Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
lti | Index | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/index.md | For configuration steps, see: - [Microsoft Reflect with Schoology Learning](reflect-lti-schoology.md). - [Microsoft Reflect with Moodle](reflect-lti-moodle.md). - [Microsoft Reflect with D2L Brightspace](reflect-lti-brightspace.md).+- [Microsoft Reflect with Blackboard Learn](reflect-lti-blackboard.md). |
lti | Reflect Lti Blackboard | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/reflect-lti-blackboard.md | + + Title: Integrate Microsoft Reflect LTI with Blackboard Learn ++++ Last updated : 11/28/2023+audience: admin ++++- M365-modern-desktop +- m365initiative-edu +- tier2 +ms.localizationpriority: medium +description: Create impactful check-ins to gain wellbeing insights and build a happier, healthier learning community with the Microsoft Reflect Learning Tools Interoperability App for Blackboard Learn. +++# Integrate Microsoft Reflect LTI with Blackboard Learn ++[Microsoft Reflect](https://reflect.microsoft.com) is a wellbeing app designed to foster connection, expression, and learning by promoting self-awareness, empathy, and emotional growth. + +Reflect LTI integration with Blackboard Learn is designed in compliance with the latest Learning Tools Interoperability (LTI) standards, ensuring strong security and straightforward installation within your Blackboard Learn environment. ++Integrate Reflect into Blackboard Learn to create impactful check-ins, gain wellbeing insights, and build a happier, healthier learning community. ++> [!NOTE] +> This guide provides IT admins steps for registering the Reflect LTI app for Blackboard Learn by Anthology. +> +> The person who performs this integration should be an administrator of Blackboard Learn. ++## One-time setup by administrator ++1. Sign into your Blackboard Learn instance as an administrator. +1. Select the **Admin** link in the global navigation. +1. In the Administrator Panel, select the **LTI Tool Providers** link, and then select **Register LTI 1.3/Advantage Tool**. +1. In the *Client ID* field, type or copy and paste this ID: `f432c937-03fb-47e5-a8f8-fa55a85bc7bc`. +1. Review the prepopulated settings and **Tool Status**, and then select **Submit** to complete the registration. ++Reflect is now installed and ready to be used as a tool in any course in your Blackboard Learn environment. ++## Ongoing use by course instructors and students ++1. After the initial setup, course instructors and students will find a link to Microsoft Reflect in the **Tools** section on every course. +1. Instructors can add a link to Reflect in their course content: + 1. In the course navigation, select **Content**. + 1. Select **Tools** > **More Tools**, and then select **Microsoft Reflect**. + 1. You can edit the link information, such as the name or text, if you want to. + 1. Select **Submit** to add the link to the course content. +1. On their first access, course instructors and students need to sign in using their Microsoft account to get started. +1. Course instructors can [create and share check-ins](https://support.microsoft.com/topic/c6cbbacc-5655-450e-bca9-988ddc506017). +1. Once check-ins are created, course students can access and respond to them by navigating to their Microsoft Reflect link. ++> [!TIP] +> [Explore the Educator Toolkit](https://reflect.microsoft.com/home/resources) for resources that can help educators bring the magic of Reflect to students and share it with peers. ++## Recommended browser settings ++- Cookies should be allowed for Microsoft Reflect. +- Popups shouldn't be blocked for Microsoft Reflect. ++> [!NOTE] +> Cookies aren't allowed by default in the Chrome browser incognito mode and will need to be allowed. +> +> Microsoft Reflect LTI works in the private mode in Microsoft Edge browser. Ensure that you haven't blocked cookies, which are allowed by default. |
lti | Reflect Lti Moodle | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lti/reflect-lti-moodle.md | Reflect is now installed and ready to use in your course by both teachers and st 1. After the initial course setup, teachers and students will find a link to Reflect in the **General** section. 1. On their first access, they need to sign in using their Microsoft account to get started.-1. Course owners can [create and share check-ins](https://support.microsoft.com/topic/c6cbbacc-5655-450e-bca9-988ddc506017). -1. Once check-ins are created, course members can access and respond to them in their Reflect tab. +1. Course teachers can [create and share check-ins](https://support.microsoft.com/topic/c6cbbacc-5655-450e-bca9-988ddc506017). +1. Once check-ins are created, course students can access and respond to them by navigating to their Reflect link. > [!TIP] > [Explore the Educator Toolkit](https://reflect.microsoft.com/home/resources) for resources that can help educators bring the magic of Reflect to students and share it with peers. |
security | Android Configure Mam | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure-mam.md | Use the following steps to configure the Disable sign out: ## Device Tagging -Defender for Endpoint on Android enables bulk tagging the mobile devices during onboarding by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to userΓÇÖs devices. Once the User installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory. +Defender for Endpoint on Android enables bulk tagging the mobile devices during onboarding by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to user's devices. Once the User installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory. Use the following steps to configure the Device tags: |
security | Android Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure.md | Use the following steps to configure Disable sign-out: ## Device Tagging -Defender for Endpoint on Android enables bulk tagging the mobile devices during onboarding by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to userΓÇÖs devices. Once the User installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory. +Defender for Endpoint on Android enables bulk tagging the mobile devices during onboarding by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to user's devices. Once the User installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory. Use the following steps to configure the Device tags: |
security | Android Whatsnew | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-whatsnew.md | Last updated 10/25/2023 Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink) > [!IMPORTANT]-> Microsoft Defender for Endpoint's **Anti malware engine** is now generally available. All the users are required to have a Microsoft Defender for Endpoint version above **1.0.3815.0000** to utilize this new malware protection capability. Users on Microsoft Defender for Endpoint version below 1.0.3815.0000 will be sent notifications and in-app overlay messages to update their Microsoft Defender for Endpoint application. Users can click on the link provided in the overlay message to go to the managed play store and update the application. +> Microsoft Defender for Endpoint's **Anti malware engine** is now generally available. All the users are required to have a Microsoft Defender for Endpoint version **1.0.3815.0000** or later to utilize this new malware protection capability. Users on Microsoft Defender for Endpoint earlier than version 1.0.3815.0000 are sent notifications and in-app overlay messages to update their Microsoft Defender for Endpoint application. Users can click on the link provided in the overlay message to go to the managed play store and update the application. > > If users can't access the play store, the app can be updated through the company portal. - ## Device Tagging -Mobile Device Tagging is now generally available. This feature enables bulk tagging the mobile devices by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to userΓÇÖs devices. Once the user installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory. +Mobile Device Tagging is now generally available. This feature enables bulk tagging the mobile devices by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to user's devices. Once the user installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory. -This configuration is available for both the enrolled (MDM) devices as well as unenrolled (MAM) devices. For more information, see [Device Tagging (MDM)](/microsoft-365/security/defender-endpoint/android-configure#device-tagging) and [Device Tagging (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam#device-tagging). +This configuration is available for both the enrolled (MDM) devices and unenrolled (MAM) devices. For more information, see [Device Tagging (MDM)](/microsoft-365/security/defender-endpoint/android-configure#device-tagging) and [Device Tagging (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam#device-tagging). ## Microsoft Defender for Endpoint on Company-owned personally enabled devices -MDE is now generally available on AE COPE devices. Enterprises can onboard devices on COPE mode and push MDE to user's devices through the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). With this support, Android Enterprise COPE devices will get the full capabilities of our offering on Android including phishing and web protection, malware scanning, Network protection (preview) and additional breach prevention through integration with Microsoft Intune and Conditional Access. Read the announcement [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-is-now-available-on-android/ba-p/3626100). +MDE is now generally available on AE COPE devices. Enterprises can onboard devices on COPE mode and push MDE to user's devices through the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). With this support, Android Enterprise COPE devices get the full capabilities of our offering on Android, including: ++- Phishing and web protection. +- Malware scanning. +- Network protection (preview). +- Additional breach prevention through integration with Microsoft Intune and Conditional Access. ++Read the announcement [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-is-now-available-on-android/ba-p/3626100). ## Privacy Controls -Microsoft Defender for Endpoint on Android enables Privacy Controls for both the Admins and the End Users. This includes the controls for enrolled (MDM) as well as unenrolled (MAM) devices. Admins can configure the privacy in the alert report while End Users can configure the information shared to their organization. For more information, see [privacy controls(MDM)](/microsoft-365/security/defender-endpoint/android-configure#privacy-controls) and [privacy controls (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam#configure-privacy-controls). +Microsoft Defender for Endpoint on Android enables Privacy Controls for both the Admins and the End Users. This includes the controls for enrolled (MDM) and unenrolled (MAM) devices. Admins can configure the privacy in the alert report while End Users can configure the information shared to their organization. For more information, see [privacy controls(MDM)](/microsoft-365/security/defender-endpoint/android-configure#privacy-controls) and [privacy controls (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam#configure-privacy-controls). ## Optional Permissions and Disable Web Protection Microsoft Defender for Endpoint on Android enables **Optional Permissions** in the onboarding flow. Currently the permissions required by MDE are mandatory in the onboarding flow. With this feature, admin can deploy MDE on devices without enforcing the mandatory **VPN** and **Accessibility** permissions during onboarding. End Users can onboard the app without the mandatory permissions and can later review these permissions. This feature is currently present only for unenrolled devices (MAM). For more information, see [optional permissions](/microsoft-365/security/defender-endpoint/android-configure-mam#optional-permissions). -## Microsoft defender on Android enterprise BYOD personal profile +## Microsoft Defender on Android enterprise BYOD personal profile Microsoft Defender for Endpoint is now supported on Android Enterprise personal profile (BYOD only) with all the key features including malware scanning, protection from phishing links, network protection and vulnerability management. This support is coupled with [privacy controls](/microsoft-365/security/defender-endpoint/android-configure#privacy-controls) to ensure user privacy on personal profile. For more information, read the [announcement](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-the-public-preview-of-defender-for-endpoint-personal/ba-p/3370979) and the [deployment guide](/microsoft-365/security/defender-endpoint/android-intune#set-up-microsoft-defender-in-personal-profile-on-android-enterprise-in-byod-mode). ## Network protection -Network Protection on Microsoft Defender for Endpoint is now available. Network protection provides protection against rogue Wi-Fi related threats, rogue hardware like pineapple devices and notifies the user if a related threat is detected. Users will also see a guided experience to connect to secure networks and change networks when they are connected to an unsecure connection. +Network Protection on Microsoft Defender for Endpoint is now available. Network protection provides protection against rogue Wi-Fi related threats, rogue hardware like pineapple devices and notifies the user if a related threat is detected. Users also see a guided experience to connect to secure networks and change networks when they're connected to an unsecure connection. -It includes several admin controls to offer flexibility, such as the ability to configure the feature from within the Microsoft Intune admin center. Admins can also enable privacy controls to configure the data that is sent by Defender for Endpoint from Android devices. For more information, see [network protection](/microsoft-365/security/defender-endpoint/android-configure). +It includes several admin controls to offer flexibility, such as the ability to configure the feature from within the Microsoft Intune admin center. Admins can also enable privacy controls to configure the data that's sent by Defender for Endpoint from Android devices. For more information, see [network protection](/microsoft-365/security/defender-endpoint/android-configure). > [!NOTE]-> Microsoft Defender is no longer supported for versions below 1.0.3011.0302. Users are requested to upgrade to latest versions to keep their devices secure. +> Microsoft Defender is no longer supported for versions 1.0.3011.0302 or earlier. Users are requested to upgrade to latest versions to keep their devices secure. To update, users can use the following steps: > 1. On your work profile, go to Managed Play Store. To update, users can use the following steps: ## Microsoft Defender for Endpoint is now Microsoft Defender in the Play store -Microsoft Defender for Endpoint is now available as **Microsoft Defender** in the play store. With this update, the app will be available as preview for **Consumers in the US region** - based on how you log into the app with your work or personal account, you will have access to features for Microsoft Defender for Endpoint or to features for Microsoft Defender for individuals. Please see [this blog](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals) for more details. +Microsoft Defender for Endpoint is now available as **Microsoft Defender** in the play store. With this update, the app is available as preview for **Consumers in the US region**. Based on how you log into the app with your work or personal account, you have access to features for Microsoft Defender for Endpoint or for Microsoft Defender for individuals. For more information, see [this blog](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals). ## Vulnerability Management -On January 25, 2022, we announced the general availability of Vulnerability management on Android and iOS. For more details, see [the techcommunity post here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-general-availability-of-vulnerability-management/ba-p/3071663). +On January 25, 2022, we announced the general availability of Vulnerability management on Android and iOS. For more information, see [the techcommunity post here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-general-availability-of-vulnerability-management/ba-p/3071663). ## Upcoming