-LetΓÇÖs say your HR system has an attribute `BusinessTitle`. As part of recent job title changes, your company wants to update anyone with the business title ΓÇ£Product DeveloperΓÇ¥ to ΓÇ£Software EngineerΓÇ¥.

-* **oldValue**: ΓÇ£Product DeveloperΓÇ¥

-* **replacementValue**: ΓÇ£Software EngineerΓÇ¥

-LetΓÇÖs say you want to always generate login id in the format `<username>@contoso.com`. There is a source attribute called **UserID** and you want that value to be used for the `<username>` portion of the login id.

-* **source:** `[UserID]` = ΓÇ£jsmithΓÇ¥

-* **oldValue:** ΓÇ£`<username>`ΓÇ¥

-* **template:** ΓÇ£`<username>@contoso.com`ΓÇ¥

-* **Expression output:** ΓÇ£jsmith@contoso.comΓÇ¥

-LetΓÇÖs say you have a source attribute `telephoneNumber` that has components `country code` and `phone number` separated by a space character. E.g. `+91 9998887777`

-* **source:** `[telephoneNumber]` = ΓÇ£+91 9998887777ΓÇ¥

-* **regexPattern:** ΓÇ£`\\+(?<isdCode>\\d* )(?<phoneNumber>\\d{10})`ΓÇ¥

-* **replacementValue:** ΓÇ£`${phoneNumber}`ΓÇ¥

-* **source:** `[mobile] = ΓÇ£+1 (999) 888-7777ΓÇ¥`

-* **regexPattern:** ΓÇ£`[()\\s-]+`ΓÇ¥

-* **replacementValue:** ΓÇ£ΓÇ¥ (empty string)

-LetΓÇÖs say your source system has an attribute AddressLineData with two components street number and street name. As part of a recent move, letΓÇÖs say the street number of the address changed and you want to update only the street number portion of the address line.

-Then in this case, you can use the following expression in your attribute mapping to extract the 10 digit phone number.

-* **source:** `[AddressLineData]` = ΓÇ£545 Tremont StreetΓÇ¥

-* **regexPattern:** ΓÇ£`(?<streetNumber>^\\d*)`ΓÇ¥

-* **regexGroupName:** ΓÇ£streetNumberΓÇ¥

-* **replacementValue:** ΓÇ£888ΓÇ¥

-* **source:** `[userPrincipalName]` = ΓÇ£jsmith@contoso.comΓÇ¥

-* **regexPattern:** ΓÇ£`(?<Suffix>@(.)*)`ΓÇ¥

-* **regexGroupName:** ΓÇ£SuffixΓÇ¥

-* **replacementValue:** ΓÇ£ΓÇ¥ (empty string)

-**Example 5:** Using **regexPattern**, **regexGroupName** and **replacementAttributeName** to handle scenarios when the source attribute is empty or doesnΓÇÖt have a value.

-LetΓÇÖs say your source system has an attribute telephoneNumber. If telephoneNumber is empty, you want to extract the 10 digits of the mobile number attribute.

-* **source:** `[telephoneNumber]` = ΓÇ£ΓÇ¥ (empty string)

-* **regexPattern:** ΓÇ£`\\+(?<isdCode>\\d* )(?<phoneNumber>\\d{10})`ΓÇ¥

-* **regexGroupName:** ΓÇ£phoneNumberΓÇ¥

-* **replacementAttributeName:** `[mobile]` = ΓÇ£+91 8887779999ΓÇ¥

-# Create and manage downloadable access review history report (Preview) in Azure AD access reviews

-Being legacy, the application lacks any form of modern protocols to support a direct integration with Azure AD. Modernizing the app is also costly, requires careful planning, and introduces risk of potential downtime.

-One option would be to consider [Azure AD Application Proxy](../app-proxy/application-proxy.md), to gate remote access to the application.

-Another approach is to use an F5 BIG-IP Application Delivery Controller (ADC), as it too provides the protocol transitioning required to bridge legacy applications to the modern ID control plane.

-Having a BIG-IP in front of the application enables us to overlay the service with Azure AD pre-authentication and header-based SSO, significantly improving the overall security posture of the application for both remote and local access.

-5. Review the list of configuration steps and select Next

-3. Enter the **Tenant Id**, **Client ID**, and **Client Secret** you noted down during tenant registration

-For more information, visit this F5 knowledge article [Configuring LDAP remote authentication for Active Directory](https://support.f5.com/csp/article/K11072). ThereΓÇÖs also a great BIG-IP reference table to help diagnose LDAP-related issues in this F5 knowledge article on [LDAP Query](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/5.html).

-Being legacy, the application lacks modern protocols to support a direct integration with Azure AD. Modernizing the app would be ideal, but is costly, requires careful planning, and introduces risk of potential downtime.

-One option would be to consider using [Azure AD Application Proxy](../app-proxy/application-proxy.md), as it provides the protocol transitioning required to bridge the legacy application to the modern identity control plane. Or for our scenario, we'll achieve this using F5's BIG-IP Application Delivery Controller (ADC).

-Having a BIG-IP in front of the application enables us to overlay the service with Azure AD pre-authentication and header-based SSO, significantly improving the overall security posture of the application for remote and local access.

-3. Enter the **Tenant Id, Client ID,** and **Client Secret** you noted down during tenant registration

-Before you select **Next**, confirm that BIG-IP can successfully connect to your tenant.

-See [BIG-IP APM variable assign examples]( https://devcentral.f5.com/s/articles/apm-variable-assign-examples-1107) and [F5 BIG-IP session variables reference]( https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-access-policy-manager-visual-policy-editor/session-variables.html) for more info.

-3. Enter the **Tenant Id**, **Client ID**, and **Client Secret** you noted down during tenant registration

-For more information, visit this F5 knowledge article [Configuring LDAP remote authentication for Active Directory](https://support.f5.com/csp/article/K11072). ThereΓÇÖs also a great BIG-IP reference table to help diagnose LDAP-related issues in this F5 knowledge article on [LDAP Query](https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-authentication-single-sign-on-11-5-0/5.html).

-3. Enter the **Tenant Id, Client ID**, and **Client Secret** you noted down from your registered application

-4. Before you select **Next**, confirm that BIG-IP can successfully connect to your tenant.

-4. Before you select **Next**, confirm that BIG-IP can successfully connect to your tenant.

-# Tutorial: Azure Active Directory integration with Clarity

-4. On the **Set up Single Sign-On with SAML** page, perform the following steps:

- > This value is not real. Update this value with the actual Identifier. Contact [Clarity Client support team](mailto:catechnicalsupport@ca.com) to get this value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

-To configure single sign-on on **Clarity** side, you need to send the downloaded **Certificate (Base64)** and appropriate copied URLs from Azure portal to [Clarity support team](mailto:catechnicalsupport@ca.com). They set this setting to have the SAML SSO connection set properly on both sides.

-In this section, you create a user called B.Simon in Clarity. Work with [Clarity support team](mailto:catechnicalsupport@ca.com) to add the users in the Clarity platform. Users must be created and activated before you use single sign-on.

-# Tutorial: Azure Active Directory integration with Peakon

-In this tutorial, you learn how to integrate Peakon with Azure Active Directory (Azure AD).

-Integrating Peakon with Azure AD provides you with the following benefits:

-* You can control in Azure AD who has access to Peakon.

-* You can enable your users to be automatically signed-in to Peakon (Single Sign-On) with their Azure AD accounts.

-* You can manage your accounts in one central location - the Azure portal.

-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.

-To configure Azure AD integration with Peakon, you need the following items:

-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)

-* Peakon single sign-on enabled subscription

-* Peakon supports **SP** and **IDP** initiated SSO

-## Adding Peakon from the gallery

-**To add Peakon from the gallery, perform the following steps:**

-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.

- 

-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.

- 

-3. To add new application, click **New application** button on the top of dialog.

- 

-4. In the search box, type **Peakon**, select **Peakon** from result panel then click **Add** button to add the application.

- 

-## Configure and test Azure AD single sign-on

-In this section, you configure and test Azure AD single sign-on with Peakon based on a test user called **Britta Simon**.

-For single sign-on to work, a link relationship between an Azure AD user and the related user in Peakon needs to be established.

-To configure and test Azure AD single sign-on with Peakon, you need to complete the following building blocks:

-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.

-2. **[Configure Peakon Single Sign-On](#configure-peakon-single-sign-on)** - to configure the Single Sign-On settings on application side.

-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.

-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.

-5. **[Create Peakon test user](#create-peakon-test-user)** - to have a counterpart of Britta Simon in Peakon that is linked to the Azure AD representation of user.

-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.

-### Configure Azure AD single sign-on

-In this section, you enable Azure AD single sign-on in the Azure portal.

-To configure Azure AD single sign-on with Peakon, perform the following steps:

-1. In the [Azure portal](https://portal.azure.com/), on the **Peakon** application integration page, select **Single sign-on**.

- 

-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.

- 

-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.

- 

- 

- 

- In the **Sign-on URL** text box, type a URL:

- a. Login URL

- b. Azure AD Identifier

- c. Logout URL

-### Configure Peakon Single Sign-On

- 

- 

- 

- 

- f. Click **Save**

-### Create an Azure AD test user

-The objective of this section is to create a test user in the Azure portal called Britta Simon.

-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.

- 

-2. Select **New user** at the top of the screen.

- 

-3. In the User properties, perform the following steps.

- 

- a. In the **Name** field enter **BrittaSimon**.

-

- b. In the **User name** field type **brittasimon@yourcompanydomain.extension**

- For example, BrittaSimon@contoso.com

- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.

- d. Click **Create**.

-### Assign the Azure AD test user

-In this section, you enable Britta Simon to use Azure single sign-on by granting access to Peakon.

-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **Peakon**.

- 

-2. In the applications list, select **Peakon**.

- 

-3. In the menu on the left, select **Users and groups**.

- 

-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.

- 

-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.

-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.

-7. In the **Add Assignment** dialog click the **Assign** button.

- 

- 

- 

-### Test single sign-on

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Peakon tile in the Access Panel, you should be automatically signed in to the Peakon for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional Resources

-# Tutorial: Azure Active Directory integration with ScreenSteps

-In this tutorial, you learn how to integrate ScreenSteps with Azure Active Directory (Azure AD).

-Integrating ScreenSteps with Azure AD provides you with the following benefits:

-* You can control in Azure AD who has access to ScreenSteps.

-* You can enable your users to be automatically signed-in to ScreenSteps (Single Sign-On) with their Azure AD accounts.

-* You can manage your accounts in one central location - the Azure portal.

-If you want to know more details about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/) before you begin.

-To configure Azure AD integration with ScreenSteps, you need the following items:

-* An Azure AD subscription. If you don't have an Azure AD environment, you can get one-month trial [here](https://azure.microsoft.com/pricing/free-trial/)

-* ScreenSteps single sign-on enabled subscription

-* ScreenSteps supports **SP** initiated SSO

-## Adding ScreenSteps from the gallery

-To configure the integration of ScreenSteps into Azure AD, you need to add ScreenSteps from the gallery to your list of managed SaaS apps.

-**To add ScreenSteps from the gallery, perform the following steps:**

-1. In the **[Azure portal](https://portal.azure.com)**, on the left navigation panel, click **Azure Active Directory** icon.

- 

-2. Navigate to **Enterprise Applications** and then select the **All Applications** option.

- 

-3. To add new application, click **New application** button on the top of dialog.

- 

-4. In the search box, type **ScreenSteps**, select **ScreenSteps** from result panel then click **Add** button to add the application.

- 

-## Configure and test Azure AD single sign-on

-In this section, you configure and test Azure AD single sign-on with ScreenSteps based on a test user called **Britta Simon**.

-For single sign-on to work, a link relationship between an Azure AD user and the related user in ScreenSteps needs to be established.

-To configure and test Azure AD single sign-on with ScreenSteps, you need to complete the following building blocks:

-1. **[Configure Azure AD Single Sign-On](#configure-azure-ad-single-sign-on)** - to enable your users to use this feature.

-2. **[Configure ScreenSteps Single Sign-On](#configure-screensteps-single-sign-on)** - to configure the Single Sign-On settings on application side.

-3. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with Britta Simon.

-4. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable Britta Simon to use Azure AD single sign-on.

-5. **[Create ScreenSteps test user](#create-screensteps-test-user)** - to have a counterpart of Britta Simon in ScreenSteps that is linked to the Azure AD representation of user.

-6. **[Test single sign-on](#test-single-sign-on)** - to verify whether the configuration works.

-### Configure Azure AD single sign-on

-In this section, you enable Azure AD single sign-on in the Azure portal.

-To configure Azure AD single sign-on with ScreenSteps, perform the following steps:

-1. In the [Azure portal](https://portal.azure.com/), on the **ScreenSteps** application integration page, select **Single sign-on**.

- 

-2. On the **Select a Single sign-on method** dialog, select **SAML/WS-Fed** mode to enable single sign-on.

- 

-3. On the **Set up Single Sign-On with SAML** page, click **Edit** icon to open **Basic SAML Configuration** dialog.

- 

-4. On the **Basic SAML Configuration** section, perform the following steps:

- 

- a. Login URL

- b. Azure AD Identifier

- c. Logout URL

-### Configure ScreenSteps Single Sign-On

- 

- 

- 

- 

- 

- 

-### Create an Azure AD test user

-The objective of this section is to create a test user in the Azure portal called Britta Simon.

-1. In the Azure portal, in the left pane, select **Azure Active Directory**, select **Users**, and then select **All users**.

- 

-2. Select **New user** at the top of the screen.

- 

-3. In the User properties, perform the following steps.

- 

- a. In the **Name** field enter **BrittaSimon**.

-

- b. In the **User name** field type **brittasimon@yourcompanydomain.extension**

- For example, BrittaSimon@contoso.com

- c. Select **Show password** check box, and then write down the value that's displayed in the Password box.

- d. Click **Create**.

-### Assign the Azure AD test user

-In this section, you enable Britta Simon to use Azure single sign-on by granting access to ScreenSteps.

-1. In the Azure portal, select **Enterprise Applications**, select **All applications**, then select **ScreenSteps**.

- 

-2. In the applications list, select **ScreenSteps**.

- 

-3. In the menu on the left, select **Users and groups**.

- 

-4. Click the **Add user** button, then select **Users and groups** in the **Add Assignment** dialog.

- 

-5. In the **Users and groups** dialog select **Britta Simon** in the Users list, then click the **Select** button at the bottom of the screen.

-6. If you are expecting any role value in the SAML assertion then in the **Select Role** dialog select the appropriate role for the user from the list, then click the **Select** button at the bottom of the screen.

-7. In the **Add Assignment** dialog click the **Assign** button.

-### Test single sign-on

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the ScreenSteps tile in the Access Panel, you should be automatically signed in to the ScreenSteps for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional Resources

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Trelica

-In this tutorial, you learn how to integrate Trelica with Azure Active Directory (Azure AD).

-With this integration, you can:

-To learn more about software as a service (SaaS) app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-* After you configure Trelica, you can enforce session control. This control protects exfiltration and infiltration of your organization's sensitive data in real time. Session control extends from conditional access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-## Adding Trelica from the gallery

-1. Sign in to the [Azure portal](https://portal.azure.com) by using either a work or school account, or a personal Microsoft account.

-## Configure and test Azure AD single sign-on for Trelica

-To configure and test Azure AD SSO with Trelica, complete the following building blocks:

-1. In the [Azure portal](https://portal.azure.com/), on the **Trelica** application integration page, go to the **Manage** section. Select **Single sign-on**.

-1. On the **Set up Single Sign-on with SAML** page, enter the following values:

- 1. In the **Identifier** box, enter the URL **https://app.trelica.com**.

- 1. In the **Reply URL** box, enter a URL having the pattern

- 

- 

-In this section, you test your Azure AD single sign-on configuration by using the My Apps portal.

-When you select the Trelica tile in the My Apps portal, you're automatically signed in to the Trelica for which you set up SSO. For more information about the My Apps portal, see [Introduction to the My Apps portal](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional resources

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with TruNarrative

-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-* TruNarrative supports **SP** initiated SSO

-* Once you configure TruNarrative you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-## Adding TruNarrative from the gallery

-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.

-## Configure and test Azure AD single sign-on for TruNarrative

-To configure and test Azure AD SSO with TruNarrative, complete the following building blocks:

- * **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

- * **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

- * **[Create TruNarrative test user](#create-trunarrative-test-user)** - to have a counterpart of B.Simon in TruNarrative that is linked to the Azure AD representation of user.

-1. In the [Azure portal](https://portal.azure.com/), on the **TruNarrative** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.

-1. On the **Basic SAML Configuration** section, enter the values for the following fields:

- a. In the **Sign-on URL** text box, type a URL using the following pattern:

- b. In the **Identifier** box, type a URL using the following pattern:

- `https://<SUBDOMAIN>.trunarrative.cloud`

- c. In the **Reply URL** text box, type a URL using the following pattern:

- > These values are not real. Update these values with the actual Sign-On URL, Identifier and Reply URL. Contact [TruNarrative Client support team](mailto:helpdesk@trunarrative.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

- 

- 

-In this section, you create a user called B.Simon in TruNarrative. Work with TruNarrative support team to add the users in the TruNarrative platform. Users must be created and activated before you use single sign-on.

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the TruNarrative tile in the Access Panel, you should be automatically signed in to the TruNarrative for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional resources

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Verme

-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-* Once you configure Verme you can enforce session control, which protect exfiltration and infiltration of your organizationΓÇÖs sensitive data in real-time. Session control extend from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-## Adding Verme from the gallery

-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.

-## Configure and test Azure AD single sign-on for Verme

-To configure and test Azure AD SSO with Verme, complete the following building blocks:

-1. In the [Azure portal](https://portal.azure.com/), on the **Verme** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.

- b. In the **Relay State** text box, type the URL:

- 

- 

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Verme tile in the Access Panel, you should be automatically signed in to the Verme for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional resources

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Vocoli

-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-* Vocoli supports **IDP** initiated SSO

-## Adding Vocoli from the gallery

-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.

-## Configure and test Azure AD single sign-on for Vocoli

-To configure and test Azure AD SSO with Vocoli, complete the following building blocks:

- 1. **[Create an Azure AD test user](#create-an-azure-ad-test-user)** - to test Azure AD single sign-on with B.Simon.

- 1. **[Assign the Azure AD test user](#assign-the-azure-ad-test-user)** - to enable B.Simon to use Azure AD single sign-on.

- 1. **[Create Vocoli test user](#create-vocoli-test-user)** - to have a counterpart of B.Simon in Vocoli that is linked to the Azure AD representation of user.

-1. In the [Azure portal](https://portal.azure.com/), on the **Vocoli** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.

- 

- 

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Vocoli tile in the Access Panel, you should be automatically signed in to the Vocoli for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional resources

-# Tutorial: Azure Active Directory single sign-on (SSO) integration with Zengine

-To learn more about SaaS app integration with Azure AD, see [What is application access and single sign-on with Azure Active Directory](../manage-apps/what-is-single-sign-on.md).

-* Zengine supports **SP** initiated SSO

-* Once you configure Zengine you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Defender for Cloud Apps](/cloud-app-security/proxy-deployment-any-app).

-## Adding Zengine from the gallery

-1. Sign in to the [Azure portal](https://portal.azure.com) using either a work or school account, or a personal Microsoft account.

-To configure and test Azure AD SSO with Zengine, complete the following building blocks:

-1. In the [Azure portal](https://portal.azure.com/), on the **Zengine** application integration page, find the **Manage** section and select **single sign-on**.

-1. On the **Set up single sign-on with SAML** page, click the edit/pen icon for **Basic SAML Configuration** to edit the settings.

-1. On the **Basic SAML Configuration** section, enter the values for the following fields:

- a. In the **Sign on URL** text box, type a URL using the following pattern:

- `https://auth.zenginehq.com/saml2/v1/sls/<ENVIRONMENT_NAME>`

- b. In the **Identifier (Entity ID)** text box, type a URL using the following pattern:

- > These values are not real. Update these values with the actual Sign on URL and Identifier. Contact [Zengine Client support team](mailto:support@wizehive.com) to get these values. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.

- 

- 

-In this section, you test your Azure AD single sign-on configuration using the Access Panel.

