articles/defender-for-iot/organizations/how-to-accelerate-alert-incident-response.md
34 lines changed: 0 additions & 34 deletions
@@ -239,40 +239,6 @@ Disable custom alert rules to prevent them from running without deleting them al
239
239
240
240
In the **Custom alert rules** page, select one or more rules, and then select **Disable**, **Enable**, or **Delete** in the toolbar as needed.
241
241
242
-
## Allow internet connections on an OT network
243
-
244
-
Decrease the number of unauthorized internet alerts by creating an allowlist of domain names on your OT sensor. When a DNS allowlist is configured, the sensor checks each unauthorized internet connectivity attempt against the list before triggering an alert. If the domain's FQDN is included in the allowlist, the sensor doesn’t trigger the alert and allows the traffic automatically.
245
-
246
-
All OT sensor users can view a currently configured list of domains in a [data mining report](how-to-create-data-mining-queries.md), including the FQDNs, resolved IP addresses, and the last resolution time.
247
-
248
-
249
-
**To define a DNS allowlist:**
250
-
251
-
1. Sign into your OT sensor as the *admin* user and select the **Support** page.
252
-
253
-
1. In the search box, search for **DNS** and then locate the engine with the **Internet Domain Allowlist** description.
254
-
255
-
1. Select **Edit** :::image type="icon" source="media/how-to-generate-reports/manage-icon.png" border="false"::: for the **Internet Domain Allowlist** row. For example:
256
-
257
-
:::image type="content" source="media/how-to-accelerate-alert-incident-response/dns-edit-configuration.png" alt-text="Screenshot of how to edit configurations for DNS in the sensor console." lightbox="media/how-to-accelerate-alert-incident-response/dns-edit-configuration.png":::
258
-
259
-
1. In the **Edit configuration** pane > **Fqdn allowlist** field, enter one or more domain names. Separate multiple domain names with commas. Your sensor won't generate alerts for unauthorized internet connectivity attempts on the configured domains.
260
-
261
-
1. Select **Submit** to save your changes.
262
-
263
-
264
-
**To view the current allowlist in a data mining report:**
265
-
266
-
When selecting a category in your [custom data mining report](how-to-create-data-mining-queries.md#create-an-ot-sensor-custom-data-mining-report), make sure to select **Internet Domain Allowlist** under the **DNS** category.
267
-
268
-
For example:
269
-
270
-
:::image type="content" source="media/how-to-accelerate-alert-incident-response/data-mining-allowlist.png" alt-text="Screenshot of how to generate a custom data mining report for the allowlist in the sensor console." lightbox="media/how-to-accelerate-alert-incident-response/data-mining-allowlist.png":::
271
-
272
-
The generated data mining report shows a list of the allowed domains and each IP address that’s being resolved for those domains. The report also includes the TTL, in seconds, during which those IP addresses won't trigger an internet connectivity alert. For example:
273
-
274
-
:::image type="content" source="media/how-to-accelerate-alert-incident-response/data-mining-report-allowlist.png" alt-text="Screenshot of data mining report of allowlist in the sensor console." lightbox="media/how-to-accelerate-alert-incident-response/data-mining-report-allowlist.png":::
275
-
276
242
## Create alert exclusion rules on an on-premises management console
277
243
278
244
Create alert exclusion rules to instruct your sensors to ignore specific traffic on your network that would otherwise trigger an alert.
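Review bot: The deletion of the `## Allow internet connections on an OT network` section (old lines 242-275) leaves no pointer to where the DNS allowlist procedure now lives, and this commit has 0 additions, so nothing replaces it here. The removed text is the only place in this hunk that explains that an allowlisted FQDN suppresses the unauthorized internet alert, and that the data mining report shows the resolved IP addresses and the TTL during which they won't trigger an alert. That is the information someone auditing which domains are exempt from alerting would look for. If the content moved to another article, add a one-line cross-reference before `## Create alert exclusion rules on an on-premises management console`, and check that existing links targeting the removed heading's anchor are updated or redirected.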