permission changes for Microsoft Defender for Endpoint running Android 11 or later (Nov 2021) Release Build: 1.0.3501.0301 Release month: Nov 2021-Microsoft Defender for Endpoint has released this update required by [Google](https://developer.android.com/distribute/play-policies#APILevel30) to upgrade to Android API 30. This change will prompt users seeking access to [new storage permission](https://developer.android.com/training/data-storage/manage-all-files#all-files-access-google-play), for devices running Android 11 or later. Users will need to accept this new storage permission once they update Defender app with the release build 1.0.3501.0301 or later. This will ensure that Defender for Endpoint's app security feature to function without any disruption. For more information, review the following sections. +Microsoft Defender for Endpoint has released this update required by [Google](https://developer.android.com/distribute/play-policies#APILevel30) to upgrade to Android API 30. This change prompts users seeking access to [new storage permission](https://developer.android.com/training/data-storage/manage-all-files#all-files-access-google-play), for devices running Android 11 or later. Users need to accept this new storage permission once they update Defender app with the release build 1.0.3501.0301 or later. This update ensures that Defender for Endpoint's app security feature to function without any disruption. For more information, review the following sections. -**How will this affect your organization:** -These changes will take effect if you are using Microsoft Defender for Endpoint on devices running Android 11 or later and updated Defender for Endpoint to release build 1.0.3501.0301 or later. +**How will this affect your organization:** These changes take effect if you're using Microsoft Defender for Endpoint on devices running Android 11 or later and updated Defender for Endpoint to release build 1.0.3501.0301 or later. > [!NOTE] > The new storage permissions cannot be configured by admin to 'Auto Approve' through Microsoft Intune. User will need to take action to provide access to this permission. -- **User experience:** Users will receive a notification indicating a missing permission for app security. If the user denies this permission, the 'App security' functionality will be turned off on the device. If user doesn't accept or deny permission, they will continue to receive the prompt when unlocking their device or opening the app, until it has been approved.+- **User experience:** Users receive a notification indicating a missing permission for app security. If the user denies this permission, the 'App security' functionality is turned off on the device. If user doesn't accept or deny permission, they'll continue to receive the prompt when unlocking their device or opening the app, until it has been approved. > [!NOTE] > If your organization is previewing 'Tamper protection' feature and if the new storage permissions are not granted by the user within 7 days of updating to the latest version, the user might lose access to corporate resources. These changes will take effect if you are using Microsoft Defender for Endpoint Notify your users and helpdesk (as applicable) that users will need to accept the new permissions when prompted after they have updated Defender for Endpoint to build 1.0.3501.0301 or later version. To accept the permissions, users should: -1. Tap on the Defender for Endpoint in-app notification or open the Defender for Endpoint app. Users will see a screen that lists the permissions needed. A green check mark will be missing next to the Storage permission. +1. Tap on the Defender for Endpoint in-app notification or open the Defender for Endpoint app. Users see a screen that lists the permissions needed. A green check mark is missing next to the Storage permission. 2. Tap **Begin**. |
security | Get All Vulnerabilities | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/get-all-vulnerabilities.md | Here is an example of the response. "description": "A spoofing vulnerability exists when Microsoft Browsers does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could impersonate a user request by crafting HTTP queries. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services.To exploit the vulnerability, the user must click a specially crafted URL. In an email attack scenario, an attacker could send an email message containing the specially crafted URL to the user in an attempt to convince the user to click it.In a web-based attack scenario, an attacker could host a specially crafted website designed to appear as a legitimate website to the user. However, the attacker would have no way to force the user to visit the specially crafted website. The attacker would have to convince the user to visit the specially crafted website, typically by way of enticement in an email or instant message, and then convince the user to interact with content on the website.The update addresses the vulnerability by correcting how Microsoft Browsers parses HTTP responses.", "severity": "Medium", "cvssV3": 4.3,- "cvssVectorΓÇ¥: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", + "cvssVector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C", "exposedMachines": 4, "publishedOn": "2019-10-08T00:00:00Z", "updatedOn": "2019-12-16T16:20:00Z", |
security | Exploit Protection Reference | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/exploit-protection-reference.md | Hardware-enforced stack protection offers robust protection against ROP exploits ### Compatibility considerations -Hardware-enforced stack protection will only work on chipsets with support for hardware shadow stacks, IntelΓÇÖs Control-flow Enforcement Technology (CET) or AMD shadow stacks. +Hardware-enforced stack protection will only work on chipsets with support for hardware shadow stacks, Intel's Control-flow Enforcement Technology (CET) or AMD shadow stacks. ### Configuration options |
security | Ios Configure Features | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-configure-features.md | This configuration is available for both the enrolled (MDM) devices as well as u ## Device Tagging -Defender for Endpoint on iOS enables bulk tagging the mobile devices during onboarding by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to userΓÇÖs devices. Once the User installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory. +Defender for Endpoint on iOS enables bulk tagging the mobile devices during onboarding by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to user's devices. Once the User installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory. This configuration is available for both the enrolled (MDM) devices as well as unenrolled (MAM) devices. Admins can use the following steps to configure the Device tags. |
security | Ios Install | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install.md | Microsoft Defender iOS app can be deployed on the Intune User Enrolled devices u - Additional configuration: Key - **device_registration** ; Type - **String** ; Value- **{{DEVICEREGISTRATION}}** 1. Set up the MDM Key for User Enrollment.- - In Intune, go to Go to Apps > App configuration policies > Add > Managed devices - - Give the policy a name, select Platform > iOS/iPadOS, - - Select Microsoft Defender for Endpoint as the target app. - - In Settings page, select Use configuration designer and add **UserEnrolmentEnabled** as the key, value type as **String**, value as **True**. + - In Intune, go to Go to Apps \> App configuration policies \> Add \> Managed devices + - Give the policy a name, select Platform \> iOS/iPadOS, + - Select Microsoft Defender for Endpoint as the target app. + - In Settings page, select Use configuration designer and add **UserEnrolmentEnabled** as the key, value type as **String**, value as **True**. 1. Admin can push Defender as a required VPP app from Intune. |
security | Ios Whatsnew | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-whatsnew.md | ms.pagetype: security ms.localizationpriority: medium Previously updated : 10/25/2023 Last updated : 1/5/2024 audience: ITPro Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.]( ## Device Tagging -Mobile Device Tagging is now generally available. This feature enables bulk tagging the mobile devices by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to userΓÇÖs devices. Once the User installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory. For more information, read [Configure Device Tagging](/microsoft-365/security/defender-endpoint/ios-configure-features#device-tagging). +Mobile Device Tagging is now generally available. This feature enables bulk tagging the mobile devices by allowing the admins to set up tags via Intune. Admin can configure the device tags through Intune via configuration policies and push them to user's devices. Once the User installs and activates Defender, the client app passes the device tags to the Security Portal. The Device tags appear against the devices in the Device Inventory. For more information, read [Configure Device Tagging](/microsoft-365/security/defender-endpoint/ios-configure-features#device-tagging). ## Vulnerability assessment of apps -Vulnerability assessment of apps on Microsoft Defender for Endpoint for iOS is now generally available. Defender for Endpoint on iOS supports vulnerability assessments of apps only for enrolled (MDM) devices. For more details, see [Configure vulnerability assessment of apps](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-vulnerability-assessment-of-apps). +Vulnerability assessment of apps on Microsoft Defender for Endpoint for iOS is now generally available. Defender for Endpoint on iOS supports vulnerability assessments of apps only for enrolled (MDM) devices. For more information, see [Configure vulnerability assessment of apps](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-vulnerability-assessment-of-apps). ## Network protection -Network Protection on Microsoft Defender for Endpoint is now generally available. Network protection provides protection against rogue Wi-Fi related threats, rogue hardware like pineapple devices and notifies the user if a related threat is detected. Users will also see a guided experience to connect to secure networks and change networks when they are connected to an unsecure connection. +Network Protection on Microsoft Defender for Endpoint is now generally available. Network protection provides protection against rogue Wi-Fi related threats, rogue hardware like pineapple devices and notifies the user if a related threat is detected. Users also see a guided experience to connect to secure networks and change networks when they're connected to an unsecure connection. -It includes several admin controls to offer flexibility, such as the ability to configure the feature from within the Microsoft Intune admin center. Admins can also enable privacy controls to configure the data that is sent by Defender for Endpoint from iOS devices. For more information, read [Configure Network Protection](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-network-protection). +It includes several admin controls to offer flexibility, such as the ability to configure the feature from within the Microsoft Intune admin center. Admins can also enable privacy controls to configure the data that's sent by Defender for Endpoint from iOS devices. For more information, read [Configure Network Protection](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-network-protection). ## Privacy Controls -Microsoft Defender for Endpoint on iOS enables Privacy Controls for both the Admins and the End Users. This includes the controls for enrolled (MDM) as well as unenrolled (MAM) devices. Admins can configure the privacy in the phish alert report while End Users can configure the information shared to their organization. +Microsoft Defender for Endpoint on iOS enables Privacy Controls for both the Admins and the End Users. This includes the controls for enrolled (MDM) and unenrolled (MAM) devices. Admins can configure the privacy in the phish alert report while End Users can configure the information shared to their organization. ## Optional Permissions and Disable Web Protection Microsoft Defender for Endpoint on iOS enables **Optional Permissions** in the onboarding flow. Currently the permissions required by MDE are mandatory in the onboarding flow. With this feature, admin can deploy MDE on BYOD devices without enforcing the mandatory **VPN Permission** during onboarding. End Users can onboard the app without the mandatory permissions and can later review these permissions. This feature is currently present only for enrolled devices (MDM). -With **Disable Web Protection**,Customers who do not want to set up a VPN, can configure to disable **Web Protection** and deploy MDE without that feature. Other MDE features will continue to work. This configuration is available for both the enrolled (MDM) devices as well as unenrolled (MAM) devices. +With **Disable Web Protection**, customers who don't want to set up a VPN can configure to disable **Web Protection** and deploy MDE without that feature. Other MDE features will continue to work. This configuration is available for both the enrolled (MDM) devices and unenrolled (MAM) devices. ## Integration with Tunnel -Microsoft Defender for Endpoint on iOS can now integrate with Microsoft Tunnel, a VPN gateway solution to enable security and connectivity in a single app. Integration with Tunnel provides a simpler, secure VPN experience on iOS with just one app. This feature was earlier available only on Android. For more details, [see the techcommunity post here](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/what-s-new-in-microsoft-endpoint-manager-2204-april-edition/ba-p/3297995) +Microsoft Defender for Endpoint on iOS can now integrate with Microsoft Tunnel, a VPN gateway solution to enable security and connectivity in a single app. Integration with Tunnel provides a simpler, secure VPN experience on iOS with just one app. This feature was earlier available only on Android. For more information, [see the techcommunity post here](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/what-s-new-in-microsoft-endpoint-manager-2204-april-edition/ba-p/3297995) ## Improved experience on supervised iOS devices Microsoft Defender for Endpoint on iOS now has specialized ability on supervised ## Microsoft Defender for Endpoint is now Microsoft Defender in the App store -Microsoft Defender for Endpoint is now available as **Microsoft Defender** in the app store. With this update, the app will be available as preview for **Consumers in the US region**. Based on how you log into the app with your work or personal account, you will have access to features for Microsoft Defender for Endpoint or to features for Microsoft Defender for individuals. For more information, see [this blog](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals). +Microsoft Defender for Endpoint is now available as **Microsoft Defender** in the app store. With this update, the app is available as preview for **Consumers in the US region**. Based on how you log into the app with your work or personal account, you'll have access to features for Microsoft Defender for Endpoint or to features for Microsoft Defender for individuals. For more information, see [this blog](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals). ## Vulnerability Management -On January 25, 2022, we announced the general availability of Vulnerability management on Android and iOS. For more details, see [the techcommunity post here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-general-availability-of-vulnerability-management/ba-p/3071663). +On January 25, 2022, we announced the general availability of Vulnerability management on Android and iOS. For more information, see [the techcommunity post here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-general-availability-of-vulnerability-management/ba-p/3071663). ## 1.1.28250101 - **Integration with Tunnel** - Microsoft Defender for Endpoint on iOS can now integrate with Microsoft Tunnel, a VPN gateway solution to enable security and connectivity in a single app. For more information, see [Microsoft Tunnel Overview](/mem/intune/protect/microsoft-tunnel-overview). On January 25, 2022, we announced the general availability of Vulnerability mana ## 1.1.23010101 -- Bug fixes and performance improvements +- Bug fixes and performance improvements - Performance optimizations were made in this release. Test battery performance with this version and let us know your feedback. ## 1.1.20240103 On January 25, 2022, we announced the general availability of Vulnerability mana ## 1.1.15010101 -- With this version, we are announcing support for iPadOS/iPad devices.+- With this version, we're announcing support for iPadOS/iPad devices. - Bug fixes. [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