-When you click the Zengine tile in the Access Panel, you should be automatically signed in to the Zengine for which you set up SSO. For more information about the Access Panel, see [Introduction to the Access Panel](https://support.microsoft.com/account-billing/sign-in-and-start-apps-from-the-my-apps-portal-2f3b1bae-0e5a-4a86-a33e-876fbd2a4510).

-## Additional resources

-This article shows you how to restore an app in [Azure App Service](../app-service/overview.md) from a snapshot. You can restore your app to a previous state, based on one of your app's snapshots. You do not need to enable snapshots, the platform automatically saves a snapshot of all apps for data recovery purposes.

-Snapshots are incremental shadow copies of your App Service app. When your app is in Premium tier or higher, App Service takes periodic snapshots of both the app's content and its configuration. They offer several advantages over [standard backups](manage-backup.md):

-Restoring from snapshots is available to apps running in **Premium** tier or higher. For information about scaling

-up your app, see [Scale up an app in Azure](manage-scale-up.md).

-## Limitations

-## Restore an app from a snapshot

-1. On the **Settings** page of your app in the [Azure portal](https://portal.azure.com), click **Backups** to display the **Backups** page. Then click **Restore** under the **Snapshot(Preview)** section.

- 

- 

-3. Specify the destination for the app restore in **Restore destination**.

- 

- > [!WARNING]

- > As a best practice we recommend restoring to a new slot then performing a swap. If you choose **Overwrite**, all existing data in your app's current file system is erased and overwritten. Before you click **OK**, make sure that it is what you want to do.

- >

- > [!Note]

- > Due to current technical limitations, you can only restore to apps in the same scale unit. This limitation will be removed in a future release.

- >

- >

-

- You can select **Existing App** to restore to a slot. Before you use this option, you should have already created a slot in your app.

- 

-```console

-```console

-```console

-```console

-```console

-```console

-```console

-#az arcdata dc debug copy-logs --target-folder C:\temp\logs --exclude-dumps --skip-compress --resource-kind postgresql-12 --resource-name pg1 --use-k8s --k8s-namespace

-```powershell

-```powershell

-```console

-```powershell

-```console

-```console

-```console

-```console

-```console

-```console

- ```bash

- ```bash

-```console

- ```console

- ```console

- ```console

-```console

- ```console

- ```console

- ```console

- ```console

- ```console

-```console

- ```console

- ```console

- ```

- ```

- ```

-```

-```

-```

-```

-```

-```

- ```

- ```

-```console

-$ az connectedk8s connect -n AzureArcTest -g AzureArcTest

-$ az connectedk8s connect --resource-group AzureArc --name AzureArcCluster

-$ az connectedk8s connect --resource-group AzureArc --name AzureArcCluster

-```console

-$ az connectedk8s connect -n AzureArcTest -g AzureArcTest

-```console

-```console

-```console

-flux

-...

-```console

-```console

- ```console

- ```

-```console

-$ az connectedk8s proxy -n AzureArcTest -g AzureArcTest

-```console

-$ az connectedk8s proxy -n AzureArcTest -g AzureArcTest

- ```console

- ```console

- ```console

- ```console

- ```console

- ```console

-```console

-$ az k8s-configuration show --resource-group <resource group name> --cluster-name <connected cluster name> --name <configuration name> --cluster-type connectedClusters --query 'repositoryPublicKey'

- ```console

- ```console

- ```console

- ```console

-```console

-```console

-```console

-```console

-```console

-```console

-```console

-```console

-```console

-```console

-```console

-```console

-```console

-```console

-```console

-```console

-* Syslog

-* Windows events

-* ETW Events

-* IIS Logs

- public static IActionResult Index([HttpTrigger(AuthorizationLevel.Anonymous)]HttpRequest req, ExecutionContext context)

- public static SignalRConnectionInfo Negotiate(

- [SignalRConnectionInfo(HubName = "serverlessSample")] SignalRConnectionInfo connectionInfo)

- [SignalR(HubName = "serverlessSample")] IAsyncCollector<SignalRMessage> signalRMessages)

- var result = JsonConvert.DeserializeObject<GitResult>(await response.Content.ReadAsStringAsync());

- Arguments = new[] { $"Current star count of https://github.com/Azure/azure-signalr is: {result.StarCount}" }

-

-

-

- HttpRequest req = HttpRequest.newBuilder().uri(URI.create("https://api.github.com/repos/azure/azure-signalr")).header("User-Agent", "serverless").build();

- Gson gson = new Gson();

- GitResult result = gson.fromJson(res.body(), GitResult.class);

- return new SignalRMessage("newMessage", "Current star count of https://github.com/Azure/azure-signalr is:".concat(result.stargazers_count));

- headers: {'User-Agent': 'serverless'}

- var jbody = JSON.parse(body);

- "arguments": [ `Current star count of https://github.com/Azure/azure-signalr is: ${jbody['stargazers_count']}` ]

- }

- headers = {'User-Agent': 'serverless'}

- jres = res.json()

- 'arguments': [ 'Current star count of https://github.com/Azure/azure-signalr is: ' + str(jres['stargazers_count']) ]

- The "username" and "password" should be the username and password used to log in into the Customers database.

-| **File size** | **>=0 and <=128 GiB** | **>128 and <= 512 GiB** | **>0.5 and <=1 TiB** | **>1 and <=2 TiB** | **>2 and <=4 TiB** | **>4 and <=8 TiB** | **>8 and <=16 TiB** |

-|:--|:--|:--|:--|:--|:--|:--|:--|

-| IOPS per file | 500 | 2300 | 5000 | 7500 | 7500 | 12,500 | |

-| Throughput per file | 100 MiB/s | 150 MiB/s | 200 MiB/s | 250 MiB/s| 250 MiB/s | 480 MiB/s | |

-* [ASP.NET Core 3.1 or above](/aspnet/core)

-We'll use [ASP.NET Core](/aspnet/core) to host the web pages and handle incoming requests.

-2. Then add `app.UseStaticFiles();` before `app.UseRouting();` in `Startup.cs` to support static files. Remove the default `endpoints.MapGet` inside `app.UseEndpoints`.

- ```csharp

- public void Configure(IApplicationBuilder app, IWebHostEnvironment env)

- if (env.IsDevelopment())

- {

- app.UseDeveloperExceptionPage();

- }

- app.UseStaticFiles();

- app.UseRouting();

- app.UseEndpoints(endpoints =>

- {

- });

- }

- <body>

- <h1>Azure Web PubSub Chat</h1>

- </body>

-2. Add a `SampleChatHub` class to handle hub events. And DI the service middleware and service client inside `ConfigureServices()`. Don't forget to replace `<connection_string>` with the one of your services.

- public void ConfigureServices(IServiceCollection services)

- services.AddWebPubSub(o => o.ServiceEndpoint = new ServiceEndpoint("<connection_string>"))

- .AddWebPubSubServiceClient<SampleChatHub>();

- public void Configure(IApplicationBuilder app, IWebHostEnvironment env)

- {

- if (env.IsDevelopment())

- {

- app.UseDeveloperExceptionPage();

- }

- app.UseStaticFiles();

- app.UseRouting();

- app.UseEndpoints(endpoints =>

- {

- });

- }

- private sealed class SampleChatHub : WebPubSubHub

- `AddWebPubSubServiceClient<THub>()` is used to inject the service client `WebPubSubServiceClient<THub>`, with which we can use in negotiation step to generate client connection token and in hub methods to invoke service REST APIs when hub events are triggered.

-3. Add a `/negotiate` API to the server inside `app.UseEndpoints` to generate the token.

- {

- endpoints.MapGet("/negotiate", async context =>

- {

- var id = context.Request.Query["id"];

- if (id.Count != 1)

- {

- context.Response.StatusCode = 400;

- await context.Response.WriteAsync("missing user id");

- return;

- }

- var serviceClient = context.RequestServices.GetRequiredService<WebPubSubServiceClient<SampleChatHub>>();

- await context.Response.WriteAsync(serviceClient.GetClientAccessUri(userId: id).AbsoluteUri);

- });

- This token generation code is similar to the one we used in the [publish and subscribe message tutorial](./tutorial-pub-sub-messages.md), except we pass one more argument (`userId`) when generating the token. User ID can be used to identify the identity of client so when you receive a message you know where the message is coming from.

- You can test this API by running `dotnet run --urls http://localhost:8080` and accessing `http://localhost:8080/negotiate?id=<user-id>` and it will give you the full url of the Azure Web PubSub with an access token.

-4. Then update `https://docsupdatetracker.net/index.html` to include the following script to get the token from server and connect to service.

- If you are using Chrome, you can test it by opening the home page, input your user name. Press F12 to open the Developer Tools window, switch to **Console** table and you'll see `connected` being printed in browser console.

-1. Add event handlers inside `UseEndpoints`. Specify the endpoint path for the events, let's say `/eventhandler`.

- private sealed class SampleChatHub : WebPubSubHub

-Implement the `OnMessageReceivedAsync()` method in `SampleChatHub`.

- private sealed class SampleChatHub : WebPubSubHub

- This event handler uses `WebPubSubServiceClient.SendToAllAsync()` to broadcast the received message to all clients. You can see in the end we returned `UserEventResponse`, which contains a message directly to the caller and make the WebHook request success. If you have extra logic to validate and would like to break this call, you can throw an exception here. The middleware will deliver the exception message to service and service will drop current client connection.

-The complete code sample of this tutorial can be found [here][code-csharp].

- > ```powershell

- ```powershell

- ```powershell

- ```powershell

- ```powershell

- ```powershell

- ```powershell

-```powershell

-```powershell

-```powershell

-```powershell

-A backup policy is associated with at least one retention policy. A retention policy defines how long a recovery point is kept before it's deleted. You can configure backups with daily, weekly, monthly, or yearly retention.

-```powershell

-```powershell

-```powershell

-```powershell

-```powershell

-```powershell

-```powershell

->```powershell

-```powershell

-```powershell

-2. Search for Cosmos and select the Azure Cosmos DB's API for MongoDB connector.

-2. Search for Cosmos and select the Azure Cosmos DB (SQL API) connector.

-2. Search for Data Lake and select the Azure Data Lake Storage Gen2 connector.

-2. Search for and select the Azure Data Lake Storage Gen1 connector.

-* If you receive an error message about running SSIS packages, which can generate a long queue, go to the [Azure-SSIS Package Execution Troubleshooting Guide](ssis-integration-runtime-ssis-activity-faq.yml) and [Integration Runtime Management Troubleshooting Guide.](ssis-integration-runtime-management-troubleshoot.md)

-#### Symptoms

-An OutOfMemoryException (OOM) error occurs when you try to run a lookup activity with a linked IR or a self-hosted IR.

-#### Cause

-A new activity can throw an OOM error if the IR machine experiences momentary high memory usage. The issue might be caused by a large volume of concurrent activity, and the error is by design.

-#### Resolution

-Check the resource usage and concurrent activity execution on the IR node. Adjust the internal and trigger time of activity runs to avoid too much execution on a single IR node at the same time.

-#### Symptoms

-When you try to increase the concurrent jobs limit from UI, the process hangs in *Updating* status.

-Example scenario: The maximum concurrent jobs value is currently set to 24, and you want to increase the count so that your jobs can run faster. The minimum value that you can enter is 3, and the maximum value is 32. You increase the value from 24 to 32 and then select the **Update** button. The process gets stuck in *Updating* status, as shown in the following screenshot. You refresh the page, and the value is still displayed as 24. It hasn't been updated to 32 as you had expected.

-#### Cause

-The limit on the number of concurrent jobs depends on the computer's logic core and memory. Try to adjust the value downward to a value such as 24, and then view the result.

-> [!TIP]

-> - To learn more about logic core count and to determine your machine's logic core count, see [Four ways to find the number of cores in your CPU on Windows 10](https://www.top-password.com/blog/find-number-of-cores-in-your-cpu-on-windows-10/).

-> - To learn how to calculate the math.log, go to the [Logarithm calculator](https://www.rapidtables.com/calc/math/Log_Calculator.html).

-#### Symptoms

-The self-hosted IR work node has reported the following error:

-"Failed to pull shared states from primary node net.tcp://abc.cloud.corp.Microsoft.com:8060/ExternalService.svc/. Activity ID: XXXXX The X.509 certificate CN=abc.cloud.corp.Microsoft.com, OU=test, O=Microsoft chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. The revocation function was unable to check revocation because the revocation server was offline."

-#### Cause

-When you handle cases that are related to an SSL/TLS handshake, you might encounter some issues related to certificate chain verification.

-#### Resolution

-

- 1. Export the certificate, which needs to be verified. To do so, do the following:

- a. In Windows, select **Start**, start typing **certificates**, and then select **Manage computer certificates**.

-

- b. In File Explorer, on the left pane, search for the certificate that you want to check, right-click it, and then select **All tasks** > **Export**.

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/export-tasks.png" alt-text="Screenshot of the &quot;All Tasks&quot; > &quot;Export&quot; control for a certificate on the &quot;Manage computer certificates&quot; pane.":::

- 2. Copy the exported certificate to the client machine.

- 3. On the client side, in a Command Prompt window, run the following command. Be sure to replace *\<certificate path>* and *\<output txt file path>* with the actual paths.

- ```

- Certutil -verify -urlfetch <certificate path> > <output txt file path>

- ```

- For example:

- ```

- Certutil -verify -urlfetch c:\users\test\desktop\servercert02.cer > c:\users\test\desktop\Certinfo.txt

- ```

- 4. Check for errors in the output TXT file. You can find the error summary at the end of the TXT file.

- For example:

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/error-summary.png" alt-text="Screenshot of an error summary at the end of the TXT file.":::

- If you don't see an error at the end of the log file, as shown in the following screenshot, you can consider that the certificate chain has been built successfully on the client machine.

-

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/log-file.png" alt-text="Screenshot of a log file showing no errors.":::

-

- 1. Get this information by checking the certificate details, as shown in the following screenshot:

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/certificate-detail.png" alt-text="Screenshot of certificate details.":::

- 1. Run the following command. Be sure to replace *\<certificate path>* with the actual path of the certificate.

- ```

- Certutil -URL <certificate path>

- ```

- The URL Retrieval tool opens.

- 1. To verify certificates with AIA, CDP, and OCSP file name extensions, select **Retrieve**.

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/retrieval-button.png" alt-text="Screenshot of the URL Retrieval Tool and the Retrieve button.":::

-

- You've built the certificate chain successfully if the certificate status from AIA is *Verified* and the certificate status from CDP or OCSP is *Verified*.

- If you fail when you try to retrieve AIA or CDP, work with your network team to get the client machine ready to connect to the target URL. It will be enough if either the HTTP path or the Lightweight Directory Access Protocol (LDAP) path can be verified.

-#### Symptoms

-You get the following error message:

-"Could not load file or assembly 'XXXXXXXXXXXXXXXX, Version=4.0.2.0, Culture=neutral, PublicKeyToken=XXXXXXXXX' or one of its dependencies. The system cannot find the file specified. Activity ID: 92693b45-b4bf-4fc8-89da-2d3dc56f27c3"

-

-Here is a more specific error message:

-"Could not load file or assembly 'System.ValueTuple, Version=4.0.2.0, Culture=neutral, PublicKeyToken=XXXXXXXXX' or one of its dependencies. The system cannot find the file specified. Activity ID: 92693b45-b4bf-4fc8-89da-2d3dc56f27c3"

-#### Cause

-In Process Monitor, you can view the following result:

-> [!TIP]

-> In Process Monitor, you can set filters as shown in following screenshot.

->

-> The preceding error message says that the DLL System.ValueTuple is not located in the related *Global Assembly Cache* (GAC) folder, in the *C:\Program Files\Microsoft Integration Runtime\4.0\Gateway* folder, or in the *C:\Program Files\Microsoft Integration Runtime\4.0\Shared* folder.

->

-> Basically, the process loads the DLL first from the *GAC* folder, then from the *Shared* folder, and finally from the *Gateway* folder. Therefore, you can load the DLL from any path that's helpful.

-<br>

-#### Resolution

-You'll find the *System.ValueTuple.dll* file in the *C:\Program Files\Microsoft Integration Runtime\4.0\Gateway\DataScan* folder. To resolve the issue, copy the *System.ValueTuple.dll* file to the *C:\Program Files\Microsoft Integration Runtime\4.0\Gateway* folder.

-You can use the same method to resolve other missing file or assembly issues.

-#### More information about this issue

-The reason why you see the *System.ValueTuple.dll* under *%windir%\Microsoft.NET\assembly* and *%windir%\assembly* is that this is a .NET behavior.

-In the following error, you can clearly see that the *System.ValueTuple* assembly is missing. This issue arises when the application tries to check the *System.ValueTuple.dll* assembly.

-

-> "\<LogProperties>\<ErrorInfo>[{"Code":0,"Message":"The type initializer for 'Npgsql.PoolManager' threw an exception.","EventType":0,"Category":5,"Data":{},"MsgId":null,"ExceptionType":"System.TypeInitializationException","Source":"Npgsql","StackTrace":"","InnerEventInfos":[{"Code":0,"Message":"Could not load file or assembly 'System.ValueTuple, Version=4.0.2.0, Culture=neutral, PublicKeyToken=XXXXXXXXX' or one of its dependencies. The system cannot find the file specified.","EventType":0,"Category":5,"Data":{},"MsgId":null,"ExceptionType":"System.IO.FileNotFoundException","Source":"Npgsql","StackTrace":"","InnerEventInfos":[]}]}]\</ErrorInfo>\</LogProperties>"

-

-For more information about GAC, see [Global Assembly Cache](/dotnet/framework/app-domains/gac).

-#### Symptoms

-The self-hosted integration runtime suddenly goes offline without an Authentication Key, and the Event Log displays the following error message:

-"Authentication Key is not assigned yet"

-#### Cause

-#### Resolution

-If neither of the preceding causes applies, you can go to the *%programdata%\Microsoft\Data Transfer\DataManagementGateway* folder to see whether the *Configurations* file has been deleted. If it was deleted, follow the instructions in the Netwrix article [Detect who deleted a file from your Windows file servers](https://www.netwrix.com/how_to_detect_who_deleted_file.html).

-#### Symptoms

-After you create self-hosted IRs for both the source and destination datastores, you want to connect the two IRs to finish a copy activity. If the datastores are configured in different virtual networks, or the datastores can't understand the gateway mechanism, you receive either of the following errors:

-* "The driver of source cannot be found in destination IR"

-* "The source cannot be accessed by the destination IR"

-

-#### Cause

-The self-hosted IR is designed as a central node of a copy activity, not a client agent that needs to be installed for each datastore.

-In this case, you should create the linked service for each datastore with the same IR, and the IR should be able to access both datastore through the network. It doesn't matter whether the IR is installed at the source datastore or the destination datastore, or on a third machine. If two linked services are created with different IRs but used in the same copy activity, the destination IR is used, and you need to install the drivers for both datastores on the destination IR machine.

-#### Resolution

-Install drivers for both the source and destination datastores on the destination IR, and make sure that it can access the source datastore.

-

-If the traffic can't pass through the network between two datastores (for example, they're configured in two virtual networks), you might not finish copying in one activity even with the IR installed. If you can't finish copying in a single activity, you can create two copy activities with two IRs, each in a VENT:

-* Copy one IR from datastore 1 to Azure Blob Storage

-* Copy another IR from Azure Blob Storage to datastore 2.

-This solution could simulate the requirement to use the IR to create a bridge that connects two disconnected datastores.

-#### Symptoms

-If the data source credential "XXXXXXXXXX" is deleted from the current integration runtime node with payload, you receive the following error message:

-"When you delete the link service on Azure portal, or the task has the wrong payload, please create new link service with your credential again."

-#### Cause

-Your self-hosted IR is built in HA mode with two nodes, but the nodes aren't in a credentials sync state. This means that the credentials stored in the dispatcher node aren't synced to other worker nodes. If any failover happens from the dispatcher node to the worker node, and the credentials exist only in the previous dispatcher node, the task will fail when you're trying to access credentials, and you'll receive the preceding error.

-#### Resolution

-The only way to avoid this issue is to make sure that the two nodes are in credentials sync state. If they aren't in sync, you have to reenter the credentials for the new dispatcher.

-#### Symptoms

-* You've imported a PFX file to the certificate store.

-* When you selected the certificate through the IR Configuration Manager UI, you received the following error message:

- "Failed to change intranet communication encryption mode. It is likely that certificate '\<*certificate name*>' may not have a private key that is capable of key exchange or the process may not have access rights for the private key. Please see inner exception for detail."

