-1. Course owners can [create and share check-ins](https://support.microsoft.com/topic/c6cbbacc-5655-450e-bca9-988ddc506017).

-1. Once check-ins are created, course members can access and respond to them in their Reflect tab.

-Defender for Endpoint on Android enables bulk tagging the mobile devices during onboarding by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to userΓÇÖs devices. Once the User installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory.

-Defender for Endpoint on Android enables bulk tagging the mobile devices during onboarding by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to userΓÇÖs devices. Once the User installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory.

-> Microsoft Defender for Endpoint's **Anti malware engine** is now generally available. All the users are required to have a Microsoft Defender for Endpoint version above **1.0.3815.0000** to utilize this new malware protection capability. Users on Microsoft Defender for Endpoint version below 1.0.3815.0000 will be sent notifications and in-app overlay messages to update their Microsoft Defender for Endpoint application. Users can click on the link provided in the overlay message to go to the managed play store and update the application.

-Mobile Device Tagging is now generally available. This feature enables bulk tagging the mobile devices by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to userΓÇÖs devices. Once the user installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory.

-This configuration is available for both the enrolled (MDM) devices as well as unenrolled (MAM) devices. For more information, see [Device Tagging (MDM)](/microsoft-365/security/defender-endpoint/android-configure#device-tagging) and [Device Tagging (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam#device-tagging).

-MDE is now generally available on AE COPE devices. Enterprises can onboard devices on COPE mode and push MDE to user's devices through the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). With this support, Android Enterprise COPE devices will get the full capabilities of our offering on Android including phishing and web protection, malware scanning, Network protection (preview) and additional breach prevention through integration with Microsoft Intune and Conditional Access. Read the announcement [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-is-now-available-on-android/ba-p/3626100).

-Microsoft Defender for Endpoint on Android enables Privacy Controls for both the Admins and the End Users. This includes the controls for enrolled (MDM) as well as unenrolled (MAM) devices. Admins can configure the privacy in the alert report while End Users can configure the information shared to their organization. For more information, see [privacy controls(MDM)](/microsoft-365/security/defender-endpoint/android-configure#privacy-controls) and [privacy controls (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam#configure-privacy-controls).

-## Microsoft defender on Android enterprise BYOD personal profile

-Network Protection on Microsoft Defender for Endpoint is now available. Network protection provides protection against rogue Wi-Fi related threats, rogue hardware like pineapple devices and notifies the user if a related threat is detected. Users will also see a guided experience to connect to secure networks and change networks when they are connected to an unsecure connection.

-It includes several admin controls to offer flexibility, such as the ability to configure the feature from within the Microsoft Intune admin center. Admins can also enable privacy controls to configure the data that is sent by Defender for Endpoint from Android devices. For more information, see [network protection](/microsoft-365/security/defender-endpoint/android-configure).

-> Microsoft Defender is no longer supported for versions below 1.0.3011.0302. Users are requested to upgrade to latest versions to keep their devices secure.

-Microsoft Defender for Endpoint is now available as **Microsoft Defender** in the play store. With this update, the app will be available as preview for **Consumers in the US region** - based on how you log into the app with your work or personal account, you will have access to features for Microsoft Defender for Endpoint or to features for Microsoft Defender for individuals. Please see [this blog](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals) for more details.

-On January 25, 2022, we announced the general availability of Vulnerability management on Android and iOS. For more details, see [the techcommunity post here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-general-availability-of-vulnerability-management/ba-p/3071663).

-Microsoft Defender for Endpoint has released this update required by [Google](https://developer.android.com/distribute/play-policies#APILevel30) to upgrade to Android API 30. This change will prompt users seeking access to [new storage permission](https://developer.android.com/training/data-storage/manage-all-files#all-files-access-google-play), for devices running Android 11 or later. Users will need to accept this new storage permission once they update Defender app with the release build 1.0.3501.0301 or later. This will ensure that Defender for Endpoint's app security feature to function without any disruption. For more information, review the following sections.

-**How will this affect your organization:**

-These changes will take effect if you are using Microsoft Defender for Endpoint on devices running Android 11 or later and updated Defender for Endpoint to release build 1.0.3501.0301 or later.