security | Linux Support Ebpf | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-ebpf.md | The eBPF sensor for Microsoft Defender for Endpoint on Linux is supported on the ## Use eBPF -The eBPF sensor will be automatically enabled for all customers by default for agent versions ΓÇ£101.23082.0006ΓÇ¥ and above. Customers need to update to the above-mentioned supported versions to experience the feature. When the eBPF sensor is enabled on an endpoint, Defender for Endpoint on Linux updates supplementary_events_subsystem to ebpf. +The eBPF sensor will be automatically enabled for all customers by default for agent versions "101.23082.0006" and above. Customers need to update to the above-mentioned supported versions to experience the feature. When the eBPF sensor is enabled on an endpoint, Defender for Endpoint on Linux updates supplementary_events_subsystem to ebpf. :::image type="content" source="../../mediatp health command" lightbox="../../media/defender-endpoint/ebpf-subsystem-linux.png"::: |
security | Mac Install With Intune | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md | Download [AutoUpdate2.mobileconfig](https://github.com/microsoft/mdatp-xplat/blo ### Step 8: Microsoft Defender for Endpoint configuration settings -In this step, we'll go over the ΓÇ£Preferences," which enables you to configure anti-malware and edr policies using Microsoft Defender portal and Microsoft Intune. +In this step, we'll go over the "Preferences," which enables you to configure anti-malware and edr policies using Microsoft Defender portal and Microsoft Intune. #### Set policies using Microsoft Defender portal To set Device Control for Microsoft Defender for Endpoint on macOS, follow the s ### Step 11: Data Loss Prevention (DLP) for Endpoint -To set PurviewΓÇÖs Data Loss Prevention (DLP) for endpoint on macOS, follow the steps in [Onboard and offboard macOS devices into Compliance solutions using Microsoft Intune](/purview/device-onboarding-offboarding-macos-intune-mde). +To set Purview's Data Loss Prevention (DLP) for endpoint on macOS, follow the steps in [Onboard and offboard macOS devices into Compliance solutions using Microsoft Intune](/purview/device-onboarding-offboarding-macos-intune-mde). ### Step 12: Check status of PList(.mobileconfig) |
security | Mac Support Sys Ext | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-sys-ext.md | Another option is to submit feedback via the Microsoft Defender XDR by launching This article provides information on how to troubleshoot issues with the system extension that's installed as part of Microsoft Defender for Endpoint on macOS. -Starting with macOS BigSur (11), AppleΓÇÖs macOS requires all system extensions to be explicitly approved before they're allowed to run on the device. +Starting with macOS BigSur (11), Apple's macOS requires all system extensions to be explicitly approved before they're allowed to run on the device. ## Symptom The output on running **mdatp health** is: ```Output healthy : false-health_issues : [ΓÇ£no active event providerΓÇ¥, ΓÇ£network event provider not runningΓÇ¥, ΓÇ£full disk access has not been grantedΓÇ¥] +health_issues : ["no active event provider", "network event provider not running", "full disk access has not been granted"] ... real_time_protection_enabled : unavailable real_time_protection_available: unavailable This output is shown in the following screenshot: The following files might be missing if you're managing it via Intune, JamF, or another MDM solution: -|MobileConfig (Plist) |ΓÇ£mdatp healthΓÇ¥ console command output |macOS setting needed for MDE on macOS to function properly | +|MobileConfig (Plist) |"mdatp health" console command output |macOS setting needed for MDE on macOS to function properly | |||| |"/Library/Managed Preferences/com.apple.system-extension-policy.plist" | real_time_protection_subsystem | System extension | |"/Library/Managed Preferences/com.apple.webcontent-filter.plist" | network_events_subsystem | Network Filter extension | |"/Library/Managed Preferences/com.apple.TCC.configuration-profile-policy.plist" | full_disk_access_enabled | Privacy Preference Policy Controls (PPPC, aka TCC (Transparency, Consent & Control), Full Disk Access (FDA)) | |"/Library/Managed Preferences/com.apple.notificationsettings.plist" | n/a | End-user notifications |-|"/Library/Managed Preferences/servicemanagement.plistΓÇ¥ | n/a | Background services | +|"/Library/Managed Preferences/servicemanagement.plist" | n/a | Background services | |"/Library/Managed Preferences/com.apple.TCC.configuration-profile-policy.plist" | full_disk_access_enabled (for DLP) | Accessibility | To troubleshoot the issue of missing files to make Microsoft Defender for Endpoint on macOS work properly, see [Microsoft Defender for Endpoint on Mac](microsoft-defender-endpoint-mac.md#microsoft-defender-for-endpoint-on-mac). For example, - **Other MDM**: Yes - **Manual**: Not applicable -#### Step 3: Test the installed profiles using macOS built-in ΓÇÿprofileΓÇÖ tool. It compares your profiles with what we have published in GitHub, reporting inconsistent profiles or profiles missing altogether +#### Step 3: Test the installed profiles using macOS built-in 'profile' tool. It compares your profiles with what we have published in GitHub, reporting inconsistent profiles or profiles missing altogether 1. Download the script from https://github.com/microsoft/mdatp-xplat/tree/master/macos/mdm. 1. Click **Raw**. The new URL will be https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mdm/analyze_profiles.py. |
security | Manage Security Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-security-policies.md | Use security policies to manage security settings on devices. As a security admi You'll find endpoint security policies under **Endpoints > Configuration management > Endpoint security policies**. > [!NOTE]-> The **Endpoint Security Policies** page in Microsoft Defender XDR is available only for [users with the security administrator role in Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/assign-portal-access). Any other user role, such as Security Reader, cannot access the portal. When a user has the required permissions to view policies in the Microsoft Defender portal, the data is presented based on Intune permissions. If the user is in scope for Intune role-based access control, it applies to the list of policies presented in the Microsoft Defender portal. We recommend granting security administrators with the [Intune built-in role, ΓÇ£Endpoint Security ManagerΓÇ¥](/mem/intune/fundamentals/role-based-access-control#built-in-roles) to effectively align the level of permissions between Intune and Microsoft Defender XDR. +> The **Endpoint Security Policies** page in Microsoft Defender XDR is available only for [users with the security administrator role in Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/assign-portal-access). Any other user role, such as Security Reader, cannot access the portal. When a user has the required permissions to view policies in the Microsoft Defender portal, the data is presented based on Intune permissions. If the user is in scope for Intune role-based access control, it applies to the list of policies presented in the Microsoft Defender portal. We recommend granting security administrators with the [Intune built-in role, "Endpoint Security Manager"](/mem/intune/fundamentals/role-based-access-control#built-in-roles) to effectively align the level of permissions between Intune and Microsoft Defender XDR. :::image type="content" source="./images/endpoint-security-policies.png" alt-text="Managing Endpoint security policies in the Microsoft Defender portal"::: |
security | Manage Sys Extensions Manual Deployment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-sys-extensions-manual-deployment.md | You might see the prompt that's shown in the following screenshot: :::image type="content" source="images/popup-after-checking-both-md-checkboxes.png" alt-text="The popup that appears on checking both the checkboxes." lightbox="images/popup-after-checking-both-md-checkboxes.png"::: -1. On the **ΓÇ£Microsoft DefenderΓÇ¥ Would like to Filter Network Content** pop-up screen, click **Allow**. +1. On the **"Microsoft Defender" Would like to Filter Network Content** pop-up screen, click **Allow**. 1. On the **Microsoft Defender wants to make changes** pop-up screen, enter your password and select **OK**. |
security | Mde Plugin Wsl | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-plugin-wsl.md | DeviceProcessEvents ## Troubleshooting -1. The command `healthcheck.exe` shows the output, "Launch WSL distro with ΓÇÿbashΓÇÖ command and retry in 5 minutes." +1. The command `healthcheck.exe` shows the output, "Launch WSL distro with 'bash' command and retry in 5 minutes." :::image type="content" source="medieplugin-wsl/wsl-health-check.png"::: |
security | Microsoft Defender Antivirus Ring Deployment Group Policy Wsus Appendices | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-wsus-appendices.md | Microsoft continually updates security intelligence in antimalware products to c ## Appendix B - Engine Updates -Engine updates are the updates for the scan engine, which is used by the ΓÇ£Security Intelligence UpdatesΓÇ¥. First released on July 15, 2010. +Engine updates are the updates for the scan engine, which is used by the "Security Intelligence Updates". First released on July 15, 2010. ## Appendix C - Platform Updates -Platform Updates, are the .exeΓÇÖs, dllΓÇÖs, and .sysΓÇÖs for the Microsoft Defender Antivirus service. +Platform Updates, are the .exe's, dll's, and .sys's for the Microsoft Defender Antivirus service. | Channel: | Version: | Revision: | | Remarks | |:|:|:|:|:|-| **Beta Channel - Prerelease** | 4.18.2304.4 | ΓÇÿ23 April, minor rev 4 | n/a | This channel is the one you want to test for app compatibility, reliability and performance. | -| **Current Channel (Preview)** | 4.18.2303.8 | ΓÇÿ23 Mar, minor rev 8 | n/a | Same as for _Beta Channel - Prerelease_ | -| **Current Channel (Staged)** | 4.18.2303.7 | ΓÇÿ23 Mar, minor rev 7 | n/a | Same as for _Beta Channel - Prerelease_ | -| **Current Channel (Broad)** | 4.18.2302.7 <br> see note | ΓÇÿ23 Feb, minor rev 7 | ΓÇÖ23 Mar | This channel is the one you want to push out to 90%-100% of your production systems. | +| **Beta Channel - Prerelease** | 4.18.2304.4 | '23 April, minor rev 4 | n/a | This channel is the one you want to test for app compatibility, reliability and performance. | +| **Current Channel (Preview)** | 4.18.2303.8 | '23 Mar, minor rev 8 | n/a | Same as for _Beta Channel - Prerelease_ | +| **Current Channel (Staged)** | 4.18.2303.7 | '23 Mar, minor rev 7 | n/a | Same as for _Beta Channel - Prerelease_ | +| **Current Channel (Broad)** | 4.18.2302.7 <br> see note | '23 Feb, minor rev 7 | '23 Mar | This channel is the one you want to push out to 90%-100% of your production systems. | > [!NOTE] > Where **23** == _2023_, **02** == _February_, and **.7** is the _minor revision_. |
security | Microsoft Defender Offline | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-offline.md | The following are the hardware requirements for Microsoft Defender Offline Scan > > - ARM Windows 11 > - ARM Windows 10 -> - Windows Server Stock Keeping Units (SKU’s) +> - Windows Server Stock Keeping Units (SKU's) For more information about Windows 10 and Windows 11 requirements, see the following topics: To receive Microsoft Defender Offline Scan updates: - [Platform Update](https://www.microsoft.com/security/portal/definitions/adl.aspx) - [Engine Update](microsoft-defender-antivirus-updates.md) - Security Intelligence Update- - You can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx) - - See the [Manage Microsoft Defender Antivirus Security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md) topic for more information. + - You can manually download and install the latest protection updates from the [Microsoft Malware Protection Center](https://www.microsoft.com/security/portal/definitions/adl.aspx) + - See the [Manage Microsoft Defender Antivirus Security intelligence updates](manage-protection-updates-microsoft-defender-antivirus.md) topic for more information. - User must be logged in with local administrator privileges. - Windows Recovery Environment (WinRE) needs to be enabled. If Microsoft Defender Antivirus determines that need to run: The user will also be notified within the Microsoft Defender Antivirus client or it can be revealed in Microsoft Intune, if you're using it to manage your Windows endpoints. -- You can manually force an offline scan which is built-in Windows 10, version 1607 or newer, and Windows 11. Or, you can scan through a bootable media for the older Windows OS’es as described [here](#use-the-windows-defender-security-app-to-run-an-offline-scan).+- You can manually force an offline scan which is built-in Windows 10, version 1607 or newer, and Windows 11. Or, you can scan through a bootable media for the older Windows OS'es as described [here](#use-the-windows-defender-security-app-to-run-an-offline-scan). In Configuration Manager, you can identify the status of endpoints by navigating to **Monitoring > Overview > Security > Endpoint Protection Status > System Center Endpoint Protection Status**. |
security | Migrate Devices Streamlined | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrate-devices-streamlined.md | Ensure connectivity is established with the appropriate URLs. You can use advanced hunting in Microsoft Defender portal to view the connectivity type status. -This information is found in the DeviceInfo table under the ΓÇ£ConnectivityTypeΓÇ¥ column: +This information is found in the DeviceInfo table under the "ConnectivityType" column: - Column Name: ConnectivityType - Possible Values: `<blank>`, Streamlined, Standard - Data type: String - Description: Type of connectivity from the device to the cloud -Once a device is migrated to use the streamlined method and the device establishes successful communication with the EDR command & control channel, the value will be represented as ΓÇ£StreamlinedΓÇ¥. +Once a device is migrated to use the streamlined method and the device establishes successful communication with the EDR command & control channel, the value will be represented as "Streamlined". -If you move the device back to the regular method, the value will be ΓÇ£standardΓÇ¥. +If you move the device back to the regular method, the value will be "standard". For devices that have not yet attempted reonboard, the value will remain blank. ### Tracking locally on a device through Windows Event Viewer -You can use Windows Event ViewerΓÇÖs SENSE operational log to locally validate connections with the new streamlined approach. SENSE Event ID 4 tracks successful EDR connections. +You can use Windows Event Viewer's SENSE operational log to locally validate connections with the new streamlined approach. SENSE Event ID 4 tracks successful EDR connections. Open the Defender for Endpoint service event log using the following steps: For macOS and Linux, you can use the following methods: ### MDATP connectivity test (macOS and Linux) -Run `mdatp health ΓÇôdetails` to confirm simplified_connectivity: "enabled". +Run `mdatp health -details` to confirm simplified_connectivity: "enabled". -Run `mdatp health ΓÇôdetails edr` to confirm `edr_partner_geo_location` is available. The value should be `GW_<geo>` where 'geo' is your tenantΓÇÖs geo-location. +Run `mdatp health -details edr` to confirm `edr_partner_geo_location` is available. The value should be `GW_<geo>` where 'geo' is your tenant's geo-location. Run mdatp connectivity test. Ensure the streamlined URL pattern is present. You should expect two for '\storage', one for '\mdav', one for '\xplat', and one for '/packages'. |