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/private-key-missing.png" alt-text="Screenshot of the Integration Runtime Configuration Manager Settings pane, displaying a &quot;private key missing&quot; error message.":::

-#### Cause

-#### Resolution

-* To operate the UI, use an account with appropriate privileges for accessing the private key.

-* Import the certificate by running the following command:

- ```

- certutil -importpfx FILENAME.pfx AT_KEYEXCHANGE

- ```

-### Self-hosted integration runtime nodes out of the sync issue

-#### Symptoms

-Self-hosted integration runtime nodes try to sync the credentials across nodes but get stuck in the process and encounter the error message below after a while:

-"The Integration Runtime (Self-hosted) node is trying to sync the credentials across nodes. It may take several minutes."

->[!Note]

->If this error appears for over 10 minutes, please check the connectivity with the dispatcher node.

-#### Cause

-The reason is that the worker nodes do not have access to the private keys. This can be confirmed from the self-hosted integration runtime logs below:

-`[14]0460.3404::05/07/21-00:23:32.2107988 [System] A fatal error occurred when attempting to access the TLS server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.`

-You have no issue with the sync process when you use the service principal authentication in the linked service. However, when you switch the authentication type to account key, the syncing issue started. This is because the self-hosted integration runtime service runs under a service account (NT SERVICE\DIAHostService) and it need to be added to the private key permissions.

-#### Resolution

-To solve this issue, you need to add the self-hosted integration runtime service account (NT SERVICE\DIAHostService) to the private key permissions. You can apply the following steps:

-1. Open your Microsoft Management Console (MMC) Run Command.

- :::image type="content" source="./media/self-hosted-integration-runtime-troubleshoot-guide/management-console-run-command.png" alt-text="Screenshot that shows the MMC Run Command":::

-1. In the MMC pane, apply the following steps:

- :::image type="content" source="./media/self-hosted-integration-runtime-troubleshoot-guide/add-service-account-to-private-key-1.png" alt-text="Screenshot that shows the second step to add self-hosted IR service account to the private key permissions." lightbox="./media/self-hosted-integration-runtime-troubleshoot-guide/add-service-account-to-private-key-1-expanded.png":::

- 1. Select **File**.

- 1. Choose **Add/Remove Snap-in** in th drop-down menu.

- 1. Select **Certificates** in the "Available snap-ins" pane.

- 1. Select **Add**.

- 1. In the pop-up "Certificates snap-in" pane, choose **Computer account**.

- 1. Select **Next**.

- 1. In the "Select Computer" pane, choose **Local computer: the computer this console is running on**.

- 1. Select **Finish**.

- 1. Select **OK** in the "Add or Remove Snap-ins" pane.

-1. In the pane of MMC, move on with the following steps:

- :::image type="content" source="./media/self-hosted-integration-runtime-troubleshoot-guide/add-service-account-to-private-key-2.png" alt-text="Screenshot that shows the third step to add self-hosted IR service account to the private key permissions." lightbox="./media/self-hosted-integration-runtime-troubleshoot-guide/add-service-account-to-private-key-2-expanded.png":::

- 1. From the left folder list, select **Console Root -> Certificates (Local Computer) -> Personal -> Certificates**.

- 1. Right-click the **Microsoft Intune Beta MDM**.

- 1. Select **All Tasks** in the drop-down list.

- 1. Select **Manage Private Keys**.

- 1. Select **Add** under "Group or user names".

- 1. Select **NT SERVICE\DIAHostService** to grant it full control access to this certificate, apply and safe.

- 1. Select **Check Names** and then select **OK**.

- 1. In the "Permissions" pane, select **Apply** and then select **OK**.

-#### Symptoms

-When you try to copy content to Microsoft Azure by using a Java-based tool or program (for example, copying ORC or Parquet format files), you receive an error message that resembles the following:

-> ErrorCode=UserErrorJreNotFound,'Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=Java Runtime Environment is not found. Go to `http://go.microsoft.com/fwlink/?LinkId=808605` to download and install on your Integration Runtime (Self-hosted) node machine. Note 64-bit Integration Runtime requires 64-bit JRE and 32-bit Integration Runtime requires 32-bit JRE.,Source=Microsoft.DataTransfer.Common,''Type=System.DllNotFoundException,Message=Unable to load DLL 'jvm.dll': The specified module could not be found. (Exception from HRESULT: 0x8007007E),Source=Microsoft.DataTransfer.Richfile.HiveOrcBridge

-#### Cause

-This issue occurs for either of the following reasons:

-By default, Integration Runtime resolves the JRE path by using registry entries. Those entries should be automatically set during JRE installation.

-#### Resolution

-Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/topic/how-to-back-up-and-restore-the-registry-in-windows-855140ad-e318-2a13-2829-d428a2ab0692) in case problems occur.

-To fix this issue, follow these steps to verify the status of the JRE installation:

-1. Make sure that Integration Runtime (Diahost.exe) and JRE are installed on the same platform. Check the following conditions:

- - 64-bit JRE for 64-bit ADF Integration Runtime should be installed in the folder: `C:\Program Files\Java\`

- > [!NOTE]

- > The folder is not `C:\Program Files (x86)\Java\`

- - JRE 7 and JRE 8 are both compatible for this copy activity. JRE 6 and versions that are earlier than JRE 6 have not been validated for this use.

-2. Check the registry for the appropriate settings. To do this, follow these steps:

- 1. In the **Run** menu, type **Regedit**, and then press Enter.

- 1. In the navigation pane, locate the following subkey:<br/> `HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment`. <br/>

- In the **Details** pane, there should be a Current Version entry that shows the JRE version (for example, 1.8).

- :::image type="content" source="./media/self-hosted-integration-runtime-troubleshoot-guide/java-runtime-environment-image.png" alt-text="Screenshot showing the Java Runtime Environment.":::

- 1. In the navigation pane, locate a subkey that is an exact match for the version (for example 1.8) under the JRE folder. In the details pane, there should be a **JavaHome** entry. The value of this entry is the JRE installation path.

- :::image type="content" source="./media/self-hosted-integration-runtime-troubleshoot-guide/java-home-entry-image.png" alt-text="Screenshot showing a JavaHome entry.":::

-3. Locate the bin\server folder in the following path: <br/>

- `C:\Program Files\Java\jre1.8.0_74`

- :::image type="content" source="./media/self-hosted-integration-runtime-troubleshoot-guide/folder-of-jre.png" alt-text="Screenshot showing the JRE folder.":::

-1. Check whether this folder contains a jvm.dll file. If it does not, check for the file in the `bin\client` folder.

- :::image type="content" source="./media/self-hosted-integration-runtime-troubleshoot-guide/file-location-image.png" alt-text="Screenshot showing a jvm.dll file location.":::

-> [!NOTE]

-> - If any of these configurations are not as described in these steps, use the [JRE windows installer](https://java.com/en/download/manual.jsp) to fix the problems.

-> - If all the configurations in these steps are correct as described, there may be a VC++ runtime library missing in the system. You can fix this problem by installing the VC++ 2010 Redistributable Package.

-#### Symptoms

-You might occasionally want to run a self-hosted IR in a different account for either of the following reasons:

-After you change the service account on the service pane, you might find that the integration runtime stops working, and you get the following error message:

-"The Integration Runtime (Self-hosted) node has encountered an error during registration. Cannot connect to the Integration Runtime (Self-hosted) Host Service."

-#### Cause

-Many resources are granted only to the service account. When you change the service account to another account, the permissions of all dependent resources remain unchanged.

-#### Resolution

-Go to the integration runtime event log to check the error.

-* If the error in the event log is "UnauthorizedAccessException," do the following:

- 1. Check the *DIAHostService* logon service account in the Windows service panel.

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/logon-service-account.png" alt-text="Screenshot of the Logon service account properties pane.":::

- 1. Check to see whether the logon service account has read/write permissions for the *%programdata%\Microsoft\DataTransfer\DataManagementGateway* folder.

- - By default, if the service logon account hasn't been changed, it should have read/write permissions.

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/service-permission.png" alt-text="Screenshot of the service permissions pane.":::

- - If you've changed the service logon account, mitigate the issue by doing the following:

-

- a. Perform a clean uninstallation of the current self-hosted IR.

- b. Install the self-hosted IR bits.

- c. Change the service account by doing the following:

- i. Go to the self-hosted IR installation folder, and then switch to the *Microsoft Integration Runtime\4.0\Shared* folder.

- ii. Open a Command Prompt window by using elevated privileges. Replace *\<user>* and *\<password>* with your own username and password, and then run the following command:

- `dmgcmd.exe -SwitchServiceAccount "<user>" "<password>"`

- iii. If you want to change to the LocalSystem account, be sure to use the correct format for this account: `dmgcmd.exe -SwitchServiceAccount "NT Authority\System" ""`

- Do *not* use this format: `dmgcmd.exe -SwitchServiceAccount "LocalSystem" ""`

- iv. Optionally, because Local System has higher privileges than Administrator, you can also directly change it in "Services".

- v. You can use a local/domain user for the IR service logon account.

- d. Register the integration runtime.

-* If the error is "Service 'Integration Runtime Service' (DIAHostService) failed to start. Verify that you have sufficient privileges to start system services," do the following:

- 1. Check the *DIAHostService* logon service account in the Windows service panel.

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/logon-service-account.png" alt-text="Screenshot of the &quot;Log On&quot; pane for the service account.":::

- 1. Check to see whether the logon service account has **Log on as a service** permission to start the Windows service:

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/logon-as-service.png" alt-text="Screenshot of the &quot;Log on as service&quot; properties pane.":::

-#### More information

-If neither of the preceding two resolution patterns applies in your case, try to collect the following Windows event logs:

-#### Symptoms

-When you register a self-hosted IR, the **Register** button isn't displayed on the Configuration Manager pane.

-#### Cause

-As of the release of Integration Runtime 3.0, the **Register** button on existing integration runtime nodes has been removed to enable a cleaner and more secure environment. If a node has been registered to an integration runtime, whether it's online or not, re-register it to another integration runtime by uninstalling the previous node, and then install and register the node.

-#### Resolution

-1. In Control Panel, uninstall the existing integration runtime.

- > [!IMPORTANT]

- > In the following process, select **Yes**. Do not keep data during the uninstallation process.

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/delete-data.png" alt-text="Screenshot of the &quot;Yes&quot; button for deleting all user data from the integration runtime.":::

-1. If you don't have the integration runtime installer MSI file, go to [download center](https://www.microsoft.com/en-sg/download/details.aspx?id=39717) to download the latest integration runtime.

-1. Install the MSI file, and register the integration runtime.

-#### Symptoms

-You're unable to register the self-hosted IR on a new machine when you use get_LoopbackIpOrName.

-**Debug:**

-A runtime error has occurred.

-The type initializer for 'Microsoft.DataTransfer.DIAgentHost.DataSourceCache' threw an exception.

-A non-recoverable error occurred during a database lookup.

-

-**Exception detail:**

-System.TypeInitializationException: The type initializer for 'Microsoft.DataTransfer.DIAgentHost.DataSourceCache' threw an exception. > System.Net.Sockets.SocketException: A non-recoverable error occurred during a database lookup at System.Net.Dns.GetAddrInfo(String name).

-#### Cause

-The issue usually occurs when the localhost is being resolved.

-#### Resolution

-Use localhost IP address 127.0.0.1 to host the file and resolve the issue.

-#### Symptoms

-You're unable to uninstall an existing IR, install a new IR, or upgrade an existing IR to a new IR.

-#### Cause

-The integration runtime installation depends on the Windows Installer service. You might experience installation problems for the following reasons:

-#### Symptoms

-When you install a self-hosted IR via Microsoft Integration Runtime Configuration Manager, a certificate with a trusted certificate authority (CA) is generated. The certificate couldn't be applied to encrypt communication between two nodes, and the following error message is displayed:

-"Failed to change Intranet communication encryption mode: Failed to grant Integration Runtime service account the access of to the certificate '\<*certificate name*>'. Error code 103"

-#### Cause

-The certificate is using key storage provider (KSP) storage, which is not supported yet. To date, self-hosted IR supports only cryptographic service provider (CSP) storage.

-#### Resolution

-We recommend that you use CSP certificates in this case.

-**Solution 1**

-To import the certificate, run the following command:

-`Certutil.exe -CSP "CSP or KSP" -ImportPFX FILENAME.pfx`

-**Solution 2**

-To convert the certificate, run the following commands:

-`openssl pkcs12 -in .\xxxx.pfx -out .\xxxx_new.pem -password pass: <EnterPassword>`

-`openssl pkcs12 -export -in .\xxxx_new.pem -out xxxx_new.pfx`

-Before and after conversion:

-#### Symptoms

-When you attempt to register the self-hosted integration runtime, Configuration Manager displays the following error message:

-"The Integration Runtime (Self-hosted) node has encountered an error during registration."

-#### Cause

-The self-hosted IR can't connect to the service back end. This issue is usually caused by network settings in the firewall.

-#### Resolution

-1. Check to see whether the integration runtime service is running. If it is, go to step 2.

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/integration-runtime-service-running-status.png" alt-text="Screenshot showing that the self-hosted IR service is running.":::

-1. If no proxy is configured on the self-hosted IR, which is the default setting, run the following PowerShell command on the machine where the self-hosted integration runtime is installed:

- ```powershell

- (New-Object System.Net.WebClient).DownloadString("https://wu2.frontend.clouddatahub.net/")

- ```

- > [!NOTE]

- > The service URL might vary, depending on the location of your data factory or Synapse workspace instance. To find the service URL, use the Manage page of the UI in your data factory or Azure Synapse instance to find **Integration runtimes** and click your self-hosted IR to edit it. There select the **Nodes** tab and click **View Service URLs**.

-

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/powershell-command-response.png" alt-text="Screenshot of the PowerShell command response.":::

-

-1. If you don't receive the response you had expected, use one of the following methods, as appropriate:

-

- * If you receive a "Remote name could not be resolved" message, there's a Domain Name System (DNS) issue. Contact your network team to fix the issue.

- * If you receive an "ssl/tls cert is not trusted" message, [check the certificate](https://wu2.frontend.clouddatahub.net/) to see whether it's trusted on the machine, and then install the public certificate by using Certificate Manager. This action should mitigate the issue.

- * Go to **Windows** > **Event viewer (logs)** > **Applications and Services Logs** > **Integration Runtime**, and check for any failure that's caused by DNS, a firewall rule, or company network settings. If you find such a failure, forcibly close the connection. Because every company has its own customized network settings, contact your network team to troubleshoot these issues.

-1. If "proxy" has been configured on the self-hosted integration runtime, verify that your proxy server can access the service endpoint. For a sample command, see [PowerShell, web requests, and proxies](https://stackoverflow.com/questions/571429/powershell-web-requests-and-proxies).

- ```powershell

- $user = $env:username

- $webproxy = (get-itemproperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet

- Settings').ProxyServer

- $pwd = Read-Host "Password?" -assecurestring

- $proxy = new-object System.Net.WebProxy

- $proxy.Address = $webproxy

- $account = new-object System.Net.NetworkCredential($user,[Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($pwd)), "")

- $proxy.credentials = $account

- $url = "https://wu2.frontend.clouddatahub.net/"

- $wc = new-object system.net.WebClient

- $wc.proxy = $proxy

- $webpage = $wc.DownloadData($url)

- $string = [System.Text.Encoding]::ASCII.GetString($webpage)

- $string

- ```

-The following is the expected response:

-

-> [!NOTE]

-> Proxy considerations:

-> * Check to see whether the proxy server needs to be put on the Safe Recipients list. If so, make sure [these domains](./data-movement-security-considerations.md#firewall-requirements-for-on-premisesprivate-network) are on the Safe Recipients list.

-> * Check to see whether SSL/TLS certificate "wu2.frontend.clouddatahub.net/" is trusted on the proxy server.

-> * If you're using Active Directory authentication on the proxy, change the service account to the user account that can access the proxy as "Integration Runtime Service."

-#### Cause

-The self-hosted integrated runtime node might have a status of **Inactive**, as shown in the following screenshot:

-This behavior occurs when nodes can't communicate with each other.

-#### Resolution

-1. Log in to the node-hosted virtual machine (VM). Under **Applications and Services Logs** > **Integration Runtime**, open Event Viewer, and filter the error logs.

-1. Check to see whether an error log contains the following error:

- ```

- System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://xxxxxxx.bwld.com:8060/ExternalService.svc/WorkerManager. The connection attempt lasted for a time span of 00:00:00.9940994. TCP error code 10061: No connection could be made because the target machine actively refused it 10.2.4.10:8060.

- System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it.

- 10.2.4.10:8060

- at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)

- at System.Net.Sockets.Socket.Connect(EndPoint remoteEP)

- at System.ServiceModel.Channels.SocketConnectionInitiator.Connect(Uri uri, TimeSpan timeout)

- ```

-

-1. If you see this error, run the following command in a Command Prompt window:

- ```

- telnet 10.2.4.10 8060

- ```

-

-1. If you receive the "Could not open connection to the host" command-line error that's shown in the following screenshot, contact your IT department for help to fix this issue. After you can successfully telnet, contact Microsoft Support if you still have issues with the integration runtime node status.

-

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/command-line-error.png" alt-text="Screenshot of the &quot;Could not open connection to the host&quot; command-line error.":::

-1. Check to see whether the error log contains the following entry:

- ```

- Error log: Cannot connect to worker

- ```

-1. To resolve the issue, try one or both of the following methods:

- - Put all the nodes in the same domain.

- - Add the IP to host mapping in all the hosted VM's host files.

-#### Symptoms

-You might occasionally need to troubleshoot certain connectivity issues between the self-hosted IR and your data factory or Azure Synapse instance, as shown in the following screenshot, or between the self-hosted IR and the data source or sink.

-In either instance, you might encounter the following errors:

-* "Copy failed with error:Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=Cannot connect to SQL Server: 'IP address'"

-* "One or more errors occurred. An error occurred while sending the request. The underlying connection was closed: An unexpected error occurred on a receive. Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. An existing connection was forcibly closed by the remote host Activity ID."

-#### Resolution

-When you encounter the preceding errors, troubleshoot them by following the instructions in this section.

- 1. You can set the filter to see a reset from the server to the client side. In the following example screenshot, you can see that the server side is the Data Factory server.

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/data-factory-server.png" alt-text="Screenshot of the Data factory server.":::

- 1. When you get the reset package, you can find the conversation by following Transmission Control Protocol (TCP).

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/find-conversation.png" alt-text="Screenshot of the TCP conversation.":::

- 1. Get the conversation between the client and the Data Factory server below by removing the filter.

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/get-conversation.png" alt-text="Screenshot of conversation details.":::

- Default TTL and Hop Limit values vary between different operating systems, as listed here:

- - Linux kernel 2.4 (circa 2001): 255 for TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP)

- - Linux kernel 4.10 (2015): 64 for TCP, UDP, and ICMP

- - Windows XP (2001): 128 for TCP, UDP, and ICMP

- - Windows 10 (2015): 128 for TCP, UDP, and ICMP

- - Windows Server 2008: 128 for TCP, UDP, and ICMP

- - Windows Server 2019 (2018): 128 for TCP, UDP, and ICMP

- - macOS (2001): 64 for TCP, UDP, and ICMP

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/ttl-61.png" alt-text="Screenshot showing a TTL value of 61.":::

- In the preceding example, the TTL is shown as 61 instead of 64, because when the network package reaches its destination, it needs to go through various hops, such as routers or network devices. The number of routers or network devices is deducted to produce the final TTL.

- In this case, you can see that a reset can be sent from the Linux System with TTL 64.

-

- *Network package from Linux System A with TTL 64 -> B TTL 64 minus 1 = 63 -> C TTL 63 minus 1 = 62 -> TTL 62 minus 1 = 61 self-hosted IR*

-

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/ttl-107.png" alt-text="Screenshot showing a TTL value of 107.":::

- Therefore, you need to engage the network team to check to see what the fourth hop is from the self-hosted IR. If it's the firewall, as with the Linux System, check any logs to see why that device resets the package after the TCP 3 handshake.

- If you're unsure where to investigate, try to get the Netmon trace from both the self-hosted IR and the firewall during the problematic time. This approach will help you figure out which device might have reset the package and caused the disconnection. In this case, you also need to engage your network team to move forward.

