend that you [migrate them to the Azure portal](#migrate-suppression-rules-from-an-on-premises-management-console-public-preview) as suppression rules before you start.
51+
>
52+
### Create alert suppression rules on the Azure portal (Public Preview)
53+
54+
This section describes how to create an alert suppression rule on the Azure portal, and is supported for cloud-connected sensors only.
55+
56+
**To create an alert suppression rule**:
57+
58+
1. In [Defender for IoT](https://ms.portal.azure.com/#view/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/~/Getting_started) on the Azure portal, select **Alerts** > :::image type="icon" source="media/how-to-accelerate-alert-incident-response/suppression-rules.png" border="false"::: **Suppression rules**.
59+
60+
1. On the **Suppression rules (Preview)** page, select **+ Create**.
61+
62+
1. In the **Create suppression rule** pane **Details** tab, enter the following details:
63+
64+
1. Select your Azure subscription from the drop-down list.
65+
66+
1. Enter a meaningful name for your rule and an optional description.
67+
68+
1. Toggle on **Enabled** to have the rule start running as configured. You can also leave this option toggled off to start using the rule only later on.
69+
70+
1. In the **Suppress by time range** area, toggle on **Expiration date** to define a specific start and end date and time for your rule. Select **Add range** to add multiple time ranges.
71+
72+
1. In the **Apply on** area, select whether you want to apply the rule to all sensors on your subscription, or only on specific sites or sensors. If you select **Apply on custom selection**, select the sites and/or sensors where you want the rule to run.
73+
74+
When you select a specific site, the rule applies to all existing and future sensors associated with the site.
75+
76+
1. Select **Next** and confirm the override message.
77+
78+
1. In the **Create suppression rule** pane **Conditions** tab:
79+
80+
1. In the **Alert name** dropdown list, select one or more alerts for your rule. Selecting the name of an alert engine instead of a specific rule name applies the rule to all existing and future alerts associated with that engine.
81+
82+
1. Optionally filter your rule further by defining additional conditions, such as for traffic coming from specific sources, to specific destinations, or on specific subnets.
83+
84+
1. When you're finished configuring your rule conditions, select **Next**.
85+
86+
1. In the **Create suppression rule** pane **Review and create** tab, review the details of the rule you're creating and then select **Create**.
87+
88+
Your rule is added to the list of suppression rules on the **Suppression rules (Preview)** page. Select a rule to edit or delete it as needed.
89+
90+
> [!TIP]
91+
> If you need to export suppression rules, select the **Export** button from the toolbar. All rules configured are exported to a single .CSV file, which you can save locally.
92+
93+
### Migrate suppression rules from an on-premises management console (Public Preview)
94+
95+
If you're currently using an on-premises management console with cloud-connected sensors, we recommend that you migrate any exclusion rules to the Azure portal as suppression rules before you start creating new suppression rules. Any suppression rules configured on the Azure portal override alert exclusion rules that exist for the same sensors on the on-premises management console.
96+
97+
**To export alert exclusion rules and import them to the Azure portal**:
98+
99+
1. Sign into your on-premises management console and select **Alert Exclusion**.
100+
101+
1. On the **Alert Exclusion** page, select :::image type="icon" source="media/how-to-accelerate-alert-incident-response/export.png" border="false"::: **Export** to export your rules to a .CSV file.
102+
103+
1. In [Defender for IoT](https://ms.portal.azure.com/#view/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/~/Getting_started) on the Azure portal, select **Alerts** > **Suppression rules**.
104+
105+
1. On the **Suppression rules (Preview)** page, select **Migrate local manager rules**, and then browse to and select the .CSV file you'd downloaded from the on-premises management console.
106+
107+
1. In the **Migrate suppression rules** pane, review the uploaded list of suppression rules you're about to migrate, then select **Approve migration**.
108+
109+
1. Confirm the override message.
110+
111+
Your rules are added to the list of suppression rules on the **Suppression rules (Preview)** page. Select a rule to edit or delete it as needed.
112+
113+
### Create alert exclusion rules on an on-premises management console
114+
115+
We recommend creating alert exclusion rules on an on-premises management console only for locally managed sensors. For cloud-connected sensors, any suppression rules created on the Azure portal will override exclusion rules created on the on-premises management console for that sensor.
116+
117+
**To create an alert exclusion rule**:
118+
119+
1. Sign into your on-premises management console and select **Alert Exclusion** on the left-hand menu.
120+
121+
1. On the **Alert Exclusion** page, select the **+** button at the top-right to add a new rule.
122+
123+
1. In the **Create Exclusion Rule** dialog, enter the following details:
124+
125+
|Name |Description |
126+
|---------|---------|
127+
|**Name** | Enter a meaningful name for your rule. The name can't contain quotes (`"`). |
128+
|**By Time Period** | Select a time zone and the specific time period you want the exclusion rule to be active, and then select **ADD**. <br><br>Use this option to create separate rules for different time zones. For example, you might need to apply an exclusion rule between 8:00 AM and 10:00 AM in three different time zones. In this case, create three separate exclusion rules that use the same time period and the relevant time zone. |
129+
|**By Device Address** | Select and enter the following values, and then select **ADD**: <br><br>- Select whether the designated device is a source, destination, or both a source and destination device. <br>- Select whether the address is an IP address, MAC address, or subnet <br>- Enter the value of the IP address, MAC address, or subnet. |
130+
|**By Alert Title** | Select one or more alerts to add to the exclusion rule and then select **ADD**. To find alert titles, enter all, or part of an alert title and select the one you want from the dropdown list. |
131+
|**By Sensor Name** | Select one or more sensors to add to the exclusion rule and then select **ADD**. To find sensor names, enter all or part of the sensor name and select the one you want from the dropdown list. |
132+
133+
> [!IMPORTANT]
134+
> Alert exclusion rules are `AND` based, which means that alerts are only excluded when all rule conditions are met.
135+
> If a rule condition is not defined, all options are included. For example, if you don't include the name of a sensor in the rule, the rule is applied to all sensors.
136+
137+
A summary of the rule parameters is shown at the bottom of the dialog.
138+
139+
1. Check the rule summary shown at the bottom of the **Create Exclusion Rule** dialog and then select **SAVE**
140+
141+
**To create alert exclusion rules via API**:
142+
143+
Use the [Defender for IoT API](references-work-with-defender-for-iot-apis.md) to create on-premises management console alert exclusion rules from an external ticketing system or other system that manage network maintenance processes.
144+
145+
Use the [maintenanceWindow (Create alert exclusions)](api/management-alert-apis.md#maintenancewindow-create-alert-exclusions) API to define the sensors, analytics engines, start time, and end time to apply the rule. Exclusion rules created via API are shown in the on-premises management console as read-only.
146+
147+
For more information, see [Defender for IoT API reference](references-work-with-defender-for-iot-apis.md).
148+
149+
150+
## Allow internet connections on an OT network
151+
152+
Decrease the number of unauthorized internet alerts by creating an allowlist of domain names on your OT sensor. When a DNS allowlist is configured, the sensor checks each unauthorized internet connectivity attempt against the list before triggering an alert. If the domain's FQDN is included in the allowlist, the sensor doesn’t trigger the alert and allows the traffic automatically.
153+
154+
All OT sensor users can view a currently configured list of domains in a [data mining report](how-to-create-data-mining-queries.md), including the FQDNs, resolved IP addresses, and the last resolution time.
155+
24156

25-
- To create a DNS allowlist on an OT sensor, you must have an OT network sensor installed and access to the sensor as a **Support** user.
26-
- To create alert exclusion rules on an on-premises management console, you must have an on-premises management console installed and access to the on-premises management console as an **Admin** user.
157+
**To define a DNS allowlist:**
158+
159+
1. Sign into your OT sensor as the *admin* user and select the **Support** page.
160+
161+
1. In the search box, search for **DNS** and then locate the engine with the **Internet Domain Allowlist** description.
162+
163+
1. Select **Edit** :::image type="icon" source="media/how-to-generate-reports/manage-icon.png" border="false"::: for the **Internet Domain Allowlist** row. For example:
164+
165+
:::image type="content" source="media/how-to-accelerate-alert-incident-response/dns-edit-configuration.png" alt-text="Screenshot of how to edit configurations for DNS in the sensor console." lightbox="media/how-to-accelerate-alert-incident-response/dns-edit-configuration.png":::
166+
167+
1. In the **Edit configuration** pane > **Fqdn allowlist** field, enter one or more domain names. Separate multiple domain names with commas. Your sensor won't generate alerts for unauthorized internet connectivity attempts on the configured domains.
168+
169+
1. Select **Submit** to save your changes.
170+
171+
172+
**To view the current allowlist in a data mining report:**
173+
174+
When selecting a category in your [custom data mining report](how-to-create-data-mining-queries.md#create-an-ot-sensor-custom-data-mining-report), make sure to select **Internet Domain Allowlist** under the **DNS** category.
175+
176+
For example:
177+
178+
:::image type="content" source="media/how-to-accelerate-alert-incident-response/data-mining-allowlist.png" alt-text="Screenshot of how to generate a custom data mining report for the allowlist in the sensor console." lightbox="media/how-to-accelerate-alert-incident-response/data-mining-allowlist.png":::
179+
180+
The generated data mining report shows a list of the allowed domains and each IP address that’s being resolved for those domains. The report also includes the TTL, in seconds, during which those IP addresses won't trigger an internet connectivity alert. For example:
181+
182+
:::image type="content" source="media/how-to-accelerate-alert-incident-response/data-mining-report-allowlist.png" alt-text="Screenshot of data mining report of allowlist in the sensor console." lightbox="media/how-to-accelerate-alert-incident-response/data-mining-report-allowlist.png":::
27183

28-
For more information, see [Install OT agentless monitoring software](how-to-install-software.md) and [On-premises users and roles for OT monitoring with Defender for IoT](roles-on-premises.md).
29184

30185
## Create alert comments on an OT sensor
31186

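Review bot: the DNS allowlist prerequisite is inconsistent within this hunk: the prerequisites table says the procedure needs "the default *Admin* user", step 1 of "To define a DNS allowlist" says to sign in as "the *admin* user", and the line being removed said a **Support** user; confirm which account is actually required and use one name and one casing in both places. Smaller points in the same hunk: "cloud connected OT sensors" should be hyphenated as "cloud-connected", as it is elsewhere on the page; "other system that manage network maintenance processes" should read "manages"; the last step of the exclusion-rule procedure ("...and then select **SAVE**") is missing its period and restates the sentence just above it ("A summary of the rule parameters is shown at the bottom of the dialog."); the `[!IMPORTANT]` block under "Suppress irrelevant alerts" ends with a stray empty `>` line; and the frontmatter `description` still says the article covers alert workflows "on an OT network sensor or the on-premises management console" although the new title and body now cover the Azure portal as well.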
articles/defender-for-iot/organizations/how-to-manage-cloud-alerts.md

Lines changed: 5 additions & 2 deletions
@@ -1,7 +1,7 @@
11
---
22
title: View and manage alerts on the Azure portal - Microsoft Defender for IoT
33
description: Learn about viewing and managing alerts triggered by cloud-connected Microsoft Defender for IoT network sensors on the Azure portal.
4-
ms.date: 12/12/2022
4+
ms.date: 12/19/2023
55
ms.topic: how-to
66
ms.custom: enterprise-iot
77
---
@@ -27,7 +27,7 @@ Microsoft Defender for IoT alerts enhance your network security and operations w
2727

2828
- **To view alerts on the Azure portal**, you must have access as a [Security Reader](../../role-based-access-control/built-in-roles.md#security-reader), [Security Admin](../../role-based-access-control/built-in-roles.md#security-admin), [Contributor](../../role-based-access-control/built-in-roles.md#contributor), or [Owner](../../role-based-access-control/built-in-roles.md#owner)
2929

30-
- **To manage alerts on the Azure portal**, you must have access as a [Security Admin](../../role-based-access-control/built-in-roles.md#security-admin), [Contributor](../../role-based-access-control/built-in-roles.md#contributor), or [Owner](../../role-based-access-control/built-in-roles.md#owner). Alert management activities include modifying their statuses or severities, *Learning* an alert, or accessing PCAP data.
30+
- **To manage alerts on the Azure portal**, you must have access as a [Security Admin](../../role-based-access-control/built-in-roles.md#security-admin), [Contributor](../../role-based-access-control/built-in-roles.md#contributor), or [Owner](../../role-based-access-control/built-in-roles.md#owner). Alert management activities include modifying their statuses or severities, *Learning* an alert, accessing PCAP data, or using alert suppression rules.
3131

3232
For more information, see [Azure user roles and permissions for Defender for IoT](roles-azure.md).
3333

@@ -64,6 +64,9 @@ For more information, see [Azure user roles and permissions for Defender for IoT
6464
| **Category**| The [category](alert-engine-messages.md#supported-alert-categories) associated with the alert, such as *operational issues*, *custom alerts*, or *illegal commands*. |
6565
| **Type**| The internal name of the alert. |
6666

67+
> [!TIP]
68+
> If you're seeing more alerts than expected, you might want to create suppression rules to prevent alerts from being triggered for legitimate network activity. For more information, see [Suppress irrelevant alerts](how-to-accelerate-alert-incident-response.md#suppress-irrelevant-alerts).
69+
6770
### Filter alerts displayed
6871

6972
Use the **Search** box, **Time range**, and **Add filter** options to filter the alerts displayed by specific parameters or to help locate a specific alert.
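Review bot: the new tip sends readers to suppression rules without the two caveats the linked section carries: the feature is in Public Preview and is supported for cloud-connected sensors only, and rules created on the Azure portal override exclusion rules for the same sensor on the on-premises management console. Adding at least the preview qualifier here, for example "...you might want to create suppression rules (Public Preview)...", keeps this page consistent with the "(Public Preview)" heading it links to.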
articles/defender-for-iot/organizations/release-notes.md

Lines changed: 6 additions & 2 deletions
@@ -37,8 +37,8 @@ Cloud features may be dependent on a specific sensor version. Such features are
3737

3838
| Version / Patch | Release date | Scope | Supported until |
3939
| ------- | ------------ | ----------- | ------------------- |
40-
| **23.2** | | | |
41-
| 23.2.0 | 12/2023 | Major | 11/2024 |
40+
| **24.1** | | | |
41+
| 24.1.0 |02/2024 | Major |12/2024 |
4242
| **23.1** | | | |
4343
| 23.1.3 | 09/2023 | Patch | 08/2024 |
4444
| 23.1.2 | 07/2023 | Major | 06/2024 |
@@ -101,6 +101,10 @@ Version numbers are listed only in this article and in the [What's new in Micros
101101

102102
To understand whether a feature is supported in your sensor version, check the relevant version section below and its listed features.
103103

104+
## Versions 24.1.x
105+
106+
### Version 24.1.0
107+
104108
## Versions 23.2.x
105109

106110
### Version 23.2.0
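Review bot: the new "## Versions 24.1.x" and "### Version 24.1.0" headings are added with no body, so the section is empty even though the text just above says readers use these version sections to check whether a feature is supported in their sensor version; either add the 24.1.0 feature list now or hold the headings until that content is ready.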