security | Respond Machine Alerts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md | You'll be able to stop containing a device at any time. ## Contain user from the network -When an identity in your network might be compromised, you must prevent that identity from accessing the network and different endpoints. Defender for Endpoint can ΓÇ£containΓÇ¥ an identity, blocking it from access, and helping prevent attacks-- specifically, ransomware. When an identity is contained, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic in specific protocols related to attacks (network logons, RPC, SMB, RDP) while enabling legitimate traffic. This action can significantly help to reduce the impact of an attack. When an identity is contained, security operations analysts have extra time to locate, identify and remediate the threat to the compromised identity. +When an identity in your network might be compromised, you must prevent that identity from accessing the network and different endpoints. Defender for Endpoint can "contain" an identity, blocking it from access, and helping prevent attacks-- specifically, ransomware. When an identity is contained, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic in specific protocols related to attacks (network logons, RPC, SMB, RDP) while enabling legitimate traffic. This action can significantly help to reduce the impact of an attack. When an identity is contained, security operations analysts have extra time to locate, identify and remediate the threat to the compromised identity. > [!NOTE]-> Blocking incoming communication with a ΓÇ£containedΓÇ¥ user is supported on onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense version 8740 and higher), Windows Server 2019+ devices, and Windows Servers 2012R2 and 2016 with the modern agent. +> Blocking incoming communication with a "contained" user is supported on onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense version 8740 and higher), Windows Server 2019+ devices, and Windows Servers 2012R2 and 2016 with the modern agent. ### How to contain a user -Currently, containing users is only available automatically by using automatic attack disruption. When Microsoft detects a user as being compromised a ΓÇ£Contain UserΓÇ¥ policy is automatically set. +Currently, containing users is only available automatically by using automatic attack disruption. When Microsoft detects a user as being compromised a "Contain User" policy is automatically set. ### View the contain user actions After a user is contained, you can view the action in this History view of the A :::image type="content" source="../../media/defender-endpoint/user-contain-action-center.png" alt-text="View the user contain action in the action center" lightbox="../../media/defender-endpoint/user-contain-action-center.png"::: -Furthermore, after an identity is considered ΓÇ£contained", that user will be blocked by Defender for Endpoint and cannot perform any malicious lateral movement or remote encryption on or to any supported Defender for Endpoint onboarded device. These blocks will show up as alerts to help you quickly see the devices the compromised user attempted access and potential attack techniques: +Furthermore, after an identity is considered "contained", that user will be blocked by Defender for Endpoint and cannot perform any malicious lateral movement or remote encryption on or to any supported Defender for Endpoint onboarded device. These blocks will show up as alerts to help you quickly see the devices the compromised user attempted access and potential attack techniques: :::image type="content" source="../../media/defender-endpoint/user-contain-lateral-move-block.png" alt-text="Shows a user contain lateral movement block event" lightbox="../../media/defender-endpoint/user-contain-lateral-move-block.png"::: You can release the blocks and containment on a user at any time: 1. Select the **Contain User** action in the **Action Center**. In the side pane select **Undo** 2. Select the user from either the user inventory, Incident page side pane or alert side pane and select **Undo** -This action will restore this userΓÇÖs connection to the network. +This action will restore this user's connection to the network. :::image type="content" source="../../media/defender-endpoint/undo-user-contain-action.png" alt-text="Shows user contain undo option in the action center" lightbox="../../media/defender-endpoint/undo-user-contain-action.png"::: After a user is contained, you can investigate the potential threat by viewing t :::image type="content" source="../../media/defender-endpoint/event-blocked by-contained-user.png" alt-text="Shows blocked event details for a contained users" lightbox="../../media/defender-endpoint/event-blocked by-contained-user.png"::: -In addition, you can expand the investigation by using Advanced Hunting. Look for any ΓÇ£Action TypeΓÇ¥ starting with ΓÇ£ContainΓÇ¥ in the ΓÇ£DeviceEventsΓÇ¥ table. Then, you can view all the different singular blocking events in relation to Contain User in your tenant, dive deeper into the context of each block, and extract the different entities and techniques associated with those events. +In addition, you can expand the investigation by using Advanced Hunting. Look for any "Action Type" starting with "Contain" in the "DeviceEvents" table. Then, you can view all the different singular blocking events in relation to Contain User in your tenant, dive deeper into the context of each block, and extract the different entities and techniques associated with those events. :::image type="content" source="../../media/defender-endpoint/user-contain-advanced-hunting.png" alt-text="Shows advanced hunting for user contain events" lightbox="../../media/defender-endpoint/user-contain-advanced-hunting.png"::: |
security | Threat Protection Reports | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/threat-protection-reports.md | Last updated 11/29/2023 > [!IMPORTANT] > The Microsoft Defender for Endpoint Threat Protection report page is deprecated and will no longer be available after January 31st, 2024. Microsoft recommends that you transition to either the Defender XDR Incidents page or Advanced hunting to understand endpoint threat protection details. See the following sections for more information. -## Use the Alert queue filter in Defender XDR +## Use the Alert queue filter in Defender XDR Due to the deprecation of the Defender for Endpoint Threat protection report, you can use the Defender XDR Incidents view, filtered against Defender for Endpoint, to see the current status of alerts for protected devices. For alert status, such as unresolved, you can filter against New and In progress. [Learn more about Defender XDR Incidents](../defender/incident-queue.md#available-filters) ## Use Advanced hunting queries Due to the deprecation of the Defender for Endpoint Threat protection report, you can use Advanced hunting queries to find Defender for Endpoint threat protection information. Note that currently there is no alert status in Advanced hunting elements that maps to resolve/unresolve. [Learn more about Advanced hunting in Defender XDR](../defender/advanced-hunting-overview.md). See below for a sample advanced hunting query that shows endpoint related threat protection details. -### Alert status +### Alert status ```kusto-// Severity -AlertInfo -| where Timestamp > startofday(now()) // Today -| summarize count() by Severity -| render columnchart ΓÇ» ΓÇ» --// Detection source -AlertInfo -| where Timestamp > startofday(now()) // Today -| summarize count() by Severity -| render columnchart ΓÇ» ΓÇ» --// Detection category -AlertInfo -| where Timestamp > startofday(now()) // Today -| summarize count() by Category -| render columnchart ΓÇ» -ΓÇ» +// Severity +AlertInfo +| where Timestamp > startofday(now()) // Today +| summarize count() by Severity +| render columnchart ++// Detection source +AlertInfo +| where Timestamp > startofday(now()) // Today +| summarize count() by Severity +| render columnchart ++// Detection category +AlertInfo +| where Timestamp > startofday(now()) // Today +| summarize count() by Category +| render columnchart ``` -### Alert trend +### Alert trend ```kusto-// Severity -AlertInfo -| where Timestamp > ago(30d) -| summarize count() by DetectionSource , bin(Timestamp, 1d) -| render timechart ΓÇ» ΓÇ» ΓÇ» --// Detection source -AlertInfo -| where Timestamp > ago(30d) -| summarize count() by DetectionSource , bin(Timestamp, 1d) -| render timechart ΓÇ» ΓÇ» --// Detection category -AlertInfo -| where Timestamp > ago(30d) -| summarize count() by Category , bin(Timestamp, 1d) +// Severity +AlertInfo +| where Timestamp > ago(30d) +| summarize count() by DetectionSource , bin(Timestamp, 1d) | render timechart +// Detection source +AlertInfo +| where Timestamp > ago(30d) +| summarize count() by DetectionSource , bin(Timestamp, 1d) +| render timechart ++// Detection category +AlertInfo +| where Timestamp > ago(30d) +| summarize count() by Category , bin(Timestamp, 1d) +| render timechart ``` ## Threat protection reports overview |
security | Uefi Scanning In Defender For Endpoint | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/uefi-scanning-in-defender-for-endpoint.md | Last updated 12/10/2023 Beginning June 17 2020, Microsoft Defender for Endpoint extended its protection capabilities to the firmware level with a new [Unified Extensible Firmware Interface (UEFI)](/windows-hardware/drivers/bringup/unified-extensible-firmware-interface) scanner. -Hardware and firmware-level attacks have continued to rise in recent years, as modern security solutions made persistence and detection evasion on the operating system more difficult. Attackers compromise the boot flow to achieve low-level malware behavior that’s hard to detect, posing a significant risk to an organization’s security posture. +Hardware and firmware-level attacks have continued to rise in recent years, as modern security solutions made persistence and detection evasion on the operating system more difficult. Attackers compromise the boot flow to achieve low-level malware behavior that's hard to detect, posing a significant risk to an organization's security posture. -[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows) helps defend against firmware attacks by providing guarantees for secure boot through hardware-backed security features like [hypervisor-level attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows), also known as Dynamic Root of Trust (DRTM), which are enabled by default in [Secured-core PCs](https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers). The new UEFI scan engine in Defender for Endpoint expands on these protections by making firmware scanning broadly available. +[Windows Defender System Guard](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows) helps defend against firmware attacks by providing guarantees for secure boot through hardware-backed security features like [hypervisor-level attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/) and [Secure Launch](/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows), also known as Dynamic Root of Trust (DRTM), which are enabled by default in [Secured-core PCs](https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers). The new UEFI scan engine in Defender for Endpoint expands on these protections by making firmware scanning broadly available. The UEFI scanner is a new component of the [built-in antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) solution on Windows 10 and newer versions, and gives Defender for Endpoint the unique ability to scan inside of the firmware filesystem and perform security assessment. It integrates insights from our partner chipset manufacturers and further expands the comprehensive endpoint protection provided by Defender for Endpoint. The UEFI scanner is a new component of the [built-in antivirus](/windows/securit ## How did we build the UEFI scanner? -The Unified Extensible Firmware Interface (UEFI) is a replacement for [legacy BIOS](/windows-hardware/drivers/bringup/smbios). If the chipset is configured correctly ([UEFI](https://uefi.org/sites/default/files/resources/UEFI%20Spec%202_6.pdf) & chipset configuration itself) and [secure boot](/windows-hardware/design/device-experiences/oem-secure-boot) is enabled, the firmware is reasonably secure. To perform a hardware-based attack, attackers exploit a vulnerable firmware or a misconfigured machine to deploy a [rootkit](https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/what-is-a-rootkit), which allows attackers to gain foothold on the machine. +The Unified Extensible Firmware Interface (UEFI) is a replacement for [legacy BIOS](/windows-hardware/drivers/bringup/smbios). If the chipset is configured correctly ([UEFI](https://uefi.org/sites/default/files/resources/UEFI%20Spec%202_6.pdf) & chipset configuration itself) and [secure boot](/windows-hardware/design/device-experiences/oem-secure-boot) is enabled, the firmware is reasonably secure. To perform a hardware-based attack, attackers exploit a vulnerable firmware or a misconfigured machine to deploy a [rootkit](https://www.microsoft.com/en-us/microsoft-365-life-hacks/privacy-and-safety/what-is-a-rootkit), which allows attackers to gain foothold on the machine. :::image type="content" source="media/expected-vs-attacker-boot-flow.jpg" alt-text="Screenshot that shows expected boot flow vs compromised boot flow "::: As the figure shows, for devices that are [configured correctly](/windows-hardwa :::image type="content" source="media/uefi-platform-initialization.jpg" alt-text="UEFI platform initialization"::: -The [Serial Peripheral Interface (SPI)](https://en.wikipedia.org/wiki/Serial_Peripheral_Interface) flash stores important information. Its structure depends on OEM's design, and commonly includes processor microcode update, Intel Management Engine (ME), and boot image, a UEFI executable. When a computer runs, processors execute the firmware code from SPI flash for a while during UEFI’s SEC phase. Instead of memory, the flash is permanently mapped to x86 reset vector (physical address 0xFFFF_FFF0). However, attackers can interfere with memory access to reset vector by software. They do this by reprogramming the BIOS control register on misconfigured devices, making it even harder for security software to determine exactly what gets executed during boot. +The [Serial Peripheral Interface (SPI)](https://en.wikipedia.org/wiki/Serial_Peripheral_Interface) flash stores important information. Its structure depends on OEM's design, and commonly includes processor microcode update, Intel Management Engine (ME), and boot image, a UEFI executable. When a computer runs, processors execute the firmware code from SPI flash for a while during UEFI's SEC phase. Instead of memory, the flash is permanently mapped to x86 reset vector (physical address 0xFFFF_FFF0). However, attackers can interfere with memory access to reset vector by software. They do this by reprogramming the BIOS control register on misconfigured devices, making it even harder for security software to determine exactly what gets executed during boot. -Once an implant is deployed, it’s hard to detect. To catch threats at this level, security solutions at the OS level rely on information from the firmware, but the chain of trust is weakened. +Once an implant is deployed, it's hard to detect. To catch threats at this level, security solutions at the OS level rely on information from the firmware, but the chain of trust is weakened. Technically, the firmware is not stored and is not accessible from main memory. As opposed to other software, it is stored in SPI flash storage, so the new UEFI scanner must follow the hardware protocol provided by hardware manufacturers. To be compatible and be up to date with all platforms, it needs to take into consideration protocol differences. The UEFI scanner performs dynamic analysis on the firmware it gets from the hard ## How do you turn on UEFI scanner? -The new UEFI scanner is a component of Microsoft Defender Antivirus, thus, as long as it’s the primary AV, it includes this capability to scan and access UEFI firmware. +The new UEFI scanner is a component of Microsoft Defender Antivirus, thus, as long as it's the primary AV, it includes this capability to scan and access UEFI firmware. ## How do you manage UEFI scanner? -It’s a built-in functionality of Microsoft Defender Antivirus, thus, there is no additional management. +It's a built-in functionality of Microsoft Defender Antivirus, thus, there is no additional management. ## How does the UEFI scanner in Defender for Endpoint work? Defender for Endpoint customers will also see these detections raised as alerts :::image type="content" source="media/mde-alert-detecting-malicious-code-in-firmware.png" alt-text="Screenshot that shows Defender for Endpoint alert detecting malicious code"::: -Security operations teams can also use the [advanced hunting](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Defender for Endpoint to hunt for these threats: +Security operations teams can also use the [advanced hunting](/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Defender for Endpoint to hunt for these threats: ```powershell DeviceEvents DeviceAlertEvents The new UEFI scanner adds to a rich set of Microsoft technologies that integrate to deliver chip-to-cloud security, from a strong hardware root of trust to cloud-powered security solutions at the OS level. -Hardware backed security features like Secure Launch and device attestation help stop firmware attacks. These features, which are enabled by default in [Secured-core PCs](https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers), seamlessly integrate with Defender for Endpoint to provide comprehensive endpoint protection. +Hardware backed security features like Secure Launch and device attestation help stop firmware attacks. These features, which are enabled by default in [Secured-core PCs](https://www.microsoft.com/en-us/windowsforbusiness/windows10-secured-core-computers), seamlessly integrate with Defender for Endpoint to provide comprehensive endpoint protection. -With its UEFI scanner, [Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) gets even richer visibility into threats at the firmware level, where attackers have been increasingly focusing their efforts on. Security operations teams can use this new level of visibility, along with the rich set of detection and response capabilities in Defender for Endpoint, to investigate and contain such advanced attacks. +With its UEFI scanner, [Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) gets even richer visibility into threats at the firmware level, where attackers have been increasingly focusing their efforts on. Security operations teams can use this new level of visibility, along with the rich set of detection and response capabilities in Defender for Endpoint, to investigate and contain such advanced attacks. -This level of visibility is also available in [Microsoft 365 Defender (M365D)](https://www.microsoft.com/security/technology/threat-protection), which delivers an even broader cross-domain defense that coordinates protection across endpoints, identities, email, and apps. +This level of visibility is also available in [Microsoft 365 Defender (M365D)](https://www.microsoft.com/security/technology/threat-protection), which delivers an even broader cross-domain defense that coordinates protection across endpoints, identities, email, and apps. |
security | Defender Vulnerability Management Trial | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/defender-vulnerability-management-trial.md | To sign up for the Defender Vulnerability Management trial, you can go directly Once you've reached the [Microsoft 365 trials hub](https://security.microsoft.com/trialHorizontalHub): - If you have Defender for Endpoint Plan 2, find the **Defender Vulnerability Management add-on** card and select **Try now**.-- If youΓÇÖre a new customer or an existing Defender for Endpoint P1 or Microsoft 365 E3 customer, choose the **Defender Vulnerability Management** card and select **Try now**.+- If you're a new customer or an existing Defender for Endpoint P1 or Microsoft 365 E3 customer, choose the **Defender Vulnerability Management** card and select **Try now**. :::image type="content" source="../../medivm-trialshub.png" alt-text="Screenshot of Microsoft Defender Vulnerability Management trial hub landing page."::: 2. Review the information about what's included in the trial, then select **Begin trial**. |
security | Fixed Reported Inaccuracies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/fixed-reported-inaccuracies.md | Having accurate and up-to-date information about security vulnerabilities that c If you come across missing or incorrect vulnerability information for your organization, you can use the report inaccuracy capability available for both weaknesses and recommendations to report false positives, inaccuracies, or incomplete information. -This article provides information on inaccuracies that have been reported. You can use it to determine if new or updated vulnerability support has been added, or if support isnΓÇÖt currently available. +This article provides information on inaccuracies that have been reported. You can use it to determine if new or updated vulnerability support has been added, or if support isn't currently available. >[!Note] > The tables may also include updates based on vulnerability support queries from ICMs or in response to customer requests. |
security | Get Defender Vulnerability Management | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management.md | Microsoft Defender Vulnerability Management is available as a standalone and as > - US Government customers using GCC, GCC High, and DoD > - Microsoft Defender for Business customers -- If youΓÇÖre a new customer or an existing Defender for Endpoint P1 or Microsoft 365 E3 customer sign up to try the [Defender Vulnerability Management Standalone Trial](#try-defender-vulnerability-management-standalone)+- If you're a new customer or an existing Defender for Endpoint P1 or Microsoft 365 E3 customer sign up to try the [Defender Vulnerability Management Standalone Trial](#try-defender-vulnerability-management-standalone) - If you already have Defender for Endpoint Plan 2, sign up to try the [Defender Vulnerability Management Add-on Trial](#try-defender-vulnerability-management-add-on-trial-for-defender-for-endpoint-plan-2-customers) > [!NOTE] Microsoft Defender Vulnerability Management is available as a standalone and as ## Try Defender Vulnerability Management Standalone -If youΓÇÖre a new customer or an existing Defender for Endpoint P1 or Microsoft 365 E3 customer, you will sign up to trial the **Defender Vulnerability Management Standalone trial**. +If you're a new customer or an existing Defender for Endpoint P1 or Microsoft 365 E3 customer, you will sign up to trial the **Defender Vulnerability Management Standalone trial**. > [!IMPORTANT] > You must be logged into the tenant as a global administrator to perform this task. |
security | Trial User Guide Defender Vulnerability Management | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-vulnerability-management/trial-user-guide-defender-vulnerability-management.md | Watch the following video to learn more about Defender Vulnerability Management: 3. Learn how to sign up for the Defender Vulnerability Management Trial - If you have Defender for Endpoint Plan 2, choose [Defender Vulnerability Management Add-on](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-add-on-trial-for-defender-for-endpoint-plan-2-customers).- - If youΓÇÖre a new customer or an existing Defender for Endpoint P1 or Microsoft 365 E3, choose [Defender Vulnerability Management Standalone](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-standalone). + - If you're a new customer or an existing Defender for Endpoint P1 or Microsoft 365 E3, choose [Defender Vulnerability Management Standalone](/microsoft-365/security/defender-vulnerability-management/get-defender-vulnerability-management#try-defender-vulnerability-management-standalone). 4. When you're ready to get started, visit the [Microsoft Defender portal](https://security.microsoft.com) and select **Vulnerability management** in the left navigation bar to start using the Defender Vulnerability Management trial. > [!NOTE] |
security | Advanced Hunting Cloudappevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-cloudappevents-table.md | The **CloudAppEvents** table contains enriched logs from all SaaS applications c - GitHub - Atlassian -Connect supported cloud apps for instant, out-of-the-box protection, deep visibility into the appΓÇÖs user and device activities, and more. For more information, see [Protect connected apps using cloud service provider APIs](/defender-cloud-apps/protect-connected-apps). +Connect supported cloud apps for instant, out-of-the-box protection, deep visibility into the app's user and device activities, and more. For more information, see [Protect connected apps using cloud service provider APIs](/defender-cloud-apps/protect-connected-apps). ## Related topics |
security | Automatic Attack Disruption | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/automatic-attack-disruption.md | In automatic attack disruption, we leverage Microsoft-based XDR response actions - [Device contain](/microsoft-365/security/defender-endpoint/respond-machine-alerts#contain-devices-from-the-network) - based on Microsoft Defender for Endpoint's capability, this action is an automatic containment of a suspicious device to block any incoming/outgoing communication with the said device. - [Disable user](/defender-for-identity/remediation-actions) - based on Microsoft Defender for Identity's capability, this action is an automatic suspension of a compromised account to prevent additional damage like lateral movement, malicious mailbox use, or malware execution.-- [Contain user](../defender-endpoint/respond-machine-alerts.md#contain-user-from-the-network) - This response action automatically contains suspicious identities temporarily. This helps to block any lateral movement and remote encryption related to incoming communication with Microsoft Defender for EndpointΓÇÖs onboarded devices.+- [Contain user](../defender-endpoint/respond-machine-alerts.md#contain-user-from-the-network) - This response action automatically contains suspicious identities temporarily. This helps to block any lateral movement and remote encryption related to incoming communication with Microsoft Defender for Endpoint's onboarded devices. For more information, see [remediation actions](m365d-remediation-actions.md) in Microsoft Defender XDR. |
security | Before You Begin Defender Experts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/before-you-begin-defender-experts.md | The following product is **not** covered by this service: ### Server coverage -Defender Experts for Hunting also covers serversΓÇöwhether on premises or on a hyperscale cloud service providerΓÇöthat have Defender for Endpoint deployed on them with a Microsoft Defender for Server license. For Defender Experts coverage, a server is considered as a user account for billing. The service doesnΓÇÖt cover Microsoft Defender for Cloud. +Defender Experts for Hunting also covers serversΓÇöwhether on premises or on a hyperscale cloud service providerΓÇöthat have Defender for Endpoint deployed on them with a Microsoft Defender for Server license. For Defender Experts coverage, a server is considered as a user account for billing. The service doesn't cover Microsoft Defender for Cloud. [Learn more about specific hardware and software requirements](/microsoft-365/security/defender-endpoint/minimum-requirements) ### Ask Defender Experts The following sections enumerate additional information about the service's data All data used for hunting from existing Defender services will continue to reside in the customer's original Microsoft Defender XDR service storage location. [Learn more](../../enterprise/o365-data-locations.md) -Defender Experts for Hunting operational data, such as case tickets and analyst notes, are generated and stored in a Microsoft data center in the US region for the length of the service, irrespective of the Microsoft Defender XDR service storage location. Data generated for the reporting dashboard is stored in customer's Microsoft Defender XDR service storage location. Reporting data and operational data will be retained for a grace period of no more than 90 days after a customerΓÇÖs subscription expires. If the customer terminates their subscription, data will be deleted within 30 days. +Defender Experts for Hunting operational data, such as case tickets and analyst notes, are generated and stored in a Microsoft data center in the US region for the length of the service, irrespective of the Microsoft Defender XDR service storage location. Data generated for the reporting dashboard is stored in customer's Microsoft Defender XDR service storage location. Reporting data and operational data will be retained for a grace period of no more than 90 days after a customer's subscription expires. If the customer terminates their subscription, data will be deleted within 30 days. Microsoft experts hunt over [advanced hunting logs](../../security/defender/advanced-hunting-schema-tables.md) in Microsoft Defender XDR advanced hunting tables. The data in these tables depend on the set of Defender services the customer is enabled for (for example, Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Entra ID). Experts also use a large set of internal threat intelligence data to inform their hunting and automation. |
security | Before You Begin Xdr | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/before-you-begin-xdr.md | Defender Experts for XDR is a managed extended detection and response (XDR) serv ### Server coverage -Defender Experts for XDR also covers serversΓÇöwhether on premises or on a hyperscale cloud service providerΓÇöthat have Defender for Endpoint deployed on them with a Microsoft Defender for Server license. For Defender Experts coverage, a server is considered as a user account for billing. The service doesnΓÇÖt cover Microsoft Defender for Cloud. +Defender Experts for XDR also covers serversΓÇöwhether on premises or on a hyperscale cloud service providerΓÇöthat have Defender for Endpoint deployed on them with a Microsoft Defender for Server license. For Defender Experts coverage, a server is considered as a user account for billing. The service doesn't cover Microsoft Defender for Cloud. [Learn more about specific hardware and software requirements](/microsoft-365/security/defender-endpoint/minimum-requirements). ### Ask Defender Experts The following sections enumerate additional information about the service's data All data used for hunting from existing Defender services will continue to reside in the customer's original Microsoft Defender XDR service storage location. [Learn more](/microsoft-365/enterprise/o365-data-locations). -Defender Experts for XDR operational data, such as case tickets and analyst notes, are generated and stored in a Microsoft data center in the US region for the length of the service, irrespective of the Microsoft Defender XDR service storage location. Data generated for the reporting dashboard is stored in customer's Microsoft Defender XDR service storage location. Reporting data and operational data will be retained for a grace period of no more than 90 days after a customerΓÇÖs subscription expires. If the customer terminates their subscription, data will be deleted within 30 days. +Defender Experts for XDR operational data, such as case tickets and analyst notes, are generated and stored in a Microsoft data center in the US region for the length of the service, irrespective of the Microsoft Defender XDR service storage location. Data generated for the reporting dashboard is stored in customer's Microsoft Defender XDR service storage location. Reporting data and operational data will be retained for a grace period of no more than 90 days after a customer's subscription expires. If the customer terminates their subscription, data will be deleted within 30 days. Microsoft experts hunt over [advanced hunting logs](advanced-hunting-schema-tables.md) in Microsoft Defender XDR advanced hunting tables. The data in these tables depend on the set of Defender services the customer is enabled for (for example, Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, and Microsoft Entra ID). Experts also use a large set of internal threat intelligence data to inform their hunting and automation. |
security | Configure Asset Rules | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/configure-asset-rules.md | Dynamic rules can help manage device context by assigning tags and device values ## Create a new dynamic rule -A rule can be based on device name, domain, OS platform, internet facing status, onboarding status and manual device tags. You can select or create a tag that will be applied based on the conditions youΓÇÖve set. +A rule can be based on device name, domain, OS platform, internet facing status, onboarding status and manual device tags. You can select or create a tag that will be applied based on the conditions you've set. The following steps guide you on how to create a new dynamic rule in Microsoft Defender XDR: |