-1. Tap on the Defender for Endpoint in-app notification or open the Defender for Endpoint app. Users will see a screen that lists the permissions needed. A green check mark will be missing next to the Storage permission.

- "cvssVectorΓÇ¥: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C",

-Hardware-enforced stack protection will only work on chipsets with support for hardware shadow stacks, IntelΓÇÖs Control-flow Enforcement Technology (CET) or AMD shadow stacks.

-Defender for Endpoint on iOS enables bulk tagging the mobile devices during onboarding by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to userΓÇÖs devices. Once the User installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory.

- - In Intune, go to Go to Apps > App configuration policies > Add > Managed devices

- - Give the policy a name, select Platform > iOS/iPadOS,

- - Select Microsoft Defender for Endpoint as the target app.

- - In Settings page, select Use configuration designer and add **UserEnrolmentEnabled** as the key, value type as **String**, value as **True**.

-Mobile Device Tagging is now generally available. This feature enables bulk tagging the mobile devices by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to userΓÇÖs devices. Once the User installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory. For more information, read [Configure Device Tagging](/microsoft-365/security/defender-endpoint/ios-configure-features#device-tagging).

-Vulnerability assessment of apps on Microsoft Defender for Endpoint for iOS is now generally available. Defender for Endpoint on iOS supports vulnerability assessments of apps only for enrolled (MDM) devices. For more details, see [Configure vulnerability assessment of apps](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-vulnerability-assessment-of-apps).

-Network Protection on Microsoft Defender for Endpoint is now generally available. Network protection provides protection against rogue Wi-Fi related threats, rogue hardware like pineapple devices and notifies the user if a related threat is detected. Users will also see a guided experience to connect to secure networks and change networks when they are connected to an unsecure connection.

-It includes several admin controls to offer flexibility, such as the ability to configure the feature from within the Microsoft Intune admin center. Admins can also enable privacy controls to configure the data that is sent by Defender for Endpoint from iOS devices. For more information, read [Configure Network Protection](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-network-protection).

-Microsoft Defender for Endpoint on iOS enables Privacy Controls for both the Admins and the End Users. This includes the controls for enrolled (MDM) as well as unenrolled (MAM) devices. Admins can configure the privacy in the phish alert report while End Users can configure the information shared to their organization.

-With **Disable Web Protection**,Customers who do not want to set up a VPN, can configure to disable **Web Protection** and deploy MDE without that feature. Other MDE features will continue to work. This configuration is available for both the enrolled (MDM) devices as well as unenrolled (MAM) devices.

-Microsoft Defender for Endpoint on iOS can now integrate with Microsoft Tunnel, a VPN gateway solution to enable security and connectivity in a single app. Integration with Tunnel provides a simpler, secure VPN experience on iOS with just one app. This feature was earlier available only on Android. For more details, [see the techcommunity post here](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/what-s-new-in-microsoft-endpoint-manager-2204-april-edition/ba-p/3297995)

-Microsoft Defender for Endpoint is now available as **Microsoft Defender** in the app store. With this update, the app will be available as preview for **Consumers in the US region**. Based on how you log into the app with your work or personal account, you will have access to features for Microsoft Defender for Endpoint or to features for Microsoft Defender for individuals. For more information, see [this blog](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals).

-On January 25, 2022, we announced the general availability of Vulnerability management on Android and iOS. For more details, see [the techcommunity post here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-general-availability-of-vulnerability-management/ba-p/3071663).

-The eBPF sensor will be automatically enabled for all customers by default for agent versions ΓÇ£101.23082.0006ΓÇ¥ and above. Customers need to update to the above-mentioned supported versions to experience the feature. When the eBPF sensor is enabled on an endpoint, Defender for Endpoint on Linux updates supplementary_events_subsystem to ebpf.

-In this step, we'll go over the ΓÇ£Preferences," which enables you to configure anti-malware and edr policies using Microsoft Defender portal and Microsoft Intune.

-To set PurviewΓÇÖs Data Loss Prevention (DLP) for endpoint on macOS, follow the steps in [Onboard and offboard macOS devices into Compliance solutions using Microsoft Intune](/purview/device-onboarding-offboarding-macos-intune-mde).

