Merge branch 'main' into Mal-chrisda

Author: chrisda

defender-for-cloud/breadcrumb/toc.yml

@@ -0,0 +1,7 @@
+- name: 'Microsoft Defender'
+  tocHref: /defender/
+  topicHref: /defender/index
+  items:
+    - name: 'Microsoft Defender for Cloud'
+      tocHref: /defender-for-cloud/
+      topicHref: /defender-for-cloud/index

defender-for-iot/TOC.yml

@@ -1,2 +1,44 @@
-- name: Index
-  href: index.md
+###- name: Index
+###  href: index.md
+- name: Microsoft Defender for IoT
+  href: index.yml
+  expanded: true
+  items:
+    - name: Overview
+      items:
+      - name: What is Microsoft Defender for IoT in the Defender portal?
+        href: microsoft-defender-iot.md      
+      - name: Site security
+        href: site-security-overview.md      
+    - name: Get started
+      items:
+      - name: Prerequisites
+        href: prerequisites.md            
+      - name: Get started
+        href: get-started.md  
+      - name: Set up sites
+        href: set-up-sites.md
+    - name: Monitor site security
+      items:
+      - name: Monitor site security
+        href: monitor-site-security.md  
+    - name: Discover devices
+      items:
+      - name: Overview
+        href: device-discovery.md
+      - name: Discover and manage devices
+        href: manage-devices-inventory.md
+    - name: Prioritize and remediate vulnerabilities       
+      items:
+      - name: Overview
+        href: discover-vulnerabilities-overview.md
+      - name: Prioritize and remediate vulnerabilities
+        href: prioritize-vulnerabilities.md
+    - name: Investigate and remediate threats
+      items:
+      - name: Investigate incidents and alerts
+        href: investigate-threats.md
+    - name: Manage
+      items:
+      - name: Manage sites
+        href: manage-sites.md           

defender-for-iot/breadcrumb/toc.yml

@@ -0,0 +1,7 @@
+- name: 'Microsoft Defender'
+  tocHref: /defender/
+  topicHref: /defender/index
+  items:
+    - name: 'Microsoft Defender for IoT'
+      tocHref: /defender-for-iot/
+      topicHref: /defender-for-iot/index

defender-for-iot/device-discovery.md

@@ -0,0 +1,69 @@
+---
+title: Device discovery for Microsoft Defender for IoT in the Defender portal
+description: This article describes device discovery for Microsoft Defender for IoT in the Defender portal.
+ms.service: defender-for-iot
+author: limwainstein
+ms.author: lwainstein
+ms.localizationpriority: medium
+ms.date: 06/19/2024
+ms.topic: conceptual
+---
+
+# Overview of device discovery
+
+To protect your environment, you need to take inventory of the devices in your network. However, mapping these devices can often be expensive, challenging, and time-consuming.
+
+Microsoft Defender for IoT in the Microsoft Defender portal integrates with [Microsoft Defender for Endpoint device discovery](/defender-endpoint/machines-view-overview#device-inventory-overview), allowing you to discover devices connected to your operational technologies (OT) network without using extra appliances or complex process changes. Defender for IoT uses onboarded endpoints to collect, probe, or scan your network to discover devices.
+
+This article describes the benefits and capabilities of device discovery in Defender for IoT.
+
+Learn how to [discover and manage your IoT/OT devices](manage-devices-inventory.md) in the device inventory.
+
+[!INCLUDE [defender-iot-preview](../includes/defender-for-iot-defender-public-preview.md)]
+
+## Device inventory: initial view
+
+If you don't yet have a Defender for IoT license, the **Device inventory** page detects your OT devices and lists them with regular device data, but without security data. For example, the device name, IP, and category are visible, while the risk level isn't visible. The device inventory also displays a note at the top of the page that indicates the number of unprotected OT devices.
+ 
+In this case, [onboard Defender for IoT](get-started.md) to get security value for your OT devices.
+
+If you're seeing the message that indicates the number of unprotected OT devices, and you've already set up Defender for IoT, [set up a site](set-up-sites.md) and associate the relevant devices with it.
+
+## Device inventory page
+
+The **Device inventory** page helps you identify details about specific devices, such as manufacturer, type, serial number, firmware, and more. Using these details, you can track your devices, dive into device information, and identify potential threats or incompatibilities.
+
+Learn how to [discover and manage your IoT/OT devices](manage-devices-inventory.md) in the device inventory.
+
+Learn more about the [device inventory in Microsoft Defender for Endpoint](/defender-endpoint/machines-view-overview#device-inventory-overview).
+
+## Device discovery capabilities
+
+The key device discovery capabilities are:
+
+|Capability  |Description  |
+|---------|---------|
+|OT device management     |[Manage OT devices](manage-devices-inventory.md):<br>- Build an up-to-date inventory that includes all your managed and unmanaged devices.<br>- Classify critical devices to ensure that the most important assets in your organization are protected.​<br>- Add organization-specific information to emphasize your organization preferences. |
+|Device protection with risk-based approach  |Identify risks such as missing patches, vulnerabilities and prioritize fixes based on risk scoring and automated threat modeling. |
+|Device alignment with physical sites     |Allows contextual security monitoring. Use the **Site** filter to manage each site separately. Learn more about [filters](/defender-endpoint/machines-view-overview#use-filters-to-customize-the-device-inventory-views). |
+|Device groups     |Allows different teams in your organization to monitor and manage relevant assets only.​ Learn more about [creating a device group](/defender-endpoint/machine-groups.md#create-a-device-group). |
+|Device criticality     |Reflects how critical a device is for your organization and allows you to identify a device as a business critical asset. Learn more about [device criticality](/defender-endpoint/machines-view-overview#device-inventory-overview). |
+
+## Supported devices
+
+Defender for IoT's device inventory supports the following device classes:
+
+|Devices  |Example |
+|---------|---------|
+|**Manufacturing**| Industrial and operational devices, such as pneumatic devices,  packaging systems, industrial packaging systems, industrial robots        |
+|**Building**     | Access panels,  surveillance devices, HVAC systems, elevators, smart lighting systems    |
+|**Health care**     |  Glucose meters, monitors       |
+|**Transportation / Utilities**     |  Turnstiles, people counters, motion sensors, fire and safety systems, intercoms       |
+|**Energy and resources**     |  DCS controllers, PLCs, historian devices, HMIs      |
+|**Endpoint devices**     |  Workstations, servers, or mobile devices        |
+| **Enterprise** | Smart devices, printers,  communication devices, or audio/video devices |
+| **Retail** | Barcode scanners, humidity sensor, punch clocks | 
+
+## Next steps
+
+[Discover and manage devices](manage-devices-inventory.md)

