adding icons, screenshots, and Batami's feedback

Author: Shereen-Bhar

articles/defender-for-iot/organizations/TOC.yml

@@ -111,14 +111,14 @@
       href: workbooks.md
     - name: Create OT sensor reports
       items:
-      - name: Create risk assessment reports
-        href: how-to-create-risk-assessment-reports.md
-      - name: Create attack vector reports
-        href: how-to-create-attack-vector-reports.md
       - name: Create data mining reports
         href: how-to-create-data-mining-queries.md
+      - name: Create risk assessment reports
+        href: how-to-create-risk-assessment-reports.md
       - name: Create trends and statistics reports
         href: how-to-create-trends-and-statistics-reports.md
+      - name: Create attack vector reports
+        href: how-to-create-attack-vector-reports.md
     - name: View OT threats by location from an OT sensor
       href: how-to-gain-insight-into-global-regional-and-local-threats.md
     - name: Analyze OT programming details and changes

articles/defender-for-iot/organizations/how-to-create-attack-vector-reports.md

@@ -7,13 +7,15 @@ ms.topic: how-to
 
 # Create attack vector reports
 
-Attack vector reports show a chain of vulnerable devices in a specified attack path. Simulate an attack on a specific target in your network to discover vulnerable devices and analyze attack vectors in real time.
+Attack vector reports show a chain of vulnerable devices in a specified attack path, for devices detected by a specific OT network sensor. Simulate an attack on a specific target in your network to discover vulnerable devices and analyze attack vectors in real time.
 
-Attack vector reports can also help evaluate mitigation activities to ensure that you're taking all required steps to reduce the risk to your network. For example, use an attack vector report to understand whether a system upgrade would disrupt the attacker's path, or if an alternate attack path still remains.
+Attack vector reports can also help evaluate mitigation activities to ensure that you're taking all required steps to reduce the risk to your network. For example, use an attack vector report to understand whether a software update would disrupt the attacker's path, or if an alternate attack path still remains.
 
 ## Prerequisites
 
-You must be an **Admin** or **Security Analyst** [user](roles-on-premises.md) to create an attack vector report.
+To create attack vector reports, you must be able to access the OT network sensor you want to generate data for, as an **Admin** or **Security Analyst** user.
+
+For more information, see [On-premises users and roles for OT monitoring with Defender for IoT](roles-on-premises.md)
 
 ## Generate an attack vector simulation
 
@@ -37,24 +39,37 @@ Generate an attack vector simulation so that you can view the resulting report.
     | **Exclude Subnets** | Select one or more subnets to exclude from the attack vector simulation.|
 
 1. Select **Save**. Your simulation is added to the list, with the number of attack paths indicated in parenthesis.
-1. Expand your simulation to view the list of possible attack vector, and select one to view more details on the right. For example:
+
+1. Expand your simulation to view the list of possible attack vectors, and select one to view more details on the right.
+
+    For example:
+
     :::image type="content" source="media/how-to-generate-reports/sample-attack-vectors.png" alt-text="Screen shot of Attack vectors report." lightbox="media/how-to-generate-reports/sample-attack-vectors.png":::
 
 ## View an attack vector in the Device Map
 
-The Device map provides, among [other things](how-to-work-with-the-sensor-device-map.md), a graphical representation of vulnerable devices detected in attack vector reports. To view an attack vector in the Device map:
+The Device map provides a graphical representation of vulnerable devices detected in attack vector reports. To view an attack vector in the Device map:
 
 1. In the **Attack vector** page, make sure your simulation has **Show in Device map** toggled on.
 1. Select **Device map** from the side menu.
-1. Select your simulation and then select an attack vector to visualize the devices in your map. For example:
+1. Select your simulation and then select an attack vector to visualize the devices in your map. 
+
+    For example:
+
     :::image type="content" source="media/how-to-generate-reports/sample-device-map.png" alt-text="Screen shot of Device map." lightbox="media/how-to-generate-reports/sample-device-map.png":::
 
+For more information, see [Investigate sensor detections in the Device map](how-to-work-with-the-sensor-device-map.md)
+
 ## Next steps
 
-Continue creating other reports for more security data from your OT sensor. For more information, see:
+- Enhance security posture with Azure security [recommendations](recommendations.md).
 