-#### Symptoms

-The self-hosted IR couldn't connect to the Azure Data Factory or Azure Synapse service.

-When you check the self-hosted IR event log or the client notification logs in the CustomLogEvent table, you'll find the following error message:

-"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure."

-The simplest way to check the server certificate of the service is to open the service URL in your browser. For example, open the [check server certificate link](https://eu.frontend.clouddatahub.net/) on the machine where the self-hosted IR is installed, and then view the server certificate information.

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/server-certificate.png" alt-text="Screenshot of the check server certificate pane of the Azure Data Factory service.":::

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/certificate-path.png" alt-text="Screenshot of the window for checking the server certification path.":::

-#### Cause

-There are two possible reasons for this issue:

-#### Resolution

-For more information about trusting certificates on Windows, see [Installing the trusted root certificate](/skype-sdk/sdn/articles/installing-the-trusted-root-certificate).

-#### Additional information

-We've rolled out a new SSL certificate, which is signed from DigiCert. Check to see whether the DigiCert Global Root G2 is in the trusted root CA.

- :::image type="content" source="media/self-hosted-integration-runtime-troubleshoot-guide/trusted-root-ca-check.png" alt-text="Screenshot showing the DigiCert Global Root G2 folder in the Trusted Root Certification Authorities directory.":::

-If it isn't in the trusted root CA, [download it here](http://cacerts.digicert.com/DigiCertGlobalRootG2.crt ).

-### Secure development environment

-The Horizon ODE enables development of custom or proprietary protocols that cannot be shared outside an organization. For example, because of legal regulations or corporate policies.

-Develop dissector plugins without:

-Contact <ms-horizon-support@microsoft.com> for information about developing protocol plugins.

-### Customization and localization

-The SDK supports various customization options, including:

- - Text for function codes.

- - Full localization text for alerts, events, and protocol parameters.

- :::image type="content" source="media/references-horizon-sdk/localization.png" alt-text="View fully localized alerts.":::

-## Horizon architecture

-The architectural model includes three product layers.

-### Defender for IoT platform layer

-Enables immediate integration and real-time monitoring of custom dissector plugins in the Defender for IoT platform, without the need to upgrade the Defender for IoT platform version.

-### Defender for IoT services layer

-Each service is designed as a pipeline, decoupled from a specific protocol, enabling more efficient, independent development.

-Each service is designed as a pipeline, decoupled from a specific protocol. Services listens for traffic on the pipeline. They interact with the plugin data and the traffic captured by the sensors to index deployed protocols and analyze the traffic payload, and enable a more efficient and independent development.

-### Custom dissector layer

-Enables creation of plugins using the Defender for IoT proprietary SDK (including C++ implementation and JSON configuration) to:

- :::image type="content" source="media/references-horizon-sdk/layers.png" alt-text="The built-in layers.":::

-Defender for IoT provides basic dissectors for common protocols. You can build your dissectors on top of these protocols.

-This article describes how to accelerate alert workflows by using alert comments, alert groups, and custom alert rules in Microsoft Defender for IoT. These tools help you:

-To add alert comments:

-1. On the side menu, select **System Settings**.

-2. In the **System Setting** window, select **Alert Comments**.

-3. In the **Add comments** box, enter the comment text. Use up to 50 characters. Commas are not permissible.

-4. Select **Add**.

-If the sensor detects the activity described in the rule, the alert is sent. information that individual sensors detect. For example, define a rule that instructs a sensor to trigger an alert based on a source IP, destination IP, or command (within a protocol). When the sensor detects the traffic defined in the rule, an alert or event is generated.

-1. Select the plus sign (**+**) to create a rule.

-1. Define a rule name.

-1. Select a category or protocol from the **Categories** pane.

-1. Define a specific source and destination IP or MAC address, or choose any address.

-1. Define one or several rule conditions. Two categories of conditions can be created:

- - Conditions based on unique values associated with the category selected. Select Add and define the values.

- - Conditions based on the when the activity was detected. In the Detections section, select a time period and day in which the detection must occur in order to send the alert. You can choose to send the alert if the activity is detected anytime, during or after working hours. Use the Define working hours option to instruct Defender for IoT working hours for your organization.

-1. Define rule actions:

- - Indicate if the rule triggers an **Alarm** or **Event**.

- - Assign a severity level to the alert.

- - Indicate if the alert will include a PCAP file.

-1. Select **Save**.

-The rule is added to the **Customized Alerts Rules** list, where you can review basic rule parameters, the last time the rule was triggered, and more. You can also enable and disable the rule from the list.

-### See also

-[View information provided in alerts](how-to-view-information-provided-in-alerts.md)

-# Activate and set up your on-premises management console

-1. Enter the username and password you received for the on-premises management console during the system installation.

- :::image type="content" source="media/how-to-manage-sensors-from-the-on-premises-management-console/multiple-subscriptions.png" alt-text="You can select multiple subscriptions to onboard your on-premises management console to.":::

-## Sign-in and activation for administrator users

-Administrators who sign in for the first time should verify that they have access to activation and password recovery files that were downloaded during sensor onboarding. If not, they need Azure security administrator, subscription contributor, or subscription owner permissions to generate these files via Defender for IoT in the Azure portal.

-### First-time sign-in and activation checklist

-Following sensor installation, a local self-signed certificate is generated and used to access the sensor console. After an administrator signs in to the console for the first time, that user is prompted to onboard an SSL/TLS certificate.

-See [Manage certificates](how-to-manage-individual-sensors.md#manage-certificates) for more information about working with certificates.

- :::image type="content" source="media/how-to-activate-and-set-up-your-sensor/azure-defender-for-iot-sensor-log-in-screen.png" alt-text="Microsoft Defender for IoT sensor.":::

-1. After you sign in, the **Activation** dialog box opens. Select **Upload** and go to the activation file that you downloaded during the sensor onboarding.

- :::image type="content" source="media/how-to-activate-and-set-up-your-sensor/activation-upload-screen-with-upload-button.png" alt-text="Select Upload and go to the activation file.":::

-1. Select the **Sensor Network Configuration** link if you want to change the sensor network configuration before activation. See [Update sensor network configuration before activation](#update-sensor-network-configuration-before-activation).

-1. Accept the terms and conditions.

-1. Select **Activate**. The SSL/TLS certificate dialog box opens.

-1. Define a certificate name.

-1. Upload the CRT and key files.

-1. Enter a passphrase and upload a PEM file if required.

-1. Select **Next**. The validation screen opens. By default, validation between the management console and connected sensors is enabled.

-1. Turn off the **Enable system-wide validation** toggle to disable validation. We recommend that you enable validation.

-1. Select **Save**.

-You might need to refresh your screen after uploading the CA-signed certificate.

-For information about uploading a new certificate, supported certificate parameters, and working with CLI certificate commands, see [Manage individual sensors](how-to-manage-individual-sensors.md).

-#### Update sensor network configuration before activation

-The sensor network configuration parameters were defined during the software installation, or when you purchased a preconfigured sensor. The following parameters were defined:

-You might want to update this information before activating the sensor. For example, you might need to change the preconfigured parameters defined by Arrow. You can also define proxy settings before activating your sensor.

-**To update sensor network configuration parameters:**

-1. Select the **Sensor Network Configuration** link form the **Activation** dialog box.

- :::image type="content" source="media/how-to-activate-and-set-up-your-sensor/editable-network-configuration-screen-v2.png" alt-text="Sensor Network Configuration.":::

-2. The parameters defined during installation are displayed. The option to define the proxy is also available. Update any settings as required and select **Save**.

-For users with versions prior to 10.0, your license may expire, and the following alert will be displayed.

-### Subsequent sign-ins

-After first-time activation, the Microsoft Defender for IoT sensor console opens after sign-in without requiring an activation file. You need only your sign-in credentials.

-After your sign in, the Microsoft Defender for IoT console opens.

-After your first sign-in, the Microsoft Defender for IoT sensor starts to monitor your network automatically. Network devices will appear in the device map and device inventory sections. Microsoft Defender for IoT will begin to detect and alert you on all security and operational incidents that occur in your network. You can then create reports and queries based on the detected information.

-Initially this activity is carried out in the Learning Mode, which instructs your sensor to learn your network's usual activity. For example, the sensor learns devices discovered in your network, protocols detected in the network, and file transfers that occur between specific devices. This activity becomes your network's baseline activity.

-### Disable learning mode

-After adjusting the system settings, you can let the Microsoft Defender for IoT sensor run in learning mode until you feel that system detections accurately reflect your network activity.

-The learning mode should run for about 2 to 6 weeks, depending on your network size and complexity. After you disable learning mode, any activity that differs from your baseline activity will trigger an alert.

-## First-time sign-in for security analysts and read-only users

-You access console tools from the side menu.

-**Navigation**

-| Window | Icon | Description |

-| --|--|--|

-| Dashboard | :::image type="icon" source="media/concept-sensor-console-overview/dashboard-icon-azure.png" border="false"::: | View an intuitive snapshot of the state of the network's security. |

-| Device map | :::image type="icon" source="media/concept-sensor-console-overview/asset-map-icon-azure.png" border="false"::: | View the network devices, device connections, and device properties in a map. Various zooms, highlight, and filter options are available to display your network. |

-| Device inventory | :::image type="icon" source="media/concept-sensor-console-overview/asset-inventory-icon-azure.png" border="false"::: | The device inventory displays a list of device attributes that this sensor detects. Options are available to: <br /> - Sort, or filter the information according to the table fields, and see the filtered information displayed. <br /> - Export information to a CSV file. <br /> - Import Windows registry details.|

-| Alerts | :::image type="icon" source="media/concept-sensor-console-overview/alerts-icon-azure.png" border="false"::: | Display alerts when policy violations occur, deviations from the baseline behavior occur, or any type of suspicious activity in the network is detected. |

-| Reports | :::image type="icon" source="media/concept-sensor-console-overview/reports-icon-azure.png" border="false"::: | View reports that are based on data-mining queries. |

-**Analysis**

-| Window| Icon | Description |

-||||

-| Event timeline | :::image type="icon" source="media/concept-sensor-console-overview/event-timeline-icon-azure.png" border="false"::: | View a timeline with information about alerts, network events (informational), and user operations, such as user sign-ins and user deletions.|

-**Navigation**

-| Window | Icon | Description |

-||||

-| Data mining | :::image type="icon" source="media/concept-sensor-console-overview/data-mining-icon-azure.png" border="false"::: | Generate comprehensive and granular information about your network's devices at various layers. |

-| Investigation | :::image type="icon" source="media/concept-sensor-console-overview/trends-and-statistics-icon-azure.jpg" border="false"::: | View trends and statistics in an extensive range of widgets. |

-| Risk Assessment | :::image type="icon" source="media/concept-sensor-console-overview/vulnerabilities-icon-azure.png" border="false"::: | Display the **Vulnerabilities** window. |

-**Admin**

-| Window | Icon | Description |

-||||

-| Users | :::image type="icon" source="media/concept-sensor-console-overview/users-icon-azure.png" border="false"::: | Define users and roles with various access levels. |

-| Forwarding | :::image type="icon" source="medi) for details. |

-| System settings | :::image type="icon" source="media/concept-sensor-console-overview/system-settings-icon-azure.png" border="false"::: | Configure the system settings. For example, define DHCP settings, provide mail server details, or create port aliases. |

-| Import settings | :::image type="icon" source="medi) for details. |

-| Window| Icon | Description |

-|-|||

-| Support | :::image type="icon" source="media/concept-sensor-console-overview/support-icon-azure.png" border="false"::: | Contact [Microsoft Support](https://support.microsoft.com/) for help. |

-[Threat intelligence research and packages #](how-to-work-with-threat-intelligence-packages.md)

-description: Create and manage users of sensors and the on-premises management console. Users can be assigned the role of administrator, security analyst, or read-only user.

-This article describes how to create and manage users of sensors and the on-premises management console. User roles include administrator, security analyst, or read-only user. Each role is associated with a range of permissions to tools for the sensor or on-premises management console. Roles are designed to facilitate granular, secure access to Microsoft Defender for IoT.

-Features are also available to track user activity and enable Active Directory sign-in.

-By default, each sensor and on-premises management console is installed with a *cyberx and support* user. These users have access to advanced tools for troubleshooting and setup. Administrator users should sign in with these user credentials, create an admin user, and then create extra users for security analysts and read-only users.

-This section describes permissions available to administrators, security analysts, and read-only users for the on-premises management console.

-| Permission | Read only | Security analyst | Administrator |

-| Session timeout when users are not active | 30 minutes | 30 minutes | 30 minutes |

-Administrators can enhance user access control in Defender for IoT by assigning users to specific *access groups*. Access groups are assigned to zones, sites, regions, and business units where a sensor is located. By assigning users to access groups, administrators gain specific control over where users manage and analyze device detections.

-This section describes permissions available to sensor administrators, security analysts, and read-only users.

-| Permission | Read only | Security analyst | Administrator |

-1. On the **Create User** pane, define the following parameters:

- - **Role**: Define the user's role. See [Role-based permissions](#role-based-permissions).

- - **Access Group**: If you're creating a user for the on-premises management console, define the user's access group. See [Define global access control](how-to-define-global-user-access-control.md).

- - **Local User**: Define a password for the user of a sensor or an on-premises management console. The password must include at least six characters and must include letters and numbers.

- - **Active Directory User**: You can allow users to sign in to the sensor or management console by using Active Directory credentials. Defined Active Directory groups can be associated with specific permission levels. For example, configure a specific Active Directory group and assign all users in the group to the read-only user type.

-If users are not active at the keyboard or mouse for a specific time, they're signed out of their session and must sign in again.

-When users have not worked with their console mouse or keyboard for 30 minutes, a session sign-out is forced.

-1. Sign in to the sensor.

-1. In the event timeline, enable the **User Operations** option.

- :::image type="content" source="media/how-to-create-azure-for-defender-users-and-roles/User-login-attempts.png" alt-text="View a user's activity.":::

-### Active Directory and Defender for IoT permissions

-You can associate Active Directory groups defined here with specific permission levels. For example, configure a specific Active Directory group and assign Read Only permissions to all users in the group.

-**To configure Active Directory**:

-1. From the left pane, select **System Settings**.

- :::image type="content" source="media/how-to-setup-active-directory/ad-system-settings-v2.png" alt-text="View your Active Directory system settings.":::

-1. On the **System Settings** pane, select **Active Directory**.

- :::image type="content" source="media/how-to-setup-active-directory/ad-configurations-v2.png" alt-text="Edit your Active Directory configurations.":::

-1. In the **Edit Active Directory Configuration** dialog box, select **Active Directory Integration Enabled** > **Save**. The **Edit Active Directory Configuration** dialog box expands, and you can now enter the parameters to configure Active Directory.

- :::image type="content" source="media/how-to-setup-active-directory/ad-integration-enabled-v2.png" alt-text="Enter the parameters to configure Active Directory.":::

-> [!NOTE]

-> - You must define the LDAP parameters here exactly as they appear in Active Directory.

-> - For all the Active Directory parameters, use lowercase only. Use lowercase even when the configurations in Active Directory use uppercase.

-> - You can't configure both LDAP and LDAPS for the same domain. You can, however, use both for different domains at the same time.

- | Active Directory groups | Enter the group names that are defined in your Active Directory configuration on the LDAP server. |

-#### ActiveDirectory Groups for the On-premises management console

-If you are creating Active Directory groups for on-premises management console users, you must create an Access Group rule for each Active Directory group. On-premises management console Active Directory credentials will not work if an Access Group rule does not exists for the Active Directory user group. See [Define global access control](how-to-define-global-user-access-control.md).

-The Administrator can change the password for the Security Analyst, and Read Only role. The Administrator role user can't change their own password and must contact a higher-level role. The Security Analyst, and Read Only roles canΓÇÿt reset their, or any other role's passwords. The Security Analyst, and Read Only roles need to contact a user with a higher role level to have their passwords reset. The CyberX role can change the password for all user roles. The Support role can change the password for a Support, Administrator, Security Analyst, and Read Only user's role.

-1. Log in to the sensor using a user with the role Administrator, Support, or CyberX.

- :::image type="content" source="media/password-recovery-images/sensor-page.png" alt-text="Select the user option from the left side pane.":::

-1. Locate the user and select **Edit** from the **Actions** dropdown menu.

- :::image type="content" source="media/password-recovery-images/edit.png" alt-text="select edit from the actions dropdown menu.":::

-1. Enter the new password in the **New Password**, and **Confirm New Password** fields.

-1. Log in to the on-premises management console using a user with the role Administrator, Support, or CyberX.

- :::image type="content" source="media/password-recovery-images/console-page.png" alt-text="On the left panel select the user's option.":::

-1. Locate your user and select the edit icon :::image type="icon" source="media/password-recovery-images/edit-icon.png" border="false":::.

-1. On the sign in screen of either the on-premises management console, or the sensor select **Password recovery**. The **Password recovery** screen opens.

- :::image type="content" source="media/how-to-create-and-manage-users/password-recovery.png" alt-text="Select Password recovery from the sign in screen of either the on-premises management console, or the sensor.":::

- :::image type="content" source="media/how-to-create-and-manage-users/enter-identifier.png" alt-text="Enter the unique identifier and then select recover.":::

-A .pem file containing the certificates of all the certificate authorities in the chain of trust that led to your certificate.ΓÇ»

-| PLC mode (preview) | The PLC operating mode includes the Key state (physical) and run state (logical). Possible **Key** states include, Run, Program, Remote, Stop, Invalid, Programming Disabled.Possible Run. The possible **Run** states are Run, Program, Stop, Paused, Exception, Halted, Trapped, Idle, Offline. if both states are the same, only oe state is presented. |

- :::image type="content" source="media/how-to-inventory-sensor/save-views.png" alt-text="Screen capture shows the saved Device inventory filter":::

-1. Select **System Settings** > **Import Settings**> **Windows Information**.

- :::image type="content" source="media/how-to-inventory-sensor/save-filter.png" alt-text="Screen capture shows last activity filter in Inventory":::

-1. In the confirmation dialog box that opens, enter the reason for the deletion and select **Delete**. All devices detected within the range of the filter will be deleted. If you delete a large number of devices, the delete process may take a few minutes.

-You can export device inventory information to .csv file.

-Locally connected sensors are associated with an Azure subscription. The activation file for your locally connected sensors contains an expiration date. One month before this date, a warning message appears at the top of the sensor console. The warning remains until after you've updated the activation file.

-1. Go to the **Sensor Management** page.

-2. Select the sensor for which you want to upload a new activation file.

-3. Delete it.

-4. Onboard the sensor again from the **Onboarding** page in the new mode or with a new Defender for IoT hub.

-5. Download the activation file from the **Download Activation File** page.

- :::image type="content" source="media/how-to-manage-individual-sensors/download-activation-file.png" alt-text="Download the activation file from the Defender for IoT hub.":::

-8. In the sensor console, select **System Settings** > **Reactivation**.

- :::image type="content" source="media/how-to-manage-individual-sensors/reactivation.png" alt-text="Reactivation selection on the System Settings screen.":::

- :::image type="content" source="media/how-to-manage-individual-sensors/upload-the-file.png" alt-text="Upload the file you saved.":::

-1. Select **System Settings**.

-1. Select **SSL/TLS Certificates.**

-To connect:

-To change the configuration:

-To configure the sensor time:

-1. On the side menu, select **System Settings**.

-2. In the **System Settings** window, select **Time & Regional**.

-To configure backup:

-To restore the latest backup file:

-To save the backup to an external SMB server:

-[Manage sensors from the management console](how-to-manage-sensors-from-the-on-premises-management-console.md)

-description: Manage alert events detected in your network.

-# Manage alert events

-The following options are available for managing alert events:

- | **Learn** | Authorize the detected event. For more information, see [About learning and unlearning events](#about-learning-and-unlearning-events). |

- | **Acknowledge** | Hide the alert once for the detected event. The alert will be triggered again if the event is detected again. For more information, see [About acknowledging and unacknowledging events](#about-acknowledging-and-unacknowledging-events). |

- | **Mute** | Continuously ignore activity with identical devices and comparable traffic. For more information, see [About muting and unmuting events](#about-muting-and-unmuting-events). |

-

-You can also export alert information.