-Starting with macOS BigSur (11), AppleΓÇÖs macOS requires all system extensions to be explicitly approved before they're allowed to run on the device.

-health_issues : [ΓÇ£no active event providerΓÇ¥, ΓÇ£network event provider not runningΓÇ¥, ΓÇ£full disk access has not been grantedΓÇ¥]

-|MobileConfig (Plist) |ΓÇ£mdatp healthΓÇ¥ console command output |macOS setting needed for MDE on macOS to function properly |

-|"/Library/Managed Preferences/servicemanagement.plistΓÇ¥ | n/a | Background services |

-#### Step 3: Test the installed profiles using macOS built-in ΓÇÿprofileΓÇÖ tool. It compares your profiles with what we have published in GitHub, reporting inconsistent profiles or profiles missing altogether

-> The **Endpoint Security Policies** page in Microsoft Defender XDR is available only for [users with the security administrator role in Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/assign-portal-access). Any other user role, such as Security Reader, cannot access the portal. When a user has the required permissions to view policies in the Microsoft Defender portal, the data is presented based on Intune permissions. If the user is in scope for Intune role-based access control, it applies to the list of policies presented in the Microsoft Defender portal. We recommend granting security administrators with the [Intune built-in role, ΓÇ£Endpoint Security ManagerΓÇ¥](/mem/intune/fundamentals/role-based-access-control#built-in-roles) to effectively align the level of permissions between Intune and Microsoft Defender XDR.

-1. On the **ΓÇ£Microsoft DefenderΓÇ¥ Would like to Filter Network Content** pop-up screen, click **Allow**.

-1. The command `healthcheck.exe` shows the output, "Launch WSL distro with ΓÇÿbashΓÇÖ command and retry in 5 minutes."

-Engine updates are the updates for the scan engine, which is used by the ΓÇ£Security Intelligence UpdatesΓÇ¥. First released on July 15, 2010.

-Platform Updates, are the .exeΓÇÖs, dllΓÇÖs, and .sysΓÇÖs for the Microsoft Defender Antivirus service.

-| **Beta Channel - Prerelease** | 4.18.2304.4 | ΓÇÿ23 April, minor rev 4 | n/a | This channel is the one you want to test for app compatibility, reliability and performance. |

-| **Current Channel (Preview)** | 4.18.2303.8 | ΓÇÿ23 Mar, minor rev 8 | n/a | Same as for _Beta Channel - Prerelease_ |

-| **Current Channel (Staged)** | 4.18.2303.7 | ΓÇÿ23 Mar, minor rev 7 | n/a | Same as for _Beta Channel - Prerelease_ |

-| **Current Channel (Broad)** | 4.18.2302.7 <br> see note | ΓÇÿ23 Feb, minor rev 7 | ΓÇÖ23 Mar | This channel is the one you want to push out to 90%-100% of your production systems. |

-> - Windows Server Stock Keeping Units (SKUΓÇÖs)

- - You can manually download and install the latest protection updates from theΓÇ»[Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx)

- - See the [Manage Microsoft Defender Antivirus Security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md) topic for more information.

-This information is found in the DeviceInfo table under the ΓÇ£ConnectivityTypeΓÇ¥ column:

-Once a device is migrated to use the streamlined method and the device establishes successful communication with the EDR command & control channel, the value will be represented as ΓÇ£StreamlinedΓÇ¥.

-If you move the device back to the regular method, the value will be ΓÇ£standardΓÇ¥.

-You can use Windows Event ViewerΓÇÖs SENSE operational log to locally validate connections with the new streamlined approach. SENSE Event ID 4 tracks successful EDR connections.

-Run `mdatp health ΓÇôdetails` to confirm simplified_connectivity: "enabled".

-Run `mdatp health ΓÇôdetails edr` to confirm `edr_partner_geo_location` is available. The value should be `GW_<geo>` where 'geo' is your tenantΓÇÖs geo-location.