defender-for-iot/discover-vulnerabilities-overview.md

@@ -0,0 +1,48 @@
+---
+title: Overview of vulnerability management with Microsoft Defender for IoT in the Defender portal
+description: This article describes the features and benefits of Microsoft Defender for IoT vulnerability management.
+ms.service: defender-for-iot
+author: limwainstein
+ms.author: lwainstein
+ms.localizationpriority: medium
+ms.date: 06/24/2024
+ms.topic: conceptual
+---
+
+# Overview of vulnerability management
+
+With vulnerability management, Microsoft Defender for IoT in the Defender portal provides extended coverage for OT networks, gathers OT device data into one place, and displays the data with the other devices on your network.
+
+The OT security administrator proactively manages network risks based on the vulnerability details and recommended remediation actions.
+
+[!INCLUDE [defender-iot-preview](../includes//defender-for-iot-defender-public-preview.md)]
+
+## Vulnerability management capabilities
+
+The key vulnerability management capabilities are:
+
+|Capability |Description |
+|----|----|
+|Extended vulnerability coverage| Defender for IoT uses detailed OT device firmware information and discovers the device vendor, model, and version to identify known vulnerabilities. |
+|[Security recommendations page](/defender-vulnerability-management/tvm-security-recommendation)|Offers actionable steps to update and mitigate vulnerable products. |
+|[Weaknesses page](/defender-vulnerability-management/tvm-weaknesses)|Includes a detailed list of vulnerabilities like zero-days and known exploits. |
+|[Management](/defender-vulnerability-management/tvm-weaknesses#view-common-vulnerabilities-and-exposures-cve-entries-in-other-places)|You can manage and control the vulnerabilities globally, per tenant or device group, per device from the device page, or per vulnerable product through the Inventory page. |
+|[Exception handling](/defender-vulnerability-management/tvm-security-recommendation#file-for-exception)| Create exceptions for recommendations that can't be patched.|
+|[Customizable Vulnerability Notifications](/defender-endpoint/configure-vulnerability-email-notifications)| Alert key stakeholders with customizable notifications.|
+|[Reporting Inaccuracies](/defender-vulnerability-management/tvm-weaknesses#report-inaccuracy)| Users can report inaccuracies on discovered CVEs or request support for new vulnerabilities.|
+
+## Weaknesses page
+
+The Microsoft Defender portal displays Microsoft Defender for IoT security vulnerabilities in the **Endpoints > Weaknesses** page.
+
+Vulnerabilities are listed based on their publicly registered Common Vulnerability and Exposures(CVEs) ID.
+
+The **Weaknesses** page lists the detected security vulnerabilities across all devices, endpoints, applications and other sources on your network. The data can be filtered according to device groups based on the created sites.
+
+The OT security administrator uses the list of detected vulnerabilities in the **Weaknesses** page to send a remediation request for the relevant team to handle.
+
+Learn more about the [Weaknesses page in the Microsoft Defender Vulnerability Management](/defender-vulnerability-management/tvm-weaknesses).
+
+## Next steps
+
+[Prioritize and investigate vulnerabilities](prioritize-vulnerabilities.md) in Microsoft Defender for IoT.

