Merge pull request #219618 from Shereen-Bhar/firewall-rule-risk

Import firewall rules

Author: v-ccolin

articles/defender-for-iot/organizations/api/sensor-vulnerability-apis.md

@@ -559,7 +559,7 @@ JSON object that represents recommended mitigation steps.
 |--|--|--|
 | **content** | String | Not nullable | Recommended mitigation steps for detected vulnerabilities  |
 | **scoreImprovement** | Integer | Nullable | Expected percentage of security improvement after mitigation steps are taken.  |
-| **details** | Table | Nullable | A table listing mitigation recommendations, such as would be generated in the **Risk assessment** report. Each recommendation includes details about possible security impact if the action is performed and more. For more information, see [Risk mitigation](../how-to-create-risk-assessment-reports.md#risk-mitigation). |
+| **details** | Table | Nullable | A table listing mitigation recommendations, such as would be generated in the **Risk assessment** report. Each recommendation includes details about possible security impact if the action is performed and more. For more information, see [Risk mitigation](../how-to-create-risk-assessment-reports.md#create-risk-assessment-reports). |
 
 > [!NOTE]
 > You might have multiple mitigation steps, with some returned in the `notifications` field, and others returned in the `mitigation` field. Items with `scoreImprovement` and `details` data is returned only in the `mitigation` field. Items without `scoreImprovement` and `details` data is returned only in the `notifications` field.

articles/defender-for-iot/organizations/how-to-activate-and-set-up-your-sensor.md

@@ -241,7 +241,7 @@ You can access console tools from the side menu.  Tools help you:
 | Event timeline | View a timeline with information about alerts, network events, and user operations. For more information, see [Track sensor activity](how-to-track-sensor-activity.md).|
 | Data mining | Generate comprehensive and granular information about your network's devices at various layers. For more information, see [Sensor data mining queries](how-to-create-data-mining-queries.md).|
 | Trends and Statistics |  View trends and statistics about an extensive range of network traffic and activity.  As a small example, display charts and graphs showing top traffic by port, connectivity drops by hours, S7 traffic by control function, number of devices per VLAN, SRTP errors by day, or Modbus traffic by function. For more information, see [Sensor trends and statistics reports](how-to-create-trends-and-statistics-reports.md).
-| Risk Assessment | Proactively address vulnerabilities,  identify risks such as missing patches or unauthorized applications. Detect changes to device configurations, controller logic, and firmware. Prioritize fixes based on risk scoring and automated threat modeling.  For more information, see [Risk assessment reporting](how-to-create-risk-assessment-reports.md#risk-assessment-reporting).|
+| Risk Assessment | Proactively address vulnerabilities,  identify risks such as missing patches or unauthorized applications. Detect changes to device configurations, controller logic, and firmware. Prioritize fixes based on risk scoring and automated threat modeling.  For more information, see [Risk assessment reporting](how-to-create-risk-assessment-reports.md#create-risk-assessment-reports).|
 | Attack Vector |  Display a graphical representation of a vulnerability chain of exploitable devices. These vulnerabilities can give an attacker access to key network devices. The Attack Vector Simulator calculates attack vectors in real time and analyzes all attack vectors for a specific target. For more information, see [Attack vector reporting](how-to-create-attack-vector-reports.md#attack-vector-reporting).|
 
 ### Manage

articles/defender-for-iot/organizations/how-to-create-risk-assessment-reports.md

@@ -1,104 +1,93 @@
 ---
-title: Create risk assessment reports
-description: Gain insight into network risks detected by individual sensors or an aggregate view of risks detected by all sensors.
-ms.date: 02/03/2022
+title: Create risk assessment reports on an OT sensor - Microsoft Defender for IoT
+description: Gain insight into network risks detected by individual Defender for IoT OT sensors or an aggregate view of risks detected by all OT sensors.
+ms.date: 12/01/2022
 ms.topic: how-to
 ---
 
-# Risk assessment reporting
+# Create risk assessment reports
 
-## About risk assessment reports
+Risk assessment reports provide details about security scores, vulnerabilities, and operational issues on detected devices as well as risks coming from imported firewall rules.
 
-Risk assessment reports provide:
+Each Defender for IoT network sensor can generate a risk assessment report, while the on-premises management console collects those reports from all connected sensors.
 
-- An overall security score for the devices detected by organizational sensors.
+## Prerequisites
 
-- A security score for each network device detected by an individual sensor.
+- You must be an **Admin** user to import firewall rules to an OT sensor or add backup and anti-virus server addresses.
 
-- A breakdown of the number of vulnerable devices, devices that need improvement and secure devices.
+- You must be an **Admin** or **Security Analyst** user to create or view risk assessment reports on the OT sensor or on-premises management console.
 
--  Insight into security and operational issues:
+## Generate risk assessment reports for a specific sensor
 
-    - Configuration issues
+Use an individual OT sensor to view reports generated for that sensor only.
 
-    - Device vulnerability prioritized by security level
+**To generate a report**:
 
-    - Network security issues
+1. Sign in to the sensor console and select **Risk assessment** > **Generate report**. The report is generated and appears in the **Reports list**, along with the timestamp and report size.
 
-    - Network operational issues
+    Reports are automatically named `risk-assessment-report-<integer>`, where the `<integer>` is incremented automatically.
 
-    - Connections to ICS networks
+1. Select the report name to download it and open it in your browser.
 