-When an identity in your network might be compromised, you must prevent that identity from accessing the network and different endpoints. Defender for Endpoint can ΓÇ£containΓÇ¥ an identity, blocking it from access, and helping prevent attacks-- specifically, ransomware. When an identity is contained, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic in specific protocols related to attacks (network logons, RPC, SMB, RDP) while enabling legitimate traffic. This action can significantly help to reduce the impact of an attack. When an identity is contained, security operations analysts have extra time to locate, identify and remediate the threat to the compromised identity.

-> Blocking incoming communication with a ΓÇ£containedΓÇ¥ user is supported on onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense version 8740 and higher), Windows Server 2019+ devices, and Windows Servers 2012R2 and 2016 with the modern agent.

-Currently, containing users is only available automatically by using automatic attack disruption. When Microsoft detects a user as being compromised a ΓÇ£Contain UserΓÇ¥ policy is automatically set.

-Furthermore, after an identity is considered ΓÇ£contained", that user will be blocked by Defender for Endpoint and cannot perform any malicious lateral movement or remote encryption on or to any supported Defender for Endpoint onboarded device. These blocks will show up as alerts to help you quickly see the devices the compromised user attempted access and potential attack techniques:

-This action will restore this userΓÇÖs connection to the network.

-In addition, you can expand the investigation by using Advanced Hunting. Look for any ΓÇ£Action TypeΓÇ¥ starting with ΓÇ£ContainΓÇ¥ in the ΓÇ£DeviceEventsΓÇ¥ table. Then, you can view all the different singular blocking events in relation to Contain User in your tenant, dive deeper into the context of each block, and extract the different entities and techniques associated with those events.

-## Use the Alert queue filter in Defender XDR

-### Alert status

-// Severity

-AlertInfo

-| where Timestamp > startofday(now()) // Today

-| summarize count() by Severity

-| render columnchart ΓÇ» ΓÇ»

-// Detection source

-AlertInfo

-| where Timestamp > startofday(now()) // Today

-| summarize count() by Severity

-| render columnchart ΓÇ» ΓÇ»

-// Detection category

-AlertInfo

-| where Timestamp > startofday(now()) // Today

-| summarize count() by Category

-| render columnchart ΓÇ»

-ΓÇ»

-### Alert trend

-// Severity

-AlertInfo

-| where Timestamp > ago(30d)

-| summarize count() by DetectionSource , bin(Timestamp, 1d)

-| render timechart ΓÇ» ΓÇ» ΓÇ»

-// Detection source

-AlertInfo

-| where Timestamp > ago(30d)

-| summarize count() by DetectionSource , bin(Timestamp, 1d)

-| render timechart ΓÇ» ΓÇ»

-// Detection category

-AlertInfo

-| where Timestamp > ago(30d)

-| summarize count() by Category , bin(Timestamp, 1d)

-Hardware and firmware-level attacks have continued to rise in recent years, as modern security solutions made persistence and detection evasion on the operating system more difficult. Attackers compromise the boot flow to achieve low-level malware behavior thatΓÇÖs hard to detect, posing a significant risk to an organizationΓÇÖs security posture.

-[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows) helps defend against firmware attacks by providing guarantees for secure boot through hardware-backed security features like [hypervisor-level attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows), also known as Dynamic Root of Trust (DRTM), which are enabled by default in [Secured-core PCs](https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers). The new UEFI scan engine in Defender for Endpoint expands on these protections by making firmware scanning broadly available.

-The Unified Extensible Firmware Interface (UEFI) is a replacement for [legacy BIOS](/windows-hardware/drivers/bringup/smbios). If the chipset is configured correctly ([UEFI](https://uefi.org/sites/default/files/resources/UEFI%20Spec%202_6.pdf) & chipset configuration itself) andΓÇ»[secure boot](/windows-hardware/design/device-experiences/oem-secure-boot) is enabled, the firmware is reasonably secure. To perform a hardware-based attack, attackers exploit a vulnerable firmware or a misconfigured machine to deploy a [rootkit](https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/what-is-a-rootkit), which allows attackers to gain foothold on the machine.