defender-for-iot/get-started.md

@@ -0,0 +1,48 @@
+---
+title: Get started with Microsoft Defender for IoT in the Defender portal
+description: This article describes how to set up Microsoft Defender for IoT in the Defender portal.
+ms.service: defender-for-iot
+author: lwainstein
+ms.author: lwainstein
+ms.localizationpriority: medium
+ms.date: 05/19/2024
+ms.topic: how-to
+---
+
+# Get started with Microsoft Defender for IoT in the Defender portal
+
+Microsoft Defender for IoT in the Microsoft Defender portal allows you to analyze OT data, generate alerts, and identify network risks. This article explains how to create a trial license for Defender for IoT in the Defender portal using your Microsoft tenant.
+
+One trial license is available per tenant. The trial license is limited to a maximum of 1,000 OT devices and lasts for 90 days. After you set up the trial license, you can access the Defender for IoT security insights available for your network.
+
+When you finish setting up the trial license, you can continue to [set up a site](set-up-sites.md) to monitor your OT devices at the production site level.
+
+[!INCLUDE [defender-iot-preview](../includes//defender-for-iot-defender-public-preview.md)]
+
+## Add a trial license
+
+To add a trial license for Microsoft Defender for IoT:
+
+1. Open the [Microsoft Defender for IoT - OT Site License (1000 max devices per site) Trial wizard](https://signup.microsoft.com/get-started/signup?products=d2bdd05f-4856-4569-8474-2f9ec298923b).
+
+    :::image type="content" source="media/get-started/trial-license-get-started.png" alt-text="Screenshot of the set up page for the Microsoft Defender for IoT trial license.":::
+
+1. In the **Email** field, type the email address you want to associate with the trial license, and select **Next**.
+
+1. Confirm that the email address is correct by selecting **Set up account**.
+
+1. In the **Tell us about yourself** page, type your details and select **Next**.
+
+1. Select whether you want the confirmation message to be sent to you via SMS or a phone call. Verify your phone number, and then select **Send verification code**.
+
+1. After receiving the code, type it in the **Enter your verification code** field.
+
+1. In the **How you'll sign in** page, type a username and password and select **Next**.
+
+1. In the **Confirmation details** page, note your order number and username, and select **Start using Microsoft Defender for IoT - OT Site License (1000 max devices per site) Trial** to continue.
+
+Once you have a trial license, [set up a new site](set-up-sites.md) so that Microsoft Defender for IoT can begin sending data to the Defender portal.
+
+## Public preview features
+
+We recommend that you also turn on and benefit from the available [Defender portal preview features](/defender-xdr/preview#turn-on-preview-features).