-    - Internet connections
+## Risk assessment report contents
 
-    - Industrial malware indicators
+Risk assessment reports include the following details:
 
-    - Protocol issues
+|Details  |Description  |
+|---------|---------|
+| **Security scores** | An overall security score for all detected devices, and a security score for each individual device. <br><br> Security scores are based on data learned from packet inspection, behavioral modeling engines, and a SCADA-specific state machine design, and are categorized as follows: <br><br> - **Secure Devices** are devices with a security score above 90%. <br> - **Devices Needing Improvement** are devices with a security score between 70 percent and 89%. <br> - **Vulnerable Devices** are devices with a security score below 70%. |
+| **Security and operational issues** | Insight into any of the following security and operational issues: <br><br> - Configuration issues <br> - Device vulnerability, prioritized by security level <br> - Network security issues <br> - Network operational issues <br> - Connections to ICS networks <br> - Internet connections <br> - Industrial malware indicators <br> - Protocol issues <br> - Attack vectors |
+| **Firewall rule risk** | The Risk Assessment report highlights if a rule isn't secure, or if there's a mismatch between the rule and the monitored network. |
 
-    - Attack vectors
+## Enrich the risk assessment report
 
-### Risk mitigation
+Enrich your sensor with extra data to provide fuller risk assessment reports:
 
-Reports provide recommendations to help you improve your security score. For example:
-- Install the latest security updates.
-- Upgrade firmware to the latest version.
-- Investigate PLCs in unsecure states.
+- Import firewall rules to have them assessed for risks in the report
+- Lower your risk by defining addresses for your backup and anti-virus server
 
-## About security scores
+### Import firewall rules to an OT sensor
 
-Overall network security score is generated in each report. The score represents the percentage of 100 percent security. For example, a score of 30% would indicate that your network 30% secure.
+Import firewall rules to your OT sensor for analysis in **Risk assessment** reports. Importing firewall rules is supported for Checkpoint, Fortinet, and Juniper firewalls.
 
-Risk Assessment scores are based on information learned from packet inspection, behavioral modeling engines, and a SCADA-specific state machine design.
+**To import firewall rules**:
 
-**Secure Devices** are devices with a security score above 90%.
+1. Sign in to your sensor as an **Admin** user and elect **System Settings** > **Import settings** > **Firewall rules**.
+1. In the **Firewall rules** pane:
 
-**Devices Needing Improvement**: Devices with a security score between 70 percent and 89%.
+    - Select a firewall type from the dropdown menu
+    - Select **+ Import file** to browse to and select the file you want to import.
 
-**Vulnerable Devices** are devices with a security score below 70%.
+For example:
 
-### About backup and anti-virus servers
+:::image type="content" source="media/how-to-create-risk-assessment-reports/import-firewall-rules.png" alt-text="Screenshot of how to import firewall rules." lightbox="media/how-to-create-risk-assessment-reports/import-firewall-rules.png":::
 
-The risk assessment score may be negatively impacted if you don't define backup and anti-virus server addresses in your sensor. Adding these addresses improves your score. By default these addresses aren't defined.
-The Risk Assessment report cover page will indicate if backup servers and anti-virus servers are not defined.
+### Define backup and anti-virus servers on an OT sensor
 
-**To add servers:**
+Backup and anti-virus servers aren't defined on your sensor by default. We recommend defining these addresses on your sensor to keep your network risk assessment low.
 
-1. Select **System Settings** and then select **System Properties**.
-1. Select **Vulnerability Assessment** and add the addresses to **backup_servers** and **AV_addresses** fields. Use commas to separate multiple addresses.  separated by commas.  
-1. Select **Save**.
+**To add backup and anti-virus server addresses**:
 
-## Create risk assessment reports
+1. Sign into your OT sensor and select **System Settings** > **System Properties** > **Vulnerability Assessment**.
+1. Add your backup and anti-virus server addresses to the **backup_servers** and **AV_addresses** fields, respectively. Use commas to separate multiple addresses.
+1. Select **Save** to save your changes.
 
-Create a risk assessment report based on detections made by the sensor you are logged into. The report name is automatically generated as risk-assessment-report-1.pdf. The number is updated for each new report you create.  The time and day of creation are displayed.
+## View risk assessment reports for multiple sensors
 
-**To create a report:**
+Use an on-premises management console to view risk assessment reports for all connected sensors.
 
-1. Sign in to the sensor console.
-1. Select **Risk assessment** on the side menu.
-1. Select **Generate report**. The report appears in the Saved Reports section.
-1. Select the report from the Saved Reports section to download it.
+**To generate a report**:
 
-**To import a company logo:**
+1. Sign in to your on-premises management console and select **Risk assessment**.
 
-1. Select **Import logo**.
-1. Choose a logo to add to the header of your Risk assessment reports.
+1. From the **Select Sensor** drop-down menu, select the sensor for which you want to generate the report, and then select **Generate Report**.
 
-### Create an on-premises management console risk assessment report
+    A new report is listed in the **Archived Reports** area, listed by the time and date it was created, and showing the security score and report size.
 
-Create a risk assessment report based on detections made by sensors that are managed by your on-premises management console.
-
-**To create a report:**
-
-1. Select **Risk Assessment** on the side menu.
-2. Select a sensor from the **Select sensor** drop-down list.
-3. Select **Generate Report**.
-4. Select **Download** from the **Archived Reports** section.
-
-**To import a company logo:**
-
-1. Select **Import logo**.
-1. Choose a logo to add to the header of your Risk assessment reports.
+1. Select **Download** to download a report and open it in your browser.
 
 ## Next steps
 
-For more information, see [Attack vector reporting](how-to-create-attack-vector-reports.md).
+Take action based on the recommendations provided in the risk assessment reports to improve your overall network security score. For example, you might install the latest security or firmware updates, or investigate any PLCs that are currently in unsecure states.
+
+For more information, see [Enhance security posture with security recommendations](recommendations.md).