Updates from: 01/22/2022 02:47:24
Category Microsoft Docs article Related commit history on GitHub Change details
admin Customize Your Organization Theme https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/setup/customize-your-organization-theme.md
You can create up to four additional group themes.
## Logos: Specify your theme logos
-On the **Logos** page, you can you can add your logos, and specify the URL where users will navigate to, when they select the logo.
+On the **Logos** page, you can add your logos, and specify the URL where users will navigate to when they select the logo.
- **Default logo**: Add a URL location that points to your logo. Make sure that the URL uses HTTPS. Add a HTTPS image url that allows anonymous access and doesn't require authentication. For default theme, you also have an option to upload a logo image that is less than 10kb. Your default logo can be in the JPG, PNG, GIF, or SVG format. For SVG images, they will be resized to fit 24 pixels vertically. JPG, PNG, GIF images will be scaled to fit 200 x 48 pixels. Logo aspect ratio will always be preserved. - **Alternate logo**: Add a URL location that points to your logo. Your alternate logo should be optimized for use in Office dark themes. Same requirements as the default logo.
compliance Classifier Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/classifier-learn-about.md
Sensitivity and retention labels can then be automatically applied to make the c
This classification method is well suited to content that isn't easily identified by either the manual or automated pattern-matching methods. This method of classification is more about using a classifier to identify an item based on what the item is, not by elements that are in the item (pattern matching). A classifier learns how to identify a type of content by looking at hundreds of examples of the content you're interested in classifying.
+> [!NOTE]
+> You can view the trainable classifiers in content explorer by expanding **Trainable Classifiers** in the filters panel. The trainable classifiers will automatically display the number of incidents found in SharePoint, Teams, and OneDrive, without requiring any labeling.
+> If you do not want to use this feature, you must file a request with Microsoft Support to disable out-of-the-box classification. This will disable the scanning of your sensitive and labeled content before you create labeling policies.
+ ### Where you can use classifiers Classifiers are available to use as a condition for [Office autolabeling with sensitivity labels](apply-sensitivity-label-automatically.md), [auto-apply retention label policy based on a condition](apply-retention-labels-automatically.md#configuring-conditions-for-auto-apply-retention-labels) and in [communication compliance](communication-compliance.md).
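Review bot: The last sentence of the added NOTE ("This will disable the scanning of your sensitive and labeled content before you create labeling policies") is ambiguous about what "This" refers to and about what happens by default. Suggest stating plainly that out-of-the-box classification scans SharePoint, Teams, and OneDrive content before any labeling policy exists, and that a Microsoft Support request is the only way to turn it off. The two paragraphs of the note need a blank `>` line between them to render separately. The added heading line starts with a space ("+ ### Where you can use classifiers") and shares a line with its body text, so as shown here it will not render as a heading.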
compliance Dlp Conditions And Exceptions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-conditions-and-exceptions.md
The tables in the following sections describe the conditions and exceptions that
If you use the sender address as a condition or exception the actual field where the value is looked for varies depending on the type of rule you use. For DLP based rules, the Envelope address is used as the sender address. For Exchange transport rules the Header address is used as the sender address.
+<!--
> [!NOTE] > Starting January 20, 2022, the default sender address location will be moved to the Header address along with the availability of the -SenderAddressLocation parameter to configure desired behavior at a DLP rule level.
To configure the sender address location at a DLP rule level, the parameter is _
- **Header or envelope** (`HeaderOrEnvelope`) Examine senders in the message header and the message envelope. <br>-
+-->
|condition or exception in DLP|condition/exception parameters in Microsoft 365 PowerShell|property type|description| ||||| |Sender is|condition: *From* <br/> exception: *ExceptIfFrom*|Addresses|Messages that are sent by the specified mailboxes, mail users, mail contacts, or Microsoft 365 groups in the organization.|
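Review bot: Wrapping the `-SenderAddressLocation` note in `<!--` and `-->` hides it from readers but leaves the "Starting January 20, 2022" text in the published source, with nothing to say whether the default has actually moved or when the note comes back. The visible paragraph above still tells readers that DLP-based rules use the Envelope address, so if the Header default has shipped, that paragraph is now wrong. If it has not shipped, delete the block rather than commenting it out, or add a dated comment inside it stating the condition for restoring it.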
This table describes the actions that are available in DLP.
|Add recipient|AddRecipients|First property: *Field*</br>Second property: *Addresses*|Adds one or more recipients to the To/Cc/Bcc field of the message. This parameter uses the syntax: @{<AddToRecipients \|CopyTo \|BlindCopyTo> = "emailaddress"}| |Add the senderΓÇÖs manager as recipient|AddRecipients|First property: *AddedManagerAction*</br>Second property: *Field*|Adds the sender's manager to the message as the specified recipient type (To, Cc, Bcc), or redirects the message to the sender's manager without notifying the sender or the recipient. This action only works if the sender's Manager attribute is defined in Active Directory. This parameter uses the syntax: @{AddManagerAsRecipientType = "<To \|Cc \|Bcc>"}| Prepend subject|PrependSubject|String|Adds the specified text to the beginning of the Subject field of the message. Consider using a space or a colon (:) as the last character of the specified text to differentiate it from the original subject text.</br>To prevent the same string from being added to messages that already contain the text in the subject (for example, replies), add the "The subject contains words" (ExceptIfSubjectContainsWords) exception to the rule.|
-|Modify Subject|ModifySubject|PswsHashTable | Remove text from the subject line that matches a specific pattern and replace it with different text. See the example below. You can: </br>- **Replace** all matches in the subject with the replacement text </br>- **Append** to remove all matches in the subject and inserts the replacement text at the end of the subject. </br>- **Prepend** to remove all matches and inserts the replacement text at the beginning of the subject.|
|Apply HTML disclaimer|ApplyHtmlDisclaimer|First property: *Text*</br>Second property: *Location*</br>Third property: *Fallback action*|Applies the specified HTML disclaimer to the required location of the message.</br>This parameter uses the syntax: @{ Text = ΓÇ£ ΓÇ¥ ; Location = <Append \|Prepend>; FallbackAction = <Wrap \|Ignore \|Reject> }| |Remove Office 365 Message Encryption and rights protection|RemoveRMSTemplate|n/a|Removes Office 365 encryption applied on an email| |Deliver the message to the hosted quarantine |_Quarantine_|n/a| This action is currently in **public preview**. During this phase, emails quarantined by DLP policies will show policy type as ExchangeTransportRule.</br> Delivers the message to the quarantine in EOP. For more information, see [Quarantined email messages in EOP](/microsoft-365/security/office-365-security/quarantine-email-messages).| |+
+<!--|Modify Subject|ModifySubject|PswsHashTable | Remove text from the subject line that matches a specific pattern and replace it with different text. See the example below. You can: </br>- **Replace** all matches in the subject with the replacement text </br>- **Append** to remove all matches in the subject and inserts the replacement text at the end of the subject. </br>- **Prepend** to remove all matches and inserts the replacement text at the beginning of the subject. See ModifySubject parameter in, /powershell/module/exchange/new-dlpcompliancerule|-->
+
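Review bot: The Modify Subject row is moved into an HTML comment rather than removed, so the `ModifySubject` action disappears from the rendered actions table with no explanation, while the commented text still says "See the example below". If the action is unavailable, say so in the table or delete the row. If it is available, keep the row visible. The sentence appended to the commented row ("See ModifySubject parameter in, /powershell/module/exchange/new-dlpcompliancerule") has a stray comma and a bare path where a Markdown link is expected.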
compliance Get Started With Sensitivity Labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-sensitivity-labels.md
All scenarios require you to [Create and configure sensitivity labels and their
|I want to ...|Documentation| |-|| |Manage sensitivity labels for Office apps so that content is labeled as it's createdΓÇöincludes support for manual labeling on all platforms |[Manage sensitivity labels in Office apps](sensitivity-labels-office-apps.md)|
-|Extend labeling beyond Office apps by using File Explorer and PowerShell, with additional features for Office apps on Windows (if needed)|[Azure Information Protection unified labeling client for Windows](/azure/information-protection/rms-client/aip-clientv2)|
+|Extend labeling to File Explorer and PowerShell, with additional features for Office apps on Windows (if needed)|[Azure Information Protection unified labeling client for Windows](/azure/information-protection/rms-client/aip-clientv2)|
|Encrypt documents and emails with sensitivity labels and restrict who can access that content and how it can be used |[Restrict access to content by using sensitivity labels to apply encryption](encryption-sensitivity-labels.md)| |Enable sensitivity labels for Office on the web, with support for coauthoring, eDiscovery, data loss prevention, searchΓÇöeven when documents are encrypted | [Enable sensitivity labels for Office files in SharePoint and OneDrive](sensitivity-labels-sharepoint-onedrive-files.md) |Use co-authoring and AutoSave in Office desktop apps when documents are encrypted | [Enable co-authoring for files encrypted with sensitivity labels](sensitivity-labels-coauthoring.md)
compliance Information Protection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-protection.md
To apply flexible protection actions that include encryption, access restriction
|Capability|What problems does it solve?|Get started| |:|:||
-|[Sensitivity labels](sensitivity-labels.md)| A single solution across apps, services, and devices to label and protect your data as it travels inside and outside your organization. <p> Example scenarios: <p> [Manage sensitivity labels for Office apps](sensitivity-labels-office-apps.md) <p> [Encrypt documents and emails](encryption-sensitivity-labels.md) <p> [Apply and view labels in Power BI](/power-bi/admin/service-security-apply-data-sensitivity-labels) <p> For a comprehensive list of scenarios for sensitivity labels, see the Get started documentation.|[Get started with sensitivity labels](get-started-with-sensitivity-labels.md) |
-|[Azure Information Protection unified labeling client](/azure/information-protection/rms-client/aip-clientv2)| For Windows computers, extends sensitivity labels for additional features and functionality that includes labeling and protecting all file types from File Explorer and PowerShell <p> Example additional features: [Custom configurations for the Azure Information Protection unified labeling client](/azure/information-protection/rms-client/clientv2-admin-guide-customizations)| [Azure Information Protection unified labeling client administrator guide](/azure/information-protection/rms-client/clientv2-admin-guide)|
+|[Sensitivity labels](sensitivity-labels.md)| A single solution across apps, services, and devices to label and protect your data as it travels inside and outside your organization. <br /><br /> Example scenarios: <br />- [Manage sensitivity labels for Office apps](sensitivity-labels-office-apps.md) <br />- [Encrypt documents and emails](encryption-sensitivity-labels.md) <br />- [Apply and view labels in Power BI](/power-bi/admin/service-security-apply-data-sensitivity-labels) <br /><br /> For a comprehensive list of scenarios for sensitivity labels, see the Get started documentation.|[Get started with sensitivity labels](get-started-with-sensitivity-labels.md) |
+|[Azure Information Protection unified labeling client](/azure/information-protection/rms-client/aip-clientv2)| For Windows computers, extends labeling to File Explorer and PowerShell, with additional features for Office apps if needed| [Azure Information Protection unified labeling client administrator guide](/azure/information-protection/rms-client/clientv2-admin-guide)|
|[Double Key Encryption](double-key-encryption.md)| Under all circumstances, only your organization can ever decrypt protected content or for regulatory requirements, you must hold encryption keys within a geographical boundary. | [Deploy Double Key Encryption](double-key-encryption.md#deploy-dke)|
-|[Office 365 Message Encryption (OME)](ome.md)| Encrypts email messages and attached documents that are sent to any user on any device, so only authorized recipients can read emailed information. <p> Example scenario: [Revoke email encrypted by Advanced Message Encryption](revoke-ome-encrypted-mail.md) | [Set up new Message Encryption capabilities](set-up-new-message-encryption-capabilities.md)|
+|[Office 365 Message Encryption (OME)](ome.md)| Encrypts email messages and attached documents that are sent to any user on any device, so only authorized recipients can read emailed information. <br /><br /> Example scenario: [Revoke email encrypted by Advanced Message Encryption](revoke-ome-encrypted-mail.md) | [Set up new Message Encryption capabilities](set-up-new-message-encryption-capabilities.md)|
|[Service encryption with Customer Key](customer-key-overview.md) | Protects against viewing of data by unauthorized systems or personnel, and complements BitLocker disk encryption in Microsoft datacenters. | [Set up Customer Key for Office 365](customer-key-set-up.md)| |[SharePoint Information Rights Management (IRM)](set-up-irm-in-sp-admin-center.md#irm-enable-sharepoint-document-libraries-and-lists)|Protects SharePoint lists and libraries so that when a user checks out a document, the downloaded file is protected so that only authorized people can view and use the file according to policies that you specify. | [Set up Information Rights Management (IRM) in SharePoint admin center](set-up-irm-in-sp-admin-center.md)| [Rights Management connector](/azure/information-protection/deploy-rms-connector) |Protection-only for existing on-premises deployments that use Exchange or SharePoint Server, or file servers that run Windows Server and File Classification Infrastructure (FCI). | [Steps to deploy the RMS connector](/azure/information-protection/deploy-rms-connector#steps-to-deploy-the-rms-connector) |[Azure Information Protection unified labeling scanner](/azure/information-protection/deploy-aip-scanner)| Discovers, labels, and protects sensitive information that resides in data stores that are on premises. | [Configuring and installing the Azure Information Protection unified labeling scanner](/azure/information-protection/deploy-aip-scanner-configure-install)| |[Microsoft Defender for Cloud Apps](/cloud-app-security/what-is-cloud-app-security)| Discovers, labels, and protects sensitive information that resides in data stores that are in the cloud. 
| [Discover, classify, label, and protect regulated and sensitive data stored in the cloud](/cloud-app-security/best-practices#discover-classify-label-and-protect-regulated-and-sensitive-data-stored-in-the-cloud)| |[Azure Purview](/azure/purview/overview) |Identifies sensitive data and applies automatic labeling to content in Azure Purview assets. These include files in storage such as Azure Data Lake and Azure Files, and schematized data such as columns in Azure SQL DB, and Cosmos DB. |[Labeling in Azure Purview](/azure/purview/create-sensitivity-label) |
-|[Microsoft Information Protection SDK](/information-protection/develop/overview#microsoft-information-protection-sdk)|Extends sensitivity labels to third-party apps and services. <p> Example scenario: [Set and get a sensitivity label (C++)](/information-protection/develop/quick-file-set-get-label-cpp) |[Microsoft Information Protection (MIP) SDK setup and configuration](/information-protection/develop/setup-configure-mip)|
+|[Microsoft Information Protection SDK](/information-protection/develop/overview#microsoft-information-protection-sdk)|Extends sensitivity labels to third-party apps and services. <br /><br /> Example scenario: [Set and get a sensitivity label (C++)](/information-protection/develop/quick-file-set-get-label-cpp) |[Microsoft Information Protection (MIP) SDK setup and configuration](/information-protection/develop/setup-configure-mip)|
## Prevent data loss
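Review bot: The rewritten Azure Information Protection unified labeling client row drops both the statement that the client labels and protects all file types and the link to the custom configurations guide (`clientv2-admin-guide-customizations`), and no other visible row in this table points to that guide. If the shortening is only meant to match the wording used in get-started-with-sensitivity-labels.md, keep the customizations link as an example scenario, as the other rows do. The `<p>` to `<br />` replacements in the Sensitivity labels, OME and MIP SDK rows are consistent with each other.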
managed-desktop Win11 Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/intro/win11-overview.md
Following the announcement of Windows 11, you might have started planning Window
For specific steps to follow to get Windows 11 installed on your Microsoft Managed Desktop devices, see [Preview and test Windows 11 with Microsoft Managed Desktop](../working-with-managed-desktop/test-win11-mmd.md).
-## Timeline for Windows 11
+## Timeline for Windows 10 and Windows 11
-Windows 11 preview builds are available starting June 28, 2021 through the [Windows Insider Program](/windows-insider/). We expect release builds to be generally available by the end of calendar year 2021.
+Windows 11 became generally available on October 4, 2021. It is ready for consumer and enterprise deployment and is a fully supported platform. We will begin scheduling deployments for all Microsoft Managed Desktop devices starting January 2023, but will provide full support for those that wish to deploy Windows 11 sooner. We'll consult and advise admins to develop and implement migration plans for each tenant based on technical readiness and your business considerations.
-You are welcome to install preview builds on devices whether they are managed by Microsoft Managed Desktop or not. WeΓÇÖll continue to support Windows 10 in parallel until it reaches end of enterprise support. Please see [Windows 10 release information](/windows/release-health/release-information) for life cycle information.
+Microsoft Managed Desktop continues to support Windows 10 in parallel until it reaches end of enterprise support. See [Windows 10 release information](/windows/release-health/release-information) for life cycle information.
-When Windows 11 is generally available, we'll do more validation testing. We expect that January 2022 will be the soonest that Windows 11 will be offered to Microsoft Managed Desktop production devices through our standard deployment groups.
-We'll consult and advise admins to develop and implement migration plans for each tenant based on technical readiness and your business considerations.
## Assessing pre-release versions of Windows 11
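Review bot: The new timeline paragraph says deployments will be scheduled "starting January 2023", while the removed text gave "January 2022" as the soonest date for production devices. Please confirm the year, and if the date really moved by a year, say so in a sentence rather than changing it silently. The section is retitled "Timeline for Windows 10 and Windows 11", but its only Windows 10 content is the pointer to the release information page, so either add the Windows 10 end-of-support information or keep the original title.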
-More than 95% of Microsoft Managed Desktop devices are eligible for Windows 11, so you might want to preview the upgrade on test devices prior to production deployment. For more about Windows 11 system requirements, see [Windows 11 requirements](/windows/whats-new/windows-11-requirements). You can request details about the eligibility status of your devices from Microsoft Managed Desktop.
+More than 95% of Microsoft Managed Desktop devices are eligible for Windows 11, so you might want to try the upgrade on test devices prior to production deployment. For more about Windows 11 system requirements, see [Windows 11 requirements](/windows/whats-new/windows-11-requirements).
-For Microsoft Managed Desktop devices, you can request to add test devices to the **Modern Workplace - Windows 11 Pre-Release Test Devices** device group. This group receives Windows 11 preview builds along with a Microsoft Managed Desktop baseline configuration. Microsoft Managed Desktop doesn't manage the release cadence of Windows 11 preview builds, so members of this device group might receive updates more frequently than Windows 10 device groups.
+For Microsoft Managed Desktop devices, you can [add devices to the Windows 11 test device group](/microsoft-365/managed-desktop/working-with-managed-desktop/test-win11-mmd?view=o365-worldwide#add-devices-to-the-windows-11-test-group). This group receives the Windows 11 general availability build along with a Microsoft Managed Desktop baseline configuration. Once added to the device group, allow one to two days for a device to pick up the new settings and be offered Windows 11.
-For your devices that aren't managed by Microsoft Managed Desktop, you can join the [Windows Insider Program](/windows-insider/) to download preview builds and get guidance on deploying Windows 11 yourself. If you have devices running Windows 11 pre-release builds and later enroll them in Microsoft Managed Desktop, they won't revert back to Windows 10.
+For your devices that aren't managed by Microsoft Managed Desktop, you can read [Endpoint Manager guidance](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/endpoint-manager-simplifies-upgrades-to-windows-11/ba-p/2771886) to learn about deploying Windows 11 yourself. If you have devices running Windows 11 and later, enroll them in Microsoft Managed Desktop; they won't revert back to Windows 10.
## Support for pre-release Windows 11 devices
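Review bot: The last added sentence of this section reads "If you have devices running Windows 11 and later, enroll them in Microsoft Managed Desktop; they won't revert back to Windows 10", which turns the original condition ("and later enroll them") into an instruction and changes the meaning. Suggest "If you have devices running Windows 11 and later enroll them in Microsoft Managed Desktop, they won't revert to Windows 10." The section heading still says "Assessing pre-release versions" although the added text now describes the general availability build. The new test-group link uses an absolute path with `?view=o365-worldwide`, where the rest of the file uses relative `.md` links.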
-Pre-release builds of any platform are expected to contain defects and application compatibility issues that can be identified and resolved prior to general availability. As a result, we consider devices running pre-release builds of Windows 11 to be test devices, but we do monitor them along with the rest of the environment for security threats and they are subject to the same security alert response as other Microsoft Managed Desktop devices.
+For those that opted into Windows 11 testing prior to general availability, devices may have preview builds installed. Microsoft Managed Desktop devices in this state will not be offered the Windows 11 general availability build, but will still be supported in resolving issues encountered. Additionally, Microsoft Managed Desktop monitors all managed devices for security threats and will respond to any alerts regardless of whether the device is running a Windows 11 preview build.
-Because we are committed to helping you migrate to Windows 11 while remaining productive, we encourage you to report defects you encounter with pre-release builds. We prioritize defects that will block user productivity upon broad deployment of Windows 11, and defects that block user productivity on Windows 10 devices.
+Because we are committed to helping you migrate to Windows 11 while remaining productive, we encourage you to report defects you encounter with the platform. We prioritize defects that will block user productivity upon broad deployment of Windows 11, and defects that block user productivity on Windows 10 devices.
## Testing application compatibility
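Review bot: The added paragraph says devices with preview builds "will not be offered the Windows 11 general availability build" but gives no way to move them onto it, so as far as this text goes they stay on preview builds indefinitely. Add the supported path for getting such a device onto the general availability build, or a link to it. The following added paragraph now asks for defects "with the platform" rather than with pre-release builds, so it no longer fits under the heading "Support for pre-release Windows 11 devices".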
Application compatibility is one of the most common concerns in any platform mig
### Proactive measures
-**Common apps:** Microsoft is extensively testing the most common enterprise applications and suites deployed on builds of Windows 11. We work with external software publishers and internal product teams to resolve any issues discovered during testing. For more information about our proactive compatibility testing effort, see the [Application Compatibility blog](https://blogs.windows.com/windowsexperience/2019/01/15/application-compatibility-in-the-windows-ecosystem/).
+**Common apps:** Microsoft extensively tests the most common enterprise applications and suites deployed on builds of Windows 11. We work with external software publishers and internal product teams to resolve any issues discovered during testing. For more information about our proactive compatibility testing effort, see the [Application Compatibility blog](https://blogs.windows.com/windowsexperience/2019/01/15/application-compatibility-in-the-windows-ecosystem/).
**Line-of-business apps:** [Test Base](https://www.microsoft.com/en-us/testbase) is a resource that app publishers and IT admins can use to submit apps and test cases for Microsoft to run on a virtual machine running Windows 11 builds in a secure Azure environment. Results, test insights, and regression analysis for each test execution are available to you on a private Azure portal. Microsoft Managed Desktop will help you prioritize your line-of-business apps for validation based on app usage and reliability data. For more information about Test Base, see [Test Base for Microsoft 365](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/test-base-for-microsoft-365-microsoft-ignite-2021-updates/ba-p/2185566). ### Reactive measures
-If you encounter app compatibility issues in test or production environments, you can receive no-cost support by engaging [App Assure](/fasttrack/products-and-capabilities#app-assure) or FastTrack, as appropriate. For Windows 11, this includes any functionality with Office, Microsoft Edge, Teams, and line-of-business applications running on the latest operating system builds. App Assure directly engages app publishers to prioritize and resolve app compatibility issues.
+If you encounter app compatibility issues in test or production environments, you can receive no-cost support by opening a [service request](/microsoft-365/managed-desktop/working-with-managed-desktop/test-win11-mmd?view=o365-worldwide#report-issues). For Windows 11, this includes any functionality with Office, Microsoft Edge, Teams, and line-of-business applications running on the latest operating system builds. Microsoft App Assure directly engages app publishers to prioritize and resolve app compatibility issues when needed.
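Review bot: The reactive-measures paragraph now sends readers to a service request but still ends by naming "Microsoft App Assure" with the App Assure link removed, so a reader cannot tell what App Assure is or how it gets engaged. Keep the `/fasttrack/products-and-capabilities#app-assure` link on that mention. The service request link is written as an absolute path with `?view=o365-worldwide`, where a relative link to `../working-with-managed-desktop/test-win11-mmd.md#report-issues` would match the style used earlier in the file.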
managed-desktop Test Win11 Mmd https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/working-with-managed-desktop/test-win11-mmd.md
# Preview and test Windows 11 with Microsoft Managed Desktop
- How to enroll and participate in the Windows 11 compatibility testing program within your Microsoft Managed Desktop environment. For more about Windows 11 and Microsoft Managed Desktop generally, see [Windows 11 and Microsoft Managed Desktop](../intro/win11-overview.md).
+How to enroll and participate in the Windows 11 compatibility testing program within your Microsoft Managed Desktop environment. For more about Windows 11 and Microsoft Managed Desktop generally, see [Windows 11 and Microsoft Managed Desktop](../intro/win11-overview.md).
## Add devices to the Windows 11 test group
-Upon request, we will create the device group (**Modern Workplace - Windows 11 Pre-Release Test Devices**) for testing and evaluating Windows 11. Devices in this group get new Windows 11 builds and Microsoft Managed Desktop baseline configurations as they become available, and are monitored for reliability issues.
+We have created the device group (**Modern Workplace - Windows 11 Pre-Release Test Devices**) for testing and evaluating Windows 11. Despite "pre-release" in the name, devices in this group receive Windows 11 General Availability builds and Microsoft Managed Desktop baseline configurations as they become available, and are monitored for reliability issues.
-You can choose any of your existing or new devices for Windows 11 testing, but you shouldn't enroll production devices in this group due to the elevated risk of defects or compatibility issues in pre-release builds. Prior device group assignments are removed upon assignment to this group.
-
-To enroll your devices in the pre-release test group:
-
-1. Open a new service request with the Microsoft Managed Desktop Service Engineering team.
-2. Use these values for the fields:
- - Title: Windows 11 compatibility enrollment
- - Request type: Change request
- - Category: Devices
- - Subcategory: Deployment group assignment
-3. In the description field, list the serial numbers of the devices that you want to use for Windows 11 testing. Note which, if any, of the specified devices aren't yet deployed in your Microsoft Managed Desktop tenant.
+You can choose any of your existing or new devices for Windows 11 testing, but you shouldn't enroll production devices in this group until you are confident in the compatibility and overall experience on your test devices.
## Prioritize applications to submit to Test Base
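Review bot: The enrollment procedure (service request title, request type, category, subcategory, serial numbers) is deleted and nothing replaces it, so the section "Add devices to the Windows 11 test group" no longer says how to add a device, even though win11-overview.md in this same update links to this anchor for exactly that purpose. Add the current steps. The removed sentence "Prior device group assignments are removed upon assignment to this group" should stay if that behaviour still applies, because it determines which policies a device keeps after it is moved.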
If you encounter Windows 11 compatibility issues with your line-of-business or M
- Subcategory: Windows Upgrade/Update 3. Describe the behavior and how severely it would hinder your business in a production environment.
-Microsoft Managed Desktop triages and handles issues with pre-release builds based on the effect on productivity. While our service description doesn't cover issues with pre-release builds, we'll confer with customer admins to ensure that issues that block user productivity are resolved prior to starting migration within any given tenant.
+Microsoft Managed Desktop triages and handles Windows 11 issues based on the effect on productivity. We'll confer with customer admins when the request is opened to ensure that issues that block user productivity are resolved prior to starting broader Windows 11 migration within any given tenant.
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
###### [Phase 3: Implement](attack-surface-reduction-rules-deployment-phase-3.md) ###### [Phase 4: Operationalize](attack-surface-reduction-rules-deployment-phase-4.md) ##### [ASR rules reference](attack-surface-reduction-rules-reference.md)
-##### [Enable ASR rules alternate congiguration methods](enable-attack-surface-reduction.md)
+##### [Enable ASR rules alternate configuration methods](enable-attack-surface-reduction.md)
#### [Attack surface reduction FAQ](attack-surface-reduction-faq.yml) ### Next-generation protection
#### [SIEM integration]() ##### [Integrate SIEM tools with Microsoft Defender for Endpoint](configure-siem.md)
-##### [Microsoft Defender for Endpoint detection fields](api-portal-mapping.md)
+##### [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md)
##### [Pull detections using SIEM REST API](pull-alerts-using-rest-api.md) ##### [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
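Review bot: The SIEM integration node drops the entry for `api-portal-mapping.md` but keeps "Pull detections using SIEM REST API" and "Troubleshoot SIEM tool integration issues", so readers who still pull detections through that API lose the field reference from the navigation. Either keep the field mapping reachable until the REST API pages are retired or remove those entries in the same change, and make sure the removed page redirects to `enable-siem-integration.md`. The `congiguration` spelling fix in the ASR entry is fine.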
security Api Portal Mapping https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api-portal-mapping.md
- Title: Microsoft Defender for Endpoint detection fields
-description: Understand how the detection fields map to the values in Microsoft Defender for Endpoint
-keywords: detections, detections fields, fields, api, fields, pull Detections, rest api, request, response
-ms.sitesec: library
-ms.pagetype: security
--------
-# Microsoft Defender for Endpoint detection fields
--
-**Applies to:**
-- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)-- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)-
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-apiportalmapping-abovefoldlink)
-
-> [!NOTICE]
-> The Microsoft Defender for Endpoint SIEM REST API is planned for deprecation, as the Microsoft Defender for Endpoint Alert API and the Microsoft 365 Defender Incident API that replace it provide much richer metadata - including the up-to-date status of the alert, all evidence entities that are related to the alert, all comments entered by analysts, and allows updating status, assignedTo, classification, and determination fields programmatically.
->
-> No new onboarding to the Microsoft Defender for Endpoint SIEM API will be supported - instead, see [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md) for more information on integrating with the Microsoft Defender for Endpoint Alert API or the Microsoft 365 Defender Incident API.
->
-> For information on integration SIEM Tools (Splunk, ArcSight, and QRadar), see [Integrate your SIEM tools with Microsoft Defender for Endpoint](../defender-endpoint/configure-siem.md).
-
-Understand what data fields are exposed as part of the detections API and how they map to Microsoft 365 Defender.
-
-> [!NOTE]
->
-> - [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more detections.
-> - **Microsoft Defender for Endpoint Detection** is composed from the suspicious event occurred on the Device and its related **Alert** details.
-> - The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contain a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).
-
-## Detections API fields and portal mapping
-
-The following table lists the available fields exposed in the detections API payload. It shows examples for the populated values and a reference on how data is reflected on the portal.
->
-> The MicroFocus ArcSight FlexConnector described below has been replaced with an official SmartConnector that calls the Microsoft 365 Defender Incident API. For more information, see [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md).
->
-The ArcSight field column contains the default mapping between the Defender for Endpoint fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Defender for Endpoint](enable-siem-integration.md).
-
-Field numbers match the numbers in the images below.
-
-> [!div class="mx-tableFixed"]
->
-> |Portal label|SIEM field name|ArcSight field|Example value|Description|
-> ||||||
-> |1|AlertTitle|name|Microsoft Defender AV detected 'Mikatz' high-severity malware|Value available for every Detection.|
-> |2|Severity|deviceSeverity|High|Value available for every Detection.|
-> |3|Category|deviceEventCategory|Malware|Value available for every Detection.|
-> |4|Detection source|sourceServiceName|Antivirus|Microsoft Defender Antivirus or Defender for Endpoint. Value available for every Detection.|
-> |5|MachineName|sourceHostName|desktop-4a5ngd6|Value available for every Detection.|
-> |6|FileName|fileName|Robocopy.exe|Available for detections associated with a file or process.|
-> |7|FilePath|filePath|C:\Windows\System32\Robocopy.exe|Available for detections associated with a file or process.|
-> |8|UserDomain|sourceNtDomain|CONTOSO|The domain of the user context running the activity, available for Defender for Endpoint behavioral based detections.|
-> |9|UserName|sourceUserName|liz.bean|The user context running the activity, available for Defender for Endpoint behavioral based detections.|
-> |10|Sha1|fileHash|3da065e07b990034e9db7842167f70b63aa5329|Available for detections associated with a file or process.|
-> |11|Sha256|deviceCustomString6|ebf54f745dc81e1958f75e4ca91dd0ab989fc9787bb6b0bf993e2f5|Available for Microsoft Defender AV detections.|
-> |12|Md5|deviceCustomString5|db979c04a99b96d370988325bb5a8b21|Available for Microsoft Defender AV detections.|
-> |13|ThreatName|deviceCustomString1|HackTool:Win32/Mikatz!dha|Available for Microsoft Defender AV detections.|
-> |14|IpAddress|sourceAddress|218.90.204.141|Available for detections associated to network events. For example, 'Communication to a malicious network destination'.|
-> |15|Url|requestUrl|down.esales360.cn|Available for detections associated to network events. For example, 'Communication to a malicious network destination'.|
-> |16|RemediationIsSuccess|deviceCustomNumber2|TRUE|Available for Microsoft Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE.|
-> |17|WasExecutingWhileDetected|deviceCustomNumber1|FALSE|Available for Microsoft Defender AV detections. ArcSight value is 1 when TRUE and 0 when FALSE.|
-> |18|AlertId|externalId|636210704265059241_673569822|Value available for every Detection.|
-> |19|LinkToWDATP|flexString1|`https://securitycenter.windows.com/alert/636210704265059241_673569822`|Value available for every Detection.|
-> |20|AlertTime|deviceReceiptTime|2017-05-07T01:56:59.3191352Z|The time the event occurred. Value available for every Detection.|
-> |21|MachineDomain|sourceDnsDomain|contoso.com|Domain name not relevant for AAD joined devices. Value available for every Detection.|
-> |22|Actor|deviceCustomString4|BORON|Available for alerts related to a known actor group.|
-> |21+5|ComputerDnsName|No mapping|liz-bean.contoso.com|The device fully qualified domain name. Value available for every Detection.|
-> ||LogOnUsers|sourceUserId|contoso\liz-bean; contoso\jay-hardee|The domain and user of the interactive logon users at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available.|
-> ||InternalIPv4List|No mapping|192.168.1.7, 10.1.14.1|List of IPV4 internal IPs for active network interfaces.|
-> ||InternalIPv6List|No mapping|fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C|List of IPV6 internal IPs for active network interfaces.|
-> ||LinkToMTP|No mapping|`https://securitycenter.windows.com/alert/da637370718981685665_16349121`|Value available for every Detection.
-> ||IncidentLinkToMTP|No mapping|`"https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM`|Value available for every Detection.
-> ||IncidentLinkToWDATP|No mapping|`https://securitycenter.windows.com/preferences2/integration/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM`|Value available for every Detection.
-> |Internal field|LastProcessedTimeUtc|No mapping|2017-05-07T01:56:58.9936648Z|Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved.|
-> ||Not part of the schema|deviceVendor||Static value in the ArcSight mapping - 'Microsoft'.|
-> ||Not part of the schema|deviceProduct||Static value in the ArcSight mapping - 'Microsoft Defender ATP'.|
-> ||Not part of the schema|deviceVersion||Static value in the ArcSight mapping - '2.0', used to identify the mapping versions.|
--------
-## Related topics
--- [Enable SIEM integration in Microsoft Defender for Endpoint](enable-siem-integration.md)-- [Configure ArcSight to pull Microsoft Defender for Endpoint detections](configure-arcsight.md)-- [Pull Microsoft Defender for Endpoint detections using REST API](pull-alerts-using-rest-api.md)-- [Troubleshoot SIEM tool integration issues](troubleshoot-siem.md)
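Review bot: The removed NOTICE describes the SIEM REST API as only "planned for deprecation", yet this deletion takes away the table that maps SIEM field names to ArcSight fields and the LastProcessedTimeUtc row that explains which field to use for the request time range. If existing integrations still pull from this API, keep the page until the API is retired or redirect it to alerts.md, and check the articles named under Related topics for links back to this page.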
security Configure Siem https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-siem.md
-
+ Title: Integrate your SIEM tools with Microsoft Defender for Endpoint description: Learn how to ingest incidents and alerts, and integrate SIEM tools. keywords: configure siem, security information and events management tools, splunk, arcsight, custom indicators, rest api, alert definitions, indicators of compromise
The SmartConnector replaces the previous FlexConnector for Microsoft 365 Defende
### IBM QRadar >[!NOTE]
->
->IBM QRadar integration with Microsoft Defender for Endpoint is now supported by the new Microsoft 365 Defender Device Support Module (DSM) that calls the [Microsoft 365 Defender Streaming API](../defender/streaming-api.md) that allows ingesting streaming event data from Microsoft 365 Defender products, including Microsoft Defender for Endpoint. For more information on supported event types, see [Supported event types](../defender/supported-event-types.md).
+>IBM QRadar integration with Microsoft 365 Defender, which include Microsoft Defender for Endpoint is now supported by the new Microsoft 365 Defender Device Support Module (DSM) that calls the [Microsoft 365 Defender Streaming API](../defender/streaming-api.md) that allows ingesting streaming event data from Microsoft 365 Defender products, including Microsoft Defender for Endpoint. For more information on the new QRadar Microsoft 365 Defender DSM, see [IBM QRadar Product Documentation](https://www.ibm.com/docs/en/dsm?topic=microsoft-365-defender), and for more information on Streaming API supported event types, see [Supported event types](../defender/supported-event-types.md).
+ New customers are no longer being onboarded using the previous QRadar Microsoft Defender ATP Device Support Module (DSM), and existing customers are encouraged to adopt the new Microsoft 365 Defender DSM as their single point of integration with all Microsoft 365 Defender products. ## Ingesting Microsoft Defender for Endpoint events from the Microsoft 365 Defender event streaming API
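Review bot: In the added QRadar note, "which include Microsoft Defender for Endpoint is now supported" has a subject-verb error and an unclosed parenthetical; it should read "which includes Microsoft Defender for Endpoint, is now supported". The same sentence chains two "that" clauses ("DSM that calls the ... Streaming API that allows ingesting") and would read better split after the Streaming API link. The added front-matter line also begins with "Title:" with a capital T; confirm that the key matches the lowercase description and keywords keys beside it.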
security Get Started Partner Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/get-started-partner-integration.md
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
To become a Defender for Endpoint solution partner, you'll need to follow and complete the following steps.
-## Step 1: Subscribe to a Microsoft Defender for Endpoint Developer license
+## Step 1: Subscribe to a Microsoft Defender for Endpoint license
-Subscribe to the [Microsoft Defender for Endpoint Developer license](https://winatpregistration-prd.trafficmanager.net/Developer/UserAgreement?Length=9). Subscribing allows you to use a Microsoft Defender for Endpoint tenant with up to 10 devices to developing solutions that integrate with Microsoft Defender for Endpoint.
+Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink). Subscribing allows you to use a Microsoft Defender for Endpoint tenant with up to three devices to developing solutions that integrate with Microsoft Defender for Endpoint.
## Step 2: Fulfill the solution validation and certification requirements
To have your company listed as a partner in the in-product partner page, you wil
Partnerships with Microsoft Defender for Endpoint help our mutual customers to further streamline, integrate, and orchestrate defenses. We are happy that you chose to become a Microsoft Defender for Endpoint partner and to achieve our common goal of effectively protecting customers and their assets by preventing and responding to modern threats together.
+## MISA nomination
+Managed security service providers (MSSP) and independent software vendors (ISV) can be nominated to the Microsoft Intelligent Security Association (MISA). For more information, see [MISA information page](https://www.microsoft.com/security/business/intelligent-security-association).
++ ## Related topics - [Technical partner opportunities](partner-integration.md)
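Review bot: In the new Step 1 body, "Subscribing allows you to use a Microsoft Defender for Endpoint tenant with up to three devices" no longer has anything to refer to, because the paragraph now opens with a free-trial sign-up link while the heading still says "Subscribe to a Microsoft Defender for Endpoint license". State explicitly whether the trial is what provides the three-device tenant. The link text "Sign up for a free trial.](...)." ends with a period both inside and outside the link, "to developing solutions" should be "to develop solutions", and the limit changed from 10 to three devices, which is worth confirming against the trial terms.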
security Linux Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-perf.md
Depending on the applications that you are running and your device characteristi
- Only performance issues related to AV Real-time protection (RTP) is a feature of Defender for Endpoint on Linux that continuously monitors and protects your device against threats. It consists of file and process monitoring and other heuristics.+ The following steps can be used to troubleshoot and mitigate these issues:+ 1. Disable real-time protection using one of the following methods and observe whether the performance improves. This approach helps narrow down whether Defender for Endpoint on Linux is contributing to the performance issues.+ If your device is not managed by your organization, real-time protection can be disabled from the command line:+ ```bash mdatp config real-time-protection --value disabled ```+ ```Output Configuration property updated ```+ If your device is managed by your organization, real-time protection can be disabled by your administrator using the instructions in [Set preferences for Defender for Endpoint on Linux](linux-preferences.md).+ > [!NOTE] > If the performance problem persists while real-time protection is off, the origin of the problem could be the endpoint detection and response (EDR) component. In this case please follow the steps from the **Troubleshoot performance issues using Microsoft Defender for Endpoint Client Analyzer** section of this article.
The following steps can be used to troubleshoot and mitigate these issues:
> This feature is available in version 100.90.70 or newer. This feature is enabled by default on the `Dogfood` and `InsiderFast` channels. If you're using a different update channel, this feature can be enabled from the command line:+ ```bash mdatp config real-time-protection-statistics --value enabled ```+ This feature requires real-time protection to be enabled. To check the status of real-time protection, run the following command:+ ```bash mdatp health --field real_time_protection_enabled ```+ Verify that the `real_time_protection_enabled` entry is `true`. Otherwise, run the following command to enable it:+ ```bash mdatp config real-time-protection --value enabled ```+ ```Output Configuration property updated ```+ To collect current statistics, run:+ ```bash
- mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json
+ mdatp diagnostic real-time-protection-statistics --output json > real_time_protection.json
```+ > [!NOTE]
- > Using ```--output json``` (note the double dash) ensures that the output format is ready for parsing. The output of this command will show all processes and their associated scan activity.
+ > Using ```--output json``` (note the double dash) ensures that the output format is ready for parsing.
+
+ The output of this command will show all processes and their associated scan activity.
3. On your Linux system, download the sample Python parser **high_cpu_parser.py** using the command:+ ```bash wget -c https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/linux/diagnostic/high_cpu_parser.py ```+ The output of this command should be similar to the following:++ ```Output --2020-11-14 11:27:27-- https://raw.githubusercontent.com/microsoft.mdatp-xplat/master/linus/diagnostic/high_cpu_parser.py Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.xxx.xxx
The following steps can be used to troubleshoot and mitigate these issues:
Saving to: 'high_cpu_parser.py' 100%[===========================================>] 1,020 --.-K/s in 0s ```+ 4. Next, type the following commands:+ ```bash chmod +x high_cpu_parser.py ```+ ```bash cat real_time_protection.json | python high_cpu_parser.py > real_time_protection.log ```+ The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is the process name, and the last column is the number of scanned files, sorted by impact. For example, the output of the command will be something like the below: + ```Output ... > python ~/repo/mdatp-xplat/linux/diagnostic/high_cpu_parser.py <~Downloads/output.json | head -n 10 27432 None 76703
- 73467 actool 1249
+ 73467 actool     1249
73914 xcodebuild 1081 73873 bash 1050 27475 None 836
- 1 launchd 407
- 73468 ibtool 344
- 549 telemetryd_v1 325
+ 1    launchd    407
+ 73468 ibtool     344
+ 549  telemetryd_v1   325
4764 None 228
- 125 CrashPlanService 164
+ 125  CrashPlanService 164
```+ To improve the performance of Defender for Endpoint on Linux, locate the one with the highest number under the `Total files scanned` row and add an exclusion for it. For more information, see [Configure and validate exclusions for Defender for Endpoint on Linux](linux-exclusions.md).
-
+ > [!NOTE] > The application stores statistics in memory and only keeps track of file activity since it was started and real-time protection was enabled. Processes that were launched before or during periods when real time protection was off are not counted. Additionally, only events which triggered scans are counted.
The following steps can be used to troubleshoot and mitigate these issues:
For more information, see [Configure and validate exclusions for Microsoft Defender for Endpoint on Linux](linux-exclusions.md).
-## Diagnose performance issues using Microsoft Defender for Endpoint Client Analyzer
+## Troubleshoot performance issues using Microsoft Defender for Endpoint Client Analyzer
**Applies to:** - Performance issues of all available Defender for Endpoint components such as AV and EDR
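Review bot: In step 4, the instruction to "locate the one with the highest number under the `Total files scanned` row" does not match the sample output above it, which is described as three unlabelled columns (PID, process name, number of scanned files) and contains no such row; say "the process with the highest count in the last column" or add a header line to the sample. The wget sample output in step 3 shows "microsoft.mdatp-xplat/master/linus/diagnostic", which differs from the command's "microsoft/mdatp-xplat/master/linux/diagnostic" and should be corrected while this section is being edited. Because step 3 has readers download a script from the master branch and run it, pointing at a tagged release or commit and suggesting they read the file first would be safer; the chmod +x is also unnecessary when the script is invoked through python.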
security Live Response Command Examples https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response-command-examples.md
connections json
## `dir` ```console
-# List files and sub-folders in the current folder
+# List files and sub-folders in the current folder (by default it will show relative paths [-relative_path])
dir ```
+```console
+# List files and sub-folders in the current folder, with their full path
+dir -full_path
+```
+ ```console # List files and sub-folders in a specific folder dir C:\Users\user\Desktop\
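Review bot: The new comment on the plain dir example, "(by default it will show relative paths [-relative_path])", leaves it unclear whether -relative_path is a flag the reader can type or only a label for the default behaviour. If it is a flag, show it as its own example beside dir -full_path; if not, drop the brackets and write "shows relative paths by default".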
security Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md
Before you can initiate a session on a device, make sure you fulfill the followi
- **macOS** - Only applicable for Public Preview, minimum required version: 101.43.84
+ > [!NOTE]
+ > Currently only Intel-based macOS systems are supported.
+
+ - **Linux** - Only applicable for Public Preview, minimum required version: 101.45.13 - **Windows Server 2012 R2** - with [KB5005292](https://support.microsoft.com/topic/microsoft-defender-for-endpoint-update-for-edr-sensor-f8f69773-f17f-420f-91f4-a8e5167284ac)
The following commands are available for user roles that are granted the ability
| library | Lists files that were uploaded to the live response library. | Y | Y | Y | | putfile | Puts a file from the library to the device. Files are saved in a working folder and are deleted when the device restarts by default. | Y | Y | Y | | remediate | Remediates an entity on the device. The remediation action will vary depending on the entity type: File: delete Process: stop, delete image file Service: stop, delete image file Registry entry: delete Scheduled task: remove Startup folder item: delete file NOTE: This command has a prerequisite command. You can use the -auto command in conjunction with remediate to automatically run the prerequisite command. | Y | Y | Y |
-| scan | Runs an antivirus (quick) scan to help identify and remediate malware. | N | Y | Y |
+| scan | Runs an antivirus scan to help identify and remediate malware. | N | Y | Y |
| undo | Restores an entity that was remediated. | Y | Y | Y |
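Review bot: Dropping "(quick)" from the scan row leaves the scan type unspecified, so a responder can no longer tell from the table whether the command runs a quick or a full scan. If the command now accepts a scan-type argument, name it in this row or link to the command examples; if it still always runs a quick scan, keep the qualifier.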
security Advanced Hunting Expert Training https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-expert-training.md
ms.localizationpriority: medium audience: ITPro-+
+ - M365-security-compliance
+ - m365initiative-m365-defender
ms.technology: m365d
security Advanced Hunting Migrate From Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-migrate-from-mde.md
audience: ITPro - M365-security-compliance
- - m365initiative-m365-defender
ms.technology: m365d
security Api Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-access.md
search.appverid:
- MOE150 - MET150 ms.technology: m365d+ # Access the Microsoft 365 Defender APIs
security Api Advanced Hunting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-advanced-hunting.md
search.appverid:
- MOE150 - MET150 ms.technology: m365d+ # Microsoft 365 Defender Advanced hunting API
security Api Articles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-articles.md
search.appverid:
- MOE150 - MET150 ms.technology: m365d+ # Other security and threat protection APIs
security Api Create App User Context https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-create-app-user-context.md
search.appverid:
- MOE150 - MET150 ms.technology: m365d+ # Create an app to access Microsoft 365 Defender APIs on behalf of a user
security Api Create App Web https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-create-app-web.md
search.appverid:
- MOE150 - MET150 ms.technology: m365d+ # Create an app to access Microsoft 365 Defender without a user
security Api Error Codes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-error-codes.md
search.appverid:
- MOE150 - MET150 ms.technology: m365d+ # Common Microsoft 365 Defender REST API error codes
security Api Hello World https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-hello-world.md
search.appverid:
- MOE150 - MET150 ms.technology: m365d+ # Hello World for Microsoft 365 Defender REST API
security Api Incident https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-incident.md
search.appverid:
- MOE150 - MET150 ms.technology: m365d+ # Microsoft 365 Defender incidents API and the incidents resource type
security Api List Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-list-incidents.md
search.appverid:
- MOE150 - MET150 ms.technology: m365d+ # List incidents API in Microsoft 365 Defender
security Api Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-overview.md
search.appverid:
- MOE150 - MET150 ms.technology: m365d+ # Overview of Microsoft 365 Defender APIs
security Api Partner Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-partner-access.md
search.appverid:
- MOE150 - MET150 ms.technology: m365d+ # Create an app with partner access to Microsoft 365 Defender APIs
security Api Supported https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-supported.md
search.appverid:
- MOE150 - MET150 ms.technology: m365d+ # Supported Microsoft 365 Defender APIs
security Api Update Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/api-update-incidents.md
search.appverid:
- MOE150 - MET150 ms.technology: m365d+ # Update incidents API
security Eval Create Eval Environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-create-eval-environment.md
audience: ITPro - M365-security-compliance-
+ - m365solution-scenario
+ - m365solution-evalutatemtp
ms.technology: m365d
security Eval Defender Endpoint Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-architecture.md
audience: ITPro - M365-security-compliance-
+ - m365solution-scenario
+ - m365solution-evalutatemtp
ms.technology: m365d
security Eval Defender Endpoint Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-enable-eval.md
audience: ITPro - M365-security-compliance-
+ - m365solution-scenario
+ - m365solution-evalutatemtp
ms.technology: m365d
security Eval Defender Endpoint Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-overview.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - m365solution-overview
ms.technology: m365d
The following table describes the steps in the illustration.
|Step |Description ||| | [Step 1. Review architecture requirements and key concepts](eval-defender-endpoint-architecture.md) | Understand the Defender for Endpoint architecture and the capabilities available to you. |
-|[Step 2. Enable the evaluation environment](eval-defender-office-365-enable-eval.md) | Follow the steps to setup the evaluation environment. |
-|[Step 3. Set up the pilot ](eval-defender-office-365-pilot.md) | Verify your pilot group, run simulations, and become familiar with key features and dashboards. |
+|[Step 2. Enable the evaluation environment](eval-defender-endpoint-enable-eval.md) | Follow the steps to setup the evaluation environment. |
+|[Step 3. Set up the pilot ](eval-defender-endpoint-pilot.md) | Verify your pilot group, run simulations, and become familiar with key features and dashboards. |
security Eval Defender Endpoint Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-endpoint-pilot.md
audience: ITPro - M365-security-compliance-
+ - m365solution-scenario
+ - m365solution-evalutatemtp
ms.technology: m365d
security Eval Defender Identity Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-architecture.md
audience: ITPro - M365-security-compliance-
+ - m365solution-scenario
+ - m365solution-evalutatemtp
ms.technology: m365d
security Eval Defender Identity Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-enable-eval.md
audience: ITPro - M365-security-compliance-
+ - m365solution-scenario
+ - m365solution-evalutatemtp
ms.technology: m365d
security Eval Defender Identity Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-overview.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - m365solution-overview
ms.technology: m365d
security Eval Defender Identity Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-pilot.md
audience: ITPro - M365-security-compliance-
+ - m365solution-scenario
+ - m365solution-evalutatemtp
ms.technology: m365d
security Eval Defender Investigate Respond Additional https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond-additional.md
audience: ITPro - M365-security-compliance-
+ - m365solution-scenario
+ - m365solution-evalutatemtp
ms.technology: m365d
security Eval Defender Mcas Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-architecture.md
audience: ITPro - M365-security-compliance
-
+ - m365solution-scenario
+ - m365solution-evalutatemtp
ms.technology: m365d
security Eval Defender Mcas Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-enable-eval.md
audience: ITPro - M365-security-compliance
-
+ - m365solution-scenario
+ - m365solution-evalutatemtp
ms.technology: m365d
security Eval Defender Mcas Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-overview.md
audience: ITPro
- M365-security-compliance - m365solution-scenario
- - m365solution-evalutatemtp
+ - m365solution-evalutatemtp
+ - m365solution-overview
ms.technology: m365d
security Eval Defender Mcas Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-mcas-pilot.md
audience: ITPro - M365-security-compliance
-
+ - m365solution-scenario
+ - m365solution-evalutatemtp
ms.technology: m365d
security Eval Defender Office 365 Architecture https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-architecture.md
audience: ITPro - M365-security-compliance-
+ - m365solution-scenario
+ - m365solution-evalutatemtp
ms.technology: m365d
security Eval Defender Office 365 Enable Eval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-enable-eval.md
audience: ITPro - M365-security-compliance-
+ - m365solution-scenario
+ - m365solution-evalutatemtp
ms.technology: m365d
security Eval Defender Office 365 Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-overview.md
- M365-security-compliance - m365solution-scenario - m365solution-evalutatemtp
+ - m365solution-overview
ms.technology: m365d
security Eval Defender Office 365 Pilot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-pilot.md
audience: ITPro - M365-security-compliance--
+ - m365solution-scenario
+ - m365solution-evalutatemtp
+ -
ms.technology: m365d
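Review bot: The added line "+ -" under the collection tags is an empty list item and looks like a leftover from editing; remove it so the block ends with m365solution-evalutatemtp. The tag is spelled "evalutatemtp" here and in the other eval-* files in this update, so keep it consistent with the existing collection name rather than correcting it in one file only.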
security Integrate Microsoft 365 Defender Secops Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/integrate-microsoft-365-defender-secops-plan.md
audience: ITPro - M365-security-compliance
- - m365initiative-m365-defender
- m365solution-m365dsecops search.appverid:
security Integrate Microsoft 365 Defender Secops Readiness https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/integrate-microsoft-365-defender-secops-readiness.md
audience: ITPro - M365-security-compliance
- - m365initiative-m365-defender
- m365solution-m365dsecops search.appverid:
security Integrate Microsoft 365 Defender Secops Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/integrate-microsoft-365-defender-secops-roles.md
audience: ITPro - M365-security-compliance
- - m365initiative-m365-defender
- m365solution-m365dsecops search.appverid:
security Integrate Microsoft 365 Defender Secops Services https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/integrate-microsoft-365-defender-secops-services.md
audience: ITPro - M365-security-compliance
- - m365initiative-m365-defender
- m365solution-m365dsecops search.appverid:
security Integrate Microsoft 365 Defender Secops Tasks https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/integrate-microsoft-365-defender-secops-tasks.md
audience: ITPro - M365-security-compliance
- - m365initiative-m365-defender
- m365solution-m365dsecops search.appverid:
security Integrate Microsoft 365 Defender Secops Use Cases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/integrate-microsoft-365-defender-secops-use-cases.md
audience: ITPro - M365-security-compliance
- - m365initiative-m365-defender
- m365solution-m365dsecops search.appverid:
security Integrate Microsoft 365 Defender Secops https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/integrate-microsoft-365-defender-secops.md
audience: ITPro - M365-security-compliance
- - m365initiative-m365-defender
- m365solution-m365dsecops - m365solution-overview
security Microsoft 365 Defender Integration With Azure Sentinel https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender-integration-with-azure-sentinel.md
audience: ITPro - M365-security-compliance
- - m365initiative-m365-defender
search.appverid: - MOE150
security Microsoft 365 Security Center Mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mde.md
search.appverid:
- MET150 - M365-security-compliance -- m365initiative-m365-defender
security Microsoft 365 Security Center Mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdo.md
search.appverid:
- MOE150 - M365-security-compliance-- m365initiative-m365-defender ms.prod: m365-security ms.technology: m365d
security Microsoft 365 Security Mde Redirection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-mde-redirection.md
audience: ITPro - M365-security-compliance
- - m365initiative-m365-defender
ms.technology: m365d
security Microsoft 365 Security Mdo Redirection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-mdo-redirection.md
audience: ITPro - M365-security-compliance
- - m365initiative-m365-defender
- admindeeplinkDEFENDER - admindeeplinkEXCHANGE
security Microsoft Secure Score Improvement Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score-improvement-actions.md
audience: ITPro-+
+- M365-security-compliance
+- m365initiative-m365-defender
search.appverid: - MOE150
security Microsoft Secure Score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score.md
audience: ITPro
- - M365-security-compliance
- - Adm_TOC
+- M365-security-compliance
+- m365initiative-m365-defender
+- Adm_TOC
search.appverid: - MOE150
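Review bot: the added `+- m365initiative-m365-defender` entry goes the opposite way from the other security/defender articles in this batch, which remove that collection tag (for example `- - m365initiative-m365-defender` under Portals and Whats New). Confirm which direction is intended, and either drop the addition here and in microsoft-secure-score-improvement-actions.md or note why these two articles are the exception. The `M365-security-compliance` and `Adm_TOC` entries are removed and re-added with only their leading indentation changed, so check that the un-indented list items still sit under the intended metadata key.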
security Mssp Access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mssp-access.md
search.appverid:
- MET150 - M365-security-compliance -- m365initiative-m365-defender # Provide managed security service provider (MSSP) access
security Portals https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/portals.md
audience: ITPro - M365-security-compliance
- - m365initiative-m365-defender
search.appverid: met150 ms.technology: m365d
security Threat Analytics Analyst Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/threat-analytics-analyst-reports.md
audience: ITPro - M365-security-compliance -- m365initiative-m365-defender
security Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/whats-new.md
audience: ITPro - M365-security-compliance
- - m365initiative-m365-defender
ms.technology: m365d