defender-for-iot/index.md

@@ -0,0 +1,67 @@
+### YamlMime:Landing
+
+title: Microsoft Defender for IoT in the Defender portal (Preview) documentation # < 60 chars
+summary: Microsoft Defender for IoT in the Defender portal (Preview) provides visibility and threat protection for IoT/OT environments while reducing cyber risk through continuous vulnerability discovery, risk-based prioritization, and remediation. # < 160 chars
+
+metadata:
+  title: Microsoft Defender for IoT in the Defender portal (Preview) documentation # Required; page title displayed in search results. Include the brand. < 60 chars.
+  description: Learn about Microsoft Defender for IoT in the Defender portal, and maximize the built-in security capabilities to protect devices, detect malicious activity, and remediate threats# Required; article description that is displayed in search results. < 160 chars.
+  services: office-365-security-compliance
+  ms.service: defender-for-iot
+  ms.topic: landing-page # Required
+  ms.custom: intro-hub-or-landing
+  author: limwainstein #Required; your GitHub user alias, with correct capitalization.
+  ms.author: lwainstein #Required; microsoft alias of author; optional team alias.
+  ms.date: 06/23/2024
+  ms.localizationpriority: high
+
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+  # Card (optional)
+  - title: Defender for IoT
+    linkLists:
+      - linkListType: overview
+        links:
+        - text: What is Microsoft Defender for IoT in the Defender portal?
+          url: microsoft-defender-iot.md
+      - linkListType: concept
+        links:        
+        - text: Site security
+          url: site-security-overview.md
+      - linkListType: how-to-guide
+        links:
+          - text: Manage sites
+            url: manage-sites.md
+
+# Card
+  - title: Get started
+    linkLists:
+      - linkListType: get-started
+        links:
+        - text: Prerequisites
+          url: prerequisites.md
+      - linkListType: get-started
+        links: 
+        - text: Get started
+          url: get-started.md
+      - linkListType: quickstart
+        links: 
+        - text: Set up sites
+          url: set-up-sites.md
+
+# Card
+  - title: How-to
+    linkLists:
+      - linkListType: how-to-guide
+        links:
+        - text: Monitor site security
+          url: monitor-site-security.md
+        - text: Prioritize and remediate vulnerabilities
+          url: prioritize-vulnerabilities.md
+        - text: Investigate incidents and alerts
+          url: investigate-threats.md
+        - text: Manage sites
+          url: manage-sites.md

defender-for-iot/index.yml

@@ -0,0 +1,62 @@
+---
+title: Investigate incidents and alerts in Microsoft Defender for IoT in the Defender portal
+description: This article describes how to investigate incidents and alerts in Microsoft Defender for IoT in the Defender portal.
+ms.service: defender-for-iot
+author: lwainstein
+ms.author: lwainstein
+ms.localizationpriority: medium
+ms.date: 06/26/2024
+ms.topic: how-to
+---
+
+# Investigate incidents and alerts
+
+Microsoft Defender for IoT in the Microsoft Defender portal displays incidents and alerts, which enhance your network security and operations with real-time details about events logged in your operational technology (OT) network. 
+
+Alerts are the basis of all incidents and indicate the occurrence of malicious or suspicious events in your environment. Within an incident, you analyze the alerts that affect your network, understand what they mean, and collate the evidence so that you can devise an effective remediation plan. 
+
+Learn more about [alerts](/defender-xdr/investigate-alerts) and [incidents](/defender-xdr/investigate-incidents) in the Defender portal.
+
+In this article, you learn how to investigate a Microsoft Defender for IoT incident and its associated alerts, and how to remediate the security issues raised by the alert.
+
+Alerts in the **Incidents** page uniquely combine IT and OT environment signals to detect potential threats and data leaks. The **Incidents** page displays: 
+
+- A history of the alerts connected to the incident and an incident graph. The graph shows other devices connected to the affected OT device that might also be compromised.
+- Alert descriptions, which explain the type of detected security issue.
+- Remediation options to solve the security problem. 
+
+> [!NOTE]
+> Incident and alert data for Defender for IoT only appear once you have a site set up and your devices are sending data to the Defender portal. Learn how to [set up a site](set-up-sites.md).
+
+[!INCLUDE [defender-iot-preview](../includes//defender-for-iot-defender-public-preview.md)]
+
+## Investigate alerts
+
+To investigate an alert:
+
+1. In the [Microsoft Defender portal](https://security.microsoft.com/machines) menu, select **Incidents & alerts > Incidents**.
+
+1. To display OT related incidents:
+
+    1. Select **Add filter**.
+    1. Select **Product name** and select **Add**.
+    1. Select the **Product names** tab that appears and type: *Defender for IoT*.
+    1. Select **Apply**.
+
+1. Locate and select an incident.
+
+    The specific incident page shows the attack story made up of the alert timeline, an incident graph and the incident details. The incident graph displays the OT device and the other IT or IoT devices connected to this alert, to show possible compromised connections.
+
+1. Select an alert from the alerts list.
+
+    The incident graph and incident details display specific data for this alert.
+
+1. In the **Incident** panel, review the information, read the **Alert description** and follow the **Alert recommended actions** to remediate the issue.
+
+## Defender for IoT alert
+
+Defender for IoT generates its own unique alert.
+
+| Name | Description |
+|----|----|
+|**Possible operational impact due to a compromised device** |A compromised device communicated with an operational technology (OT) asset. An attacker might be attempting to control or disrupt physical operations. |