security | Deception Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/deception-overview.md | Last updated 11/14/2023 Microsoft Defender XDR, through built-in deception capability, delivers high confidence detections of human-operated lateral movement, preventing attacks from reaching an organization's critical assets. Various attacks like [business email compromise (BEC)](https://www.microsoft.com/security/business/security-101/what-is-business-email-compromise-bec), [ransomware](/security/ransomware/), organizational breaches, and nation-state attacks often use lateral movement and can be hard to detect with high confidence in the early stages. Defender XDR's deception technology provides high confidence detections based on deception signals correlated with Microsoft Defender for Endpoint signals. -The deception capability automatically generates authentic-looking decoy accounts, hosts, and lures. The fake assets generated are then automatically deployed to specific clients. When an attacker interacts with the decoys or lures, the deception capability raises high confidence alerts, helping in security teamΓÇÖs investigations and allowing them to observe an attackerΓÇÖs methods and strategies. All alerts raised by the deception capability are automatically correlated into incidents and are fully integrated into Microsoft Defender XDR. In addition, the deception technology is integrated into Defender for Endpoint, minimizing deployment needs. +The deception capability automatically generates authentic-looking decoy accounts, hosts, and lures. The fake assets generated are then automatically deployed to specific clients. When an attacker interacts with the decoys or lures, the deception capability raises high confidence alerts, helping in security team's investigations and allowing them to observe an attacker's methods and strategies. All alerts raised by the deception capability are automatically correlated into incidents and are fully integrated into Microsoft Defender XDR. In addition, the deception technology is integrated into Defender for Endpoint, minimizing deployment needs. This article gives you an overview of Defender XDR's deception technology, prerequisites, and additional resources. The following table lists the requirements to enable the deception capability in Deception technology is a security measure that provides immediate alerts of a potential attack to security teams, allowing them to respond in real-time. Deception technology creates fake assets like devices, users, and hosts that appear to belong to your network. -Attackers interacting with the fake network assets set up by the deception capability can help security teams prevent potential attacks from compromising an organization and monitor the attackersΓÇÖ actions so defenders can improve their environmentΓÇÖs security further. +Attackers interacting with the fake network assets set up by the deception capability can help security teams prevent potential attacks from compromising an organization and monitor the attackers' actions so defenders can improve their environment's security further. ### How does the Microsoft Defender XDR deception capability work? |
security | Get Started Xdr | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/get-started-xdr.md | Defender Experts for XDR also lets you exclude automatically identified high-val - **High-value devices** are devices in your organization that were [identified as such](../defender-vulnerability-management/tvm-assign-device-value.md) in Defender for Endpoint - **High-value users** are users in your organization that were tagged with the [Sensitive tag](/defender-for-identity/entity-tags#sensitive--tags) in Microsoft Defender for Identity and the [priority account tag](/microsoft-365/admin/setup/priority-accounts) in Microsoft Defender for Office 365 -Similar to the other excluded device or user groups, you instead get remediation guidance for these high-value entities when theyΓÇÖre excluded. +Similar to the other excluded device or user groups, you instead get remediation guidance for these high-value entities when they're excluded. > [!IMPORTANT] > By using this feature, you will also exclude automatically all devices and users that will be tagged as high-value in the future. Similar to the other excluded device or user groups, you instead get remediation :::image type="content" source="../../media/xdr/managed-remediation-exclusions.png" alt-text="Screenshot of managed remediation exclusions option." lightbox="../../media/xdr/managed-remediation-exclusions.png"::: > [!NOTE]-> Unlike the other excluded device and user groups, excluded high-value entities arenΓÇÖt listed in the **Device groups** or **User groups** tab. +> Unlike the other excluded device and user groups, excluded high-value entities aren't listed in the **Device groups** or **User groups** tab. ## Tell us who to contact for important matters The readiness assessment has two parts: The figures are based on your Defender for Endpoint and Defender for Identity licenses; to achieve these target number of protected assets, [onboard more devices](/microsoft-365/security/defender-endpoint/onboarding) to Defender for Endpoint or [install more Defender for Identity sensors](/defender-for-identity/install-sensor). > [!IMPORTANT]-> Defender Experts for XDR reviews your readiness assessment periodically, especially if there are any changes to your environment, such as the addition of new devices and identities. ItΓÇÖs important that you regularly monitor and run the readiness assessment beyond the initial onboarding to ensure that your environment has strong security posture to reduce risk. +> Defender Experts for XDR reviews your readiness assessment periodically, especially if there are any changes to your environment, such as the addition of new devices and identities. It's important that you regularly monitor and run the readiness assessment beyond the initial onboarding to ensure that your environment has strong security posture to reduce risk. When you complete all the required tasks and meet the onboarding targets in your readiness assessment, your service delivery manager (SDM) initiates the monitoring phase of the Defender Experts for XDR service. For a few days, our experts start monitoring your environment closely to identify latent threats, sources of risk, and normal activity. As we get better understanding of your critical assets, we can streamline the service and fine-tune our responses. |
security | Investigate Incidents | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-incidents.md | From the graph, you can: - Hunt for entity information of a device, file, IP address, or URL. -The *go hunt* option takes advantage of the [advanced hunting](advanced-hunting-go-hunt.md) feature to find relevant information about an entity. The *go hunt* query checks relevant schema tables for any events or alerts involving the specific entity youΓÇÖre investigating. You can select any of the options to find relevant information about the entity: +The *go hunt* option takes advantage of the [advanced hunting](advanced-hunting-go-hunt.md) feature to find relevant information about an entity. The *go hunt* query checks relevant schema tables for any events or alerts involving the specific entity you're investigating. You can select any of the options to find relevant information about the entity: - See all available queries ΓÇô the option returns all available queries for the entity type you're investigating. - All Activity ΓÇô the query returns all activities associated with an entity, providing you with a comprehensive view of the incident's context. |
security | Microsoft 365 Security Center Defender Cloud | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud.md | -Microsoft Defender XDR combines protection, detection, investigation, and response capabilities to protect attacks on device, email, collaboration, identity, and cloud apps. The portalΓÇÖs detection and investigation capabilities are now extended to cloud entities, offering security operations teams a single pane of glass to significantly improve their operational efficiency. +Microsoft Defender XDR combines protection, detection, investigation, and response capabilities to protect attacks on device, email, collaboration, identity, and cloud apps. The portal's detection and investigation capabilities are now extended to cloud entities, offering security operations teams a single pane of glass to significantly improve their operational efficiency. Moreover, the Defender for Cloud incidents and alerts are now part of [Microsoft Defender XDR's public API](api-overview.md). This integration allows exporting of security alerts data to any system using a single API. |
security | Microsoft Sentinel Onboard | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-sentinel-onboard.md | The Microsoft Defender portal supports a single Microsoft Entra tenant and the c To onboard and use Microsoft Sentinel in the Microsoft Defender portal, you must have the following resources and access: -- A Microsoft Entra tenant thatΓÇÖs allow-listed by Microsoft to connect a workspace through the Defender portal+- A Microsoft Entra tenant that's allow-listed by Microsoft to connect a workspace through the Defender portal - A Log Analytics workspace that has Microsoft Sentinel enabled - The data connector for Microsoft Defender XDR (formerly named Microsoft Defender XDR) enabled in Microsoft Sentinel for incidents and alerts - Microsoft Defender XDR onboarded to the Microsoft Entra tenant To connect a workspace that has Microsoft Sentinel enabled to Defender XDR, comp 1. Go to the [Microsoft Defender portal](https://security.microsoft.com/) and sign in. 1. In Microsoft Defender XDR, select **Overview**. - If you're invited to participate in the preview, youΓÇÖll see a banner with an option to connect a workspace. + If you're invited to participate in the preview, you'll see a banner with an option to connect a workspace. 1. Select **Connect a workspace**. 1. Choose the workspace you want to connect and select **Next**. To connect a workspace that has Microsoft Sentinel enabled to Defender XDR, comp 1. Select **Connect**. 1. You might need to wait up to 6 hours until all experiences are fully connected. -After your workspace is connected, the banner on the **Overview** page shows that your unified security information and event management (SIEM) and extended detection and response (XDR) is ready. YouΓÇÖll also see the **Overview** page updated with new sections that include metrics from Microsoft Sentinel like the number of data connectors and automation rules. +After your workspace is connected, the banner on the **Overview** page shows that your unified security information and event management (SIEM) and extended detection and response (XDR) is ready. You'll also see the **Overview** page updated with new sections that include metrics from Microsoft Sentinel like the number of data connectors and automation rules. ## Explore Microsoft Sentinel features in the Defender portal -After you connect your workspace to the Defender portal, youΓÇÖll see **Microsoft Sentinel** on the left-hand side navigation pane. Pages like **Overview**, **Incidents**, and **Advanced Hunting** have unified data from Microsoft Sentinel and Defender XDR. +After you connect your workspace to the Defender portal, you'll see **Microsoft Sentinel** on the left-hand side navigation pane. Pages like **Overview**, **Incidents**, and **Advanced Hunting** have unified data from Microsoft Sentinel and Defender XDR. -YouΓÇÖll also see many of the existing Microsoft Sentinel features are integrated into the Defender portal. For these features, you'll notice that the experience between Microsoft Sentinel in the Azure portal and Defender portal are similar. Use the following articles to help you start working with Microsoft Sentinel in the Defender portal. When using these articles, keep in mind that your starting point in this context is the [Defender portal](https://security.microsoft.com/) instead of the Azure portal. +You'll also see many of the existing Microsoft Sentinel features are integrated into the Defender portal. For these features, you'll notice that the experience between Microsoft Sentinel in the Azure portal and Defender portal are similar. Use the following articles to help you start working with Microsoft Sentinel in the Defender portal. When using these articles, keep in mind that your starting point in this context is the [Defender portal](https://security.microsoft.com/) instead of the Azure portal. - Search - [Search across long time spans in large datasets](/sentinel/search-jobs) |
security | Mto Advanced Hunting | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/mto-advanced-hunting.md | Last updated 09/01/2023 [!include[Prerelease information](../../includes/prerelease.md)] -## Advanced hunting --Advanced hunting in multi-tenant management in Microsoft Defender XDR allows you to proactively hunt for intrusion attempts and breach activity affecting your email, data, devices, and accounts over multiple tenants at the same time. +Advanced hunting in multi-tenant management in Microsoft Defender XDR allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants at the same time. ## Run cross-tenant queries -In multi-tenant management, you can use any of the queries you currently have access to. They're filtered by tenant in the **Queries** tab. Select a tenant to view the queries available under each one. +In multi-tenant management, you can use any of the queries you currently have access to. They're filtered by tenant in the **Queries** tab. Select a tenant to view the queries available under each one. -Once you have loaded the query in the query editor, you can then specify the scope of the query by tenant by selecting **Tenant scope**: +Once you load the query in the query editor, you can then specify the scope of the query by tenant by selecting **Tenant scope**: :::image type="content" source="../../media/defender/mto-cross-tenants-query.png" alt-text="Screenshot of the Microsoft Defender XDR cross tenants advanced hunting query page" lightbox="../../media/defender/mto-cross-tenants-query.png"::: -This opens a side pane from which you can specify the tenants to include in the query: +This action opens a side pane from which you can specify the tenants to include in the query: :::image type="content" source="../../media/defender/mto-cross-tenants-sidepane.png" alt-text="Screenshot of the Microsoft Defender XDR cross tenants advanced hunting query side pane scope" lightbox="../../media/defender/mto-cross-tenants-sidepane.png"::: Select the tenants you want to include in your query. Select **Apply**, then **Run query**. ->[!NOTE] +> [!NOTE] > Queries that use the `join` operator are currently not supported in multi-tenant management advanced hunting. The query results contain the tenant ID: Likewise, you can manage custom detection rules from multiple tenants in the cus :::image type="content" source="../../media/defender/mto-custom-detection-tenant-name.png" alt-text="Screenshot of the Microsoft Defender XDR multi-tenant custom detection page" lightbox="../../media/defender/mto-custom-detection-tenant-name.png"::: -To view only a specific tenantΓÇÖs custom detection rules, select **Filter**, choose the tenant or tenants and select **Apply**. +To view only a specific tenant's custom detection rules, select **Filter**, choose the tenant or tenants and select **Apply**. To read more about custom detection rules, read [Custom detections overview](custom-detections-overview.md). |