-## About learning and unlearning events

-Events that indicate deviations of the learned network might reflect valid network changes. When you want to approve these changes, you can instruct Defender for IoT to *learn* the behavior. Examples might include:

-**To learn an event**:

-1. Navigate to the **Alerts** tab.

- :::image type="content" source="media/how-to-work-with-alerts-sensor/alerts-tab.png" alt-text="Select the Alerts tab from the navigation bar on the left side of the screen.":::

-1. Select an alert from the list of alerts.

-1. Select **Learn**.

- :::image type="content" source="media/how-to-work-with-alerts-sensor/learn.png" alt-text="The Address Detected Scan window.":::

-Activity reflected in alerts is calculated when you generate Data Mining, Risk Assessment, and Attack Vector reports. When you manage these events, the sensor updates the reports accordingly.

-When you select **Learn**, the sensor considers traffic, configurations, or activity valid. The alert will no longer be triggered for the event. It also means the event won't be calculated when the sensor generates risk assessment, attack vector, and other reports.

-Learned events can be unlearned. When the sensor unlearns events, it will retrigger alerts related to this event.

-**To unlearn an event**

-1. Navigate to the **Alerts** tab.

- :::image type="content" source="media/how-to-work-with-alerts-sensor/alerts-tab.png" alt-text="Select the Alerts tab from the navigation bar on the left side of the screen.":::

-1. From the view drop-down menu, select **Acknowledged**.

- :::image type="content" source="media/how-to-work-with-alerts-sensor/view-acknowledged.png" alt-text="Select acknowledged from the view section drop-down menu." lightbox="media/how-to-work-with-alerts-sensor/view-acknowledged-expanded.png":::

-1. Select an alert from the list of alerts.

-1. Select **Unlearn**.

- :::image type="content" source="media/how-to-work-with-alerts-sensor/unlearn.png" alt-text="Select Unlearn to unlearn an event.":::

-After an event is unlearned, it will move back to the Main View page.

-**To see if an alert was learned, or acknowledged**:

-1. Navigate to the Event Timeline tab :::image type="icon" source="media/how-to-work-with-alerts-sensor/event-timeline.png" border="false":::

-1. Locate the alert in the timeline.

- :::image type="content" source="media/how-to-work-with-alerts-sensor/event-timeline-acknowledged.png" alt-text="You can locate the acknowledged events in the event timeline.":::

- You will see in the alert's window, if the alert was learned, or acknowledged.

-

-## About acknowledging and unacknowledging events

-In certain situations, you might not want a sensor to learn a detected event, or the option might not be available. Instead, the incident might require mitigation. For example:

-After you carry out mitigation or investigation, you can instruct the sensor to hide the alert by selecting **Acknowledge**. If the event is detected again, the alert will be retriggered.

-To clear the alert:

- - Select **Acknowledge**.

-To view the alert again:

- - Access the alert and select **Unacknowledge**.

-Unacknowledge alerts if further investigation is required.

-## About muting and unmuting events

- - The **Anomaly** engine triggers an alert on a spike in bandwidth between two devices, but the spike is valid for these devices.

- - The **Protocol Violation** engine triggers an alert on a protocol deviation detected between two devices, but the deviation is valid between the devices.

-In these situations, learning is not available. When learning can't be carried out and you want to suppress the alert and remove the device when calculating risks and attack vectors, you can mute the alert event instead.

-> [!NOTE]

-> You can't mute events in which an internet device is defined as the source or destination.

-### What alert activity is muted?

-The device or devices being muted will be displayed as an image in the alert. If two devices are shown, the specific alerted traffic between them will be muted.

-**Example 1**

-When an event is muted, it's ignored anytime the primary (source) sends the secondary (destination) an illegal function code as defined by the vendor.

-**Example 2**

-When an event is muted, it's ignored anytime the source sends an HTTP header with illegal content, regardless of the destination.

-**After an event is muted:**

- :::image type="content" source="media/how-to-work-with-alerts-sensor/muted-event-notification-screenshot.png" alt-text="Event detected and muted.":::

-**To mute and unmute an alert:**

-**To view muted alerts:**

-1. Select the **Acknowledged** option form the **Alerts** main screen.

-2. Hover over an alert to see if it's muted.

-Export alert information to a .csv file. You can export information of all alerts detected or export information based on the filtered view. The following information is exported:

-To export:

-1. Select Alerts from the side menu.

-1. Select Export.

-1. Select Export Extended Alerts to export alert information in separate rows for each alert that covers multiple devices. When Export Extended Alerts is selected, the .csv file will create a duplicate row of the alert event with the unique items in each row. Using this option makes it easier to investigate exported alert events.

-[Alert types and descriptions](alert-engine-messages.md)

-[Control what traffic is monitored](how-to-control-what-traffic-is-monitored.md)

-description: Learn about solution architecture, network preparation, prerequisites, and other information needed to ensure that you successfully set up your network to work with Azure Defender for IoT appliances.

-[About the Defender for IoT installation](how-to-install-software.md)

-description: View alerts according to various categories, and uses search features to help you find alerts of interest.

-# Filter and manage alerts from the Alerts page

-This article describes how to view alerts triggered by your sensor and manage them with alert tools.

-You can view alerts based on various categories, such as alerts that have been archived or pinned. You also can search for alerts of interest, such as alerts based on an IP or MAC address.

-You can also view alerts from the sensor dashboard.

-To view alerts:

- :::image type="content" source="media/how-to-work-with-alerts-sensor/alerts-screen.png" alt-text="View of the Alerts screen.":::

-## View alerts by category

-You can view alerts according to various categories from the **Alerts** main view. Select an alert to review details and manage the event.

-| Sort by type | Description |

-| **Important Alerts** | Alerts sorted by importance. |

-| **Pinned Alerts** | Alerts that the user pinned for further investigation. Pinned alerts are not archived and are stored for 14 days in the pinned folder. |

-| **Recent Alerts** | Alerts sorted by time. |

-| **Acknowledged Alerts** | Alerts that were acknowledged and unhandled, or that were muted, and unmuted. |

-| **Archived Alerts** | Alerts that the system archived automatically. By default, alerts are archived 14 days after the alert was triggered. Only the administrator user can access them. |

-## Search for alerts of interest

-The Alerts main view provides various search features to help you find alerts of interest.

-### Text search

-Use the Free Search option to search for alerts by text, numbers, or characters.

-To search:

-To clear the search:

-### Device group or device IP address search

-Search for alerts that reference specific IP addresses or device groups. Device groups are created in the device map.

-To use advanced filters:

-1. Select **Advanced Filters** from the **Alerts** main view.

-2. Choose a device group or a device.

-3. Select **Confirm**.

-4. To clear the search, select **Clear All**.

-### Security versus operational alert search

-Switch between viewing operational and security alerts:

-When none of the options are selected, all the alerts are displayed.

-## Alert page options

-Alert messages provide the following actions:

-## Alert pop-up window options

-description: Select an alert from the Alerts window to review details.

-# About alert messages

-Select an alert from the **Alerts** window to review alert details. Details include the following information:

-## Alert metadata

-Alert details include the following alert metadata:

- - Alert ID

- - Policy engine that triggered the alert

- - Date and time that the alert was triggered

-## Information about devices, traffic, and the event

-The alert message provides information about:

- - The detected devices.

- - The traffic detected between the devices, such as protocols and function codes.

- - Insights into the implications of the event.

-You can use this information when deciding how to manage the alert event.

-## Links to connected devices in the device map

-To learn more about devices connected to the detected devices, you can select a device image in the alert and view connected devices in the map.

-The map filters to the device that you selected, and other devices connected to it. The map also displays the **Quick Properties** dialog box for the devices detected in the alerts.

-## Comments defined by security analysts and administrators

-Alerts might include a list of predefined comments. For example, comments can be instructions for mitigation actions to take, or names of individuals to contact about the event.

-When you're managing an alert event, you can choose the comment or comments that best reflect the event status or the steps you've taken to investigate the alert.

-Selected comments are saved in the alert message. Working with comments enhances communication between individuals and teams during the investigation of an alert event. As a result, comments can accelerate incident response time.

-An administrator or security analyst predefines comments. Selected comments are not forwarded to partner systems defined in the forwarding rules.

-After you review the information in an alert, you can carry out various forensic steps to guide you in managing the alert event. For example:

-## PCAP files

-In some cases, you can access a PCAP file from the alert message. This might be useful if you want more detailed information about the associated network traffic.

-To download a PCAP file, select :::image type="content" source="media/how-to-work-with-alerts-sensor/download-pcap.png" alt-text="Download icon."::: at the upper right of the **Alert details** dialog box.

-## Recommendations for investigating an event

-The **Recommendation** area of an alert displays information that might help you better understand an event. Review this information before managing the alert event or taking action on the device or the network.

-## See also

-[Accelerate Alert workflows](how-to-accelerate-alert-incident-response.md)

-[Manage the alert event](how-to-manage-the-alert-event.md)

-# Work with alerts on the on-premises management console

-You can do the following from the **Alerts** window in the management console:

- :::image type="content" source="media/how-to-work-with-alerts-on-premises-management-console/alert-information.png" alt-text="Screenshot of alert information.":::

- - Device IP address, MAC address, or subnet address that you want to exclude.

- - Traffic direction for the excluded devices, source, and destination.

-[Work with alerts on your sensor](how-to-work-with-alerts-on-your-sensor.md).

-Review the [Defender for IoT Engine alerts](alert-engine-messages.md).

-description: Work with alerts to help you enhance the security and operation of your network.

-# About sensor alerts

-Alerts help you enhance the security and operation of your network. Alerts provide you with information about:

-Alert management options let users:

-Additional tools are available that help you enhance and expedite the alert investigation. For example:

- - Add instructional comments for alert reviewers.

- - Create alert groups for display at SOC solutions.

- - Search for specific alerts; review related PCAP files; view the detected devices and other connected devices in the device map or send alert details to partner systems.

- - Forward alerts to partner vendors: SIEM systems, MSSP systems, and more.

-## Alerts and engines

-Alerts are triggered when sensor engines detect changes in network traffic and behavior that need your attention. This article describes the kind of alerts that each engine triggers.

-| Alert type | Description |

-|-|-|

-| Policy violation alerts | Triggered when the Policy Violation engine detects a deviation from traffic previously learned. For example: <br /> - A new device is detected. <br /> - A new configuration is detected on a device. <br /> - A device not defined as a programming device carries out a programming change. <br /> - A firmware version changed. |

-| Protocol violation alerts | Triggered when the Protocol Violation engine detects packet structures or field values that don't comply with the protocol specification. |

-| Operational alerts | Triggered when the Operational engine detects network operational incidents or a device malfunctioning. For example, a network device was stopped through a Stop PLC command, or an interface on a sensor stopped monitoring traffic. |

-| Malware alerts | Triggered when the Malware engine detects malicious network activity. For example, the engine detects a known attack such as Conficker. |

-| Anomaly alerts | Triggered when the Anomaly engine detects a deviation. For example, a device is performing network scans but is not defined as a scanning device. |

-Tools are available to enable and disable sensor engines. Alerts are not triggered from engines that are disabled. See [Control what traffic is monitored](how-to-control-what-traffic-is-monitored.md).

-## Alerts and sensor reporting

-Activity reflected in alerts is calculated when you're generating Data Mining, Risk Assessment, and Attack Vector reports. When you manage these events, the sensor updates the reports accordingly.

-For example:

- - Unauthorized connectivity between a device in a defined subnet and devices located outside the subnet (public) will appear in the Data Mining *Internet Activity* report and the Risk Assessment *Internet Connections* section. After these devices are authorized (learned), they're calculated in generating these reports.

- - Malware events detected on network devices are reported in Risk Assessment reports. When alerts about malware events are *muted*, affected devices won't be calculated in the Risk Assessment report.

-## Next steps

-[Learning and Smart IT Learning modes](how-to-control-what-traffic-is-monitored.md#learning-and-smart-it-learning-modes)

-[View information provided in alerts](how-to-view-information-provided-in-alerts.md)

-[Manage the alert event](how-to-manage-the-alert-event.md)

-[Accelerate alert workflows](how-to-accelerate-alert-incident-response.md)

-[Alert types and descriptions](alert-engine-messages.md)

-description: The Device Map provides a graphical representation of network devices detected. Use the map to analyze, and manage device information, network slices and generate reports.

-# Investigate sensor detections in the Device Map

-The Device Map provides a graphical representation of network devices detected. Use the map to:

-To access the map:

- - Select **Device Map** from the console main screen.

-The following tools are used to working in the map.

-| Symbol | Description |

-|||

-| :::image type="icon" source="media/how-to-work-with-maps/search-bar-icon-v2.png" border="false":::| Search by IP address or MAC address for a specific device. Enter the IP address or MAC address in the text box. The map displays the device that you searched for with devices connected to it. |

-| Group Highlight and Filters <br /> :::image type="content" source="media/how-to-work-with-maps/group-highlight-and-filters-v2.png" alt-text="Screenshot of the group highlights and filters."::: | Filter or highlight the map based on default and custom device groups. |

-| :::image type="icon" source="media/how-to-work-with-maps/collapse-view-icon.png" border="false"::: | IT Collapse view, to enable a focused view on OT devices, and group IT devices. |

-| :::image type="icon" source="media/how-to-work-with-maps/device-management-icon.png" border="false"::: | Maintain current device arrangement in the map. For example, if you drag devices to new locations on the map, the devices will remain in these locations when exiting the map. |

-| :::image type="icon" source="media/how-to-work-with-maps/fit-to-screen-icon.png" border="false"::: | Fit to screen |

-| :::image type="icon" source="media/how-to-work-with-maps/layer-icon.png" border="false"::: :::image type="icon" source="media/how-to-work-with-maps/layouts-icon-v2.png" border="false"::: | - View the Purdue layer identified for this device, including automatic, process control, supervisory, and enterprise <br /> - View connections between devices.|

-| :::image type="icon" source="media/how-to-work-with-maps/broadcast-icon.png" border="false"::: | Show or hide between broadcast and multicast. |

-| :::image type="icon" source="media/how-to-work-with-maps/time-icon.png" border="false"::: | Filter the devices on the map according to the time they last communicating with other devices. |

-| :::image type="icon" source="media/how-to-work-with-maps/notifications-icon.png" alt-text="notifications" border="false"::: | View notifications about a device. For example, if a new IP was detected for a device using an existing MAC address |

-| :::image type="icon" source="media/how-to-work-with-maps/export-import.png" alt-text="Export" border="false"::: | Export/Import device information. |

-| :::image type="icon" source="media/how-to-work-with-maps/properties-icon.png" alt-text="properties" border="false"::: | View basic device properties for selected devices. |

-| :::image type="icon" source="media/how-to-work-with-maps/zoom-in-icon-v2.png" alt-text="Zoom In" border="false"::: or :::image type="icon" source="media/how-to-work-with-maps/zoom-out-icon-v2.png" alt-text="Zoom Out" border="false"::: | Zoom in or out of devices in the map. |

-## View OT elements only

-By default, IT devices are automatically aggregated by subnet, so that the map view is focused on OT and ICS networks. The presentation of the IT network elements is collapsed to a minimum, which reduces the total number of the devices presented on the map and provides a clear picture of the OT and ICS network elements.

-Each subnet is presented as a single entity on the device map, including an interactive collapsing and expanding capability to look at the details of an IT subnet and back.

-The figure below shows a collapsed IT subnet with 27 IT network elements.

-To enable the IT networks collapsing capability:

-To expand an IT subnet:

-1. To differentiate between the IT and OT networks, from the System Settings screen, select **Subnets**.

- > [!NOTE]

- > It is recommended to name each subnet with meaningful names at the user can easily identify in order to differentiate between IT and OT networks.

- :::image type="content" source="media/how-to-work-with-maps/subnet-list.png" alt-text="Subnets Configuration":::

-2. In the **Edit Subnets Configuration** window, clear the **ICS Subnet** checkbox for each subnet that you want to define as an IT subnet. The IT subnets appear collapsed in the device map with the notifications for ICS devices, such as a controller or PLC, in IT networks.

- :::image type="content" source="media/how-to-work-with-maps/edit-config.png" alt-text="Edit Subnets Configuration":::

-3. To expand the IT network on the map, in the Devices window, right-click it and select **Expand Network**.

- :::image type="content" source="media/how-to-work-with-maps/expand-network.png" alt-text="Expand your view of your network.":::

-4. A confirmation box appears, notifying you that the layout change cannot be redone.

-5. Select **OK**. The IT subnet elements appear on the map.

- :::image type="content" source="media/how-to-work-with-maps/fixed-map.png" alt-text="OK":::

-To collapse an IT subnet:

-1. From the left pane, select **Devices**.

-2. In the Devices window, select the collapse icon. The number in red indicates how many expanded IT subnets currently appear on the map.

- :::image type="content" source="media/how-to-work-with-maps/devices-notifications.png" alt-text="Device window":::

-3. Select the subnet(s) that you want to collapse or select **Collapse All**. The selected subnet appears collapsed on the map.

- :::image type="content" source="media/how-to-work-with-maps/close-all-subnets.png" alt-text="Collapse All":::

-The collapse icon is updated with the updated number of expanded IT subnets.

-## View or highlight device groups

-You can customize the map display based on device Groups. For example, groups of devices associated with a specific OT Protocol, VLAN, or subnet. Predefined groups are available and custom groups can be created.

-View groups by:

- - **Highlighting:** Highlight the devices that belong to a specific group in blue.

- - **Filtering:** Display only devices that belong to a specific group.

-| **Pinned alerts** | Devices for which the user has pinned an alert. |

-| **Attack vector simulations** | Vulnerable devices detected in attack vector reports. In order to view these devices on the map, select the **Display on Device Map** checkbox when generating the Attack Vector. :::image type="content" source="media/how-to-work-with-maps/add-attack-v2.png" alt-text="Add Attack Vector Simulations":::. |

-To highlight or filter devices:

-1. Select **Device Map** on the side menu.

-2. Select the filter icon. :::image type="content" source="media/how-to-work-with-maps/menu-icon.png" alt-text="Menu":::

-3. From the Groups pane, select the group you want to highlight or filter devices.

-4. Select **Highlight** or **Filter**. Toggle the same selection to remove the highlight, or filter.

-## Define custom groups

-In addition to viewing predefined groups, you can define custom groups. The groups appear in the Device Map, Device Inventory, and Data Mining Reports.

-> [!NOTE]

-> You can also create groups from the Device Inventory.

-To create a group:

-1. Select **Devices** on the side menu. The Device Map is displayed.

-1. Select :::image type="content" source="media/how-to-work-with-maps/menu-icon.png" alt-text="Group Setting"::: to display the Groups settings.

-1. Select :::image type="content" source="media/how-to-work-with-maps/create-group-v2.png" alt-text="groups"::: to create a new custom group.

-1. Add the name of the group, use up to 30 characters.

-1. Select the relevant devices, as follows:

- - Add the devices from this menu by selecting them from the list (select on the arrow button),<br /> Or, <br />

- - Add the devices from this menu by copying them from a selected group (select on the arrow button)

-1. Select **Add group** to add existing groups to custom groups.

-### Add devices to a custom group

-You can add devices to a custom group or create a new custom group and the device.

-1. Right-click a device(s) on the map.

-1. Select **Add to group**.

-1. Enter a group name in the group field and select +. The new group appears. If the group already exists, it will be added to the existing custom group.

- :::image type="content" source="media/how-to-work-with-maps/groups-section-v2.png" alt-text="Group name":::

-1. Add devices to a group by repeating steps 1-3.

-## Map zoom views

- - [Detailed view](#detailed-view)

-This view presents devices represented as icons on the map in order to highlight devices with alerts, device types, and connected devices.

-The device type icon is shown with connected devices.

-### Detailed view

-The detailed view presents devices and device labels and indicators with the following information:

-### Control the zoom view

-The map view displayed depends on the map zoom-level. Switching between the map views is done by changing the zoom levels.

-### Enable simplified zoom views

-Administrators who want security analysts and RO users to access BirdΓÇÖs-eye and device and type connection views, should enable the simplified view option.

-To enable simplified map views:

- - Select **System Settings** and then toggle the **Simplified Map View** option.