-TheΓÇ»[Serial Peripheral Interface (SPI)](https://en.wikipedia.org/wiki/Serial_Peripheral_Interface) flash stores important information. Its structure depends on OEM's design, and commonly includes processor microcode update, Intel Management Engine (ME), and boot image, a UEFI executable. When a computer runs, processors execute the firmware code from SPI flash for a while during UEFIΓÇÖs SEC phase. Instead of memory, the flash is permanently mapped to x86 reset vector (physical address 0xFFFF_FFF0). However, attackers can interfere with memory access to reset vector by software. They do this by reprogramming the BIOS control register on misconfigured devices, making it even harder for security software to determine exactly what gets executed during boot.

-Once an implant is deployed, itΓÇÖs hard to detect. To catch threats at this level, security solutions at the OS level rely on information from the firmware, but the chain of trust is weakened.

-The new UEFI scanner is a component of Microsoft Defender Antivirus, thus, as long as itΓÇÖs the primary AV, it includes this capability to scan and access UEFI firmware.

-ItΓÇÖs a built-in functionality of Microsoft Defender Antivirus, thus, there is no additional management.

-Security operations teams can also use the [advanced hunting](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Defender for Endpoint to hunt for these threats:

-Hardware backed security features like Secure Launch and device attestation help stop firmware attacks. These features, which are enabled by default inΓÇ»[Secured-core PCs](https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers), seamlessly integrate with Defender for Endpoint to provide comprehensive endpoint protection.

-With its UEFI scanner,ΓÇ»[Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) gets even richer visibility into threats at the firmware level, where attackers have been increasingly focusing their efforts on. Security operations teams can use this new level of visibility, along with the rich set of detection and response capabilities in Defender for Endpoint, to investigate and contain such advanced attacks.

-This level of visibility is also available inΓÇ»[Microsoft 365 Defender (M365D)](https://www.microsoft.com/security/technology/threat-protection), which delivers an even broader cross-domain defense that coordinates protection across endpoints, identities, email, and apps.

-This article provides information on inaccuracies that have been reported. You can use it to determine if new or updated vulnerability support has been added, or if support isnΓÇÖt currently available.

-If youΓÇÖre a new customer or an existing Defender for Endpoint P1 or Microsoft 365 E3 customer, you will sign up to trial the **Defender Vulnerability Management Standalone trial**.

- - If youΓÇÖre a new customer or an existing Defender for Endpoint P1 or Microsoft 365 E3, choose [Defender Vulnerability Management Standalone](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-standalone).

-Connect supported cloud apps for instant, out-of-the-box protection, deep visibility into the appΓÇÖs user and device activities, and more. For more information, see [Protect connected apps using cloud service provider APIs](/defender-cloud-apps/protect-connected-apps).

-Defender Experts for Hunting also covers serversΓÇöwhether on premises or on a hyperscale cloud service providerΓÇöthat have Defender for Endpoint deployed on them with a Microsoft Defender for Server license. For Defender Experts coverage, a server is considered as a user account for billing. The service doesnΓÇÖt cover Microsoft Defender for Cloud.

-Defender Experts for Hunting operational data, such as case tickets and analyst notes, are generated and stored in a Microsoft data center in the US region for the length of the service, irrespective of the Microsoft Defender XDR service storage location. Data generated for the reporting dashboard is stored in customer's Microsoft Defender XDR service storage location. Reporting data and operational data will be retained for a grace period of no more than 90 days after a customerΓÇÖs subscription expires. If the customer terminates their subscription, data will be deleted within 30 days.

-Defender Experts for XDR also covers serversΓÇöwhether on premises or on a hyperscale cloud service providerΓÇöthat have Defender for Endpoint deployed on them with a Microsoft Defender for Server license. For Defender Experts coverage, a server is considered as a user account for billing. The service doesnΓÇÖt cover Microsoft Defender for Cloud.

-Defender Experts for XDR operational data, such as case tickets and analyst notes, are generated and stored in a Microsoft data center in the US region for the length of the service, irrespective of the Microsoft Defender XDR service storage location. Data generated for the reporting dashboard is stored in customer's Microsoft Defender XDR service storage location. Reporting data and operational data will be retained for a grace period of no more than 90 days after a customerΓÇÖs subscription expires. If the customer terminates their subscription, data will be deleted within 30 days.