-- [Risk assessment reporting](how-to-create-risk-assessment-reports.md)
+- View additional reports based on cloud-connected sensors in the Azure portal. For more information, see [Visualize Microsoft Defender for IoT data with Azure Monitor workbooks](workbooks.md)
 
-- [Sensor data mining queries](how-to-create-data-mining-queries.md)
+- Continue creating other reports for more security data from your OT sensor. For more information, see:
 
-- [Create trends and statistics dashboards](how-to-create-trends-and-statistics-reports.md)
+    - [Risk assessment reporting](how-to-create-risk-assessment-reports.md)
+    
+    - [Sensor data mining queries](how-to-create-data-mining-queries.md)
+    
+    - [Create trends and statistics dashboards](how-to-create-trends-and-statistics-reports.md)

articles/defender-for-iot/organizations/how-to-create-data-mining-queries.md

@@ -7,91 +7,100 @@ ms.topic: how-to
 
 # Create data mining queries
 
-Running data mining queries provides dynamic and detailed information about your network devices. This includes information for specific time periods, internet connectivity, ports and protocols, firmware versions, programming commands, and device state.
+Run data mining queries to view details about the network devices detected by your OT sensor, like internet connectivity, ports and protocols, firmware versions, programming commands, and device state.
 
-Data mining information is saved and stored continuously, except for when a device is deleted. Data mining results can be exported and stored externally to a secure server. In addition, the sensor performs automatic daily backups to ensure system continuity and preservation of data.
+Defender for IoT OT network sensors provide a series of out-of-the-box reports for you to use. Both out-of-the-box and custom data mining reports always show information that’s correct for the day you’re viewing the report, rather than the day the report or query was created.
+
+Data mining query data continuously is saved until a device is deleted, and is automatically backed on a daily basis to ensure system continuity.
 
 ## Prerequisites
 
-You must be an **Admin** or **Security Analyst** [user](roles-on-premises.md) to access predefined data mining reports.
+To create data mining reports, you must be able to access the OT network sensor you want to generate data for as an **Admin** or **Security Analyst** user.
+
+For more information, see [On-premises users and roles for OT monitoring with Defender for IoT](roles-on-premises.md)
+
+## View an OT sensor predefined data mining report
+
+To view current data on a predefined, out-of-the-box data mining report, sign into the OT sensor and select **Data Mining** on the left.
+
+The following out-of-the-box reports are listed in the **Recommended** area, ready for you to use:
+
+| Report | Description |
+|---------|---------|
+| **Programming Commands** | Lists all detected devices that send industrial programming commands. |
+| **Internet Activity** | Lists all detected devices that are connected to the internet. |
+| **Excluded CVEs** | Lists all detected devices that have CVEs that were manually excluded from the **CVEs** report. |
+| **Active Devices (Last 24 Hours)** | Lists all detective devices that have had active traffic within the last 24 hours. |
+| **Remote Access** | Lists all detected devices that communicate through remote session protocols. |
+| **CVEs** | Lists all detected devices with known vulnerabilities, along with CVSSv2 risk scores.
+Select **Edit** to delete and exclude specific CVEs from the report. <br><br> **Tip**: Delete CVEs to exclude them from the list to have your attack vector reports to reflect your network more accurately. |
+| **Nonactive Devices (Last 7 Days)** | Lists all detected devices that haven't communicated for the past seven days. |
 
-## Create a report
+Select a report to view today’s data. Use the :::image type="icon" source="media/how-to-generate-reports/refresh-icon.png" border="false"::: **Refresh**, :::image type="icon" source="media/how-to-generate-reports/expand-all-icon.png" border="false"::: **Expand all**, and :::image type="icon" source="media/how-to-generate-reports/collapse-all-icon.png" border="false"::: **Collapse all** options to update and change your report views.
 