-## Learn more about devices

-An extensive range of tools are available to learn more about devices form the Device Map:

-### Device labels and indicators

-The following labels and indicators may appear on devices on the map:

-| Device label | Description |

-|--|--|

-| :::image type="content" source="media/how-to-work-with-maps/host-v2.png" alt-text="IP host name"::: | IP address host name and IP address, or subnet addresses |

-| :::image type="content" source="media/how-to-work-with-maps/amount-alerts-v2.png" alt-text="Number of alerts"::: | Number of alerts associated with the device |

-| :::image type="icon" source="media/how-to-work-with-maps/type-v2.png" border="false"::: | Device type icon, for example storage, PLC or historian. |

-| :::image type="content" source="media/how-to-work-with-maps/grouped-v2.png" alt-text="devices grouped"::: | Number of devices grouped in a subnet in an IT network. In this example 8. |

-| :::image type="content" source="media/how-to-work-with-maps/not-authorized-v2.png" alt-text="device Learning period"::: | A device that was detected after the Learning period and was not authorized as a network device. |

-| Solid line | Logical connection between devices |

-| :::image type="content" source="media/how-to-work-with-maps/new-v2.png" alt-text="New device"::: | New device discovered after Learning is complete. |

-### Device quick views

-Access device properties and connections from the map.

-To open the quick properties menu:

- - Select the quick properties menu :::image type="content" source="media/how-to-work-with-maps/properties.png" alt-text="quick properties menu":::.

-#### Quick device properties

-Select a device or multiple devices while the Quick Properties screen is open to see the highlights of those devices:

-#### Quick connection properties

-Select a connection while the Quick Properties screen is open to see the protocols that are utilized in this connection and when they were last seen:

-## View and manage device properties

-You can view device proprieties for each device displayed on the map. For example, the device name, type or OS, or the firmware or vendor.

-The following information can be updated manually. Information manually entered will override information discovered by Defender for IoT.

- - Name

- - Type

- - OS

- - Purdue layer

- - Description

-| Basic Information | The basic information needed. |

-| Type | The device type detected by the sensor. <br /> For more information, see [View device types](#view-device-types). |

-| Purdue Layer | The Purdue layer identified by the sensor for this device, including: <br /> - Automatic <br /> - Process Control <br /> - Supervisory <br /> - Enterprise |

-| Settings | You can manually change device settings to prevent false positives: <br /> - **Authorized Device**: During the learning period, all the devices discovered in the network are identified as authorized devices. When a device is discovered after the learning period, it appears as an unauthorized device by default. You can change this definition manually. <br /> - **Known as Scanner**: Enable this option if you know that this device is known as scanner and there is no need to alert you about it. <br /> - **Programming Device**: Enable this option if you know that this device is known as a programming device and is used to make programming changes. Identifying it as a programming device will prevent alerts for programming changes originating from this asset. |

-| Custom Groups | The custom groups in the device map in which this device participates. |

-| State | The security and the authorization status of the device: <br /> - The status is `Secured` when there are no alerts <br /> - When there are alerts about the device, the number of alerts is displayed <br /> - The status `Unauthorized` is displayed for devices that were added to the network after the learning period. You can manually define the device as `Authorized Device` in the settings <br /> - In case the address of this device is defined as a dynamic address, `DHCP` is added to the status. |

-| Network | Description |

-|--|--|

-| Interfaces | The device interfaces. A RO field. |

-To view the device information:

-1. Select **Devices** on the side menu.

-2. Right-click a device and select **View Properties**. The Device Properties window is displayed.

-3. Select on the required alert at the bottom of this window to view detailed information about alerts for this device.

-### View device types

-The Device Type is automatically identified by the sensor during the device discovery process. You can change the type manually.

-The following table presents all the types in the system:

-| Category | Device Type |

-|--|--|

-| ICS | Engineering Station <br /> PLC <br />Historian <br />HMI <br />IED <br />DCS Controller <br />RTU <br />Industrial Packaging System <br />Industrial Scale <br />Industrial Robot <br />Slot <br />Meter <br />Variable Frequency Drive <br />Robot Controller <br />Servo Drive <br />Pneumatic Device <br />Marquee |

-| IT | Domain Controller <br />DB Server <br />Workstation <br />Server <br />Terminal Station <br />Storage <br />Smart Phone <br />Tablet <br />Backup Server |

-| IoT | IP Camera <br />Printer <br />Punch Clock <br />ATM <br />Smart TV <br />Game console <br />DVR <br />Door Control Panel <br />HVAC <br />Thermostat <br />Fire Alarm <br />Smart Light <br />Smart Switch <br />Fire Detector <br />IP Telephone <br />Alarm System <br />Alarm Siren <br />Motion Detector <br />Elevator <br />Humidity Sensor <br />Barcode Scanner <br />Uninterruptible Power Supply <br />People Counter System <br />Intercom <br />Turnstile |

-| Network | Wireless Access Point <br />Router <br />Switch <br />Firewall <br />VPN Gateway <br />NTP Server <br />Wifi Pineapple <br />Physical Location <br />I/O Adapter <br /> Protocol Converter |

-To view the device information:

-1. Select **Devices** on the side menu.

-2. Right-click a device and select **View Properties**. The Device Properties window is displayed.

-3. Select on the required alert to view detailed information about alerts for this device.

-### Backplane properties

-You can use the Backplane option to review multiple controllers/cards and their nested devices as one entity with a variety of definitions. Each slot in the Backplane view represents the underlying devices ΓÇô the devices that were discovered behind it.

-## View a timeline of events for the device

-View a timeline of events associated with a device.

-To view the timeline:

-1. Right-click a device from the map.

-2. Select **Show Events**. The Event Timeline window opens with information about events detected for the selected device.

-See [Event Timeline](#event-timeline) for details.

-## Analyze programming details and changes

-Enhance forensics by displaying programming events carried out on your network devices and analyzing code changes. This information helps you discover suspicious programming activity, for example:

- - Human error: An engineer is programming the wrong device.

- - Corrupted programming automation: Programming is erroneously carried out because of automation failure.

- - Hacked systems: Unauthorized users logged into a programming device.

-You can display a programmed device and scroll through various programming changes carried out on it by other devices.

-View code that was added, changed, removed, or reloaded by the programming device. Search for programming changes based on file types, dates, or times of interest.

-### When to review programming activity

-You may need to review programming activity:

- - After viewing an alert regarding unauthorized programming

- - After a planned update to controllers

- - When a process or machine is not working correctly (to see who carried out the last update and when)

-Other options let you:

- - Mark events of interest with a star.

- - Download a *.txt file with the current code.

-### About authorized vs unauthorized programming events

-Unauthorized programming events are carried out by devices that have not been learned or manually defined as programming devices. Authorized programming events are carried out by devices that were resolved or manually defined as programming devices.

-The Programming Analysis window displays both authorized and unauthorized programming events.

-### Accessing programming details and changes

-Access the Programming Analysis window from the:

-### Event timeline

-Use the event timeline to display a timeline of events in which programming changes were detected.

-### Unauthorized programming alerts

-Alerts are triggered when unauthorized programming devices carry out programming activities.

-> [!NOTE]

-> You can also view basic programming information in the Device Properties window and Device Inventory.

-### Working in the programming timeline window

-This section describes how to view programming files and compare versions. Search for specific files sent to a programmed device. Search for files based on:

- - Date

- - File type

-|Programming timeline type | Description |

-|--|--|

-| Programmed Device | Provides details about the device that was programmed, including the hostname and file. |

-| Recent Events | Displays the 50 most recent events detected by the sensor. <br />To highlight an event, hover over it and click the star. :::image type="icon" source="media/how-to-work-with-maps/star.png" border="false"::: <br /> The last 50 events can be viewed. |

-| Files | Displays the files detected for the chosen date and the file size on the programmed device. <br /> By default, the maximum number of files available for display per device is 300. <br /> By default, the maximum file size for each file is 15 MB. |

-| File status :::image type="icon" source="media/how-to-work-with-maps/status-v2.png" border="false"::: | File labels indicate the status of the file on the device, including: <br /> **Added**: the file was added to the endpoint on the date or time selected. <br /> **Updated**: The file was updated on the date or time selected. <br /> **Deleted**: This file was removed. <br /> **No label**: The file was not changed. |

-| Programming Device | The device that made the programming change. Multiple devices may have carried out programming changes on one programmed device. The hostname, date, or time of change and logged in user are displayed. |

-| :::image type="icon" source="media/how-to-work-with-maps/current.png" border="false"::: | Displays the current file installed on the programmed device. |

-| :::image type="icon" source="media/how-to-work-with-maps/download-text.png" border="false"::: | Download a text file of the code displayed. |

-| :::image type="icon" source="media/how-to-work-with-maps/compare.png" border="false"::: | Compare the current file with the file detected on a selected date. |

-### Choose a file to review

-This section describes how to choose a file to review.

-To choose a file to review:

-1. Select an event from the **Recent Events** pane

-2. Select a file form the File pane. The file appears in the Current pane.

-### Compare files

-This section describes how to compare programming files.

-To compare:

-1. Select an event from the Recent Events pane.

-2. Select a file from the File pane. The file appears in the Current pane. You can compare this file to other files.

-3. Select the compare indicator.

- :::image type="content" source="media/how-to-work-with-maps/compare.png" alt-text="Compare indicator":::

- The window displays all dates the selected file was detected on the programmed device. The file may have been updated on the programmed device by multiple programming devices.

- The number of differences detected appears in the upper right-hand corner of the window. You may need to scroll down to view differences.

- :::image type="content" source="media/how-to-work-with-maps/scroll.png" alt-text="scroll down to your selection":::

- The number is calculated by adjacent lines of changed text. For example, if eight consecutive lines of code were changed (deleted, updated, or added) this will be calculated as one difference.

- :::image type="content" source="media/how-to-work-with-maps/program-timeline.png" alt-text="Your programing timeline view.":::

-4. Select a date. The file detected on the selected date appears in the window.

-5. The file selected from the Recent Events/Files pane always appears on the right.

-### Device programming information: Other locations

-In addition to reviewing details in the Programming Timeline, you can access programming information in the Device Properties window and the Device Inventory.

-| Device type | Description |

-| Device properties | The device properties window provides information on the last programming event detected on the device\. :::image type="content" source="media/how-to-work-with-maps/information-from-device-v2.png" alt-text="Your device's properties"::: |

-| The device inventory | The device inventory indicates if the device is a programming device\. :::image type="content" source="media/how-to-work-with-maps/inventory-v2.png" alt-text="The inventory of devices"::: |

-## Manage device information from the map

-The sensor does not update or impact devices directly on the network. Changes made here only impact how analyzes the device.

-To delete a device from the device map:

-1. Select **Devices** on the side menu.

-2. Right-click a device and select **Delete**.

-You cannot undo a device merge. If you mistakenly merged two devices, delete the device and wait for The sensor to rediscover both.

-To merge devices:

-During the Learning period, all the devices discovered in the network are identified as authorized devices. The **Authorized** label does not appear on these devices in the Device Map.

-#### Unauthorized devices - attack vectors and risk assessment reports

- :::image type="content" source="media/how-to-work-with-maps/attack-vector-reports.png" alt-text="Vew your attack vector reports":::

- - Identified in Risk Assessment Reports

-To authorize or unauthorize devices manually:

-1. Right-click the device on the map and select **Unauthorize**

-### Important devices - attack vectors and risk assessment reports

-## Generate Activity reports from the map

-Generate an activity report for a selected device over the 1, 6, 12 or 24 hours. The following information is available:

- - Category: Basic detection information based on traffic scenarios.

- - Source and destination devices

- - Data: Additional information defected.

- - The time and date last seen.

-You can save the report as a Microsoft Excel or Word file.

-To generate an activity report for a device:

-1. Right-click a device from the Map.

-2. Select an Activity Report.

- :::image type="content" source="media/how-to-work-with-maps/activity-report.png" alt-text="View a report of your activity.":::

-## Generate Attack Vector reports from the map

-Simulate an Attack Vector report to learn if a device on the map you select is a vulnerable attack target.

-Attack Vector reports provide a graphical representation of a vulnerability chain of exploitable devices. These vulnerabilities can give an attacker access to key network devices. The Attack Vector simulator calculates attack vectors in real time and analyzes all attack vectors per a specific target.

-To view a device in an Attack Vector reports:

-1. Right-click a device from the map.

-2. Select **Simulate Attack Vectors**. The Attack Vector dialog box opens with the device you select as the attack target.

- :::image type="content" source="media/how-to-work-with-maps/simulation.png" alt-text="Add attack vector simulation":::

-3. Add the remaining parameters to the dialog box and select **Add Simulation**.

-## Export device information from the map

-Export the following device information from the Map.

- - Device details (Microsoft Excel)

- - A device summary (Microsoft Excel)

- - A word file with groups (Microsoft Word)

-To export:

-1. Select the Export icon from the Map.

-1. Select an export option.

-The following feature enhancements are available with version 10.5.2 of Azure Defender for IoT.

-If you would like to take a more conservative approach to updating your threat intelligence data, you can manually push packages from the Azure Defender for IoT portal to cloud connected sensors only when you feel it is required.

-Sensor and on-premises management console Administrative users can now recover passwords from the Azure Defender for IoT portal. Previously password recovery required intervention by the support team.

-Committed devices are defined during the onboarding process on the Azure Defender for IoT portal, where the activation file is generated.

-Pricing page lets you onboard new subscriptions to Azure Defender for IoT and define committed devices in your network.

-The Azure Defender for IoT data connector page in Azure Sentinel has been redesigned. The data connector is now based on subscriptions rather than IoT Hubs; allowing customers to better manage their configuration connection to Azure Sentinel.

-You can see how to [update your sensor network configuration before activation](how-to-activate-and-set-up-your-sensor.md#update-sensor-network-configuration-before-activation).

-| :::image type="icon" source="media/how-to-manage-proprietary-protocols/toggle-icon.png" border="false"::: | Toggle the plugin on or off. The sensor will not handle protocol traffic defined in the plugin when you toggle off the plugin. |

-| Errors | The number of packets that failed basic protocol validations that the packet matches the protocol definitions.  The Number displayed here indicates that n umber of errors detected in the past five seconds. |

-These alerts can be used to communicate information:  

-Alerts generated by Horizon custom alert rules are displayed in the sensor and management console Alerts window and in integrated partner systems when using Forwarding Rules. 

-[View information provided in alerts](how-to-view-information-provided-in-alerts.md)

-If you already have a subscription that is onboarded for Azure Defender for IoT for OT environments, you will need to create a new subscription. To learn how to onboard a subscription, see [Onboard a subscription](how-to-manage-subscriptions.md#onboard-a-subscription).

-There is a minimum security level needed to access different parts of Azure Defender for IoT. You must have a level of Security Owner, or a Subscription contributor of the subscription to onboard a subscription, and commit to a pricing. Security Reader level permissions to access the Defender for IoT user interface.

-The following table describes user access permissions to Azure Defender for IoT portal tools:

-[Manage your IoT devices with the device inventory for organizations](how-to-manage-device-inventory-for-organizations.md#manage-your-iot-devices-with-the-device-inventory-for-organizations)

-In case of schedule-based Autoscale scale-down, graceful decommission is not supported. This can cause job failures during a scale down operation, and it is recommended to plan schedules based on the anticipated job schedule patterns to include sufficient time for the ongoing jobs to conclude. You can set the schedules looking at historical spread of completion times so as to avoid job failures.

-Deploy the [Continuous patient monitoring application template](../../iot-central/healthcare/tutorial-continuous-patient-monitoring.md#create-continuous-patient-monitoring-application). This template includes two simulated devices producing real-time data to help you get started: **Smart Vitals Patch** and **Smart Knee Brace**.

-The response to this request looks like the following example:

-description: Azure IoT Central is an IoT application platform that simplifies the creation of IoT solutions. This guide describes how to manage your IoT Central application. Application management includes users, organization, and security.

-# IoT Central application management guide

-You use an *application template* to create an application. An application templates consist of:

-IoT Central uses a role-based access control system to manage user permissions within an application. IoT Central has three built-in roles for administrators, solution builders, and operators. An administrator can create custom roles with specific sets of permissions. An administrator is responsible for adding users to an application and assigning them to roles.

-To manage which users see which devices in your IoT Central application, use an _organization_ hierarchy. You define an organization in your application.

-The user's role in application determines their permissions over the devices they can see.

-Devices that connect to your IoT Central application typically use X.509 certificates or shared access signatures (SAS) as credentials. The administrator manages the group certificates or keys that these device credentials are derived from.

-To learn more, see [X.509 group enrollment](concepts-get-connected.md#x509-group-enrollment), [SAS group enrollment](concepts-get-connected.md#sas-group-enrollment), and [How to roll X.509 device certificates](how-to-connect-devices-x509.md).

-The administrator can also create and manage the API tokens that a client application uses to authenticate with your IoT Central application. Client applications use the REST API to interact with IoT Central.

-For data exports, the administrator can configure [managed identities](../../active-directory/managed-identities-azure-resources/overview.md) to secure the connections to the [export destinations](howto-export-data.md). To learn more, see:

-The administrator can configure the behavior and appearance of an IoT Central application. To learn more, see:

-An administrator can migrate an application to a newer version. Currently, a newly created application is a V3 application. An administrator may need to migrate a V2 application to a V3 application.

-To learn how to monitor your IoT Edge fleet remotely using Azure Monitor and built-in metrics integration, see [Collect and transport metrics](../../iot-edge/how-to-collect-and-transport-metrics.md).

-This article introduces you to Azure IoT Central UI. You can use the UI to create, manage, and use an IoT Central application and its connected devices.

-In the **Build** section you can browse the list of industry-relevant IoT Central templates, or start from scratch using a Custom app template.

-[Quickly deploy a new IoT Central application](quick-deploy-iot-central.md) and then customize it to your specific requirements. Application templates in Azure IoT Central are a tool to help you kickstart your IoT solution development. You can use app templates for everything from getting a feel for what is possible, to fully customizing your application to resell to your customers.

-1. In IoT Central, navigate to the **Devices** page and select **Create a device**:

-# Tutorial: Deploy and walk through the smart meter monitoring app template

-The smart meters not only enable automated billing, but also advanced metering use cases such as real-time readings and bi-directional communication. The smart meter app template enables utilities and partners to monitor smart meters status and data, define alarms and notifications. It provides sample commands, such as disconnect meter and update software. The meter data can be set up to egress to other business applications and to develop custom solutions.

-Use the IoT Central *smart meter monitoring* application template and the guidance in this article to develop an end-to-end smart meter monitoring solution.

- :::image type="content" source="media/tutorial-iot-central-smart-meter/smart-meter-app-architecture.png" alt-text="smart meter architecture.":::

-When you build an IoT solution, Azure IoT Central simplifies the build process and helps to reduce the burden and costs of IoT management, operations, and development. With IoT Central, you can easily connect, monitor, and manage your Internet of Things (IoT) assets at scale. After you connect your smart meters to IoT Central, the app template uses built-in features such as device models, commands, and dashboards. The app template also uses the IoT Central storage for warm path scenarios such as near real-time meter data monitoring, analytics, rules, and visualization.

-# Tutorial: Deploy and walk through the solar panel monitoring app template

-App's key functionalities:

-Use the IoT Central *solar panel monitoring* application template and the guidance in this article to develop an end-to-end solar panel monitoring solution.

- :::image type="content" source="media/tutorial-iot-central-solar-panel/solar-panel-app-architecture.png" alt-text="solar panel architecture.":::

-When you build an IoT solution, Azure IoT Central simplifies the build process and helps to reduce the burden and costs of IoT management, operations, and development. With IoT Central, you can easily connect, monitor, and manage your Internet of Things (IoT) assets at scale. After you connect your solar panels to IoT Central, the app template uses built-in features such as device models, commands, and dashboards. The app template also uses the IoT Central storage for warm path scenarios such as near real-time meter data monitoring, analytics, rules, and visualization.

-The IoT Central platform provides two extensibility options: Continuous Data Export (CDE) and APIs. The customers and partners can choose between these options based to customize their solutions for specific needs. For example, one of our partners configured CDE with Azure Data Lake Storage (ADLS). They're using ADLS for long-term data retention and other cold path storage scenarios, such batch processing, auditing, and reporting purposes.

-Connected Waste Management app is an IoT Central app template to help you kickstart your IoT solution development to enable smart cities to remotely monitor to maximize efficient waste collection.

-Use the IoT Central *connected waste management* application template and the guidance in this article to develop an end-to-end connected waste management solution.

-### Devices and connectivity

-### Extensibility and integrations

-### Business applications

-> * Use the Azure IoT Central *Connected waste management* template to create your app.

