Commit f2c0317

Merge pull request #233126 from yoninalmsft/define-subnets
Define subnets and network location
2 parents f3a5c50 + dee934b commit f2c0317

6 files changed

+41
-19
lines changed

articles/defender-for-iot/organizations/configure-sensor-settings-portal.md

Lines changed: 11 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -122,11 +122,19 @@ For a bandwidth cap, define the maximum bandwidth you want the sensor to use for
122122

123123
### Subnet
124124

125-
To define your sensor's subnets, do any of the following:
125+
To focus the Azure device inventory on devices that are in your IoT/OT scope, you will need to manually edit the subnet list to include only the locally monitored subnets that are in your IoT/OT scope. Once the subnets have been configured, the network location of the devices is shown in the *Network location* (Public preview) column in the Azure device inventory. All of the devices associated with the listed subnets will be displayed as *local*, while devices associated with detected subnets not included in the list will be displayed as *routed*.
126126

127-
- Select **Import subnets** to import a comma-separated list of subnet IP addresses and masks. Select **Export subnets** to export a list of currently configured data, or **Clear all** to start from scratch.
127+
**To configure your subnets in the Azure portal**:
128128

129-
- Enter values in the **IP Address**, **Mask**, and **Name** fields to add subnet details manually. Select **Add subnet** to add more subnets as needed.
129+
1. In the Azure portal, go to **Sites and sensors** > **Sensor settings**.
130+
131+
1. Under **Subnets**, review the detected subnets. To focus the device inventory and view local devices in the inventory, delete any subnets that are not in your IoT/OT scope by selecting the options menu (...) on any subnet you want to delete.
132+
133+
1. To modify additional settings, select any subnet and then select **Edit** for the following options:
134+
135+
- Select **Import subnets** to import a comma-separated list of subnet IP addresses and masks. Select **Export subnets** to export a list of currently configured data, or **Clear all** to start from scratch.
136+
137+
- Enter values in the **IP Address**, **Mask**, and **Name** fields to add subnet details manually. Select **Add subnet** to add additional subnets as needed.
130138

131139
### VLAN naming
132140
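Review bot: Step 3 at new line 133 says to select a subnet and then **Edit** "for the following options", but the two bullets under it (new lines 135 and 137) describe list-level actions (**Import subnets**, **Export subnets**, **Clear all**, **Add subnet**), not edits to the selected subnet. Either reword the step so it introduces those actions directly, or list what **Edit** actually exposes. Check that the bullets are indented under the step so the numbered list does not restart, and note that line 137 changes "add more subnets" to "add additional subnets", which is redundant; the earlier wording reads better.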

articles/defender-for-iot/organizations/device-inventory.md

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -104,6 +104,9 @@ Mark OT devices as *important* to highlight them for extra tracking. On an OT se
104104

105105
The following table lists the columns available in the Defender for IoT device inventory on the Azure portal. Starred items **(*)** are also available from the OT sensor.
106106

107+
> [!NOTE]
108+
> Noted features listed below are in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include other legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
109+
107110
|Name |Description
108111
|---------|---------|
109112
|**Authorization** * |Editable. Determines whether or not the device is marked as *authorized*. This value may need to change as the device security changes. |
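Review bot: The note added at new lines 107-108 sits between the sentence "The following table lists the columns..." (line 105) and the table it introduces, and "Noted features listed below" does not say how a preview feature is marked. Move the note above line 105 and name the marker, for example "Columns marked (Public preview) in the following table are in PREVIEW."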
@@ -124,6 +127,7 @@ The following table lists the columns available in the Defender for IoT device i
124127
| **MAC Address** * | The device's MAC address. |
125128
|**Model** *| Editable The device's hardware model. |
126129
|**Name** * | Mandatory, and editable. The device's name as the sensor discovered it, or as entered by the user. |
130+
|**Network location** (Public preview) | The device's network location. Displays whether the device is defined as *local* or *routed*, according to the configured subnets. |
127131
|**OS architecture** | Editable. The device's operating system architecture. |
128132
|**OS distribution** | Editable. The device's operating system distribution, such as Android, Linux, and Haiku. |
129133
|**OS platform** * | Editable. The device's operating system, if detected. On the OT sensor, shown as **Operating System**. |
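Review bot: The **Network location** row at new line 130 uses *local* and *routed* without defining them or linking to where the subnet list is configured, so a reader of this table cannot tell why a device shows as *routed*. Add a link to [Subnet](configure-sensor-settings-portal.md#subnet) and to the sensor-console procedure, and say whether the value can be edited, since neighbouring rows such as **Model** and **Name** mark editable fields explicitly.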

articles/defender-for-iot/organizations/how-to-control-what-traffic-is-monitored.md

Lines changed: 18 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -27,33 +27,39 @@ This step is performed by your deployment teams.
2727

2828
## Define OT and IoT subnets
2929

30-
Subnet configurations affect how devices are displayed in the sensor's [device maps](how-to-work-with-the-sensor-device-map.md). In the device maps, IT devices are automatically aggregated by subnet, where you can expand and collapse each subnet view to drill down as needed.
30+
After [onboarding](onboard-sensors.md) a new OT network sensor to Microsoft Defender for IoT, define the sensor's subnet settings directly on the OT sensor console to determine how devices are displayed in the sensor's [device map](how-to-work-with-the-sensor-device-map.md) and the [Azure device inventory](device-inventory.md).
3131

32-
While the OT network sensor automatically learns the subnets in your network, we recommend confirming the learned settings and updating them as needed to optimize your map views.
32+
- **In the device map**, IT devices are automatically aggregated by subnet, where you can expand and collapse each subnet view to drill down as needed.
33+
- **In the Azure device inventory**, once the subnets have been configured, use the *Network location* (Public preview) filter to view *local* or *routed* devices as defined in your subnets list. All of the devices associated with the listed subnets will be displayed as *local*, while devices associated with detected subnets not included in the list will be displayed as *routed*.
3334

34-
Any subnets not listed as subnets are treated as external networks.
35+
> [!TIP]
36+
> When you're ready to start managing your OT sensor settings at scale, define subnets from the Azure portal. Once you apply settings from the Azure portal, settings on the sensor console are read-only. For more information, see [Configure OT sensor settings from the Azure portal (Public preview)](configure-sensor-settings-portal.md).
37+
38+
While the OT network sensor automatically learns the subnets in your network, we recommend confirming the learned settings and updating them as needed to optimize your map views and device inventory. Any subnets not listed as subnets are treated as external networks.
3539

3640
> [!NOTE]
37-
> For cloud-connected sensors, you may eventually start configuring OT sensor settings from the Azure portal. Once you start configuring settings from the Azure portal, the **Subnets** pane on the OT sensor is read-only. For more information, see [Configure OT sensor settings from the Azure portal](configure-sensor-settings-portal.md).
41+
> If sensor settings have already been applied from the Azure portal, the subnet settings on the individual sensor will be read-only and are managed from the Azure portal.
42+
43+
**To configure your subnets on a locally managed sensor**:
3844

39-
**To define subnets**:
45+
1. Sign into your OT sensor as an Admin user and select **System settings** > **Basic** > **Subnets**.
4046

41-
1. Sign into your OT sensor as an **Admin** user and select **System settings > Basic > Subnets**.
47+
1. Disable the **Auto subnet learning** setting to manually edit the subnets.
4248

43-
1. Confirm the current subnets listed and modify settings as needed.
49+
1. Review the discovered subnets list and delete any subnets unrelated to your IoT/OT network scope. We recommend giving each subnet a meaningful name to specify the network role. Subnet names can have up to 60 characters.
4450

45-
We recommend giving each subnet a meaningful name to differentiate between IT and OT networks. Subnet names can have up to 60 characters.
51+
Once the **Auto subnet learning** setting is disabled and the subnet list has been edited to include only the locally monitored subnets that are in your IoT/OT scope, you can filter the Azure device inventory by *Network location* to view only the devices defined as *local*.
4652

4753
1. Use any of the following options to help you optimize your subnet settings:
4854

4955
|Name |Description |
5056
|---------|---------|
51-
|**Import subnets** | Import a .CSV file of subnet definitions |
57+
|**Import subnets** | Import a .CSV file of subnet definitions. The subnet information is updated with the information that you imported. If you import an empty field, you'll lose the data in that field. |
5258
|**Export subnets** | Export the currently listed subnets to a .CSV file. |
53-
|**Clear all** | Clear all currently defined subnets |
54-
|**Auto subnet learning** | Selected by default. Clear this option to define your subnets manually instead of having them be automatically detected by your OT sensor as new devices are detected. |
59+
|**Clear all** | Clear all currently defined subnets. |
60+
|**Auto subnet learning** | Selected by default. Clear this option to define your subnets manually instead of having them automatically detected by your OT sensor as new devices are detected. |
5561
|**Resolve all Internet traffic as internal/private** | Select to consider all public IP addresses as private, local addresses. If selected, public IP addresses are treated as local addresses, and alerts aren't sent about unauthorized internet activity. <br><br>This option reduces notifications and alerts received about external addresses. |
56-
|**ICS Subnet** | Select to define a specific subnet as a separate OT subnet. Selecting this option helps you collapse device maps to a minimum of IT network elements. |
62+
|**ICS subnet** | Read-only. ICS/OT subnets are marked automatically when the system recognizes OT activity or protocols. |
5763
|**Segregated** | Select to show this subnet separately when displaying the device map according to Purdue level. |
5864

5965
1. When you're done, select **Save** to save your updates.
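Review bot: New step 3 (line 49) tells users to delete subnets outside their IoT/OT scope, but the paragraph at line 38 still says "Any subnets not listed as subnets are treated as external networks" while line 33 calls devices on unlisted subnets *routed*. State in one place what removing a subnet does (map display, inventory network location, and whether its traffic is then treated as external) and use one term for it. Smaller points in the same hunk: the TIP at lines 35-36 and the NOTE at lines 40-41 both say sensor settings become read-only after being applied from the Azure portal, so one of them can go; **Auto subnet learning** is disabled in step 2 (line 47) yet is still listed as an option in the table at line 60; and **ICS subnet** is now "Read-only" (line 62) in a table introduced as options to use.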

articles/defender-for-iot/organizations/how-to-troubleshoot-sensor.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -276,7 +276,7 @@ To connect a sensor controlled by the management console to NTP:
276276
Sometimes ICS devices are configured with external IP addresses. These ICS devices aren't shown on the map. Instead of the devices, an internet cloud appears on the map. The IP addresses of these devices are included in the cloud image. Another indication of the same problem is when multiple internet-related alerts appear. Fix the issue as follows:
277277

278278
1. Right-click the cloud icon on the device map and select **Export IP Addresses**.
279-
1. Copy the public ranges that are private, and add them to the subnet list. For more information, see [Define ICS or IoT and segregated subnets](how-to-control-what-traffic-is-monitored.md#define-ot-and-iot-subnets).
279+
1. Copy the public ranges that are private, and add them to the subnet list. For more information, see [Define OT and IoT subnets](how-to-control-what-traffic-is-monitored.md#define-ot-and-iot-subnets).
280280
1. Generate a new data-mining report for internet connections.
281281
1. In the data-mining report, enter the administrator mode and delete the IP addresses of your ICS devices.
282282
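Review bot: Line 279 still reads "Copy the public ranges that are private", which is hard to parse, and the section it links to now tells users to disable **Auto subnet learning** before the subnet list can be edited manually. While touching this line, reword it to say which addresses to copy and mention that prerequisite so the troubleshooting step works without a detour.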

articles/defender-for-iot/organizations/how-to-work-with-the-sensor-device-map.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -195,9 +195,9 @@ The following table lists available responses for each notification, and when we
195195
| Type | Description | Available responses | Auto-resolve|
196196
|--|--|--|--|
197197
| **New IP detected** | A new IP address is associated with the device. This may occur in the following scenarios: <br><br>- A new or additional IP address was associated with a device already detected, with an existing MAC address.<br><br> - A new IP address was detected for a device that's using a NetBIOS name. <br /><br /> - An IP address was detected as the management interface for a device associated with a MAC address. <br /><br /> - A new IP address was detected for a device that's using a virtual IP address. | - **Set Additional IP to Device**: Merge the devices <br />- **Replace Existing IP**: Replaces any existing IP address with the new address <br /> - **Dismiss**: Remove the notification. |**Dismiss** |
198-
| **No subnets configured** | No subnets are currently configured in your network. <br /><br /> We recommend configuring subnets for the ability to differentiate between OT and IT devices on the map. | - **Open Subnets Configuration** and [configure subnets](how-to-control-what-traffic-is-monitored.md#define-ot-and-iot-subnets). <br />- **Dismiss**: Remove the notification. |**Dismiss** |
198+
| **No subnets configured** | No subnets are currently configured in your network. <br /><br /> We recommend configuring subnets for the ability to differentiate between OT and IT devices on the map. | - **Open Subnet Configuration** and [configure subnets](how-to-control-what-traffic-is-monitored.md#define-ot-and-iot-subnets). <br />- **Dismiss**: Remove the notification. |**Dismiss** |
199199
| **Operating system changes** | One or more new operating systems have been associated with the device. | - Select the name of the new OS that you want to associate with the device.<br /> - **Dismiss**: Remove the notification. |No automatic handling|
200-
| **New subnets** | New subnets were discovered. |- **Learn**: Automatically add the subnet.<br />- **Open Subnet Configuration**: Add all missing subnet information.<br />- **Dismiss**<br />Remove the notification. |**Dismiss** |
200+
| **New subnets** | New subnets were discovered. |- **Learn**: Automatically add the subnet.<br />- **Open Subnet Configuration**: Add all missing subnet information.<br />- **Dismiss**: <br />Remove the notification. |**Dismiss** |
201201
| **Device type changes** | A new device type has been associated with the device. | - **Set as {…}**: Associate the new type with the device.<br />- **Dismiss**: Remove the notification. |No automatic handling|
202202

203203
## View a device map for a specific zone
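Review bot: At line 200 the change to "**Dismiss**: <br />Remove the notification." keeps the `<br />` between the label and its description, unlike every other row in the table ("**Dismiss**: Remove the notification."). Drop the `<br />` so the rows render the same way. The **No subnets configured** row at line 198 also still gives only the map as the reason to configure subnets; consider mentioning the *Network location* value in the device inventory that this change introduces.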

articles/defender-for-iot/organizations/whats-new.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -102,7 +102,7 @@ For more information, see [Tutorial: Investigate and detect threats for IoT devi
102102

103103
|Service area |Updates |
104104
|---------|---------|
105-
| **OT networks** | **Cloud features**: <br>- [Microsoft Sentinel: Microsoft Defender for IoT solution version 2.0.2](#microsoft-sentinel-microsoft-defender-for-iot-solution-version-202) <br>- [Download updates from the Sites and sensors page (Public preview)](#download-updates-from-the-sites-and-sensors-page-public-preview) <br>- [Alerts page GA in the Azure portal](#alerts-ga-in-the-azure-portal) <br>- [Device inventory GA in the Azure portal](#device-inventory-ga-in-the-azure-portal) <br>- [Device inventory grouping enhancements (Public preview)](#device-inventory-grouping-enhancements-public-preview) <br><br> **Sensor version 22.2.3**: [Configure OT sensor settings from the Azure portal (Public preview)](#configure-ot-sensor-settings-from-the-azure-portal-public-preview) |
105+
| **OT networks** | **Cloud features**: <br>- [Microsoft Sentinel: Microsoft Defender for IoT solution version 2.0.2](#microsoft-sentinel-microsoft-defender-for-iot-solution-version-202) <br>- [Download updates from the Sites and sensors page (Public preview)](#download-updates-from-the-sites-and-sensors-page-public-preview) <br>- [Alerts page GA in the Azure portal](#alerts-ga-in-the-azure-portal) <br>- [Device inventory GA in the Azure portal](#device-inventory-ga-in-the-azure-portal) <br>- [Device inventory grouping enhancements (Public preview)](#device-inventory-grouping-enhancements-public-preview) <br>- [Focused inventory in the Azure device inventory (Public preview)](#focused-inventory-in-the-azure-device-inventory-public-preview) <br><br> **Sensor version 22.2.3**: [Configure OT sensor settings from the Azure portal (Public preview)](#configure-ot-sensor-settings-from-the-azure-portal-public-preview) |
106106
| **Enterprise IoT networks** | **Cloud features**: [Alerts page GA in the Azure portal](#alerts-ga-in-the-azure-portal) |
107107

108108
### Microsoft Sentinel: Microsoft Defender for IoT solution version 2.0.2
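Review bot: The new entry in the **OT networks** row at line 105 is listed under **Cloud features**, but the section it points to sends readers to the portal's sensor settings, which the same row lists under **Sensor version 22.2.3**. Say whether focused inventory needs a minimum sensor version, or note that the subnet list can also be defined on the sensor console.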
@@ -158,6 +158,10 @@ Rich security, governance and admin controls also provide the ability to assign
158158

159159
The **Device inventory** page on the Azure portal supports new grouping categories. Now you can group your device inventory by *class*, *data source*, *location*, *Purdue level*, *site*, *type*, *vendor*, and *zone*. For more information, see [View full device details](how-to-manage-device-inventory-for-organizations.md#view-the-device-inventory).
160160

161+
### Focused inventory in the Azure device inventory (Public preview)
162+
163+
The **Device inventory** page on the Azure portal now includes a network location indication for your devices, to help focus your device inventory on the devices within your IoT/OT scope. See and filter which devices are defined as *local* or *routed*, according to your configured subnets. The *Network location* filter is on by default, and the *Network location* column can be added by editing the columns in the device inventory. For more information, see [Subnet](configure-sensor-settings-portal.md#subnet).
164+
161165
### Configure OT sensor settings from the Azure portal (Public preview)
162166

163167
For sensor versions 22.2.3 and higher, you can now configure selected settings for cloud-connected sensors using the new **Sensor settings (Preview)** page, accessed via the Azure portal's **Sites and sensors** page. For example:
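Review bot: The new section at line 163 says "The *Network location* filter is on by default" without saying which value it selects, so readers cannot tell whether *routed* devices are hidden from the default inventory view. State the default value and how to clear the filter, and link to [Define OT and IoT subnets](how-to-control-what-traffic-is-monitored.md#define-ot-and-iot-subnets) as well as the portal page, since subnets can also be set on the sensor console.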