-Reports are dynamically updated each time you open them. The report shows information that's accurate for the date of viewing the report, rather than the date of creating the report.
+## Create an OT sensor custom data mining report
 
-**To generate a report**:
+Create your own custom data mining report if you have reporting needs not covered by the out-of-the-box reports. Once created, custom data mining reports are visible to all users.
 
-1. Select **Data Mining** from the side menu. Predefined suggested reports appear automatically.
+**To create a custom data mining report**:
 
-1. Select **Create report** and then enter the following values:
+1. Sign into the OT sensor and select **Data Mining** > **Create report**.
 
-    | Parameter | Description |
+1. In the **Create new report** pane on the right, enter the following values:
+
+    | Name | Description |
     |---------|---------|
     | **Name** / **Description** | Enter a meaningful name for your report and an optional description. |
-    | **Send to CM** | Toggle this option on to send your report to your on-premises management console. |
+    | **Send to CM** | Select to send your report to the on-premises management console. |
     | **Choose category** | Select the categories to include in your report. |
     | **Order by** | Select to sort your data by category or by activity. |
-    | **Filter by** | Define a filter for your report, using dates, IP address, MAC address, port, or device group. |
-
-1. Select **Save** to save your report and display results on the **Data Mining** page.
+    | **Filter by** | Define a filter for your report using any of the following parameters: <br><br> - **Results within the last**: Enter a number and then select **Minutes**, **Hours**, or **Days** <br> - **IP address / MAC address / Port**: Enter one or more IP addresses, MAC addresses, and ports to filter into your report. Enter a value and then select + to add it to the list.<br> - **Device group**: Select one or mode device groups to filter into your report. |
+    | **Add filter type** | Select to add any of the following filter types into your report. <br><br> - Transport (GENERIC) <br> -	Protocol (GENERIC) <br> - TAG (GENERIC) <br> - Maximum value (GENERIC) <br> - State (GENERIC) <br> - Minimum value (GENERIC) <br><br> Enter a value in the relevant field and then select + to add it to the list. |
 
-## Custom data mining reports
+1. Select **Save**. Your data mining report is shown in the **My reports** area. For example:
 
-Customize your data mining queries, using the different parameters in the **Create new report** pane, to:
-
-| Purpose | Description |
-|---------|---------|
-| **SOC incident response** | Generate a report in real time to help deal with immediate incident response. For example, Data Mining can generate a report for a list of devices that might require patching. |
-| **Forensics** | Generate a report based on historical data for investigative reports. |
-| **Network security** | Generate a report that helps improve overall network security. For example, generate a report that lists devices with weak authentication credentials. |
-| **Visibility** | Generate a report that covers all query items to view all baseline parameters of your network. |
-| **PLC security** | Improve security by detecting PLCs in unsecure states, such as Program and Remote states. |
+    :::image type="content" source="media/how-to-generate-reports/custom-data-mining-reports.png" alt-text="Screenshot of a list of customized data mining reports." lightbox="media/how-to-generate-reports/custom-data-mining-reports.png":::
 
-## Predefined data mining reports
+## Manage OT sensor data mining report data
 
-The following predefined reports are available in the **Data Mining** page. These queries are generated in real time.
+Each data mining report on an OT sensor has the following options for managing your data:
 