-> * Explore and customize the dashboard.

-The water consumption monitoring app is an IoT Central app template to help you kickstart your IoT solution development to enable water utilities and cities to remotely monitor and control water flow to reduce consumption.

-Use the IoT Central *water consumption monitoring* application template and the guidance in this article to develop an end-to-end water consumption monitoring solution.

-### Devices and connectivity

-### Extensibility and integrations

-### Business applications

-The water quality monitoring app is an IoT Central app template to help you kickstart your IoT solution development and enable water utilities to digitally monitor water quality in smart cities.

-Use the IoT Central *water quality monitoring* application template and the guidance in this article to develop an end-to-end water quality monitoring solution.

-### Devices and connectivity

-### Extensibility and integrations

-### Business applications

-# Tutorial: Deploy and walkthrough the continuous patient monitoring app template

-In the healthcare IoT space, Continuous Patient Monitoring is one of the key enablers of reducing the risk of readmissions, managing chronic diseases more effectively, and improving patient outcomes. Continuous Patient Monitoring can be split into two major categories:

-This application template can be used to build solutions for both categories of Continuous Patient Monitoring. The benefits include:

-## Bluetooth Low Energy (BLE) medical devices

-## Mobile phone gateway

-The mobile phone application's primary function is to collect BLE data from medical devices and communicate it to IoT Central. The app also guides patients through device setup and lets them view their personal health data. Other solutions could use a tablet gateway or a static gateway in a hospital room. An open-source sample mobile application is available for Android and iOS to use as a starting point for your application development. To learn more, see the [Continuous Patient Monitoring sample mobile app on GitHub](https://github.com/iot-for-all/iotc-cpm-sample).

-## Export to Azure API for FHIR&reg;

-## Machine learning

-## Provider dashboard

-## Create Continuous Patient Monitoring application

-1. Select **Create app** under **Continuous Patient Monitoring**.

-After deploying the app template, you'll first land on the **Lamna in-patient monitoring dashboard**. Lamna Healthcare is a fictitious hospital system that contains two hospitals: Woodgrove Hospital and Burkville Hospital. On the Woodgrove Hospital operator dashboard, you can:

-You will first need to set up a continuous data export from your Azure IoT Central app template to the Azure Event Hub in your subscription. You can do so by following the steps in this Azure IoT Central tutorial for [Exporting to Event Hubs](../core/howto-export-data.md). You will only need to export for the telemetry for the purposes of this tutorial.

-You can use the IoT Central in-store analytics condition monitoring application template to build an end-to-end solution. The application template lets you digitally connect to and monitor a retail store environment using different kinds of sensor devices. These sensor devices generate telemetry that you can convert into business insights to help the retailer reduce operating costs and create a great experience for their customers.

-Use the IoT Central *in-store analytics* application template and the guidance in this article to develop an end-to-end in-store analytics solution.

-1. Set of IoT sensors sending telemetry data to a gateway device.

-1. Gateway devices sending telemetry and aggregated insights to IoT Central.

-1. Continuous data export to the desired Azure service for manipulation.

-1. Data can be structured in the desired format and sent to a storage service.

-1. Business applications can query data and generate insights that power retail operations.

-## Condition monitoring sensors

-## Gateway devices

-## IoT Central application

-## Data transform

-The Azure IoT Central application within a solution can be configured to export raw or aggregated insights to a set of Azure PaaS (Platform-as-a Service) services that can perform data manipulation and enrich these insights before landing them in a business application.

-## Business application

->

-Use the application template and guidance in this article to develop an end-to-end *connected logistics solution*.

-1. IoT tags send telemetry data to a gateway device.

-2. Gateway devices send telemetry and aggregated insights to IoT Central.

-3. IoT Central routes data to an Azure service for manipulation.

-4. Services such as Azure Stream Analytics or Azure Functions can reformat data streams and send the data to storage accounts.

-5. End-user business applications can power business workflows.

-*IoT tags* provide physical, ambient, and environmental sensor capabilities such as temperature, humidity, shock, tilt, and light. IoT tags typically connect to gateway device through Zigbee (802.15.4). Tags are less expensive sensors and can be discarded at the end of a typical logistics journey to avoid challenges with reverse logistics.

-*Gateways* enable upstream Azure IoT cloud connectivity using cellular or Wi-Fi channels. Bluetooth, NFC, and 802.15.4 Wireless Sensor Network modes are used for downstream communication with IoT tags. Gateways provide end-to-end secure cloud connectivity, IoT tag pairing, sensor data aggregation, data retention, and the ability to configure alarm thresholds.

-The IoT Central platform provides rich extensibility options through data export and APIs. Business insights based on telemetry data processing or raw telemetry are typically exported to a preferred line-of-business application.

- :::image type="content" source="media/tutorial-iot-central-connected-logistics/connected-logistics-app-create.png" alt-text="Connected logistics app template":::

-Use the IoT Central *digital distribution center* application template and the guidance in this article to develop an end-to-end digital distribution center solution.

- :::image type="content" source="media/tutorial-iot-central-ddc/digital-distribution-center-architecture.png" alt-text="digital distribution center.":::

-1. Set of IoT sensors sending telemetry data to a gateway device.

-2. Gateway devices sending telemetry and aggregated insights to IoT Central.

-3. Data is routed to the desired Azure service for manipulation.

-4. Azure services like ASA or Azure Functions can be used to reformat data streams and send to the desired storage accounts.

-5. Processed data is stored in hot storage for near real-time actions or cold storage for more insight enhancements that is based on ML or batch analysis.

-6. Logic Apps can be used to power various business workflows in end-user business applications.

-### Video cameras

-Video cameras are the primary sensors in this digitally connected enterprise-scale ecosystem. Advancements in machine learning and artificial intelligence that allow video to be turned into structured data and process it at edge before sending to cloud. We can use IP cameras to capture images, compress them on the camera, and then send the compressed data over edge compute for video analytics pipeline or use GigE vision cameras to capture images on the sensor and then send these images directly to the Azure IoT Edge, which then compresses before processing in video analytics pipeline.

-### Azure IoT Edge Gateway

-### Device Management with IoT Central

-

-### Business Insights and actions using data egress

-Use the IoT Central *smart inventory management* application template and the guidance in this article to develop an end-to-end smart inventory management solution.

-1. Set of IoT sensors sending telemetry data to a gateway device.

-2. Gateway devices sending telemetry and aggregated insights to IoT Central.

-3. Data is routed to the desired Azure service for manipulation.

-4. Azure services like ASA or Azure Functions can be used to reformat data streams and send to the desired storage accounts.

-5. Processed data is stored in hot storage for near real-time actions or cold storage for additional insight enhancements that is based on ML or batch analysis.

-6. Logic Apps can be used to power various business workflows in end-user business applications.

-### Details

-Following section outlines each part of the conceptual architecture

-Telemetry ingestion from Radio-frequency identification (RFID), Bluetooth low energy (BLE) tags

-### RFID tags

-### BLE tags

-### RFID and BLE readers

-### Azure IoT Edge gateway

-### Device management with IoT Central

-### Business insights and actions using data egress

-> * walk through the application

-After successfully deploying the app template, your default dashboard is a smart inventory management operator focused portal. Northwind Trader is a fictitious smart inventory provider managing warehouse with Bluetooth low energy (BLE) and retail store with Radio-frequency identification (RFID). In this dashboard, you'll see two different gateways providing telemetry about inventory along with associated commands, jobs, and actions that you can perform.

-The IoT Central micro-fulfillment center application template enables you to monitor and manage all aspects of your fully automated fulfillment centers. The template includes a set of simulated condition monitoring sensors and robotic carriers to accelerate the solution development process. These sensor devices capture meaningful signals that can be converted into business insights allowing retailers to reduce their operating costs and create experiences for their customers.

-Use the IoT Central *micro-fulfillment center* application template and the guidance in this article to develop an end-to-end micro-fulfillment center solution.

-1. Set of IoT sensors sending telemetry data to a gateway device

-2. Gateway devices sending telemetry and aggregated insights to IoT Central

-3. Continuous data export to the desired Azure service for manipulation

-4. Data can be structured in the desired format and sent to a storage service

-5. Business applications can query data and generate insights that power retail operations

-### Robotic carriers

-### Condition monitoring sensors

-### Gateway devices

-### Data transform

-The Azure IoT Central application within a solution can be configured to export raw or aggregated insights to a set of Azure PaaS (Platform-as-a-Service) services that can perform data manipulation and enrich these insights before landing them in a business application.

-### Business application

-After successfully deploying the app template, you see the **Northwind Traders micro-fulfillment center dashboard**. Northwind Traders is a fictitious retailer that has a micro-fulfillment center being managed in this Azure IoT Central application. On this dashboard, you see information and telemetry about the devices in this template, along with a set of commands, jobs, and actions that you can take. The dashboard is logically split into two sections. On the left, you can monitor the environmental conditions within the fulfillment structure, and on the right, you can monitor the health of a robotic carrier within the facility.

-> [!NOTE]

-> The **Azure IoT SDK for Python** does not directly support **Jobs** functionality. Instead this tutorial offers an alternate solution utilizing asynchronous threads and timers. For further updates, see the **Service Client SDK** feature list on the [Azure IoT SDK for Python](https://github.com/Azure/azure-iot-sdk-python) page.

->

- from azure.iot.hub import IoTHubRegistryManager

- from azure.iot.hub.models import Twin, TwinProperties, CloudToDeviceMethod, CloudToDeviceMethodResult, QuerySpecification, QueryResult

- ```

-4. Add the following function that is used to query for devices:

- ```python

- def query_condition(iothub_registry_manager, device_id):

- query_spec = QuerySpecification(query="SELECT * FROM devices WHERE deviceId = '{}'".format(device_id))

- query_result = iothub_registry_manager.query_iot_hub(query_spec, None, 1)

- return len(query_result.items)

-5. Add the following methods to run the jobs that call the direct method and device twin:

- def device_method_job(job_id, device_id, wait_time, execution_time):

- time.sleep(wait_time)

- iothub_registry_manager = IoTHubRegistryManager(CONNECTION_STRING)

- if query_condition(iothub_registry_manager, device_id):

- deviceMethod = CloudToDeviceMethod(method_name=METHOD_NAME, payload=METHOD_PAYLOAD)

- response = iothub_registry_manager.invoke_device_method(DEVICE_ID, deviceMethod)

- print ( "" )

- print ( "Direct method " + METHOD_NAME + " called." )

- def device_twin_job(job_id, device_id, wait_time, execution_time):

- time.sleep(wait_time)

- iothub_registry_manager = IoTHubRegistryManager(CONNECTION_STRING)

- if query_condition(iothub_registry_manager, device_id):

- twin = iothub_registry_manager.get_twin(DEVICE_ID)

- twin_patch = Twin(properties= TwinProperties(desired=UPDATE_PATCH))

- twin = iothub_registry_manager.update_twin(DEVICE_ID, twin_patch, twin.etag)

- print ( "" )

- print ( "Device twin updated." )

- ```

-6. Add the following code to schedule the jobs and update job status. Also include the `main` routine:

- method_thr_id = uuid.uuid4()

- method_thr = threading.Thread(target=device_method_job, args=(method_thr_id, DEVICE_ID, 20, TIMEOUT), kwargs={})

- method_thr.start()

- print ( "Direct method called with Job Id: " + str(method_thr_id) )

- twin_thr_id = uuid.uuid4()

- twin_thr = threading.Thread(target=device_twin_job, args=(twin_thr_id, DEVICE_ID, 10, TIMEOUT), kwargs={})

- twin_thr.start()

- print ( "Device twin called with Job Id: " + str(twin_thr_id) )

- if method_thr.is_alive():

- print ( "...job " + str(method_thr_id) + " still running." )

- else:

- print ( "...job " + str(method_thr_id) + " complete." )

- if twin_thr.is_alive():

- print ( "...job " + str(twin_thr_id) + " still running." )

- else:

- print ( "...job " + str(twin_thr_id) + " complete." )

- status_counter = 0

- while status_counter <= WAIT_COUNT:

- time.sleep(1)

- status_counter += 1

- print ( "Unexpected error {0}" % ex )

-

-To continue getting started with IoT Hub and device management patterns such as end-to-end image-based update in [Device Update for Azure IoT Hub tutorial using the Raspberry Pi 3 B+ Reference Image](../iot-hub-device-update/device-update-raspberry-pi.md).

-The mode can be changed anytime the graphics binding object is available.

- To give your SecOps team the ability to use Logic Apps for Security Orchestration, Automation, and Response (SOAR) operations - that is, to create and run playbooks - in Microsoft Sentinel, you can assign Azure roles, either to specific members of your security operations team or to the whole team. The following describes the different available roles, and the tasks for which they should be assigned:

-Running them manually means that when you get an alert, you can choose to run a playbook on-demand as a response to the selected alert. Currently this feature is supported only for alerts, not for incidents.

- > **Microsoft Sentinel automation rules require permissions to run playbooks.**

- > To run a playbook from an automation rule, Microsoft Sentinel uses a service account specifically authorized to do so. The use of this account (as opposed to your user account) increases the security level of the service and enables the automation rules API to support CI/CD use cases.

- > This account must be granted explicit permissions (taking the form of the **Microsoft Sentinel Automation Contributor** role) on the resource group where the playbook resides. At that point, any automation rule will be able to run any playbook in that resource group.

-### Run a playbook manually on an alert

-Manual triggering is available from the Microsoft Sentinel portal in the following blades:

-1. Click on **View playbooks** for the chosen alert. You will get a list of all playbooks that start with an **When a Microsoft Sentinel Alert is triggered** and that you have access to.

-1. Click on **Run** on the line of a specific playbook to trigger it.

-1. Select the **Runs** tab to view a list of all the times any playbook has been run on this alert. It might take a few seconds for any just-completed run to appear in this list.

-1. Clicking on a specific run will open the full run log in Logic Apps.

-### Run a playbook manually on an incident

-Not supported yet.

-## Estimate Microsoft Sentinel costs

-If you're not yet using Microsoft Sentinel, you can use the [Microsoft Sentinel pricing calculator](https://azure.microsoft.com/pricing/calculator/?service=azure-sentinel) to estimate the potential cost of using Microsoft Sentinel. Enter *Microsoft Sentinel* in the Search box and select the resulting Microsoft Sentinel tile. The pricing calculator helps you estimate your likely costs based on your expected data ingestion and retention.

-For example, you can enter the GB of daily data you expect to ingest in Microsoft Sentinel, and the region for your workspace. The calculator provides the aggregate monthly cost across these components:

-> Integration with Microsoft Teams is is currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

- <a name="note5"></a>[Decision tree note #5](#decision-tree): We recommend that you have as few workspaces as possible. Use the [Azure pricing calculator](billing.md#estimate-microsoft-sentinel-costs) to estimate the cost and determine which regions you actually need, and combine workspaces for regions with low egress costs. Bandwidth costs may be only a small part of your Azure bill when compared with separate Microsoft Sentinel and Log Analytics ingestion costs.

-|Search behavior |Description |

-|**Search button color** |The color of the search button changes, depending on the types of parameters currently being used in the search. <br><br>- As long as only the default parameters are selected, the button is grey. <br>- As soon as different parameters are selected, such as advanced search parameters, the button turns blue. |

-|**Auto-refresh** | Using advanced search parameters prevents you from selecting to automatically refresh your results. |

-|**Entity parameters** |All entity parameters are supported for advanced searches. When searching in any entity parameter, the search runs in all entity parameters. |

-|**Search strings** | Searching for a string of words includes all of the words in the search query. Search strings are case sensitive. |

-|**Cross workspace support** | Advanced searches are not supported for cross-workspace views. |

-| | |

- - **SAP version 750 or later**: Install the SAP change request *NPLK900198*

- - **SAP version 740**: Install the SAP change request *NPLK900200*

-description: Learn about the SAP logs available from the Microsoft Sentinel SAP solution.

-# Microsoft Sentinel SAP solution logs reference (public preview)

-## ABAP Application log

-### ABAPAppLog_CL log schema

-## ABAP Change Documents log

-### ABAPChangeDocsLog_CL log schema

-## ABAP CR log

-### ABAPCRLog_CL log schema

-## ABAP DB table data log

-### ABAPTableDataLog_CL log schema

-## ABAP Gateway log

-### ABAPOS_GW_CL log schema

-## ABAP ICM log

-### ABAPOS_ICM_CL log schema

-## ABAP Job log

-### ABAPJobLog_CL log schema

-## ABAP Security Audit log

-### ABAPAuditLog_CL log schema

-## ABAP Spool log

-### ABAPSpoolLog_CL log schema

-## APAB Spool Output log

-### ABAPSpoolOutputLog_CL log schema

-## ABAP SysLog

-### ABAPOS_Syslog_CL log schema

-## ABAP Workflow log

-### ABAPWorkflowLog_CL log schema

-## ABAP WorkProcess log

-### ABAPOS_WP_CL log schema

-## HANA DB Audit Trail

-### Syslog log schema

-## JAVA files

-### JavaFilesLogsCL log schema

-|**SAP - Medium - Brute force attacks** | Identifies brute force attacks on the SAP system, according to failed sign-in attempts for the backend system. | Attempt to sign in from the same IP address to several systems/clients within the scheduled time interval. <br><br>**Data sources**: SAPcon - Audit Log | Credential Access |

-In every one of these steps, clicking on any field displays a panel with two menus: **Dynamic content** and **Expression**. From the **Dynamic content** menu, you can add references to the attributes of the alert or incident that was passed to the playbook, including the values and attributes of all the entities involved. From the **Expression** menu, you can choose from a large library of functions to add additional logic to your steps.

- > Microsoft Sentinel must be granted explicit permissions in order to run playbooks from automation rules. If a playbook appears "grayed out" in the drop-down list, it means Sentinel does not have permission to that playbook's resource group. Click the **Manage playbook permissions** link to assign permissions.

-You can also run a playbook on demand.

- > [!NOTE]

- > Only playbooks using the **alert trigger** can be run on-demand.

-To run a playbook on-demand:

-1. In the **Incidents** page, select an incident and click on **View full details**.

-2. In the **Alerts** tab, click on the alert you want to run the playbook on, and scroll all the way to the right and click **View playbooks** and select a playbook to **run** from the list of available playbooks on the subscription.

-1. To run this playbook, [set an automated response](automate-responses-with-playbooks.md#set-an-automated-response) or [run manually](automate-responses-with-playbooks.md#run-a-playbook-manually-on-an-alert) (alert trigger only).

-> The SBMP is only available for .NET Framework. AMQP is the default for .NET Standard.

-## Provide content feedback

-description: The core Azure Storage platform is Microsoft's cloud storage solution. Azure Storage provides storage for data objects that is highly available, secure, durable, massively scalable, and redundant.

-# Introduction to the core Azure Storage services

-The Azure Storage platform is Microsoft's cloud storage solution for modern data storage scenarios. Core storage services offer a massively scalable object store for data objects, disk storage for Azure virtual machines (VMs), a file system service for the cloud, a messaging store for reliable messaging, and a NoSQL store. The services are:

-## Review options for storage in Azure

-Azure provides a variety of storage tools and services, including Azure Storage. To determine which Azure technology is best suited for your scenario, see [Review your storage options](/azure/cloud-adoption-framework/ready/considerations/storage-options) in the Azure Cloud Adoption Framework.

-## About the core Azure Storage services

-## Example scenarios

-There are two basic kinds of encryption available for the core storage services. For more information about security and encryption, see the [Azure Storage security guide](../blobs/security-recommendations.md).

-You can access resources in a storage account by any language that can make HTTP/HTTPS requests. Additionally, the core Azure Storage services offer programming libraries for several popular languages. These libraries simplify many aspects of working with Azure Storage by handling details such as synchronous and asynchronous invocation, batching of operations, exception management, automatic retries, operational behavior, and so forth. Libraries are currently available for the following languages and platforms, with others in the pipeline:

-To get up and running with core Azure Storage services, see [Create a storage account](storage-account-create.md).

-The following comparison matrix shows basic functionality of different tools that can be used for migration of unstructured data.

-| | [Microsoft](https://www.microsoft.com/) | [Datadobi](https://www.datadobi.com) | [Data Dynamics](https://www.datadynamicsinc.com/) | [Komprise](https://www.komprise.com/) |

-| |--|--|||

-| **Solution name** | [Azure File Sync](../../../file-sync/file-sync-deployment-guide.md) | [DobiMigrate](https://azuremarketplace.microsoft.com/marketplace/apps/datadobi1602192408529.datadobi-dobimigrate?tab=Overview) | [Data Mobility and Migration](https://azuremarketplace.microsoft.com/marketplace/apps/datadynamicsinc1581991927942.vm_4?tab=PlansAndPrice) | [Intelligent Data Management](https://azuremarketplace.microsoft.com/marketplace/apps/komprise_inc.intelligent_data_management?tab=OverviewΓÇï) |

-| **Support provided by** | Microsoft | [Datadobi](https://support.datadobi.com/s/)₁ | [Data Dynamics](https://www.datdynsupport.com/)₁ | [Komprise](https://komprise.freshdesk.com/support/home)₁ |

-| **Azure Files support (all tiers)** | Yes | Yes | Yes | Yes |

-| **Azure NetApp Files support** | No | Yes | Yes | Yes |

-| **Azure Blob Hot / Cool support** | No | Yes (via NFS preview) | Yes | Yes |

-| **Azure Blob Archive tier support** | No | No | No | Yes (as migration destination) |

-| **Azure Data Lake Storage support** | No | No | No | No |

-| **Supported Sources** | Windows Server 2012 R2 and up | NAS & cloud file systems | Any NAS and S3 | NAS, Blob, S3 |

-| | [Microsoft](https://www.microsoft.com/) | [Datadobi](https://www.datadobi.com) | [Data Dynamics](https://www.datadynamicsinc.com/) | [Komprise](https://www.komprise.com/) |

-| |--|--|||

-| **Solution name** | [Azure File Sync](../../../file-sync/file-sync-deployment-guide.md) | [DobiMigrate](https://azuremarketplace.microsoft.com/marketplace/apps/datadobi1602192408529.datadobi-dobimigrate?tab=Overview ) | [Data Mobility and Migration](https://azuremarketplace.microsoft.com/marketplace/apps/datadynamicsinc1581991927942.vm_4?tab=PlansAndPrice) | [Intelligent Data Management](https://azuremarketplace.microsoft.com/marketplace/apps/komprise_inc.intelligent_data_management?tab=OverviewΓÇï) |

-| **SMB 2.1** | Yes | Yes | Yes | Yes |

-| **SMB 3.0** | Yes | Yes | Yes | Yes |

-| **SMB 3.1** | Yes | Yes | Yes | Yes |

-| **NFS v3** | No | Yes | Yes | Yes |

-| **NFS v4.1** | No | Yes | No | Yes |

-| **Blob REST API** | No | No | Yes | Yes |

-| **S3** | No | Yes | Yes | Yes |

-| | [Microsoft](https://www.microsoft.com/) | [Datadobi](https://www.datadobi.com) | [Data Dynamics](https://www.datadynamicsinc.com/) | [Komprise](https://www.komprise.com/) |

-| |--|--|||

-| **Solution name** | [Azure File Sync](../../../file-sync/file-sync-deployment-guide.md) | [DobiMigrate](https://azuremarketplace.microsoft.com/marketplace/apps/datadobi1602192408529.datadobi-dobimigrate?tab=Overview ) | [Data Mobility and Migration](https://azuremarketplace.microsoft.com/marketplace/apps/datadynamicsinc1581991927942.vm_4?tab=PlansAndPrice) | [Intelligent Data Management](https://azuremarketplace.microsoft.com/marketplace/apps/komprise_inc.intelligent_data_management?tab=OverviewΓÇï) |

-| **UID / SID remapping** | No | Yes | Yes | No |

-| **Protocol ACL remapping** | No | No | No | No |

-| **DFS Support** | Yes | Yes | Yes | Yes |

-| **Throttling support** | Yes | Yes | Yes | Yes |

-| **File pattern exclusions** | No | Yes | Yes | Yes (using copy functionality) |

-| **Support for selective file attributes** | Yes | Yes | Yes | Yes (for extended attributes) |

-| **Delete propagations** | Yes | Yes | Yes | Yes |

-| **Follow NTFS junctions** | No | Yes | No | Yes |

-| **Override SMB Owner and Group Owner** | Yes | Yes | Yes | No |

-| **Chain of custody reporting** | No | Yes | No | Yes |

-| **Support for alternate data streams** | No | Yes | Yes | No |

-| **Scheduling for migration** | No | Yes | Yes | Yes |

-| **Preserving ACL** | Yes | Yes | Yes | Yes |

-| **DACL support** | Yes | Yes | Yes | Yes |

-| **SACL support** | Yes | Yes | Yes | No |

-| **Preserving access time** | Yes | Yes | Yes | Yes |

-| **Preserving modified time** | Yes | Yes | Yes | Yes |

-| **Preserving creation time** | Yes | Yes | Yes | Yes |

-| **Azure Data Box support** | Yes | Yes | No | No |

-| **Migration of snapshots** | No | Manual | Yes | No |

-| **Symbolic link support** | No | Yes | No | Yes |

-| **Hard link support** | No | Migrated as separate files | Yes | Yes |

-| **Support for open / locked files** | Yes | Yes | Yes | Yes |

-| **Incremental migration** | Yes | Yes | Yes | Yes |

-| **Switchover support** | No | Yes | Yes | No (manual only) |

-| **[Other features](#other-features)** | [Link](#azure-file-sync)| [Link](#datadobi-dobimigrate) | [Link](#data-dynamics-data-mobility-and-migration) | [Link](#komprise-intelligent-data-management) |

-| | [Microsoft](https://www.microsoft.com/) | [Datadobi](https://www.datadobi.com) | [Data Dynamics](https://www.datadynamicsinc.com/) | [Komprise](https://www.komprise.com/) |

-| |--|--|||

-| **Solution name** | [Azure File Sync](../../../file-sync/file-sync-deployment-guide.md) | [DobiMigrate](https://azuremarketplace.microsoft.com/marketplace/apps/datadobi1602192408529.datadobi-dobimigrate?tab=Overview ) | [Data Mobility and Migration](https://azuremarketplace.microsoft.com/marketplace/apps/datadynamicsinc1581991927942.vm_4?tab=PlansAndPrice) | [Intelligent Data Management](https://azuremarketplace.microsoft.com/marketplace/apps/komprise_inc.intelligent_data_management?tab=OverviewΓÇï) |

-| **Capacity** | No | Yes | Yes | Yes |

-| **# of files / folders** | No | Yes | Yes | Yes |

-| **Age distribution over time** | No | Yes | Yes | Yes |

-| **Access time** | No | Yes | Yes | Yes |

-| **Modified time** | No | Yes | Yes | Yes |

-| **Creation time** | No | Yes | Yes | Yes |

-| **Per file / object report status** | Partial | Yes | Yes | Yes |

-| | [Microsoft](https://www.microsoft.com/) | [Datadobi](https://www.datadobi.com) | [Data Dynamics](https://www.datadynamicsinc.com/) | [Komprise](https://www.komprise.com/) |

-| |--|--|||

-| **Solution name** | [Azure File Sync](../../../file-sync/file-sync-deployment-guide.md) | [DobiMigrate](https://azuremarketplace.microsoft.com/marketplace/apps/datadobi1602192408529.datadobi-dobimigrate?tab=Overview ) | [Data Mobility and Migration](https://azuremarketplace.microsoft.com/marketplace/apps/datadynamicsinc1581991927942.vm_4?tab=PlansAndPrice) | [Intelligent Data Management](https://azuremarketplace.microsoft.com/marketplace/apps/komprise_inc.intelligent_data_management?tab=OverviewΓÇï) |

-| **BYOL** | N / A | Yes | Yes | Yes |

-| **Azure Commitment** | Yes | Yes | Yes | Yes |

-### Komprise Intelligent Data Management

-*List was last verified on March, 31st 2021.*

-₁ Support provided by ISV, not Microsoft

-This tutorial shows you how to use Azure Virtual Network NAT service. You'll create a NAT gateway to provide outbound connectivity for a virtual machine in Azure.

-The following example creates a resource group named **myResourceGroupNAT** in the **eastus2** location:

-```azurecli-interactive

- az group create \

- --name myResourceGroupNAT \

- --location eastus2

-```

-To access the Internet, you need one or more public IP addresses for the NAT gateway. Use [az network public-ip create](/cli/azure/network/public-ip#az_network_public_ip_create) to create a public IP address resource named **myPublicIP** in **myResourceGroupNAT**.

-```azurecli-interactive

- az network public-ip create \

- --resource-group myResourceGroupNAT \

- --name myPublicIP \

- --sku standard \

- --allocation static

-```

-Create a global Azure NAT gateway with [az network nat gateway create](/cli/azure/network/nat#az_network_nat_gateway_create). The result of this command will create a gateway resource named **myNATgateway** that uses the public IP address **myPublicIP**. The idle timeout is set to 10 minutes.

-```azurecli-interactive

- az network nat gateway create \

- --resource-group myResourceGroupNAT \

- --name myNATgateway \

- --public-ip-addresses myPublicIP \

- --idle-timeout 10