security | Onboarding Defender Experts For Hunting | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/onboarding-defender-experts-for-hunting.md | You can set up Microsoft Defender XDR to notify you or your staff with an email You can generate a sample Defender Experts Notification to start experiencing the Defender Experts for Hunting service without having to wait for an actual critical activity to happen in your environment. Generating a sample notification also lets you test the [email notifications](#set-up-defender-experts-email-notifications) you might have previously configured in the Microsoft Defender portal for this service, as well as test the configuration of playbooks (if configured for such notifications) and rules in your Security Information and Event Management (SIEM) environment. -A sample Defender Experts Notification shows up in your **Incidents** page with the title _Defender Experts: Test Notification from Microsoft Defender Experts_. The [contents](#receive-defender-experts-notifications) of the notification are placeholder texts, while the other elements such as alerts are randomly generated from events present in your tenant and arenΓÇÖt actually impacted. +A sample Defender Experts Notification shows up in your **Incidents** page with the title _Defender Experts: Test Notification from Microsoft Defender Experts_. The [contents](#receive-defender-experts-notifications) of the notification are placeholder texts, while the other elements such as alerts are randomly generated from events present in your tenant and aren't actually impacted. :::image type="content" source="../../media/mte/defenderexperts/sample-den-dexh.png" alt-text="Screenshot of Sample DEN in Defender Experts for Hunting." lightbox="../../media/mte/defenderexperts/sample-den-dexh.png"::: |
security | Respond First Incident 365 Defender | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/respond-first-incident-365-defender.md | Last updated 08/21/2023 This guide lists Microsoft resources for new Microsoft Defender XDR users to confidently perform [day-to-day incident response tasks](integrate-microsoft-365-defender-secops-services.md) while using the portal. The intended results of using this guide are: - You'll quickly learn to use Microsoft Defender XDR to respond to incidents and alerts.-- YouΓÇÖll discover the portal's features to aid incident investigation and remediation through the videos and tutorials.+- You'll discover the portal's features to aid incident investigation and remediation through the videos and tutorials. Microsoft Defender XDR enables you to see relevant threat events across all assets (devices, identities, mailboxes, cloud apps, and more). The portal consolidates signals from the [Defender protection suite](microsoft-365-defender.md#microsoft-defender-xdr-protection), [Microsoft Sentinel](microsoft-365-defender-integration-with-azure-sentinel.md), and other [integrated security information and event management (SIEM) solutions](configure-siem-defender.md). Correlated attack information with full context in a single pane of glass enables you to successfully defend and protect your organization. This guide has three main sections: ## Understanding incidents -An [incident](incidents-overview.md) is a chain of processes created, commands, and actions that might not have coincided. An incident provides a holistic picture and context of suspicious or malicious activity. A single incident gives you an attackΓÇÖs complete context instead of triaging hundreds of alerts from multiple services. +An [incident](incidents-overview.md) is a chain of processes created, commands, and actions that might not have coincided. An incident provides a holistic picture and context of suspicious or malicious activity. A single incident gives you an attack's complete context instead of triaging hundreds of alerts from multiple services. Microsoft Defender XDR has many features that you can use to respond to an incident. You can navigate the incidents by selecting **View all incidents** in the Active incidents card on the Home page or through **Incidents & alerts** on the left navigation pane. An example of determining incident priority is combining the following factors f You might assign a high priority to the incident using the information above. You can begin your incident investigation once a priority is determined. > [!NOTE]-> Microsoft Defender XDR automatically determines filters like severity, investigation states, impacted assets, and incident statuses. The information is based on your organizationΓÇÖs network activities contextualized with threat intelligence feeds and the automated remediation actions applied. +> Microsoft Defender XDR automatically determines filters like severity, investigation states, impacted assets, and incident statuses. The information is based on your organization's network activities contextualized with threat intelligence feeds and the automated remediation actions applied. ## Manage incidents |
security | Respond First Incident Analyze | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/respond-first-incident-analyze.md | Last updated 08/21/2023 - Microsoft Defender XDR -Understanding the context that surrounds [incidents](incidents-overview.md) is essential in analyzing attacks. Combining your expertise and experience with Microsoft Defender XDR's features and capabilities ensure faster resolution of incidents and your organization’s safety from cyber attacks. +Understanding the context that surrounds [incidents](incidents-overview.md) is essential in analyzing attacks. Combining your expertise and experience with Microsoft Defender XDR's features and capabilities ensure faster resolution of incidents and your organization's safety from cyber attacks. Today's threats on data security - [business email compromise (BEC)](https://www.microsoft.com/security/business/security-101/what-is-business-email-compromise-bec), malware like backdoors and [ransomware](/security/ransomware), organizational breaches, and [nation-state attacks](https://www.microsoft.com/security/business/security-insider/) – require quick, intelligent, and decisive action from incident responders. Tools like [Microsoft Defender XDR](microsoft-365-defender.md) allow response teams to detect, triage, and investigate incidents through its single-pane-of-glass experience and find the information needed to make these timely decisions. ## Investigation tasks -Investigations usually involve responders viewing several apps while simultaneously checking various threat intelligence sources. Sometimes investigations are extended to hunting down other threats. Documenting facts and solutions in an attack investigation is an additional important task that provides history and context for other investigators’ use or for later investigations. These investigation tasks are simplified when using Microsoft Defender XDR through the following: +Investigations usually involve responders viewing several apps while simultaneously checking various threat intelligence sources. Sometimes investigations are extended to hunting down other threats. Documenting facts and solutions in an attack investigation is an additional important task that provides history and context for other investigators' use or for later investigations. These investigation tasks are simplified when using Microsoft Defender XDR through the following: -- **Pivoting** – the portal aggregates important attack information contextualized across the Defender workloads enabled in your organization. The portal consolidates all information across a single attack’s components (file, URL, mailbox, a user account, or device), showing relationships and timeline of activities. With all the information available in a page, the portal allows incident responders to pivot across related entities and events to find the information they need to make decisions.+- **Pivoting** – the portal aggregates important attack information contextualized across the Defender workloads enabled in your organization. The portal consolidates all information across a single attack's components (file, URL, mailbox, a user account, or device), showing relationships and timeline of activities. With all the information available in a page, the portal allows incident responders to pivot across related entities and events to find the information they need to make decisions. - **Hunting** – threat hunters can find known and possible threats within an organization through the portal's [advanced hunting](advanced-hunting-overview.md) capability using Kusto queries. If you're new to Kusto, use the [guided mode](advanced-hunting-modes.md) to hunt for threats. -- **Insight** – where applicable, incident responders can view actions to previously detected event and alerts to aid present investigations. Additional insights are also automatically added to events and alerts through Microsoft’s own threat intelligence efforts and from sources like the [MITRE ATT&CK®](https://attack.mitre.org/) framework and [VirusTotal](https://www.virustotal.com/gui/home/upload).+- **Insight** – where applicable, incident responders can view actions to previously detected event and alerts to aid present investigations. Additional insights are also automatically added to events and alerts through Microsoft's own threat intelligence efforts and from sources like the [MITRE ATT&CK®](https://attack.mitre.org/) framework and [VirusTotal](https://www.virustotal.com/gui/home/upload). -- **Collaboration** – security operations teams can view each team members’ decisions and actions on past and present incidents and alerts through portal features like comments, tagging, flagging, and assignment. Further collaboration with Microsoft’s managed detection and response service through [Defender Experts for XDR](dex-xdr-overview.md) and [Defender Experts for Hunting](defender-experts-for-hunting.md) are also available when an organization requires an augmented response.+- **Collaboration** – security operations teams can view each team members' decisions and actions on past and present incidents and alerts through portal features like comments, tagging, flagging, and assignment. Further collaboration with Microsoft's managed detection and response service through [Defender Experts for XDR](dex-xdr-overview.md) and [Defender Experts for Hunting](defender-experts-for-hunting.md) are also available when an organization requires an augmented response. ## Attack overview Complex threats like [adversary-in-the-middle attacks](https://www.microsoft.com - Presence of malware or suspicious use of tools and apps - Clues about any communication channels or entry points used by any malicious or suspicious entity - Clues pointing to possible identity compromise-- Identifying what the impact is on the organization’s data and security posture+- Identifying what the impact is on the organization's data and security posture The following sections contain tutorials and videos of Microsoft Defender XDR features that aid incident response teams in investigating various complex attacks. Investigate an identity compromise and know what you can do to contain an attack A malicious file's information and capabilities are key to investigating malware. Microsoft Defender XDR, in most cases, can detonate the file to show critical data including hash, metadata, prevalence within the organization, and file capabilities based on MITRE ATT&CK® techniques. This removes the need to do black box testing or static analysis of files. You can view file information from the incident graph, or by viewing an alert process tree, an artifact timeline, or a device timeline. -The following resources provide details on how to use the portal’s capabilities in investigating files: +The following resources provide details on how to use the portal's capabilities in investigating files: - **Tutorial**: [Investigate files](/microsoft-365/security/defender-endpoint/investigate-files) - **Video**: [Investigating malware in Microsoft Defender XDR](https://youtu.be/TTqFlnlwch0) Attackers often use vulnerabilities to gain access to an organization. Some rans - **Tutorial**: [Identify vulnerabilities in your organization](/microsoft-365/security/defender-vulnerability-management/tvm-weaknesses) - **Tutorial**: [Hunt for exposed devices](/microsoft-365/security/defender-vulnerability-management/tvm-hunt-exposed-devices)-- **Tutorial**: [Assess your organization’s risk through the Exposure score](/microsoft-365/security/defender-vulnerability-management/tvm-exposure-score)+- **Tutorial**: [Assess your organization's risk through the Exposure score](/microsoft-365/security/defender-vulnerability-management/tvm-exposure-score) - **Video**: Threat and vulnerability management via Defender Vulnerability Management > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4XTiJ] -Breaches also happen through various devices like phones and tablets that connect to your organization’s network. Incident responders can further investigate these devices within the portal. The following video talks about the top threats from mobile devices and how you can investigate these: +Breaches also happen through various devices like phones and tablets that connect to your organization's network. Incident responders can further investigate these devices within the portal. The following video talks about the top threats from mobile devices and how you can investigate these: - Mobile threat defense in Microsoft Defender XDR |
security | Respond First Incident Remediate | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/respond-first-incident-remediate.md | Learn how automatic attack disruption helps in incident response: > [!VIDEO https://www.microsoft.com/videoplayer/embed/RW10OoF] -Meanwhile, Microsoft Defender XDRΓÇÖs [automated investigation and response](m365d-autoir.md) capabilities can automatically investigate and apply remediation actions to malicious and suspicious items. These capabilities scale investigation and resolution to threats, freeing incident responders to focus their efforts on high-impact attacks. +Meanwhile, Microsoft Defender XDR's [automated investigation and response](m365d-autoir.md) capabilities can automatically investigate and apply remediation actions to malicious and suspicious items. These capabilities scale investigation and resolution to threats, freeing incident responders to focus their efforts on high-impact attacks. You can [configure](m365d-configure-auto-investigation-response.md) and [manage](m365d-autoir-actions.md) automated investigation and response capabilities. You can also view all past and pending actions through the [Action center](m365d-action-center.md). |
security | Advanced Delivery Policy Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/advanced-delivery-policy-configure.md | If your MX record doesn't point to Microsoft 365, the IP address in the `Authent > > If you're using the [Built-in protection preset security policy](preset-security-policies.md#profiles-in-preset-security-policies) or your custom Safe Links policies have the setting **Do not rewrite URLs, do checks via SafeLinks API only** enabled, time of click protection doesn't treat phishing simulation links in email as threats in Outlook on the web, Outlook for iOS and Android, Outlook for Windows v16.0.15317.10000 or later, and Outlook for Mac v16.74.23061100 or later. If you're using older versions of Outlook, consider disabling the **Do not rewrite URLs, do checks via SafeLinks API only** setting in custom Safe Links policies. >-> Adding phishing simulation URLs to the **Do not rewrite the following URLs in email** section in Safe Links policies might result in unwanted alerts for URL clicks. Phishing simulation URLs in email messages are automatically allowed both during mail flow and at time of click. +> Adding phishing simulation URLs to the **Do not rewrite the following URLs in email** section in Safe Links policies might result in unwanted alerts for URL clicks. Phishing simulation URLs in email messages are automatically allowed both during mail flow and at time of click. +> +> Currently, the advanced delivery policy for SecOps mailboxes doesn't support intra-organizational messages (`DIR:INT`), and these messages will be quarantined. As a workaround, add the SecOps mailbox as an exception in the appropriate anti-spam policies. 1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & Collaboration** \> **Policies & Rules** \> **Threat policies** \> **Advanced delivery** in the **Rules** section. Or, to go directly to the **Advanced delivery** page, use <https://security.microsoft.com/advanceddelivery>. |