-| Report | Description |
+| Option | Description |
 |---------|---------|
-| **Programming commands** | Devices that send industrial programming. |
-| **Remote access** | Devices that communicate through remote session protocols. |
-| **Internet activity** | Devices that are connected to the internet. |
-| **CVEs** | A list of devices detected with known vulnerabilities, along with CVSSv2 risk scores. |
-| **Excluded CVEs** | A list of all the CVEs that were manually excluded. Customize the CVE list manually if you want the VA reports and attack vectors to reflect your network more accurately. Customization includes excluding or including particular CVEs and updating the CVSSv2 score accordingly. |
-| **Nonactive devices** | Devices that haven't communicated for the past seven days. |
-| **Active devices** | Active network devices within the last 24 hours. |
+| :::image type="icon" source="media/how-to-generate-reports/export-icon.png" border="false"::: **Export to CSV** | Export the current report data to a CSV file. |
+| :::image type="icon" source="media/how-to-generate-reports/export-icon.png" border="false"::: **Export to PDF** | Export the current report data to a PDF file. |
+| :::image type="icon" source="media/how-to-generate-reports/snapshot-icon.png" border="false"::: **Snapshots** | Save the current report data as a snapshot you can return to later. |
+| :::image type="icon" source="media/how-to-generate-reports/manage-icon.png" border="false"::: **Manage report** | Update the values of an existing custom data mining report. |
+| :::image type="icon" source="media/how-to-generate-reports/edit-icon.png" border="false"::: **Edit mode** | Select to remove specific results from the saved report. |
 
-## Generate reports in on-premises management console
+For example:
 
-The on-premises management console lets you generate reports for each sensor that's connected to it. For each sensor, you can generate a default report or a custom report configured on that sensor. When you choose a sensor from the on-premises management console, all the custom reports configured on that sensor appear in the list of reports.
+:::image type="content" source="media/how-to-generate-reports/manage-report-pane.png" alt-text="Screenshot of the manage report pane." lightbox="media/how-to-generate-reports/manage-report-pane.png":::
 
-**To generate a report**:
+## View data mining reports for multiple sensors
 
-1. Select **Reports** from the side menu.
+Sign into an on-premises management console to view [out-of-the-box data mining reports](#view-an-ot-sensor-predefined-data-mining-report) and custom reports for any connected sensor.
 
-2. From the **Sensors** drop-down list, select the sensor for which you want to generate the report.
+**To view a data mining report from an on-premises management console**:
 
-3. From the **Select Report** drop-down list, select the report that you want to generate.
+Sign into your on-premises management console and select
 
-4. To create a PDF of the report results, select :::image type="icon" source="media/how-to-generate-reports/pdf-report-icon.png" border="false":::.
+1. **Reports** on the left.
 
-## Default reports in on-premises management console
+1. From the **Sensors** drop-down list, select the sensor for which you want to generate the report.
 
-Reports are based on sensor data-mining queries that are performed, and include:
+1. From the **Select Report** drop-down list, select the report that you want to generate.
 
-| Information  | Description  |
-|---------|---------|
-| **Active Devices (Last 24 Hours)** | Presents a list of devices that show network activity within a period of 24 hours. |
-| **Non-Active Devices (Last 7 Days)** | Presents a list of devices that show no network activity in the last seven days. |
-| **Programming Commands** | Presents a list of devices that sent programming commands within the last 24 hours. |
-| **Remote Access** | Presents a list of devices that remote sources accessed within the last 24 hours. |
+The page lists the current report data. Select :::image type="icon" source="media/how-to-generate-reports/pdf-report-icon.png" border="false"::: to export the data to a PDF file.
 
 ## Next steps
 
-Continue creating other reports for more security data from your OT sensor. For more information, see:
-
-- [Risk assessment reporting](how-to-create-risk-assessment-reports.md)
+- View additional reports based on cloud-connected sensors in the Azure portal. For more information, see [Visualize Microsoft Defender for IoT data with Azure Monitor workbooks](workbooks.md)
 
-- [Attack vector reporting](how-to-create-attack-vector-reports.md)
+- Continue creating other reports for more security data from your OT sensor. For more information, see:
 
-- [Create trends and statistics dashboards](how-to-create-trends-and-statistics-reports.md)
+    - [Risk assessment reporting](how-to-create-risk-assessment-reports.md)
+    
+    - [Attack vector reporting](how-to-create-attack-vector-reports.md)
+    
+    - [Create trends and statistics dashboards](how-to-create-trends-and-statistics-reports.md)