- ```

-Create a virtual network named **myVnet** with a subnet named **mySubnet** [az network vnet create](/cli/azure/network/vnet#az_network_vnet_create) in the **myResourceGroup** resource group. The IP address space for the virtual network is **10.1.0.0/16**. The subnet within the virtual network is **10.1.0.0/24**.

-```azurecli-interactive

- az network vnet create \

- --resource-group myResourceGroupNAT \

- --location eastus2 \

- --name myVnet \

- --address-prefix 10.1.0.0/16 \

- --subnet-name mySubnet \

- --subnet-prefix 10.1.0.0/24

-```

-### Create bastion host

-Create an Azure Bastion host named **myBastionHost** to access the virtual machine.

-```azurecli-interactive

-az network vnet subnet create \

- --resource-group myResourceGroupNAT \

- --name AzureBastionSubnet \

- --vnet-name myVNet \

- --address-prefixes 10.1.1.0/24

-```

-Create a public IP address for the bastion host with [az network public-ip create](/cli/azure/network/public-ip#az_network_public_ip_create).

-```azurecli-interactive

-az network public-ip create \

- --resource-group myResourceGroupNAT \

- --name myBastionIP \

- --sku Standard

-```

-Use [az network bastion create](/cli/azure/network/bastion#az_network_bastion_create) to create the bastion host.

-```azurecli-interactive

-az network bastion create \

- --resource-group myResourceGroupNAT \

- --name myBastionHost \

- --public-ip-address myBastionIP \

- --vnet-name myVNet \

- --location eastus2

-```

-We'll configure the source subnet **mySubnet** in virtual network **myVnet** to use a specific NAT gateway resource **myNATgateway** with [az network vnet subnet update](/cli/azure/network/vnet/subnet#az_network_vnet_subnet_update). This command will activate the NAT service on the specified subnet.

-```azurecli-interactive

- az network vnet subnet update \

- --resource-group myResourceGroupNAT \

- --vnet-name myVnet \

- --name mySubnet \

- --nat-gateway myNATgateway

-```

-## Virtual machine

-In this section, you'll create a virtual machine to test the NAT gateway to verify the public IP address of the outbound connection.

-```azurecli-interactive

-az vm create \

- --name myVM \

- --resource-group myResourceGroupNAT \

- --admin-username azureuser \

- --image win2019datacenter \

- --public-ip-address "" \

- --subnet mySubnet \

- --vnet-name myVNet

-```

-

-2. Make note of the public IP address:

-3. Select **All services** in the left-hand menu, select **All resources**, and then from the resources list, select **myVM** that is located in the **myResourceGroupNAT** resource group.

-4. On the **Overview** page, select **Connect**, then **Bastion**.

-5. Select the blue **Use Bastion** button.

-6. Enter the username and password entered during VM creation.

-7. Open **Internet Explorer** on **myTestVM**.

-8. Enter **https://whatsmyip.com** in the address bar.

-9. Verify the IP address displayed matches the NAT gateway address you noted in the previous step:

-the virtual network, virtual machine, and NAT gateway with the following steps:

-```azurecli-interactive

- --name myResourceGroupNAT

-You can execute the script from the Azure [Cloud Shell](https://shell.azure.com/bash), or from a local Azure CLI installation. If you use the CLI locally, this script requires that you are running version 2.0.28 or later. To find the installed version, run `az --version`. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli). If you are running the CLI locally, you also need to run `az login` to create a connection with Azure.

-[!code-azurecli-interactive[main](../../../cli_scripts/virtual-network/filter-network-traffic/filter-network-traffic.sh "Filter VM network traffic")]

-## Clean up deployment

-Run the following command to remove the resource group, VM, and all related resources:

-az group delete --name MyResourceGroup --yes

-## Script explanation

-You can execute the script from the Azure [Cloud Shell](https://shell.azure.com/bash), or from a local Azure CLI installation. If you use the CLI locally, this script requires that you are running version 2.0.28 or later. To find the installed version, run `az --version`. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli). If you are running the CLI locally, you also need to run `az login` to create a connection with Azure.

-## Prerequisites

-To use the IPv6 for Azure virtual network feature, you must configure your subscription only once as follows:

-```azurecli

-az feature register --name AllowIPv6VirtualNetwork --namespace Microsoft.Network

-az feature register --name AllowIPv6CAOnStandardLB --namespace Microsoft.Network

-```

-It takes up to 30 minutes for feature registration to complete. You can check your registration status by running the following Azure CLI command:

-```azurecli

-az feature show --name AllowIPv6VirtualNetwork --namespace Microsoft.Network

-az feature show --name AllowIPv6CAOnStandardLB --namespace Microsoft.Network

-```

-After the registration is complete, run the following command:

-```azurecli

-az provider register --namespace Microsoft.Network

-```

-```azurecli

-# Create a resource group

-az group create \

-# Create an IPV4 IP address

-az network public-ip create \

-# Create an IPV6 IP address

-az network public-ip create \

-# Create public IP addresses for remote access to VMs

-az network public-ip create \

-az network public-ip create \

-# Create load balancer

-az network lb create \

-# Create IPv6 front-end

-az network lb frontend-ip create \

-# Configure IPv6 back-end address pool

-az network lb address-pool create \

-# Create a load balancer rule

-az network lb rule create \

-az network lb rule create \

-# Create an availability set

-az vm availability-set create \

-# Create network security group

-az network nsg create \

-# Create inbound rule for port 3389

-az network nsg rule create \

-# Create inbound rule for port 80

-az network nsg rule create \

-# Create outbound rule

-az network nsg rule create \

-# Create the virtual network

-az network vnet create \

-# Create a single dual stack subnet

-az network vnet subnet create \

-# Create NICs

-az network nic create \

-az network nic create \

-# Create IPV6 configurations for each NIC

-az network nic ip-config create \

-az network nic ip-config create \

-# Create virtual machine dsVM0

- az vm create \

-# Create virtual machine dsVM1

-az vm create \

-```

-## View IPv6 dual stack virtual network in Azure portal

-You can view the IPv6 dual stack virtual network in Azure portal as follows:

-1. In the portal's search bar, enter *dsVnet*.

-2. When **myVirtualNetwork** appears in the search results, select it. This launches the **Overview** page of the dual stack virtual network named *dsVnet*. The dual stack virtual network shows the two NICs with both IPv4 and IPv6 configurations located in the dual stack subnet named *dsSubnet*.

-> [!NOTE]

-> The IPv6 for Azure virtual network is available in the Azure portal in read-only for this preview release.

-Run the following command to remove the resource group, VM, and all related resources:

-az group delete --name <resourcegroupname> --yes

-## Script explanation

-| [az vm availability-set create](/cli/azure/network/lb/rule#az_network_lb_rule_create) | Creates an availability set. Availability sets ensure application uptime by spreading the virtual machines across physical resources such that if failure occurs, the entire set is not effected. |

-Additional Azure Networking CLI script samples can be found in the [Azure Networking documentation](../cli-samples.md).

-You can execute the script from the Azure [Cloud Shell](https://shell.azure.com/bash), or from a local Azure CLI installation. If you use the CLI locally, this script requires that you are running version 2.0.28 or later. To find the installed version, run `az --version`. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli). If you are running the CLI locally, you also need to run `az login` to create a connection with Azure.

-## Prerequisites

-To use the IPv6 for Azure virtual network feature, you must configure your subscription only once as follows:

-```azurecli

-az feature register --name AllowIPv6VirtualNetwork --namespace Microsoft.Network

-az feature register --name AllowIPv6CAOnStandardLB --namespace Microsoft.Network

-```

-It takes up to 30 minutes for feature registration to complete. You can check your registration status by running the following Azure CLI command:

-```azurecli

-az feature show --name AllowIPv6VirtualNetwork --namespace Microsoft.Network

-az feature show --name AllowIPv6CAOnStandardLB --namespace Microsoft.Network

-```

-After the registration is complete, run the following command:

-```azurecli

-az provider register --namespace Microsoft.Network

-```

-```azurecli

-# Create a resource group

-az group create \

-# Create an IPV4 IP address

-az network public-ip create \

-# Create an IPV6 IP address

-az network public-ip create \

-# Create public IP addresses for remote access to VMs

-az network public-ip create \

-# Create load balancer

-az network public-ip create \

-az network lb create \

-# Create IPv6 front-end

-az network lb frontend-ip create \

-# Configure IPv6 back-end address pool

-az network lb address-pool create \

-# Create a load balancer rule

-az network lb rule create \

-az network lb rule create

-# Create an availability set

-az vm availability-set create \

-# Create network security group

-az network nsg create \

-# Create inbound rule for port 3389

-az network nsg rule create \

-# Create outbound rule

-az network nsg rule create \

-# Create the virtual network

-az network vnet create \

-# Create a single dual stack subnet

-az network vnet subnet create \

-# Create NICs

-az network nic create \

-az network nic create \

-# Create IPV6 configurations for each NIC

-az network nic ip-config create \

-az network nic ip-config create \

-# Create virtual machines

- az vm create \

-az vm create \

-```

-Run the following command to remove the resource group, VM, and all related resources:

-az group delete --name <resourcegroupname> --yes

-## Script explanation

-| [az vm availability-set create](/cli/azure/network/lb/rule#az_network_lb_rule_create) | Creates an availability set. Availability sets ensure application uptime by spreading the virtual machines across physical resources such that if failure occurs, the entire set is not effected. |

-Additional Azure Networking CLI script samples can be found in the [Azure Networking documentation](../cli-samples.md).

-You can execute the script from the Azure [Cloud Shell](https://shell.azure.com/bash), or from a local Azure CLI installation. If you use the CLI locally, this script requires that you are running version 2.0.28 or later. To find the installed version, run `az --version`. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli). If you are running the CLI locally, you also need to run `az login` to create a connection with Azure.

-[!code-azurecli-interactive[main](../../../cli_scripts/virtual-network/virtual-network-multi-tier-application/virtual-network-multi-tier-application.sh "Virtual network for multi-tier application")]

-## Clean up deployment

-Run the following command to remove the resource group, VM, and all related resources:

-az group delete --name MyResourceGroup --yes

-## Script explanation

-You can execute the script from the Azure [Cloud Shell](https://shell.azure.com/bash), or from a local Azure CLI installation. If you use the CLI locally, this script requires that you are running version 2.0.28 or later. To find the installed version, run `az --version`. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli). If you are running the CLI locally, you also need to run `az login` to create a connection with Azure.

-[!code-azurecli-interactive[main](../../../cli_scripts/virtual-network/peer-two-virtual-networks/peer-two-virtual-networks.sh "Peer two networks")]

-## Clean up deployment

-Run the following command to remove the resource group, VM, and all related resources:

-az group delete --name myResourceGroup --yes

-## Script explanation

-You can execute the script from the Azure [Cloud Shell](https://shell.azure.com/bash), or from a local Azure CLI installation. If you use the CLI locally, this script requires that you are running version 2.0.28 or later. To find the installed version, run `az --version`. If you need to install or upgrade, see [Install the Azure CLI](/cli/azure/install-azure-cli). If you are running the CLI locally, you also need to run `az login` to create a connection with Azure.

-[!code-azurecli-interactive[main](../../../cli_scripts/virtual-network/route-traffic-through-nva/route-traffic-through-nva.sh "Route traffic through a network virtual appliance")]

-## Clean up deployment

-Run the following command to remove the resource group, VM, and all related resources:

-az group delete --name MyResourceGroup --yes

-## Script explanation