security | Email Analysis Investigations | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-analysis-investigations.md | During the automated investigation of alerts, Microsoft Defender for Office 365 The automated investigation's email analysis identifies email clusters using attributes from the original email to query for emails sent and received by your organization. This is similar to a security operations analyst would hunt for the related emails in Explorer or Advanced Hunting. Several queries are used to identify matching emails because attackers typically morph the email parameters to avoid security detection. The clustering analysis performs these checks to determine how to handle emails involved in the investigation: -- The email analysis creates queries (clusters) of emails using attributes from the original email ΓÇô sender values (IP address, sender domain) and contents (subject, cluster ID) in order to find emails that might be related.+- The email analysis creates queries (clusters) of emails using attributes from the original email: sender values (IP address, sender domain) and contents (subject, cluster ID) in order to find emails that might be related. - If analysis of the original email's URLs and files identifies that some are malicious (that is, malware or phish), then it will also create queries or clusters of emails containing the malicious URL or file. - Email clustering analysis counts the threats associated with the similar emails in the cluster to determine whether the emails are malicious, suspicious, or have no clear threats. If the cluster of emails matching the query has a sufficient amount of spam, normal phish, high confidence phish or malware threats, the email cluster gets that threat type applied to it. - The email clustering analysis also checks the latest delivery location of the original email and emails in the email clusters to help identify if the emails potentially still need removal or have already been remediated or prevented. This analysis is important because attackers morph malicious content plus security policies and protection may vary between mailboxes. This capability leads to situations where malicious content may still sit in mailboxes, even though one or more malicious emails have been prevented or detected and removed by zero-hour auto purge (ZAP). Here are additional enhancements to email analysis in investigations. During the email clustering analysis, all clustering queries will ignore security mailboxes set up as Security Operations mailboxes in the Advanced Delivery policy. Similarly, the email clustering queries will ignore phish simulation (education) messages that are configured in the Advanced Delivery policy. Neither the SecOps nor the PhishEdu exclusion values are shown in the query to keep the clustering attributes simple and easy to read. This exclusion ensures that threat intelligence and operational mailboxes (SecOps mailboxes) and the phish simulations (PhishEdu) are ignored during threat analysis and do not get removed during any remediation. > [!NOTE]-> When opening an email cluster to view it in Explorer from the email cluster details, the PhishEdu and SecOps mailbox filters will be applied in Explorer but will not be shown. If you change the Explorer filters, dates, or refresh the query within the page ΓÇô then the PhishEdu/SecOps filter exclusions will get removed and emails that match these will be shown once again. If you refresh the Explorer page using the browser refresh function, the original query filters will get re-loaded, including the PhishEdu/SecOps filters ΓÇô but removing any subsequent changes you had made. +> When opening an email cluster to view it in Explorer from the email cluster details, the PhishEdu and SecOps mailbox filters will be applied in Explorer but will not be shown. If you change the Explorer filters, dates, or refresh the query within the page, then the PhishEdu/SecOps filter exclusions will get removed and emails that match these will be shown once again. If you refresh the Explorer page using the browser refresh function, the original query filters will get re-loaded, including the PhishEdu/SecOps filters, but removing any subsequent changes you had made. ## AIR updates pending email action status |
security | Investigate Malicious Email That Was Delivered | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered.md | Threat Explorer is a powerful report that can serve multiple purposes, such as f *Delivery action* is the action taken on an email due to existing policies or detections. Here are the possible actions an email can take: - - **Delivered** ΓÇô email was delivered to inbox or folder of a user and the user can directly access it. - - **Junked** (Delivered to junk)ΓÇô email was sent to either user's junk folder or deleted folder, and the user has access to email messages in their Junk or Deleted folder. - - **Blocked** ΓÇô any email messages that are quarantined, that failed, or were dropped. - - **Replaced** ΓÇô any email where malicious attachments are replaced by .txt files that state the attachment was malicious + - **Delivered**: Email was delivered to inbox or folder of a user and the user can directly access it. + - **Junked**: Email was sent to either user's Junk Email folder or Deleted Items folder, and the user has access to messages in those folders. + - **Blocked**: Any email messages that are quarantined, that failed, or were dropped. + - **Replaced**: Any email where malicious attachments are replaced by .txt files that state the attachment was malicious **Delivery location**: The Delivery location filter is available in order to help admins understand where suspected malicious mail ended-up and what actions were taken on it. The resulting data can be exported to spreadsheet. Possible delivery locations are: - - **Inbox or folder** ΓÇô The email is in the Inbox or a specific folder, according to your email rules. - - **On-prem or external** ΓÇô The mailbox doesn't exist in the Cloud but is on-premises. - - **Junk folder** ΓÇô The email is in a user's Junk mail folder. - - **Deleted items folder** ΓÇô The email is in a user's Deleted items folder. - - **Quarantine** ΓÇô The email in quarantine, and not in a user's mailbox. - - **Failed** ΓÇô The email failed to reach the mailbox. - - **Dropped** ΓÇô The email was lost somewhere in the mail flow. + - **Inbox or folder**: The email is in the Inbox or a specific folder, according to your email rules. + - **On-prem or external**: The mailbox doesn't exist in the Cloud but is on-premises. + - **Junk folder**: The email is in a user's Junk mail folder. + - **Deleted items folder**: The email is in a user's Deleted items folder. + - **Quarantine**: The email in quarantine, and not in a user's mailbox. + - **Failed**: The email failed to reach the mailbox. + - **Dropped**: The email was lost somewhere in the mail flow. **Directionality**: This option allows your security operations team to filter by the 'direction' a mail comes from, or is going. Directionality values are *Inbound*, *Outbound*, and *Intra-org* (corresponding to mail coming into your org from outside, being sent out of your org, or being sent internally to your org, respectively). This information can help security operations teams spot spoofing and impersonation, because a mismatch between the Directionality value (ex. *Inbound*), and the domain of the sender (which *appears* to be an internal domain) will be evident! The Directionality value is separate, and can differ from, the Message Trace. Results can be exported to spreadsheet. Delivery Status is now broken out into two columns: Delivery action is the action taken on an email due to existing policies or detections. Here are the possible actions an email can take: -- **Delivered** ΓÇô email was delivered to inbox or folder of a user and the user can directly access it.-- **Junked** ΓÇô email was sent to either user's junk folder or deleted folder, and the user has access to email messages in their Junk or Deleted folder.-- **Blocked** ΓÇô any email messages that are quarantined, that failed, or were dropped.-- **Replaced** ΓÇô any email where malicious attachments are replaced by .txt files that state the attachment was malicious.+- **Delivered**: Email was delivered to inbox or folder of a user and the user can directly access it. +- **Junked**: Email was sent to either user's Junk Email folder or Deleted Items folder, and the user has access to messages in those folders. +- **Blocked**: Any email messages that are quarantined, that failed, or were dropped. +- **Replaced**: Any email where malicious attachments are replaced by .txt files that state the attachment was malicious. Delivery location shows the results of policies and detections that run post-delivery. It's linked to a Delivery Action. This field was added to give insight into the action taken when a problem mail is found. Here are the possible values of delivery location: -- **Inbox or folder** ΓÇô The email is in the inbox or a folder (according to your email rules).-- **On-prem or external** ΓÇô The mailbox doesn't exist on cloud but is on-premises.-- **Junk folder** ΓÇô The email is in a user's Junk folder.-- **Deleted items folder** ΓÇô The email is in a user's Deleted items folder.-- **Quarantine** ΓÇô The email in quarantine, and not in a user's mailbox.-- **Failed** ΓÇô The email failed to reach the mailbox.-- **Dropped** ΓÇô The email gets lost somewhere in the mail flow.+- **Inbox or folder**: The email is in the inbox or a folder (according to your email rules). +- **On-prem or external**: The mailbox doesn't exist on cloud but is on-premises. +- **Junk folder**: The email is in a user's Junk Email folder. +- **Deleted items folder**: The email is in a user's Deleted Items folder. +- **Quarantine**: The email in quarantine, and not in a user's mailbox. +- **Failed**: The email failed to reach the mailbox. +- **Dropped**: The email gets lost somewhere in the mail flow. ### View the timeline of your email |
security | Quarantine Admin Manage Messages Files | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/quarantine-admin-manage-messages-files.md | To filter the entries, select :::image type="icon" source="../../media/m365-cc-s - **Next 2 days** - **Next 7 days** - **Custom**: Enter a **Start time** and **End time** (date).-- **Recipient tag**+- **Recipient tag**: Currently, the only selectable [user tag](user-tags-about.md) is Priority account. - **Quarantine reason**: - **Transport rule** (mail flow rule) - **Bulk** |
security | Threat Explorer Views | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-views.md | To view this report, in Explorer, select **All email** in the top navigation pan > [!NOTE] > If you get a **Too much data to display** error, add a filter and, if necessary, narrow the date range you're viewing. -To apply a filter, select the filter dropdown, select an item in the list, and then select **Refresh**. You can view information by sender, sender's domain, recipients, subject, attachment filename, malware family, detection technology (how the malware was detected), and more. +To apply a filter, select the filter dropdown, select an item in the list, and then select **Refresh**. You can view information by sender, sender's domain, recipients, subject, attachment filename, malware family, detection technology (how the malware was detected), and more. You can view more details about specific email messages, such as subject line, recipient, sender, status, and so on below the chart. To view this report, in Explorer (or real-time detections), select **Phish** in Your list of viewing options include data by sender, recipients, sender domain, sender IP, URL domain, click verdict, and more. -For example, to see what actions were taken when people clicked on URLs that were identified as phishing attempts, select **Click verdict**, select one or more options, and then select **Refresh**. +For example, to see what actions were taken when people clicked on URLs that were identified as phishing attempts, select **Click verdict**, select one or more options, and then select **Refresh**. Below the chart, view more details about specific emails, **URL clicks**, **Top URLs**, **Top clicks**, and more. For more information on campaigns, see [Campaigns in Microsoft Defender for Offi ## Content Malware -To view this report, in Explorer (or real-time detections), select **Content Malware** in the top navigation pane. This view shows files that were identified as malicious by [Microsoft Defender for Office 365 in SharePoint Online, OneDrive for Business, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md). +To view this report, in Explorer (or real-time detections), select **Content Malware** in the top navigation pane. This view shows files that were identified as malicious by [Microsoft Defender for Office 365 in SharePoint Online, OneDrive for Business, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md). :::image type="content" source="../../media/threat-explorer-content-malware-new.png" alt-text="Screenshot of the view data about content malware." lightbox="../../media/threat-explorer-content-malware-new.png"::: |
security | User Tags About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-tags-about.md | After you apply system tags or custom tags to users, you can use those tags as f - [Payloads](attack-simulation-training-payloads.md) - [Training campaigns](attack-simulation-training-training-campaigns.md) - [Training modules](attack-simulation-training-training-modules.md)-- [Quarantine](quarantine-admin-manage-messages-files.md)+- [Quarantine](quarantine-admin-manage-messages-files.md) Currently, tag selection on the Quarantine filter page supports only the Priority account tag. - [Admin submissions and user reported messages](submissions-admin.md) - In organizations above a certain size, the [Email issues for priority accounts report](/exchange/monitoring/mail-flow-reports/mfr-email-issues-for-priority-accounts-report) is available in the Exchange admin center (EAC). |
syntex | Apply A Retention Label To A Model | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/apply-a-retention-label-to-a-model.md | - - enabler-strategic + - essentials-manage - m365initiative-syntex ms.localizationpriority: medium description: Learn how to apply a retention label to a model in Microsoft Syntex. |
syntex | Apply A Sensitivity Label To A Model | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/apply-a-sensitivity-label-to-a-model.md | - - enabler-strategic + - essentials-manage - m365initiative-syntex ms.localizationpriority: medium description: Learn how to apply a sensitivity label to a model in Microsoft Syntex. |
syntex | Manage Library Settings | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/manage-library-settings.md | - - enabler-strategic + - essentials-manage - m365initiative-syntex ms.localizationpriority: medium description: Learn how to manage settings on a SharePoint document library with Microsoft Syntex. |
syntex | Requirements And Limitations | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/requirements-and-limitations.md | - - enabler-strategic + - essentials-manage - m365initiative-syntex ms.localizationpriority: medium description: Learn about file limitations, file types, supported languages, and other requirements for models in Microsoft Syntex. |
syntex | Set Up Content Understanding | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/set-up-content-understanding.md | audience: admin -- enabler-strategic-- m365initiative-syntex-- Tier1+ - essentials-get-started + - m365initiative-syntex + - Tier1 - admindeeplinkMAC search.appverid: MET150 |
syntex | Syntex Azure Billing | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/syntex-azure-billing.md | audience: admin - - enabler-strategic + - essentials-get-started - m365initiative-syntex - Tier1 search.appverid: MET150 |
syntex | Syntex Licensing | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/syntex-licensing.md | audience: admin - - enabler-strategic + - essentials-get-started - m365initiative-syntex - Tier1 search.appverid: MET150 |
syntex | Syntex Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/syntex-overview.md | - - enabler-strategic + - essentials-get-started - m365initiative-syntex - essentials-overview ms.localizationpriority: medium |
syntex | Syntex Pay As You Go Services | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/syntex-pay-as-you-go-services.md | audience: admin - - enabler-strategic + - essentials-get-started - m365initiative-syntex - Tier1 search.appverid: MET150 |
syntex | Syntex Privacy Security | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/syntex/syntex-privacy-security.md | - - essentials-accountability + - essentials-privacy - m365initiative-syntex+ - essentials-security + - essentials-compliance ms.localizationpriority: medium description: Learn about privacy, security, and compliance in Microsoft Syntex. |