-A rule can be based on device name, domain, OS platform, internet facing status, onboarding status and manual device tags. You can select or create a tag that will be applied based on the conditions youΓÇÖve set.

-The deception capability automatically generates authentic-looking decoy accounts, hosts, and lures. The fake assets generated are then automatically deployed to specific clients. When an attacker interacts with the decoys or lures, the deception capability raises high confidence alerts, helping in security teamΓÇÖs investigations and allowing them to observe an attackerΓÇÖs methods and strategies. All alerts raised by the deception capability are automatically correlated into incidents and are fully integrated into Microsoft Defender XDR. In addition, the deception technology is integrated into Defender for Endpoint, minimizing deployment needs.

-Attackers interacting with the fake network assets set up by the deception capability can help security teams prevent potential attacks from compromising an organization and monitor the attackersΓÇÖ actions so defenders can improve their environmentΓÇÖs security further.

-Similar to the other excluded device or user groups, you instead get remediation guidance for these high-value entities when theyΓÇÖre excluded.

-> Unlike the other excluded device and user groups, excluded high-value entities arenΓÇÖt listed in the **Device groups** or **User groups** tab.

-> Defender Experts for XDR reviews your readiness assessment periodically, especially if there are any changes to your environment, such as the addition of new devices and identities. ItΓÇÖs important that you regularly monitor and run the readiness assessment beyond the initial onboarding to ensure that your environment has strong security posture to reduce risk.

-The *go hunt* option takes advantage of the [advanced hunting](advanced-hunting-go-hunt.md) feature to find relevant information about an entity. The *go hunt* query checks relevant schema tables for any events or alerts involving the specific entity youΓÇÖre investigating. You can select any of the options to find relevant information about the entity:

-Microsoft Defender XDR combines protection, detection, investigation, and response capabilities to protect attacks on device, email, collaboration, identity, and cloud apps. The portalΓÇÖs detection and investigation capabilities are now extended to cloud entities, offering security operations teams a single pane of glass to significantly improve their operational efficiency.

- If you're invited to participate in the preview, youΓÇÖll see a banner with an option to connect a workspace.

-After your workspace is connected, the banner on the **Overview** page shows that your unified security information and event management (SIEM) and extended detection and response (XDR) is ready. YouΓÇÖll also see the **Overview** page updated with new sections that include metrics from Microsoft Sentinel like the number of data connectors and automation rules.

-After you connect your workspace to the Defender portal, youΓÇÖll see **Microsoft Sentinel** on the left-hand side navigation pane. Pages like **Overview**, **Incidents**, and **Advanced Hunting** have unified data from Microsoft Sentinel and Defender XDR.

-YouΓÇÖll also see many of the existing Microsoft Sentinel features are integrated into the Defender portal. For these features, you'll notice that the experience between Microsoft Sentinel in the Azure portal and Defender portal are similar. Use the following articles to help you start working with Microsoft Sentinel in the Defender portal. When using these articles, keep in mind that your starting point in this context is the [Defender portal](https://security.microsoft.com/) instead of the Azure portal.

-## Advanced hunting

-Advanced hunting in multi-tenant management in Microsoft Defender XDR allows you to proactively hunt for intrusion attempts and breach activity affecting your email, data, devices, and accounts over multiple tenants at the same time.

-In multi-tenant management, you can use any of the queries you currently have access to. They're filtered by tenant in the **Queries** tab. Select a tenant to view the queries available under each one.

-Once you have loaded the query in the query editor, you can then specify the scope of the query by tenant by selecting **Tenant scope**:

-This opens a side pane from which you can specify the tenants to include in the query:

->[!NOTE]

-To view only a specific tenantΓÇÖs custom detection rules, select **Filter**, choose the tenant or tenants and select **Apply**.

-A sample Defender Experts Notification shows up in your **Incidents** page with the title _Defender Experts: Test Notification from Microsoft Defender Experts_. The [contents](#receive-defender-experts-notifications) of the notification are placeholder texts, while the other elements such as alerts are randomly generated from events present in your tenant and arenΓÇÖt actually impacted.

