Updates from: 01/23/2021 04:20:35
Category Microsoft Docs article Related commit history on GitHub Change details
admin https://docs.microsoft.com/en-us/microsoft-365/admin/dns/create-dns-records-at-cloudflare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/dns/create-dns-records-at-cloudflare.md
@@ -81,7 +81,7 @@ Before you use your domain with Microsoft, we have to make sure that you own it.
4. On the **DNS management** page, click **Add record**, and then select the values from the following table.
- |**Type**|**Name**|**Automatic TTL**|**Content**|
+ | Type | Name | Automatic TTL | Content |
|:-----|:-----|:-----|:----| |TXT <br/> |@ <br/> |30 minutes <br/> |MS=ms *XXXXXXXX* <br/> **Note:** This is an example. Use your specific **Destination or Points to Address** value here, from the table. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |
@@ -125,7 +125,7 @@ When Microsoft finds the correct TXT record, your domain is verified.
4. On the **DNS management** page, click **Add record**, and then select the values from the following table.
- |**Type**|**Name**|**Mail server**|**Priority**|**TTL**|
+ | Type | Name | Mail server | Priority | TTL |
|:-----|:-----|:-----|:-----|:-----| |MX <br/> |@ <br/> |*\<domain-key\>* .mail.protection.outlook.com <br/> **Note:** Get your *\<domain-key\>* from your Microsoft 365 account. [How do I find this?](../get-help-with-domains/information-for-dns-records.md) |1 <br/> For more information about priority, see [What is MX priority?](https://docs.microsoft.com/microsoft-365/admin/setup/domains-faq) <br/>|30 minutes <br/> |
@@ -154,7 +154,7 @@ When Microsoft finds the correct TXT record, your domain is verified.
On the **DNS management** page, click **Add record**, and then select the values from the following table.
- |**Type**|**Name**|**Target**|**TTL**|
+ | Type | Name | Target | TTL |
|:-----|:-----|:-----|:-----| |CNAME <br/> |autodiscover <br/> |autodiscover.outlook.com <br/> |30 minutes <br/> | |CNAME <br/> |sip <br/> |sipdir.online.lync.com <br/> |30 minutes <br/> |
@@ -187,7 +187,7 @@ When Microsoft finds the correct TXT record, your domain is verified.
4. On the **DNS management** page, click **Add record**, and then select the values from the following table.
- |**Type**|**Name**|**TTL**|**Content**|
+ | Type | Name | TTL | Content |
|:-----|:-----|:-----|:-----| |TXT <br/> |@ <br/> |30 minutes <br/> |v=spf1 include:spf.protection.outlook.com -all <br/> **Note:** We recommend copying and pasting this entry, so that all of the spacing stays correct. |
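Review bot: the context row in this hunk still presents `v=spf1 include:spf.protection.outlook.com -all` as a record to add without saying what to do when the domain already publishes an SPF record; since a domain must have only one `v=spf1` TXT record, the table (or the adjacent note about copying and pasting) should tell the reader to merge `include:spf.protection.outlook.com` into an existing record rather than create a second one. The header change itself is cosmetic and fine.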
@@ -212,7 +212,7 @@ When Microsoft finds the correct TXT record, your domain is verified.
On the **DNS management** page, click **Add record**, and then select the values from the first row of the following table.
- |**Type**|**Service**|**Protocol**|**Name**|**TTL**|**Priority**|**Weight**|**Port**|**Target**|
+ | Type | Service | Protocol | Name | TTL | Priority | Weight | Port | Target |
|:-----|:-----|:-----|:-----|:-----|:-----|:-----|:-----|:-----| |SRV|_sip |TLS |Use your *domain_name*; for example, contoso.com |30 minutes | 100|1 |443 |sipfed.online.lync.com | |SRV|_sipfederationtls | TCP|Use your *domain_name*; for example, contoso.com |30 minutes |100 |1 |5061 | sipfed.online.lync.com |
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/search-cloud-based-mailboxes-for-on-premises-users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-cloud-based-mailboxes-for-on-premises-users.md
@@ -30,6 +30,8 @@ Here are the requirements and limitations for enabling cloud-based storage for o
- The user whose primary mailbox is located in the on-premises organization must be assigned a Microsoft Teams license and a minimum of an Exchange Online Plan 1 license.
+- If your organization doesn't have an Exchange hybrid deployment, you must synchrozize your on-premises Exchange schema to Azure Active Directory. If you don't do this, you might risk creating duplicate cloud-based mailboxes in Exchange Online for users that have a mailbox in your on-premises Exchange organization.
+ - Only Teams chat data associated with an on-premises user is stored in the cloud-based storage area. An on-premises user can't access this storage area in any way. - You have to submit a request to Microsoft Support to enable your organization to search for Teams chat data for on-premises users. See [Filing a request with Microsoft Support to enable this feature](#filing-a-request-with-microsoft-support-to-enable-this-feature) in this article.
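Review bot: typo in the added bullet, "synchrozize" should be "synchronize"; while there, "you might risk creating duplicate cloud-based mailboxes" reads better as "you risk creating duplicate cloud-based mailboxes", since the sentence already describes a conditional outcome.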
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance.md
@@ -61,10 +61,12 @@ Need to find if a user viewed a specific document or purged an item from their m
Be sure to read the following items before you start searching the audit log. -- You (or another admin) must first turn on audit logging before you can start searching the audit log. To turn it on, click **Turn on auditing** on the **Audit log search** page in the Security & Compliance Center. (If you don't see this link, auditing has already been turned on for your organization.) After you turn it on, a message is displayed that says the audit log is being prepared and that you can run a search in a couple of hours after the preparation is complete. You only have to do this once. For more information, see [Turn audit log search on or off](turn-audit-log-search-on-or-off.md).
+- Audit log search is turned on by default for Microsoft 365 and Office 365 enterprise organziations. This includes organizations with E3/G3 or E5/G5 subscriptions. To verify that audit log search is turned on, you can run the following command in Exchange Online PowerShell:
- > [!NOTE]
- > We're in the process of turning on auditing by default. Until then, you can turn it on as previously described.
+ ```powershell
+ Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
+ ```
+ The value of `True` for the *UnifiedAuditLogIngestionEnabled* property indicates that audit log search is turned on. For more information, see [Turn audit log search on or off](turn-audit-log-search-on-or-off.md).
- You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the audit log. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the **Permissions** page in the Exchange admin center. Note global administrators in Office 365 and Microsoft 365 are automatically added as members of the Organization Management role group in Exchange Online. To give a user the ability to search the audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the View-Only Audit Logs or Audit Logs role, and then add the user as a member of the new role group. For more information, see [Manage role groups in Exchange Online](https://go.microsoft.com/fwlink/p/?LinkID=730688).
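Review bot: typo in the added bullet, "enterprise organziations" should be "enterprise organizations". The new verification snippet (`Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled`) is a good addition; consider stating in the same bullet that a value of `False` means the reader must follow the linked turn-on article before any search returns results, so the two outcomes are covered in one place.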
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/turn-audit-log-search-on-or-off.md
@@ -24,7 +24,7 @@ description: How to turn on or off the Audit log search feature in the Security
# Turn audit log search on or off
-You (or another admin) must turn on audit logging before you can start searching the audit log. When audit log search in the Security & Compliance Center is turned on, user and admin activity from your organization is recorded in the audit log and retained for 90 days, and up to one year depending on the license assigned to users. However, your organization may have reasons for not wanting to record and retain audit log data. In those cases, a global admin may decide to turn off auditing in Microsoft 365.
+Audit logging is turned on by default for Microsoft 365 and Office 365 enterprise organizations. This includes organizations with E3/G3 or E5/G5 subscriptions. When audit log search in the compliance center is turned on, user and admin activity from your organization is recorded in the audit log and retained for 90 days, and up to one year depending on the license assigned to users. However, your organization may have reasons for not wanting to record and retain audit log data. In those cases, a global admin may decide to turn off auditing in Microsoft 365.
> [!IMPORTANT] > If you turn off audit log search in Microsoft 365, you can't use the Office 365 Management Activity API or Azure Sentinel to access auditing data for your organization. Turning off audit log search by following the steps in this article means that no results will be returned when you search the audit log using the Security & Compliance Center or when you run the **Search-UnifiedAuditLog** cmdlet in Exchange Online PowerShell. This also means that audit logs won't be available through the Office 365 Management Activity API or Azure Sentinel.
@@ -34,21 +34,29 @@ You (or another admin) must turn on audit logging before you can start searching
- You have to be assigned the Audit Logs role in Exchange Online to turn audit log search on or off in your Microsoft 365 organization. By default, this role is assigned to the Compliance Management and Organization Management role groups on the **Permissions** page in the Exchange admin center. Global admins in Microsoft 365 are members of the Organization Management role group in Exchange Online. > [!NOTE]
- > Users have to be assigned permissions in Exchange Online to turn audit log search on or off. If you assign users the Audit Logs role on the **Permissions** page in the Security & Compliance Center, they won't be able to turn audit log search on or off. This is because the underlying cmdlet is an Exchange Online cmdlet.
+ > Users have to be assigned permissions in Exchange Online to turn audit log search on or off. If you assign users the Audit Logs role on the **Permissions** page in the Security & Compliance Center, they won't be able to turn audit log search on or off. This is because the underlying cmdlet is an Exchange Online PowerShell cmdlet.
- For step-by-step instructions on searching the audit log, see [Search the audit log in the Security & Compliance Center](search-the-audit-log-in-security-and-compliance.md). For more information about the Microsoft 365 Management Activity API, see [Get started with Microsoft 365 Management APIs](https://docs.microsoft.com/office/office-365-management-api/get-started-with-office-365-management-apis).+
+- To verify that audit log search is turned on, you can run the following command in Exchange Online PowerShell:
+
+ ```powershell
+ Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
+ ```
+
+ The value of `True` for the _UnifiedAuditLogIngestionEnabled_ property indicates that audit log search is turned on.
## Turn on audit log search
-You can use the Security & Compliance Center or PowerShell to turn on audit log search in Microsoft 365. It may take several hours after you turn on audit log search before you can return results when you search the audit log. You have to be assigned the Audit Logs role in Exchange Online to turn on audit log search.
+If audit log search is not turned on for your orgnanization, you can turn it on in the compliance center or by using Exchange Online PowerShell. It may take several hours after you turn on audit log search before you can return results when you search the audit log.
-### Use the Security & Compliance Center to turn on audit log search
+### Use the compliance center to turn on audit log search
-1. [Go to the Security & Compliance Center](https://protection.office.com) and sign in.
+1. [Go to the compliance center](https://protection.office.com) and sign in.
-2. In the Security & Compliance Center, go to **Search** \> **Audit log search**.
+2. In the compliance center, go to **Search** > **Audit log search**.
- A banner is displayed saying that auditing has to be turned on to record user and admin activity.
+ If audit log search is not turned on for your orgnanization, a banner is displayed saying that auditing has to be turned on to record user and admin activity.
3. Click **Turn on auditing**.
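Review bot: typo in two added lines, "orgnanization" should be "organization" (in the rewritten intro under "Turn on audit log search" and in the banner sentence under step 2). Also, the link text was renamed from "Security & Compliance Center" to "compliance center" but the target stays `https://protection.office.com`; confirm that is the intended portal for the renamed text, otherwise the link should be updated along with the wording.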
@@ -70,11 +78,11 @@ You can use the Security & Compliance Center or PowerShell to turn on audit log
## Turn off audit log search
-You have to use remote PowerShell connected to your Exchange Online organization to turn off audit log search. Similar to turning on audit log search, you have to be assigned the Audit Logs role in Exchange Online to turn off audit log search.
+You have to use Exchange Online PowerShell to turn off audit log search.
1. [Connect to Exchange Online PowerShell](https://go.microsoft.com/fwlink/p/?LinkID=396554)
-2. Run the following PowerShell command to turn off audit log search in Office 365.
+2. Run the following PowerShell command to turn off audit log search.
```powershell Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false
@@ -82,7 +90,7 @@ You have to use remote PowerShell connected to your Exchange Online organization
3. After a while, verify that audit log search is turned off (disabled). There are two ways to do this:
- - In PowerShell, run the following command:
+ - In Exchange Online PowerShell, run the following command:
```powershell Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
@@ -90,6 +98,6 @@ You have to use remote PowerShell connected to your Exchange Online organization
The value of `False` for the _UnifiedAuditLogIngestionEnabled_ property indicates that audit log search is turned off.
- - In the [Security & Compliance Center](https://protection.office.com), go to **Search** \> **Audit log search**.
+ - In the [compliance center](https://protection.office.com), go to **Search** \> **Audit log search**.
- A banner is displayed saying that auditing has to be turned on in order to record user and admin activity.
\ No newline at end of file
+ A banner is displayed saying that auditing has to be turned on in order to record user and admin activity.
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-started/company-portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/company-portal.md
@@ -33,9 +33,7 @@ This topic provides info on how to:
- Verify active sync between Intune and Microsoft Store for Business ## Step 2 - Assign Company Portal to your users
-Submit a support request to Microsoft Managed Desktop Operations through the Microsoft Managed Desktop Admin portal. In the support request, request that Company Portal be assigned to your users. Microsoft Managed Desktop will deploy Company Portal to your tenant and install the app on Microsoft Managed Desktop devices in your organization.
-
-For more information on submitting support requests with Microsoft Managed Desktop, see [Admin support for Microsoft Managed Desktop](../working-with-managed-desktop/admin-support.md).
+Following your enrollment in Microsoft Managed Desktop, Microsoft Managed Desktop Operations will automatically deploy Company Portal to your tenant and install the app on Microsoft Managed Desktop devices in your organization.
## Step 3 - Communicate change to your users As the IT administrator for your organization, itΓÇÖs important to let your users know how to use Company Portal in your organization. Microsoft Managed Desktop recommends:
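Review bot: the rewritten paragraph says Company Portal is deployed automatically after enrollment, but the section heading in the context line, "Step 2 - Assign Company Portal to your users", still describes an action the admin performs; rename the heading (for example to state that Company Portal is deployed for you) so the step list stays accurate. The removed pointer to admin-support.md was the only link from this page to the support-request process; if admins may still need it for other requests, keep the link in a shorter form.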
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/microsoft-secure-score.md
@@ -77,6 +77,7 @@ Currently there are recommendations for the following products:
- Microsoft Defender for Endpoint - Microsoft Defender for Identity - Cloud App Security
+- Microsoft Teams
Recommendations for other security products are coming soon. The recommendations won't cover all the attack surfaces associated with each product, but they're a good baseline. You can also mark the improvement actions as covered by a third party or alternate mitigation.
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/monitor-and-report-identities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/monitor-and-report-identities.md deleted file mode 100644
@@ -1,38 +0,0 @@
-title: Identity monitoring and reporting - Security center
-description: Describes how you can monitor the users in your organization and keep track of suspicious or risky behaviors.
-keywords: security, malware, Microsoft 365, M365, security center, monitor, report, identity, users
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-f1.keywords:
- - NOCSH
-ms.author: ellevin
-author: levinec
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365initiative-m365-defender
-ms.topic: article
-search.appverid: met150
-ms.custom: seo-marvel-apr2020
-ms.technology: m365d
-
-# Identity monitoring and reporting in the Microsoft 365 security center
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
--
-Monitor the identities in your organization and keep track of suspicious or risky behaviors. In the **Identities** category of **Reports**, you can track:
-
-* Users with the most detected anomalies
-* How many users are reported at risk by conditional access policies
-* The number of global admins in your org
-
-![Identities category of reports page](../../media/identities.png)
-
-For users with specific detections, you can explore the specific alert and investigate in Microsoft Defender Security Center. Detections include anomalies such as users who sign in from unfamiliar locations.
-
-For a complete set of risk events, see [Azure Active Directory risk events](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-risk-events).
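Review bot: this change deletes a published page (monitor-and-report-identities.md) and the three that follow it (monitor-apps.md, monitor-data.md, monitor-devices.md) without a visible redirect entry or an update to pages that link to them; deleting a live docs page normally needs a redirect to the replacement content and a check that the media files referenced in the removed lines (for example `../../media/identities.png`) are no longer used elsewhere before they are cleaned up.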
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/monitor-apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/monitor-apps.md deleted file mode 100644
@@ -1,70 +0,0 @@
-title: App monitoring & reporting - Security center
-description: Learn how to gain more insight into cloud app use in your organization. Includes different kinds of apps, their level of risk, and alerts.
-keywords: security, malware, Microsoft 365, M365, security center, monitor, report, apps
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-f1.keywords:
- - NOCSH
-ms.author: ellevin
-author: levinec
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365initiative-m365-defender
-ms.topic: article
-search.appverid: met150
-ms.custom: seo-marvel-apr2020
-ms.technology: m365d
-
-# App monitoring and reporting in the Microsoft 365 security center
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
--
-These reports provide more insight into how cloud apps are being used in your organization. Includes different kinds of apps, their level of risk, and alerts.
-
-## Monitor email accounts at risk
-
-**Email protection** shows email accounts at risk. You can select an account to investigate further in Microsoft Defender Security Center.
-
-![Email protection card](../../media/email-protection.png)
-
-## Monitor app permissions granted by users
-
-**Cloud App Security - OAuth apps** lists apps discovered by Cloud App Security that have been granted permissions by users. Cloud App Security's risk catalog includes over 16,000 apps that are assessed using over 70 risk factors.
-
-The risk factors start from general information, such as the app publisher. It then moves to security measures and controls, such as whether the app supports encryption at rest or provides an audit log of user activity.
-
-![Cloud App Security OAuth apps card](../../media/cloud-app-security-oauth-apps.png)
-
-## Monitor cloud app user accounts
-
-**Cloud app accounts for review** lists accounts that may require attention.
-
-![Cloud App accounts for review card](../../media/cloud-app-accounts-for-review.png)
-
-## Understand which cloud apps are used
-
-**Discovered cloud apps (categories)** show what kinds of apps are being used in your organization. It links to the Cloud Discovery dashboard in Cloud App Security. For more information, see [Quickstart: Work with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps).
-
-![Discovered cloud apps categories card](../../media/discovered-cloud-apps-categories.png)
-
-## Monitor where users access cloud apps
-
-**Cloud app activity locations** show where users are accessing cloud apps.
-
-![Cloud App activity locations card](../../media/cloud-app-activity-locations.png)
-
-## Monitor health for infrastructure workloads
-
-**Infrastructure health** shows health status alerts for infrastructure workloads in Azure Defender.
-
-Azure Defender provides unified security management and Defender for Office 365 across on-premises and cloud workloads. You can collect, search, and analyze security data from different sources, including firewalls and other partner solutions.
-
-For more information, see [Azure Defender Documentation](https://docs.microsoft.com/azure/security-center/).
-
-![Infrastructure health card](../../media/infrastructure-health.png)
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/monitor-data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/monitor-data.md deleted file mode 100644
@@ -1,37 +0,0 @@
-title: Data monitoring & reporting - Security center
-description: Learn how you can track user activity that could lead to unauthorized data disclosure in Microsoft 365 security center.
-keywords: security, malware, Microsoft 365, M365, security center, monitor, report, data
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-f1.keywords:
- - NOCSH
-ms.author: ellevin
-author: levinec
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365initiative-m365-defender
-ms.topic: article
-search.appverid: met150
-ms.custom: seo-marvel-apr2020
-ms.technology: m365d
-
-# Data monitoring and reporting in the Microsoft 365 security center
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
--
-The **Data** category helps track user activity that could lead to unauthorized data disclosure. They are the rework of existing DLP policy reports plus a third-party DLP policy match report.
-
-You can see:
--- Users who share the most files from cloud apps-- How many DLP policy matches occurred-- How many DLP policies overrides or false positives are reported-- How many DLP policy matches happened in third-party cloud services via Microsoft Cloud App Security-
-![Data category of reports page](../../media/data.png)
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/monitor-devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/monitor-devices.md deleted file mode 100644
@@ -1,233 +0,0 @@
-title: Device monitoring & reporting - Security center
-description: Describes how you can keep your devices secure, up-to-date, and spot potential threats in your organization
-keywords: security, malware, Microsoft 365, M365, security center, monitor, report, devices
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-f1.keywords:
- - NOCSH
-ms.author: ellevin
-author: levinec
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365initiative-m365-defender
-ms.topic: article
-search.appverid: met150
-ms.custom: seo-marvel-apr2020
-ms.technology: m365d
-
-# Device monitoring and reporting in the Microsoft 365 security center
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
--
-Keep your devices secure, up-to-date, and spot potential threats in the Microsoft 365 security center.
-
-## View device alerts
-
-Get up-to-date alerts about breach activity and other threats on your devices from Microsoft Defender for Endpoint (available with an E5 license). Microsoft 365 security center effectively monitors these alerts at a high level using your preferred workflow.
-
-### Monitor high-impact alerts
-
-Each Microsoft Defender for Endpoint alert has a corresponding severity (high, medium, low, or informational). It indicates potential impact to your network if left unattended.
-
-Use the **Device alert severity** card to focus specifically on alerts that are more severe and might require immediate response. From this card, you can view more information on the Microsoft Defender Security Center portal.
-
-![Device alerts severity card](../../media/device-alerts-severity.png)
-
-### Understand sources of alerts
-
-Microsoft Defender for Endpoint leverages data from a broad range of security sensors and intelligence sources to generate alerts. For example, it can use detection information from Microsoft Defender Antivirus and third-party antimalware. It can also use your own custom threat intelligence provided through the web service API.
-
-The **Device alert detection** sources card shows the distribution of alerts by source. Track activity related to certain sources, particularly your custom sources. You can also use the card to focus on alerts coming from sensors that aren't configured to automatically block malicious activity or components.
-
-![Device alert detection sources card](../../media/device-alert-detection-sources.png)
-
-From this card, you can view more information on the Microsoft Defender Security Center portal.
-
-### Understand the types of threats that trigger alerts
-
-Microsoft Defender for Endpoint sorts each alert into a category representing a certain stage in the attack chain or type of threat component. For example, a detected threat activity might be categorized as "lateral movement" to indicate there was an attempt to reach other devices on the network. The activity has likely occurred after attackers gained an initial foothold. When detected, a threat component might be classified broadly as malware or specifically as a specific threat type. Specifics include ransomware, credential stealing, or other types of malicious or unwanted software.
-
-The **Device threat categories** card shows the distribution of alerts into these categories. Use this information to identify threat activity, such as credential theft attempts, that usually have higher impact than social engineering attempts. You can also to monitor for potentially destructive threats like ransomware.
-
-![Device threat categories card](../../media/device-threat-categories.png)
-
-### Monitor active alerts
-
-The **Device alert status** card indicates the number of alerts that haven't been resolved and may require attention. From this card, you can view more information on the Microsoft Defender Security Center portal.
-
-![Device alert status card](../../media/device-alert-status.png)
-
-### Monitor classification of resolved alerts
-
-When resolving a Microsoft Defender for Endpoint alert, your security staff can specify whether an alert has been verified as:
-
-* A true alert that identifies actual breach activity or threat components
-* A false alert that has incorrectly detected normal activity
-
-The **Device alert classification** card shows whether your resolved alerts have been classified as true or false alerts. From this card, you can view more information on the Microsoft Defender Security Center portal.
-
-Note: In some cases, classification information is unavailable for certain alerts.
-
-![Device alert classification card](../../media/device-alert-classification.png)
-
-### Monitor determination of resolved alerts
-
-Along with classifying whether an alert is true or false during resolution, your security staff can provide a determination. A determination indicates the type of normal or malicious activity that was found while validating the alert.
-
-The **Device alert determination** card shows the determination provided for each alert.
-
-* **APT**: advanced persistent threat, indicating that the detected activity or threat component is part of a sophisticated breach designed to gain a foothold in the affected network
-* **Malware**: malicious file or code
-* **Security personnel**: normal activity performed by security staff
-* **Security testing**: activity or components designed to simulate actual threats and expected to trigger security sensors and generate alerts
-* **Unwanted software**: apps and other software that are not considered malicious, but otherwise violate policy or acceptable use standards
-* **Others**: any other determination that doesn't fall under the provided types
-
-From this card, you can view more information in Microsoft Defender Security Center.
-
-![Device alert determination card](../../media/device-alert-determination.png)
-
-### Understand which devices are at risk
-
-**Device protection** shows the risk level for devices. The risk level is based on factors such as the type and severity of alerts on the device.
-
-![Device protection card](../../media/device-protection.png)
-
-## Monitor and report status of Intune-managed devices
-
-The following reports contain data from devices enrolled in Intune. Data from unenrolled devices isn't included. Only Global Administrators can view these cards.
-
-Intune enrolled device data includes:
-
-* Device compliance
-* Devices with active malware
-* Types of malware on devices
-* Malware on devices
-* Devices with malware detections
-* Users with malware detections
-
-### Monitor device compliance
-
-**Device compliance** shows how many devices that are enrolled in Intune comply with configuration policies.
-
-![Device compliance card](../../media/device-compliance.png)
-
-### Discover devices with malware detections
-
-**Device malware detections** provide the number of Intune enrolled devices with malware that hasn't been fully resolved. A lack of resolution can be because of pending actions, a restart, a full scan, manual user actions, or if the remediation action was not successfully completed.
-
-![Device malware detections card](../../media/device-malware-detections.png)
-
-### Understand the types of malware detected
-
-**Types of malware on devices** show different kinds of malware that have been detected on devices enrolled in Intune. You can investigate each type in the Microsoft 365 security center.
-
-![Types of malware on devices card](../../media/types-of-malware-on-devices.png)
-
-### Understand the specific malware detected on your devices
-
-**Malware on devices** provides a list of the specific malware detected on your devices.
-
-![Malware on devices card](../../media/malware-on-devices.png)
-
-### Understand which devices have the most malware
-
-**Devices with malware detections** show which devices have the most malware detections. in the Microsoft 365 security center, you can investigate whether malware is active, who uses the device, and its management status in Intune.
-
-![Devices with malware detections card](../../media/devices-with-malware-detections.png)
-
-### Understand which users have devices with the most malware
-
-**Users with malware detections** show users with devices that had the most malware detections. In the Microsoft 365 security center, you can see how many devices are assigned to each user and more information about each device and the type of malware.
-
-![Users with malware detection card](../../media/users-with-malware-detections.png)
-
-## Monitor and manage attack surface reduction rule deployment and detections
-
-[Attack Surface Reduction (ASR) rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction) help prevent actions and apps that are typically used by exploit-seeking malware to infect devices. These rules control when and how executables can run. For example, you can prevent JavaScript or VBScript from launching a downloaded executable, block Win32 API calls from Office macros, or block processes that run from USB drives.
-
-![Attack surface reductions card](../../media/attack-surface-reduction-rules.png)
-
-The **Attack surface reduction rules** card provides an overview of the deployment of rules across your devices.
-
-The top bar on the card shows the total number of devices that are in the following deployment modes:
-
-* **Block mode**: devices with at least one rule configured to block detected activity
-* **Audit mode**: devices with no rules set to block detected activity, but has at least one rule set to audit detected activity
-* **Off**: devices with all ASR rules turned off
-
-The lower part of this card shows settings by rule across your devices. Each bar indicates the number of devices that are set to block, audit detection, or have the rule completely turned off.
-
-### View ASR detections
-
-To view detailed information about ASR rule detections in your network, select **View detections** on the **Attack surface reduction rules** card. The **Detections** tab in the detailed report page will open.
-
-![Detections tab](../../media/detections-tab.png)
-
-The chart at the top of the page shows detections over time stacking detections that were either blocked or audited. The table at the bottom lists the most recent detections. Use the following information on the table to understand the nature of the detections:
-
-* **Detected file**: the file, typically a script or document, whose contents triggered the suspected attack activity
-* **Rule**: name describing the attack activities the rule is designed to catch. Read about existing ASR rules
-* **Source app**: the application that loaded or executed content triggering the suspected attack activity. It could be a legitimate application, such as web browser, an Office application, or a system tool like PowerShell
-* **Publisher**: the vendor that released the source app
-
-### Review device ASR rule settings
-
-In the **Attack surface reduction rules** report page, go to the **Configuration** tab to review rule settings for individual devices. Select a device to get detailed information about whether each rule is in block mode, audit mode, or turned off entirely.
-
-![Configuration tab](../../media/configuration-tab.png)
-
-Microsoft Intune provides management functionality for your ASR rules. If you want to update your settings, select **Get started** under **Configure devices** in the tab to open device management on Intune.
-
-### Exclude files from ASR rules
-
-Microsoft 365 security center collects the names of the [files you might want to exclude](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction#exclude-files-and-folders-from-asr-rules) from detections by attack surface reduction rules. By excluding files, you can reduce false positive detections and more confidently deploy attack surface reduction rules in block mode.
-
-The exclusions are managed on Microsoft Intune, but Microsoft 365 security center provides an analysis tool to help you understand the files. To start collecting files for exclusion, go to the **Add exclusions** tab in the **Attack surface reduction rules** report page.
-
->[!NOTE]
->The tool analyzes detections by all attack surface reduction rules, but [only some rules support exclusions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr).
-
-![Add exclusions tab](../../media/add-exclusions-tab.png)
-
-The table lists all the file names detected by your attack surface reduction rules. You can select files to review the impact of excluding them:
-
-* How many fewer detections
-* How many fewer devices report the detections
-
-To get a list of the selected files with their full paths for exclusion, select **Get exclusion paths**.
-
-Logs for the ASR rule **Block credential stealing from the Windows local security authority subsystem (lsass.exe)** capture the source app **lsass.exe**. It is a normal system file, but captured as the detected file. As a result, the generated list of exclusion paths will include this file. To exclude the file that triggered this rule instead of **lsass.exe**, use the path to the source app instead of the detected file.
-
-To locate the source app, run the following [advanced hunting query](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting) for this specific rule (identified by rule ID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2):
-
-```kusto
-DeviceEvents
-| where Timestamp > ago(7d)
-| where ActionType startswith "Asr"
-| where AdditionalFields contains "9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2"
-| project InitiatingProcessFolderPath, InitiatingProcessFileName
-```
-
-#### Check files for exclusion
-
-Before excluding a file from ASR, we recommend that you inspect the file to determine if it's indeed not malicious.
-
-To review a file, use the [file information page](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-files) on Microsoft Defender Security Center. The page provides prevalence information and the VirusTotal antivirus detection ratio. You can also use the page to submit the file for deep analysis.
-
-To locate a detected file in Microsoft Defender Security Center, search for all ASR detections using the following advanced hunting query:
-
-```kusto
-MiscEvents
-| where EventTime > ago(7d)
-| where ActionType startswith "Asr"
-| project FolderPath, FileName, SHA1, InitiatingProcessFolderPath, InitiatingProcessFileName, InitiatingProcessSHA1
-```
-
-Use the **SHA1** or the **InitiatingProcessSHA1** in the results to search for the file using the universal search bar in Microsoft Defender Security Center.
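Review bot: the two advanced hunting queries in the removed text disagree on schema: the lsass.exe source-app query uses `DeviceEvents` with `Timestamp`, while the file-review query that follows it uses the retired `MiscEvents` table and `EventTime` column. If this ASR exclusion guidance is being relocated rather than dropped (the deletion removes the only place the lsass.exe caveat is documented), the second query should read `DeviceEvents | where Timestamp > ago(7d) | where ActionType startswith "Asr"` so both run against the current schema, and the advice to check prevalence and SHA1 before excluding should travel with it, because the exclusion list is generated by path (Get exclusion paths) while the safety check is done by hash (SHA1 / InitiatingProcessSHA1), so a reader who skips the check excludes whatever lands at that path. The lowercase "in the Microsoft 365 security center" opening a sentence under "Understand which devices have the most malware" is moot once the file is deleted.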
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/monitoring-and-reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/monitoring-and-reporting.md deleted file mode 100644
@@ -1,48 +0,0 @@
-title: Monitor and view reports - Security center
-description: Describes how Microsoft 365 security center provides at a glance summary of protection and security status.
-keywords: security, malware, Microsoft 365, M365, security center, monitor, report, status
-ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.localizationpriority: medium
-f1.keywords:
- - NOCSH
-ms.author: ellevin
-author: levinec
-manager: dansimp
-audience: ITPro
-ms.collection:
- - M365-security-compliance
- - m365initiative-m365-defender
-ms.topic: article
-search.appverid: met150
-ms.custom: seo-marvel-apr2020
-ms.technology: m365d
-
-# Monitor and view reports in the Microsoft 365 security center
-
-[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
-
-> Want to experience Microsoft 365 Defender? You can [evaluate it in a lab environment](https://aka.ms/mtp-trial-lab) or [run your pilot project in production](https://aka.ms/m365d-pilotplaybook).
->
-
-The Microsoft 365 security center provides a summary of protection and security statuses across your Microsoft 365 environment.
-
-The security center includes a **Reports** section which features a host of cards covering a variety of areas. Security analysts and administrators can track the cards as part of their day-to-day operations. On drill-down, cards provide detailed reports and, in some cases, management options.
-
-## Customize views
-
-By default, cards are grouped into these categories:
-
-* [Identities](monitor-and-report-identities.md) - user accounts and credentials
-* [Data](monitor-data.md) - email and document contents
-* [Devices](monitor-devices.md) - computers, mobile phones, and other devices
-* [Apps](monitor-apps.md) - programs and attached online services
-
-Switch to **Group by topic**, to rearrange the cards and group them into the following topics:
-
-* **Risk** - cards that highlight entities, such as accounts and devices, that might be at risk. These cards also highlight possible sources of risk, such as new threat campaigns and privileged cloud apps
-* **Detection trends** - cards that highlight new threat detections, anomalies, and policy violations
-* **Configuration and health** - cards that cover the configuration and deployment of security controls, including device onboarding states to management services
-* **Other** - all other cards not categorized under other topics
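Review bot: this deletes a hub page that links to four sibling topics (monitor-and-report-identities.md, monitor-data.md, monitor-devices.md, monitor-apps.md) without a visible replacement; the change needs a redirect entry for monitoring-and-reporting.md and the same check for each sibling, otherwise existing inbound links and bookmarks break. The deleted body is also the only description of the "Group by topic" view (Risk, Detection trends, Configuration and health, Other); if that view still exists in the portal, carry that list into whichever page replaces this one.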
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/overview-security-center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/overview-security-center.md
@@ -39,13 +39,21 @@ Visit the Microsoft 365 security center at [https://security.microsoft.com](http
> [!NOTE] > You must be assigned an appropriate role, such as Global Administrator, Security Administrator, Security Operator, or Security Reader in Azure Active Directory to access the Microsoft 365 security center. -
-## Let's take a closer look
+## At-a-glance view of your Microsoft 365 environment
The **Home** page shows many of the common cards that security teams need. The composition of cards and data is dependent on the user role. Because the Microsoft 365 security center uses role-based access control, different roles will see cards that are more meaningful to their day to day jobs. This at-a-glance information helps you keep up with the latest activities in your organization. The Microsoft 365 security center brings together signals from different sources to present a holistic view of your Microsoft 365 environment.
+Loosely, the cards fall into these categories:
+
+- **Identities**- Monitor the identities in your organization and keep track of suspicious or risky behaviors. [Learn more about identity protection](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection)
+- **Data** - Help track user activity that could lead to unauthorized data disclosure.
+- **Devices** - Get up-to-date information on alerts, breach activity, and other threats on your devices.
+- **Apps** - Gain insight into how cloud apps are being used in your organization. [Learn more about Cloud App Security discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps)
+
+## Explore what the security center has to offer
+ The Microsoft 365 security center includes: * **Home** ΓÇô Get at-a-glance view of the overall security health of your organization.
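Review bot: list formatting is inconsistent in the new "Loosely, the cards fall into these categories" block: `**Identities**- Monitor` is missing the space before the hyphen that the Data, Devices and Apps items have, and Data is the only category without a "Learn more" link, so either add the corresponding link or drop the links from the other three. Also, the note above the renamed heading states the access requirement (Global Administrator, Security Administrator, Security Operator, or Security Reader) while the new section says card composition depends on role without saying which of those roles sees what; a sentence pointing the reader to the role reference would close that gap.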
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/admin-submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/admin-submission.md
@@ -28,7 +28,15 @@ ms.prod: m365-security
In Microsoft 365 organizations with mailboxes in Exchange Online, admins can use the Submissions portal in the Security & Compliance Center to submit email messages, URLs, and attachments to Microsoft for scanning.
-When you submit an email, you will get information about any policies that may have allowed the incoming email into your tenant, as well as examination of any URLs and attachments in the mail. Policies that may have allowed a mail include an individual user's safe sender list as well as tenant level policies such as Exchange mail flow rules (also known as transport rules).
+When you submit an email message, you will get:
+
+1. **Email authentication check**: Details on whether email authentication passed or failed when it was delivered.
+2. **Policy hits**: Information about any policies that may have allowed or blocked the incoming email into your tenant, overriding our service filter verdicts.
+3. **Payload reputation/detonation**: Examination of any URLs and attachments in the message.
+4. **Grader analysis**: Review done by human graders in order to confirm whether or not messages are malicious.
+
+> [!IMPORTANT]
+> Payload reputation/detonation and grader analysis are not done in all tenants. Information is blocked from going outside the organization when data is not supposed to leave the tenant boundary for compliance purposes.
For other ways to submit email messages, URLs, and attachments to Microsoft, see [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
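Review bot: item 2 (Policy hits) loses the concrete examples the replaced sentence gave (an individual user's safe sender list, Exchange mail flow rules, also known as transport rules); keep them, since they are what an admin actually goes looking for when asking why a message was delivered. Item 1 should name the checks behind "email authentication" (SPF, DKIM, DMARC) so the reader knows what passed or failed. The IMPORTANT note is too vague to act on: "not done in all tenants" and "when data is not supposed to leave the tenant boundary" do not tell an admin whether their own submissions get detonation and grader review; state which tenant setting or data-residency condition disables those steps, or at minimum how the submission result indicates they were skipped.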
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/air-remediation-actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-remediation-actions.md
@@ -2,7 +2,7 @@
title: Remediation actions following automated investigation in Microsoft Defender for Office 365 keywords: AIR, autoIR, ATP, automated, investigation, response, remediation, threats, advanced, threat, protection f1.keywords:
- - NOCSH
+- NOCSH
ms.author: deniseb author: denisebmsft manager: dansimp
@@ -10,15 +10,15 @@ audience: ITPro
ms.topic: article localization_priority: Normal search.appverid:
- - MET150
- - MOE150
+- MET150
+- MOE150
ms.collection:
- - M365-security-compliance
- - m365initiative-defender-office365
+- M365-security-compliance
+- m365initiative-defender-office365
description: Learn about remediation actions following automated investigation in Microsoft Defender for Office 365.
-ms.date: 09/29/2020
+ms.date: 01/21/2021
ms.custom:
- - air
+- air
ms.technology: mdo ms.prod: m365-security ---
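Review bot: ms.date moves from 09/29/2020 to 01/21/2021 although the hunks only re-indent YAML list items, which parse identically before and after; a date bump on a whitespace-only change tells readers the article was re-reviewed when it was not. Either leave ms.date alone or include the content review that justifies it.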
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulator https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulator.md
@@ -152,7 +152,8 @@ If you're going to use one of the built-in templates or create the email message
- Click **Use Template** and select a built-in or custom email template. After you select the template, the **Name** box is automatically filled based on the template, but you can change the name.
- ![Phishing Start Page](../../media/5e93b3cc-5981-462f-8b45-bdf85d97f1b8.jpg)
+ > [!div class="mx-imgBorder"]
+ > ![Phishing Start Page](../../media/5e93b3cc-5981-462f-8b45-bdf85d97f1b8.jpg)
When you're finished, click **Next**.
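Review bot: the `> [!div class="mx-imgBorder"]` wrapper sits inside a bulleted step, and as shown the leading whitespace is stripped, so confirm in the rendered page that both the div line and the image line are indented to the list item's content column; if they are not, the blockquote terminates the list and "When you're finished, click **Next**." renders outside the step. The same check applies to the Compose Email Body image in the next hunk.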
@@ -215,7 +216,8 @@ If you're going to use one of the built-in templates or create the email message
For **Spear Phishing (Attachment)** campaigns, you should remove the link from the body of the message (otherwise, the message will contain both a link **and** an attachment, and link clicks aren't tracked in an attachment campaign).
- ![Compose Email Body](../../media/9bd65af4-1f9d-45c1-8c06-796d7ccfd425.jpg)
+ > [!div class="mx-imgBorder"]
+ > ![Compose Email Body](../../media/9bd65af4-1f9d-45c1-8c06-796d7ccfd425.jpg)
When you're finished, click **Next**.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp.md
@@ -6,7 +6,7 @@ keywords: integrate, Microsoft Defender, ATP
ms.author: deniseb author: denisebmsft manager: dansimp
-ms.date: 09/29/2020
+ms.date: 01/21/2021
audience: ITPro ms.topic: article
@@ -58,7 +58,7 @@ Integrating Microsoft Defender for Office 365 with Microsoft Defender for Endpoi
![Explorer in Threat Management menu](../../media/ThreatMgmt-Explorer-nav.png)
-3. In the upper right corner of the screen, choose **Defender for Endpoint Settings**.
+3. In the upper right corner of the screen, choose **Defender for Endpoint Settings (MDE Settings)**.
4. In the Microsoft Defender for Endpoint connection dialog box, turn on **Connect to Microsoft Defender for Endpoint**.
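Review bot: "Defender for Endpoint Settings (MDE Settings)" reads as two different labels for one control; if the portal button is labelled "MDE Settings", use that exact string and, if needed, expand the acronym once in prose ("MDE Settings, that is, Microsoft Defender for Endpoint settings") rather than in a parenthetical that looks like part of the UI text. Step 4 still refers to "the Microsoft Defender for Endpoint connection dialog box", so whichever label is chosen, keep steps 3 and 4 consistent.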