Updates from: 01/06/2023 02:23:43
Category Microsoft Docs article Related commit history on GitHub Change details
compliance Audit Log Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-activities.md
The following table lists events that result from using [sensitivity labels](sen
|:--|:--|:--| |Applied sensitivity label to site|SiteSensitivityLabelApplied|A sensitivity label was applied to a SharePoint or Teams site.| |Removed sensitivity label from site|SiteSensitivityLabelRemoved|A sensitivity label was removed from a SharePoint or Teams site.|
-|Applied sensitivity label to file|FileSensitivityLabelApplied|A sensitivity label was applied to a document by using Microsoft 365 apps, Office on the web. or an auto-labeling policy.|
+|Applied sensitivity label to file|FileSensitivityLabelApplied|A sensitivity label was applied to a document by using Microsoft 365 apps, Office on the web, or an auto-labeling policy.|
|Changed sensitivity label applied to file|FileSensitivityLabelChanged<br /><br>SensitivityLabelUpdated|A different sensitivity label was applied to a document. <br /><br>The operations for this activity are different depending on how the label was changed:<br /> - Office on the web or an auto-labeling policy (FileSensitivityLabelChanged) <br /> - Microsoft 365 apps (SensitivityLabelUpdated)| |Changed sensitivity label on a site|SiteSensitivityLabelChanged|A different sensitivity label was applied to a SharePoint or Teams site.| |Removed sensitivity label from file|FileSensitivityLabelRemoved|A sensitivity label was removed from a document by using Microsoft 365 apps, Office on the web, an auto-labeling policy, or the [Unlock-SPOSensitivityLabelEncryptedFile](/powershell/module/sharepoint-online/unlock-sposensitivitylabelencryptedFile) cmdlet.|
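Review bot: The comma fix on the FileSensitivityLabelApplied row is correct; while this table is being touched, the cmdlet link in the unchanged FileSensitivityLabelRemoved row points at `/powershell/module/sharepoint-online/unlock-sposensitivitylabelencryptedFile`, whose slug is lowercase except for a capital F, so verify that the target resolves or lowercase the slug in the same change.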
compliance Insider Risk Management Activities https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-activities.md
To view activities for a user, first select **Create user activity report** and
- **User**: Search for a user by name or email address. - **Start date**: Use the calendar control to select the start date for user activities. - **End date**: Use the calendar control to select the end date for user activities. The end date selected must be greater than two days after the selected start date and no greater than 90 days from the selected start date.
-
+
+>[!NOTE]
+>User activity data is available for reporting approximately 48 hours after the activity occurred. For example, to review user activity data for December 1st, you'll need to make sure at least 48 hours have elapsed before creating the report (you'd create a report on December 3rd at the earliest).
+ New reports typically take up to 10 hours before they're ready for review. When the report is ready, you'll see *Report ready* in the **Status** column on the User activity report page. Select the user to view the detailed report: ![Insider risk management user activity report](../media/insider-risk-user-activity-report.png)
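Review bot: The new note's worked example (activity on December 1st, report on December 3rd at the earliest) does not say in which time zone the 48-hour window is measured, and it sits directly under the existing date-range rule in the bullet list (end date more than two days after the start date) without relating the two; state the time zone and say that the 48-hour lag applies in addition to that rule, so an analyst can compute when a report for a given day can actually be created.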
compliance Insider Risk Management Forensic Evidence Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-forensic-evidence-configure.md
To configure forensic evidence settings, complete the following steps:
### Step 4: Create a policy
-Forensic evidence policies define the scope of security-related user activity to capture on configured devices. You can have one policy that captures all activities approved users perform on their devices (all keystrokes, mouse movements, and so on) and additional policies that capture only specific activities (such as printing or exfiltrating files). Once created, you'll include these policies in forensic evidence requests to control what activity to capture for users whose requests are approved.
+Forensic evidence policies define the scope of security-related user activity to capture on configured devices. You can have one policy that captures all activities approved users perform on their devices and additional policies that capture only specific activities (such as printing or exfiltrating files). Once created, you'll include these policies in forensic evidence requests to control what activity to capture for users whose requests are approved.
1. In the [Microsoft Purview compliance portal](https://compliance.microsoft.com/), go to **Insider risk management** > **Forensic evidence (preview)** > **Forensic evidence policies**. 2. Select **Create forensic evidence policy**. 3. On the **Scope** page, you'll choose the scope of security-related user activity to capture. Select one of the following options: - **Specific activities**: This option only captures activities detected by policies that users are included in. These activities are defined by the indicators selected in forensic evidence policies. Captures for this option will be available for review on the **Forensic evidence (preview)** tab on the **Alerts** or **Cases** dashboard.
- - **All activities**: This option captures any activity performed by users. This includes mouse movement, keystrokes, and all activities defined by insider risk indicators. Captures for this option will be available for review on the **Forensic evidence (preview)** tab on the **User activity reports (preview)** dashboard.
+ - **All activities**: This option captures any activity performed by users. Captures for this option will be available for review on the **Forensic evidence (preview)** tab on the **User activity reports (preview)** dashboard.
4. Select **Next**. 5. On the **Name and description** page, complete the following fields: - **Name (required)**: Enter a friendly name for the forensic evidence policy. This name can't be changed after the policy is created.
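Review bot: Removing the parenthetical "(all keystrokes, mouse movements, and so on)" from the Step 4 intro and the matching sentence from the "All activities" option leaves the article with no description of what an "All activities" policy captures, which is the one fact a privacy or data-protection review of this step needs; if the removed wording was inaccurate, replace it with an accurate description of the capture scope rather than deleting it.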
compliance Insider Risk Management Forensic Evidence https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-forensic-evidence.md
The following tables include the supported minimum requirements for utilizing in
Depending how your organization decides to configure forensic evidence, there are two capturing options: - **Specific activities**: This policy option captures activity only when a triggering event has brought an approved user into scope for the forensic evidence policy and when the conditions for a policy indicator are detected for the user. For example, a user approved for forensic evidence capturing is brought in-scope to the forensic evidence policy and the user copies data to personal cloud storage services or portable storage devices. Capturing is scoped only to the configured time frame when the user is copying the data to the personal cloud storage service or portable storage device. Captures for this option will be available for review on the **Forensic evidence (preview)** tab on the **Alerts** dashboard.-- **All activities**: This policy option captures any activity performed by users. This includes mouse movement, keystrokes, and all activities defined by insider risk indicators. For example, your organization has a time-sensitive need for capturing activities for an approved user that is actively involved in potentially risky activities that may lead to a security incident. Policy indicators may not have reached the threshold for an alert to be generated by the policy and the potentially risky activity may not be documented. Continuous capturing help prevents the potentially risky activity from being missed or going undetected. Captures for this option will be available for review on the **Forensic evidence (preview)** tab on the **User activity reports (preview)** dashboard.
+- **All activities**: This policy option captures any activity performed by users. For example, your organization has a time-sensitive need for capturing activities for an approved user that is actively involved in potentially risky activities that may lead to a security incident. Policy indicators may not have reached the threshold for an alert to be generated by the policy and the potentially risky activity may not be documented. Continuous capturing help prevents the potentially risky activity from being missed or going undetected. Captures for this option will be available for review on the **Forensic evidence (preview)** tab on the **User activity reports (preview)** dashboard.
>[!IMPORTANT] >Forensic evidence clips are deleted 120 days after they're captured or at the end of the preview period, whichever is sooner. You can download or transfer forensic evidence clips before they're deleted.
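Review bot: The rewritten "All activities" bullet carries over the grammatical error "Continuous capturing help prevents" (should be "helps prevent"); fix it in the same edit since the line is already being rewritten. As in the configure article, dropping the sentence that described the capture scope leaves the "Specific activities" bullet with a concrete example and the "All activities" bullet with none.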
contentunderstanding Learn About Document Understanding Models Through The Sample Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/learn-about-document-understanding-models-through-the-sample-model.md
description: Learn about unstructured document processing models in Microsoft Sy
# Import a sample model for Microsoft Syntex
+<sup>**Applies to:** &ensp; &#10003; Unstructured document processing </sup>
+ Microsoft Syntex provides you with a sample unstructured document processing model you can use to examine, giving you a better understanding of how to create your own models. The sample model also allows you to examine model components, such as its classifier, extractors, and explanations. You can also use the sample files to train the model. ## Import the sample model
contentunderstanding Model Types Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/model-types-overview.md
description: Learn about custom models and prebuilt models in Microsoft Syntex.
# Overview of model types in Microsoft Syntex
+<sup>**Applies to:** &ensp; &#10003; All custom models &ensp; | &ensp; &#10003; All prebuilt models</sup>
+ Content understanding in Microsoft Syntex starts with AI models. Models let you identify and classify documents that are uploaded to SharePoint document libraries, and then to extract the information you need from each file. When applied to a SharePoint document library, the model is associated with a content type and has columns to store the information being extracted. The content type you create is stored in the SharePoint content type gallery. You can also choose to use existing content types to use their schema.
contentunderstanding Syntex Azure Billing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/syntex-azure-billing.md
This preview does not include structured or freeform document processing which u
To use Microsoft Syntex pay-as-you go, you need: -- An Azure subscription
+- An Azure subscription in the same tenant as Microsoft Syntex
- An Azure resource group in that subscription - An Azure storage account in that subscription if you want to create usage reports. (See [Azure Blob Storage pricing](https://azure.microsoft.com/pricing/details/storage) for pricing.)
contentunderstanding Train Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/train-model.md
description: Learn how to train custom models in Microsoft Syntex.
# Train your model in Microsoft Syntex
+<sup>**Applies to:** &ensp; &#10003; All custom models &ensp; </sup>
+ The steps to train your model depends on the type of model you are using. |Model type |Steps to train |
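Review bot: The added "Applies to" banner ends with `&ensp; </sup>`, leaving a dangling separator after the single item "All custom models"; the `&ensp; | &ensp;` sequence is a between-items separator (compare the two-item banner added to model-types-overview.md in this same update), so drop the trailing `&ensp;`.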
enterprise Microsoft 365 U S Government Dod Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-u-s-government-dod-endpoints.md
Title: Office 365 US Government DOD endpoints
Previously updated : 09/29/2022 Last updated : 01/03/2023 audience: ITPro
Office 365 requires connectivity to the Internet. The endpoints below should be
|Notes|Download| |||
-|**Last updated:** 09/29/2022 - ![RSS.](../media/5dc6bb29-25db-4f44-9580-77c735492c4b.png) [Change Log subscription](https://endpoints.office.com/version/USGOVDoD?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|**Download:** the full list in [JSON format](https://endpoints.office.com/endpoints/USGOVDoD?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|
+|**Last updated:** 01/03/2023 - ![RSS.](../media/5dc6bb29-25db-4f44-9580-77c735492c4b.png) [Change Log subscription](https://endpoints.office.com/version/USGOVDoD?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|**Download:** the full list in [JSON format](https://endpoints.office.com/endpoints/USGOVDoD?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|
| Start with [Managing Office 365 endpoints](managing-office-365-endpoints.md) to understand our recommendations for managing network connectivity using this data. Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This lets customers who don't yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you're using a script or a network device to access this data, you should go to the [Web service](microsoft-365-ip-web-service.md) directly.
enterprise Microsoft 365 U S Government Gcc High Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/microsoft-365-u-s-government-gcc-high-endpoints.md
Title: "Office 365 U.S. Government GCC High endpoints"
Previously updated : 09/29/2022 Last updated : 01/03/2023 audience: ITPro
Office 365 requires connectivity to the Internet. The endpoints below should be
|Notes|Download| |||
-|**Last updated:** 09/29/2022 - ![RSS.](../media/5dc6bb29-25db-4f44-9580-77c735492c4b.png) [Change Log subscription](https://endpoints.office.com/version/USGOVGCCHigh?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|**Download:** the full list in [JSON format](https://endpoints.office.com/endpoints/USGOVGCCHigh?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|
+|**Last updated:** 01/03/2023 - ![RSS.](../media/5dc6bb29-25db-4f44-9580-77c735492c4b.png) [Change Log subscription](https://endpoints.office.com/version/USGOVGCCHigh?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|**Download:** the full list in [JSON format](https://endpoints.office.com/endpoints/USGOVGCCHigh?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)|
| Start with [Managing Office 365 endpoints](managing-office-365-endpoints.md) to understand our recommendations for managing network connectivity using this data. Endpoints data is updated as needed at the beginning of each month with new IP Addresses and URLs published 30 days in advance of being active. This lets customers who don't yet have automated updates to complete their processes before new connectivity is required. Endpoints may also be updated during the month if needed to address support escalations, security incidents, or other immediate operational requirements. The data shown on this page below is all generated from the REST-based web services. If you're using a script or a network device to access this data, you should go to the [Web service](microsoft-365-ip-web-service.md) directly.
enterprise Urls And Ip Address Ranges 21Vianet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/urls-and-ip-address-ranges-21vianet.md
Title: "URLs and IP address ranges for Office 365 operated by 21Vianet"
Previously updated : 10/31/2022 Last updated : 01/03/2023 audience: ITPro
hideEdit: true
**Office 365 endpoints:** [Worldwide (including GCC)](urls-and-ip-address-ranges.md) | *Office 365 operated by 21 Vianet* | [Office 365 U.S. Government DoD](microsoft-365-u-s-government-dod-endpoints.md) | [Office 365 U.S. Government GCC High](microsoft-365-u-s-government-gcc-high-endpoints.md) |
-**Last updated:** 10/31/2022 - ![RSS.](../media/5dc6bb29-25db-4f44-9580-77c735492c4b.png) [Change Log subscription](https://endpoints.office.com/version/China?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)
+**Last updated:** 01/03/2023 - ![RSS.](../media/5dc6bb29-25db-4f44-9580-77c735492c4b.png) [Change Log subscription](https://endpoints.office.com/version/China?allversions=true&format=rss&clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7)
**Download:** all required and optional destinations in one [JSON formatted](https://endpoints.office.com/endpoints/China?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7) list.
frontline Ehr Admin Cerner https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/ehr-admin-cerner.md
appliesto:
- Microsoft 365 for frontline workers description: Learn how to integrate the Teams EHR connector to enable healthcare providers in your organization to conduct virtual appointments with patients or other providers in Teams directly from the Cerner EHR system. Previously updated : 12/15/2022 Last updated : 01/05/2023 # Virtual Appointments with Teams - Integration into Cerner EHR
The communication and collaboration platform of Teams makes it easy for clinicia
This article describes how to set up and configure the Teams EHR connector to integrate with the Cerner platform. It also gives you an overview of the Teams Virtual Appointments experience from the Cerner EHR system.
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE5d6gj]
+ ## Before you begin > [!NOTE]
lighthouse M365 Lighthouse Deploy Standard Tenant Configurations Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-deploy-standard-tenant-configurations-overview.md
Microsoft 365 Lighthouse baselines provide a repeatable and scalable way for you
To view the Microsoft 365 Lighthouse default baseline that applies to all tenants, select **Deployment > Baselines** from the left navigation pane.
+## Watch: Deploy baselines demonstration
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE5dQib]
+ ## Microsoft 365 Lighthouse default baseline The Microsoft 365 Lighthouse default baseline is designed to ensure all managed tenants are healthy and secure. To view the tasks included in the default baseline, select **Default baseline** from the list. Select any of the tasks to view additional details about the task and the associated user impact.
lighthouse M365 Lighthouse Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-overview.md
No additional costs are associated with using Lighthouse to manage Microsoft 365
For more information about the CSP program, see the [Cloud Solution Provider program overview](/partner-center/csp-overview). > [!NOTE]
-> A similar offering, Azure Lighthouse, helps service providers deliver managed services for Azure services by using comprehensive and robust management tooling built into the Azure platform. To learn more, see [What is Azure Lighthouse?](/azure/lighthouse/overview)
+> A similar offering, Azure Lighthouse, helps service providers deliver managed services for Azure services by using comprehensive and robust management tooling built into the Azure platform. To learn more, see [What is Azure Lighthouse?](/azure/lighthouse/overview)
## Watch: What is Microsoft 365 Lighthouse?
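Review bot: The removed and added NOTE lines are textually identical, so this pair is a whitespace-only change (trailing whitespace or line ending); that is fine, but it should be called out in the commit message so reviewers do not hunt for a content difference.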
For more information about the CSP program, see the [Cloud Solution Provider pro
Lighthouse helps MSPs secure and manage Microsoft 365 services and connected endpoints at scale by: -- Providing tenant deployment journeys so technicians can follow a consistent set of steps to secure and configure customer tenants. -- Using a default SMB security baseline that prescribes best practices targeted to small- and medium-sized business tenants.
+- Providing tenant deployment journeys so technicians can follow a consistent set of steps to secure and configure customer tenants.
+- Using a default SMB security baseline that prescribes best practices targeted to small- and medium-sized business tenants.
- Providing multi-tenant insights on device compliance for a clear view of how devices are being evaluated across all organizations, tools to compare policies, and the top settings that aren't being met. - Simplifying common tasks like resetting a password.-- Configuring multifactor authentication and self-service password reset, including tools to help drive adoption by users.
+- Configuring multifactor authentication and self-service password reset, including tools to help drive adoption by users.
- Understanding and protecting against risky sign-ins. - Managing threats on Windows 10 devices by providing details on threats detected by Microsoft 365 Defender and actions to take to resolve issues and keep devices up to date. - Providing insights into Microsoft 365 service incidents and advisories that impact the customer tenants they manage.
+## Watch: Microsoft 365 Lighthouse demonstration
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE5e61O]
+ > [!NOTE] > For more information on how to sign up, see [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md). ## Related content [Sign up for Microsoft 365 Lighthouse](m365-lighthouse-sign-up.md) (article)
-[Overview of the Tenants page in Microsoft 365 Lighthouse](m365-lighthouse-tenants-page-overview.md) (article)
-[Overview of the Device compliance page in Microsoft 365 Lighthouse](m365-lighthouse-device-compliance-page-overview.md) (article)
-[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)
+[Overview of the Tenants page in Microsoft 365 Lighthouse](m365-lighthouse-tenants-page-overview.md) (article)
+[Overview of the Device compliance page in Microsoft 365 Lighthouse](m365-lighthouse-device-compliance-page-overview.md) (article)
+[Microsoft 365 Lighthouse FAQ](m365-lighthouse-faq.yml) (article)
[Microsoft Defender for Business](../security/defender-business/index.yml) (link page)
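Review bot: Splitting the run-together bullets into one item per line is the right fix, but the "Simplifying common tasks like resetting a password." item is still fused with the following "Configuring multifactor authentication..." item in the unchanged context; split it the same way. The three Related content links at the end are removed and re-added verbatim, so that part of the change is whitespace-only and deserves a mention in the commit message.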
lighthouse M365 Lighthouse Setup Gdap https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-setup-gdap.md
description: "For Managed Service Providers (MSPs) using Microsoft 365 Lighthous
# Set up GDAP for your customers -
-> [!NOTE]
-> This feature is rolling out at different speeds to our customers. If you aren't seeing this feature yet, you should see it soon.
- Partners onboarded to Microsoft 365 Lighthouse can now set up all their customers with Granular Delegated Administrative Privileges (GDAP) through Lighthouse, regardless of their licenses or size. Lighthouse enables partners to quickly transition their organization to GDAP and begin the journey to least-privilege for their delegated access to customers. By setting up your organization with GDAP for the customer tenants you manage, users in your organization have the permissions necessary to do their work while keeping customer tenants secure. Delegated access via DAP or GDAP is a prerequisite for customers to be fully onboard to Lighthouse. Therefore, creating GDAP relationships may be the first step in managing your customers in Lighthouse. During the GDAP setup process, you'll assign roles to tiers of job functions for employees in your organization and then create GDAP templates that will assign those tiered roles to specific security groups with users for groups of customers. GDAP roles are scoped to [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference), and when you set up GDAP, you'll see recommendations for a set of roles needed for each tier.
+## Watch: Set up GDAP demonstration
+
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE5e61P]
+ ## Before you begin - You'll need to have specific permissions in your own tenant:
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
### [Device discovery]() #### [Device discovery overview](device-discovery.md) #### [Configure device discovery](configure-device-discovery.md)
-#### [Microsoft Defender for IoT integration](/azure/defender-for-iot/organizations/eiot-defender-for-endpoint/)
-#### [Enable Corelight data integration](corelight-integration.md)
+#### [Enable Corelight as a data source](corelight-integration.md)
+#### [Enterprise IoT security]()
+##### [Securing IoT devices in the enterprise](/azure/defender-for-iot/organizations/concept-enterprise/)
+##### [Enable Enterprise IoT security with Defender for Endpoint](/azure/defender-for-iot/organizations/eiot-defender-for-endpoint/)
+##### [Manage Defender for IoT plans](/azure/defender-for-iot/organizations/manage-subscriptions-enterprise/)
+##### [Enhance Enterprise IoT discovery](/azure/defender-for-iot/organizations/eiot-sensor/)
#### [Device discovery FAQ](device-discovery-faq.md)
-### [Device inventory]()
+### [Authenticated scans]()
+#### [Network devices](network-devices.md)
+#### [Windows authenticated scan](../defender-vulnerability-management/windows-authenticated-scan.md)
+
+### [Devices]()
#### [Device inventory](machines-view-overview.md) #### [Exclude devices](exclude-devices.md) #### [Device timeline](device-timeline-event-flag.md) #### [Manage device group and tags](machine-tags.md)
-### [Authenticated scans]()
-#### [Network devices](network-devices.md)
-#### [Windows authenticated scan](../defender-vulnerability-management/windows-authenticated-scan.md)
- ### [Host firewall reporting in Microsoft Defender for Endpoint](host-firewall-reporting.md) ### [Built-in protection](built-in-protection.md)
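Review bot: The Authenticated scans block is a verbatim move of the removed entries further down, and the removed "Microsoft Defender for IoT integration" link survives as "Enable Enterprise IoT security with Defender for Endpoint" under the new Enterprise IoT security node, so no targets are lost. The one thing to verify is the renamed entry "Enable Corelight as a data source": the corelight-integration.md change in this same update titles the article "Enable Corelight as data source", and the TOC text and the article title should match.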
security Attack Surface Reduction Rules Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-report.md
Filtering provides a way for you to specify what results are returned:
> [!NOTE] > When filtering by rule, the number of individual _detected_ items listed in the lower half of the report is currently limited to 200 rules. You can use **Export** to save the full list of detections to Excel.
+> [!TIP]
+> As the filter currently functions in this release, every time you want to "group by", you must first scroll down to last detection in the list to load the complete data set. After you have loaded the complete data set, you can then launch the "sort by" filtering. If you don't scroll down to last detection listed on every use or when changing filtering options (for example, the ASR rules applied to the current filter run), then results will be incorrect for any result that has more than one viewable page of listed detections.
+ >:::image type="content" source="images/attack-surface-reduction-rules-report-main-tabs-search-configuration-tab.png" alt-text="Screenshot that shows the ASR rules report search feature on the configuration tab." lightbox="images/attack-surface-reduction-rules-report-main-tabs-search-configuration-tab.png"::: > [!div class="mx-imgBorder"]
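Review bot: The new TIP and the NOTE above it give two different pictures of the lower detection list: the NOTE says it is limited to 200 items and points to Export for the full list, while the TIP says scrolling to the last detection "loads the complete data set" and that group-by results are otherwise incorrect. State whether "complete" means up to the 200-item cap, and change "scroll down to last detection" to "scroll down to the last detection" in both sentences. Because the text describes a defect in the current release rather than a usage tip, a known-issue callout naming the affected release would serve readers better than a TIP.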
security Configure Network Connections Microsoft Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus.md
Previously updated : 10/13/2022 Last updated : 12/28/2022 - m365-security
The table in this section lists services and their associated website addresses
Make sure that there are no firewall or network filtering rules denying access to these URLs. Otherwise, you must create an allow rule specifically for those URLs (excluding the URL `*.blob.core.windows.net`). The URLs in the following table use port 443 for communication.
-<br/><br/>
- |Service and description|URL| |||
-|Microsoft Defender Antivirus cloud-delivered protection service is referred as Microsoft Active Protection Service (MAPS).<p> The Microsoft Defender Antivirus uses the MAPS service to provide cloud-delivered protection.|`*.wdcp.microsoft.com` <p> `*.wdcpalt.microsoft.com` <p> `*.wd.microsoft.com`|
+|Microsoft Defender Antivirus cloud-delivered protection service is referred as Microsoft Active Protection Service (MAPS).<p> Microsoft Defender Antivirus uses the MAPS service to provide cloud-delivered protection.|`*.wdcp.microsoft.com` <p> `*.wdcpalt.microsoft.com` <p> `*.wd.microsoft.com` <p> `ctldl.windows.com` |
|Microsoft Update Service (MU) and Windows Update Service (WU) <p>These services will allow security intelligence and product updates.|`*.update.microsoft.com` <p> `*.delivery.mp.microsoft.com`<p> `*.windowsupdate.com` <p> For more information, see [Connection endpoints for Windows Update](/windows/privacy/manage-windows-1709-endpoints#windows-update)| |Security intelligence updates Alternate Download Location (ADL)<p>This is an alternate location for Microsoft Defender Antivirus Security intelligence updates, if the installed Security intelligence is out of date (Seven or more days behind).|`*.download.microsoft.com` <p> `*.download.windowsupdate.com`<p> `go.microsoft.com`<p> `https://www.microsoft.com/security/encyclopedia/adlpackages.aspx` <p> `https://definitionupdates.microsoft.com/download/DefinitionUpdates/` <p> `https://fe3cr.delivery.mp.microsoft.com/ClientWebService/client.asmx`| |Malware submission storage <p>This is an upload location for files submitted to Microsoft via the Submission form or automatic sample submission.|`ussus1eastprod.blob.core.windows.net` <p> `ussus2eastprod.blob.core.windows.net` <p> `ussus3eastprod.blob.core.windows.net` <p> `ussus4eastprod.blob.core.windows.net` <p> `wsus1eastprod.blob.core.windows.net` <p> `wsus2eastprod.blob.core.windows.net` <p> `ussus1westprod.blob.core.windows.net` <p> `ussus2westprod.blob.core.windows.net` <p> `ussus3westprod.blob.core.windows.net` <p> `ussus4westprod.blob.core.windows.net` <p> `wsus1westprod.blob.core.windows.net` <p> `wsus2westprod.blob.core.windows.net` <p> `usseu1northprod.blob.core.windows.net` <p> `wseu1northprod.blob.core.windows.net` <p> `usseu1westprod.blob.core.windows.net` <p> `wseu1westprod.blob.core.windows.net` <p> `ussuk1southprod.blob.core.windows.net` <p> `wsuk1southprod.blob.core.windows.net` <p> `ussuk1westprod.blob.core.windows.net` <p> `wsuk1westprod.blob.core.windows.net`| |Certificate Revocation List (CRL) <p> Windows use this list while creating the SSL connection 
to MAPS for updating the CRL.|`http://www.microsoft.com/pkiops/crl/` <p> `http://www.microsoft.com/pkiops/certs` <p> `http://crl.microsoft.com/pki/crl/products` <p> `http://www.microsoft.com/pki/certs`|
-|Symbol Store <p>Microsoft Defender Antivirus use the Symbol Store to restore certain critical files during the remediation flows.|`https://msdl.microsoft.com/download/symbols`|
+|Symbol Store <p>Microsoft Defender Antivirus uses the Symbol Store to restore certain critical files during the remediation flows.|`https://msdl.microsoft.com/download/symbols`|
|Universal GDPR Client <p> Windows use this client to send the client diagnostic data. <p> Microsoft Defender Antivirus uses General Data Protection Regulation for product quality, and monitoring purposes.|The update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: <p> `vortex-win.data.microsoft.com` <p> `settings-win.data.microsoft.com`|
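Review bot: `ctldl.windows.com` is appended to the MAPS row without any change to that row's description, so a reader building allow rules cannot tell why a cloud-protection entry needs it; it is the Windows certificate trust list (CTL) download host, so it belongs beside the certificate/CRL row or needs a sentence in the MAPS description explaining its role. Relatedly, the intro sentence says the URLs in the table use port 443, but the CRL row lists `http://` URLs, which are fetched over port 80; correct either the intro or that row.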
security Corelight Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/corelight-integration.md
Title: Enable Corelight integration in Microsoft Defender for Endpoint
+ Title: Enable Corelight as data source in Microsoft Defender for Endpoint
description: Enable Corelight integration to gain visibility focused on IoT/OT devices in areas of the network where MDE is not deployed keywords: enable siem connector, siem, connector, security information and events search.product: eADQiWindows 10XVcnh
-# Enable Corelight data integration
+# Enable Corelight as data source in Microsoft Defender for Endpoint
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
With this data source enabled, all events from Corelight network appliances are
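Review bot: the new H1 "Enable Corelight as data source in Microsoft Defender for Endpoint" is out of step with the rest of the article: the description line still says "Enable Corelight integration", the section heading below still reads "Enabling the Corelight integration", and device-discovery.md links here with the text "Enable Corelight data integration". Either keep "data integration" in the title or update the description, the section heading and the inbound link text together. Minor: "as a data source" (article missing).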
1. To setup the Corelight data integration, the user must have the following roles: - Tenant Global Administrator in Azure Active Directory - Security Administrator for the Azure subscription that will be used for the Microsoft Defender for IoT integration
-2. An onboarded Defender for IoT plan. For more information, see [Onboard Microsoft Defender for IoT with Microsoft Defender for Endpoint](enable-microsoft-defender-for-iot-integration.md).
+2. An onboarded Defender for IoT plan. For more information, see [Enable Enterprise IoT security with Defender for Endpoint](/azure/defender-for-iot/organizations/eiot-defender-for-endpoint/).
## Enabling the Corelight integration
security Defender Endpoint Plan 1 2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-plan-1-2.md
Suppose that your organization is using a mix of Microsoft endpoint security sub
However, **you can contact support and request an override for your tenant experience**. That is, you could request an override to keep the Defender for Endpoint Plan 1 experience for all users. -- For details about licenses and product terms, see [Licensing and product terms for Microsoft 365 subscriptions](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA).
+- For more information about licenses and product terms, see [Licensing and product terms for Microsoft 365 subscriptions](https://www.microsoft.com/licensing/terms/productoffering/Microsoft365/MCA).
- For information about how to contact support, see [Contact Microsoft Defender for Endpoint support](contact-support.md). > [!TIP]
-> If your organization is a small or medium-sized business, see the following articles:
-> - [What is Microsoft Defender for Business?](../defender-business/mdb-overview.md)
-> - [Compare security features in Microsoft 365 plans for small and medium-sized businesses](../defender-business/compare-mdb-m365-plans.md).
+> If your organization is a small or medium-sized business, see [What happens if I have a mix of Microsoft endpoint security subscriptions](/microsoft-365/security/defender-business/mdb-faq#what-happens-if-i-have-a-mix-of-microsoft-endpoint-security-subscriptions)?
## Start a trial
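Review bot: in the new tip the question mark belongs inside the link text, since the linked FAQ heading is itself a question: `see [What happens if I have a mix of Microsoft endpoint security subscriptions?](...)`. The replacement also drops the direct links to the Defender for Business overview and the plan comparison; if those remain the intended entry points for small and medium-sized businesses, keep them alongside the FAQ link rather than replacing them.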
security Device Discovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-discovery.md
To address the challenge of gaining enough visibility to locate, identify, and s
- **Corelight**: Microsoft has partnered with Corelight to receive data from Corelight network appliances. This provides Microsoft 365 Defender with increased visibility into the network activities of unmanaged devices, including communication with other unmanaged devices or external networks. for more information, see [Enable Corelight data integration](corelight-integration.md). -- **Microsoft Defender for IoT**: This integration combines Microsoft Defender for Endpoint's device discovery capabilities, with the agentless monitoring capabilities of Microsoft Defender for IoT, to secure enterprise IoT devices connected to an IT network (for example, Voice over Internet Protocol (VoIP), printers, and smart TVs). For more information, see [Enable Microsoft Defender for IoT integration](enable-microsoft-defender-for-iot-integration.md).
+- **Microsoft Defender for IoT**: This integration combines Microsoft Defender for Endpoint's device discovery capabilities, with the agentless monitoring capabilities of Microsoft Defender for IoT, to secure enterprise IoT devices connected to an IT network (for example, Voice over Internet Protocol (VoIP), printers, and smart TVs). For more information, see [Enable Enterprise IoT security with Defender for Endpoint](/azure/defender-for-iot/organizations/eiot-defender-for-endpoint/).
## Vulnerability assessment on discovered devices
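Review bot: the Corelight bullet left as context still starts a sentence in lowercase ("external networks. for more information, see") and its link text "Enable Corelight data integration" no longer matches the renamed target article ("Enable Corelight as data source in Microsoft Defender for Endpoint"). Fix both while this bullet list is being edited, since only the Defender for IoT bullet was touched.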
security Tune Performance Defender Antivirus https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus.md
ms.localizationpriority: medium
audience: ITPro Previously updated : 08/13/2022 Last updated : 01/05/2023 - m365-security
search.appverid: met150
Similar to the way mechanics perform diagnostics and service on a vehicle that has performance problems, performance analyzer can help you improve Defender Antivirus performance.
->:::image type="content" source="images/performance-analyzer-improve-defender-antivirus-performance.png" alt-text="Conceptual performance analyzer image for Microsoft Defender Antivirus. The diagram is related to: Microsoft Defender performance analyzer, defender performance analyzer, Get-MpPerformanceRepor, New-MpPerformanceRecording, windows defender, microsoft defender, microsoft windows 10, microsoft defender antivirus, micro soft windows 11, windows antivirus, microsoft antivirus, windows defender antivirus, Windows 10 antivirus, microsoft windows defender, performance windows. " lightbox="images/performance-analyzer-improve-defender-antivirus-performance.png":::
Some options to analyze include:
Starting with Defender version 4.18.2206.X, users will be able to view scan sk
### For CSV - **To export**:
-`(Get-MpPerformanceReport -Path:.\Repro-Install.etl -Topscans:1000). TopScans | Export-CSV -Path:.\Repro-Install-Scans.csv -Encoding:UTF8 -NoTypeInformation`
+`(Get-MpPerformanceReport -Path .\Repro-Install.etl -Topscans 1000). TopScans | Export-CSV -Path .\Repro-Install-Scans.csv -Encoding UTF8 -NoTypeInformation`
- **To convert**:
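Review bot: the changed export command keeps a space in the member access `). TopScans`; the fenced examples further down write member access with no space, so drop it here and in the ConvertTo-Csv and ConvertTo-Json variants (or say explicitly that the space is intended). The parameter is also spelled `-Topscans` here but `-TopScans` in the later examples; PowerShell parameter names are case-insensitive, so this is a consistency point only, but the documented spelling should match throughout.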
-`(Get-MpPerformanceReport -Path:.\Repro-Install.etl -Topscans:100). TopScans | ConvertTo-Csv -NoTypeInformation`
+`(Get-MpPerformanceReport -Path .\Repro-Install.etl -Topscans 100). TopScans | ConvertTo-Csv -NoTypeInformation`
### For JSON - **To convert**:
-`(Get-MpPerformanceReport -Path:.\Repro-Install.etl -Topscans:1000). TopScans | ConvertTo-Json -Depth:1`
+`(Get-MpPerformanceReport -Path .\Repro-Install.etl -Topscans 1000). TopScans | ConvertTo-Json -Depth 1`
To ensure machine-readable output for exporting with other data processing systems, it is recommended to use -Raw parameter for Get-MpPerformanceReport. See below for details
Windows Version 10 and later.
##### Example 1: Collect a performance recording and save it ```powershell
-New-MpPerformanceRecording -RecordTo:.\Defender-scans.etl
+New-MpPerformanceRecording -RecordTo .\Defender-scans.etl
``` The above command collects a performance recording and saves it to the specified path: **.\Defender-scans.etl**.
The above command collects a performance recording on Server02 (as specified by
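Review bot: both `-RecordTo:.\Defender-scans.etl` and `-RecordTo .\Defender-scans.etl` are valid PowerShell, so this and the following hunks are a style normalization rather than a fix for a broken command; say so in the commit message (or a short note in the article) so readers who already have scripts using the colon form do not conclude they must change them.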
##### Example 3: Collect a performance recording in non-interactive mode ```powershell
-New-MpPerformanceRecording -RecordTo:.\Defender-scans.etl -Seconds 60
+New-MpPerformanceRecording -RecordTo .\Defender-scans.etl -Seconds 60
``` The above command collects a performance recording for the duration in seconds specified by parameter -Seconds. This is recommended for users conducting batch collections that require no interaction or prompt.
Windows Version 10 and later.
##### Example 1: Single query ```powershell
-Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:20
+Get-MpPerformanceReport -Path .\Defender-scans.etl -TopScans 20
``` ##### Example 2: Multiple queries ```powershell
-Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopFiles:10 -TopExtensions:10 -TopProcesses:10 -TopScans:10
+Get-MpPerformanceReport -Path .\Defender-scans.etl -TopFiles 10 -TopExtensions 10 -TopProcesses 10 -TopScans 10
``` ##### Example 3: Nested queries ```powershell
-Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopProcesses:10 -TopExtensionsPerProcess:3 -TopScansPerExtensionPerProcess:3
+Get-MpPerformanceReport -Path .\Defender-scans.etl -TopProcesses 10 -TopExtensionsPerProcess 3 -TopScansPerExtensionPerProcess 3
``` ##### Example 4: Using -MinDuration parameter ```powershell
-Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopScans:100 -MinDuration:100ms
+Get-MpPerformanceReport -Path .\Defender-scans.etl -TopScans 100 -MinDuration 100ms
``` ##### Example 5: Using -Raw parameter ```powershell
-Get-MpPerformanceReport -Path:.\Defender-scans.etl -TopFiles:10 -TopExtensions:10 -TopProcesses:10 -TopScans:10 -Raw | ConvertTo-Json
+Get-MpPerformanceReport -Path .\Defender-scans.etl -TopFiles 10 -TopExtensions 10 -TopProcesses 10 -TopScans 10 -Raw | ConvertTo-Json
``` Using \-Raw in the above command specifies that the output should be machine readable and readily convertible to serialization formats like JSON
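Review bot: Example 5 pipes the `-Raw` output to `ConvertTo-Json` with no `-Depth`, whereas the JSON conversion in the CSV/JSON section above uses `-Depth 1`. `ConvertTo-Json` defaults to a depth of 2 and truncates deeper nesting, so for a report that combines TopFiles, TopExtensions, TopProcesses and TopScans either state the intended depth explicitly or explain why the default is sufficient. The explanatory sentence after the fence is also missing its full stop.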
security Whats New In Microsoft Defender Endpoint https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/whats-new-in-microsoft-defender-endpoint.md
For more information on Microsoft Defender for Endpoint on specific operating sy
- Discover IoT devices (preview): [Device discovery](device-discovery.md) now has the ability to help you find unmanaged IoT devices connected to your corporate network. This gives you a single unified view of your IoT inventory alongside the rest of your IT devices (workstations, servers, and mobile). -- [Microsoft Defender for IoT integration (preview)](enable-microsoft-defender-for-iot-integration.md): This integration enhances your device discovery capabilities with the agentless monitoring capabilities provided by Microsoft Defender for IoT. This provides increased visibility to help locate, identify, and secure the IoT devices in your network.
+- Microsoft Defender for IoT integration (preview): See [Enable Enterprise IoT security with Defender for Endpoint](/azure/defender-for-iot/organizations/eiot-defender-for-endpoint/). This integration enhances your device discovery capabilities with the agentless monitoring capabilities provided by Microsoft Defender for IoT. This provides increased visibility to help locate, identify, and secure the IoT devices in your network.
## November 2021
security Tvm Security Recommendation https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/tvm-security-recommendation.md
To see the list of security recommendations that apply to a device you can:
:::image type="content" source="../../media/defender-vulnerability-management/security-recommendation-devicepage.png" alt-text="Screenshot of the certificate inventory page" lightbox="../../media/defender-vulnerability-management/security-recommendation-devicepage.png"::: > [!NOTE]
-> If you have the [Microsoft Defender for IoT](/azure/defender-for-iot/organizations/index.yml) integration enabled in Defender for Endpoint, recommendations for Enterprise IoT devices that appear on IoT devices tab will appear on the security recommendations page. For more information, see [Enable Microsoft Defender for IoT integration](../defender-endpoint/enable-microsoft-defender-for-iot-integration.md)
+> If you have the [Microsoft Defender for IoT](/azure/defender-for-iot/organizations/concept-enterprise/) integration enabled in Defender for Endpoint, recommendations for Enterprise IoT devices that appear on IoT devices tab will appear on the security recommendations page. For more information, see [Enable Enterprise IoT security with Defender for Endpoint](/azure/defender-for-iot/organizations/eiot-defender-for-endpoint/).
## Request remediation
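Review bot: the rewritten note is missing an article: "recommendations for Enterprise IoT devices that appear on IoT devices tab" should read "on the IoT devices tab". Separately, the image directly above the note uses the alt text "Screenshot of the certificate inventory page" for an image named security-recommendation-devicepage.png; the alt text looks copied from another article and should describe the security recommendations view of the device page.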
security Microsoft Secure Score Improvement Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score-improvement-actions.md
Ranking is based on the number of points left to achieve, implementation difficu
When you select a specific recommended action, a full page flyout appears. To complete the action, you have a few options:
Choose any statuses and record notes specific to the recommended action.
- **To address** - You recognize that the recommended action is necessary and plan to address it at some point in the future. This state also applies to actions that are detected as partially, but not fully completed. - **Planned** - There are concrete plans in place to complete the recommended action.-- **Risk accepted** - Security should always be balanced with usability, and not every recommendation will work for your environment. When that is the case, you can choose to accept the risk, or the remaining risk, and not enact the recommended action. You won't be given any points, but the action will no longer be visible in the list of recommended actions. You can view this action in history or undo it at any time.
+- **Risk accepted** - Security should always be balanced with usability, and not every recommendation will work for your environment. When that is the case, you can choose to accept the risk, or the remaining risk, and not enact the recommended action. You won't be given any points for this status. You can view this action in history or undo it at any time.
- **Resolved through third party** and **Resolved through alternate mitigation** - The recommended action has already been addressed by a third-party application or software, or an internal tool. You'll gain the points that the action is worth, so your score better reflects your overall security posture. If a third party or internal tool no longer covers the control, you can choose another status. Keep in mind, Microsoft will have no visibility into the completeness of implementation if the recommended action is marked as either of these statuses. #### Recommended action status for devices
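Review bot: the new Risk accepted text drops the statement that the action disappears from the recommended actions list but does not say where it goes instead; the next sentence still says the action can be viewed "in history". State explicitly whether a risk-accepted action stays in the main list (and how it is marked) so admins know where to find accepted risks when they revisit them.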
security Create Safe Sender Lists In Office 365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/create-safe-sender-lists-in-office-365.md
The following example assumes you need email from contoso.com to skip spam filte
1. **Condition**: **The sender** \> **domain is** \> contoso.com. 2. Configure either of the following settings:-
- - **Mail flow rule condition**: **A message header** \> **includes any of these words** \> **Header name**: `Authentication-Results` \> **Header value**: `dmarc=pass` or `dmarc=bestguesspass`.
+ - **Mail flow rule condition**: **The message headers** \> **includes any of these words**:
+ - **Header name**: `Authentication-Results`
+ - **Header value**: `dmarc=pass` or `dmarc=bestguesspass` (add both values).
This condition checks the email authentication status of the sending email domain to ensure that the sending domain is not being spoofed. For more information about email authentication, see [SPF](email-authentication-spf-configure.md), [DKIM](email-authentication-dkim-configure.md), and [DMARC](email-authentication-dmarc-configure.md).
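Review bot: the expanded condition tells the reader to add both `dmarc=pass` and `dmarc=bestguesspass` as header values but does not say what distinguishes them; because this rule bypasses spam filtering for every matching message from contoso.com, the article should explain when a `bestguesspass` result is produced so an admin can decide whether to accept that weaker evidence or use `dmarc=pass` alone. A sentence on why the sender-domain condition in step 1 is still required alongside the header condition would also help, since "includes any of these words" matches against the whole Authentication-Results header value.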
The following example assumes you need email from contoso.com to skip spam filte
> - If you allow an IP address that's behind a network address translation (NAT) gateway, you need to know the servers that are involved in the NAT pool in order to know the scope of your IP Allow List. IP addresses and NAT participants can change. You need to periodically check your IP Allow List entries as part of your standard maintenance procedures. 3. **Optional conditions**:- - **The sender** \> **is internal/external** \> **Outside the organization**: This condition is implicit, but it's OK to use it to account for on-premises email servers that might not be correctly configured. - **The subject or body** \> **subject or body includes any of these words** \> \<keywords\>: If you can further restrict the messages by keywords or phrases in the subject line or message body, you can use those words as a condition.
-4. **Action**: Configure both of these actions in the rule:
-
+4. **Action**: Configure both of the following actions in the rule:
1. **Modify the message properties** \> **set the spam confidence level (SCL)** \> **Bypass spam filtering**.
- 2. **Modify the message properties** \> **set a message header**: **Set the message header** \<CustomHeaderName\> **to the value** \<CustomHeaderValue\>.
+ 2. **Modify the message properties** \> **set a message header**:
+ - **Header name**: For example, `X-ETR`.
+ - **Heaver value**: For example, `Bypass spam filtering for authenticated sender 'contoso.com'`.
- For example, `X-ETR: Bypass spam filtering for authenticated sender 'contoso.com'`. If you have more than one domain in the rule, you can customize the header text as appropriate.
+ If you have more than one domain in the rule, you can customize the header text as appropriate.
- When a message skips spam filtering due to a mail flow rule, the value `SFV:SKN` value is stamped in the **X-Forefront-Antispam-Report** header. If the message is from a source that's on the IP Allow List, the value `IPV:CAL` is also added. These values can help you with troubleshooting.
+When a message skips spam filtering due to a mail flow rule, the value `SFV:SKN` value is stamped in the **X-Forefront-Antispam-Report** header. If the message is from a source that's on the IP Allow List, the value `IPV:CAL` is also added. These values can help you with troubleshooting.
- :::image type="content" source="../../media/1-AllowList-SkipFilteringFromContoso.png" alt-text="The Mail flow rule settings in the EAC for bypassing spam filtering" lightbox="../../media/1-AllowList-SkipFilteringFromContoso.png":::
## Use Outlook Safe Senders
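Review bot: typo in the new action text: "**Heaver value**" should be "**Header value**". The commit also removes the EAC screenshot (1-AllowList-SkipFilteringFromContoso.png) without a replacement; if the image was merely outdated rather than wrong, an updated screenshot of the finished rule would help, since the procedure is now entirely prose.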