-An [incident](incidents-overview.md) is a chain of processes created, commands, and actions that might not have coincided. An incident provides a holistic picture and context of suspicious or malicious activity. A single incident gives you an attackΓÇÖs complete context instead of triaging hundreds of alerts from multiple services.

-> Microsoft Defender XDR automatically determines filters like severity, investigation states, impacted assets, and incident statuses. The information is based on your organizationΓÇÖs network activities contextualized with threat intelligence feeds and the automated remediation actions applied.

-Understanding the context that surrounds [incidents](incidents-overview.md) is essential in analyzing attacks. Combining your expertise and experience with Microsoft Defender XDR's features and capabilities ensure faster resolution of incidents and your organizationΓÇÖs safety from cyber attacks.

-Investigations usually involve responders viewing several apps while simultaneously checking various threat intelligence sources. Sometimes investigations are extended to hunting down other threats. Documenting facts and solutions in an attack investigation is an additional important task that provides history and context for other investigatorsΓÇÖ use or for later investigations. These investigation tasks are simplified when using Microsoft Defender XDR through the following:

-The following resources provide details on how to use the portalΓÇÖs capabilities in investigating files:

-Breaches also happen through various devices like phones and tablets that connect to your organizationΓÇÖs network. Incident responders can further investigate these devices within the portal. The following video talks about the top threats from mobile devices and how you can investigate these:

-Meanwhile, Microsoft Defender XDRΓÇÖs [automated investigation and response](m365d-autoir.md) capabilities can automatically investigate and apply remediation actions to malicious and suspicious items. These capabilities scale investigation and resolution to threats, freeing incident responders to focus their efforts on high-impact attacks.

-> Adding phishing simulation URLs to the **Do not rewrite the following URLs in email** section in Safe Links policies might result in unwanted alerts for URL clicks. Phishing simulation URLs in email messages are automatically allowed both during mail flow and at time of click.

-> When opening an email cluster to view it in Explorer from the email cluster details, the PhishEdu and SecOps mailbox filters will be applied in Explorer but will not be shown. If you change the Explorer filters, dates, or refresh the query within the page ΓÇô then the PhishEdu/SecOps filter exclusions will get removed and emails that match these will be shown once again. If you refresh the Explorer page using the browser refresh function, the original query filters will get re-loaded, including the PhishEdu/SecOps filters ΓÇô but removing any subsequent changes you had made.

- - **Delivered** ΓÇô email was delivered to inbox or folder of a user and the user can directly access it.

- - **Junked** (Delivered to junk)ΓÇô email was sent to either user's junk folder or deleted folder, and the user has access to email messages in their Junk or Deleted folder.

- - **Blocked** ΓÇô any email messages that are quarantined, that failed, or were dropped.

- - **Replaced** ΓÇô any email where malicious attachments are replaced by .txt files that state the attachment was malicious

- - **Inbox or folder** ΓÇô The email is in the Inbox or a specific folder, according to your email rules.

- - **On-prem or external** ΓÇô The mailbox doesn't exist in the Cloud but is on-premises.

- - **Junk folder** ΓÇô The email is in a user's Junk mail folder.

- - **Deleted items folder** ΓÇô The email is in a user's Deleted items folder.

- - **Quarantine** ΓÇô The email in quarantine, and not in a user's mailbox.

- - **Failed** ΓÇô The email failed to reach the mailbox.

- - **Dropped** ΓÇô The email was lost somewhere in the mail flow.

-To apply a filter, select the filter dropdown, select an item in the list, and then select **Refresh**. You can view information by sender, sender's domain, recipients, subject, attachment filename, malware family, detection technology (how the malware was detected), and more.

-For example, to see what actions were taken when people clicked on URLs that were identified as phishing attempts, selectΓÇ»**Click verdict**, select one or more options, and then select **Refresh**.

-To view this report, in Explorer (or real-time detections), select **Content Malware** in the top navigation pane. This view shows files that were identified as malicious by [Microsoft Defender for Office 365 in SharePoint Online, OneDrive for Business, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md).

- - enabler-strategic

- - enabler-strategic

- - enabler-strategic

- - enabler-strategic

- - enabler-strategic

- - enabler-strategic

- - enabler-strategic

- - enabler-strategic

- - essentials-accountability