-The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md). In the **Microsoft Teams app usage report**, you can gain insights into the Teams apps activity in your organization. This article explains how to access the report and view and interpret the various metrics within the report.

-**User activity** - This report helps you answer:

-2. From the dashboard homepage, click on the **View more** button on the Microsoft Teams apps activity card.

-You can filter all charts by the time range picker in the top right.

-This chart shows you the total number of app installs across your organization up to each date within the selected period. For example ΓÇô if you select January 28th 2022, the chart will show you the total number of installs from October 2021 up to January 28th 2022.

-

-### Platform

-This table shows you per-app view with the following metrics for each app. A subset of the metric columns are included by default, and you can select/edit the column list by clicking on **Choose columns**ΓÇ¥** in the top right.

-|**Metric**|**Definition**|**Included by default?**|

-|:--|:--|:--|

-|||

-|App ID <br/> |The external App identifier present in the app manifest. <br/> |Yes |

-|Last used date <br/> |The date when that app was last used by anyone in your organization. <br/> |Yes |

-|Teams using this app <br/> |The number of distinct Teams teams that have at least one user using this app. <br/> |Yes |

-|Users using this app <br/> |The number of distinct users in your organization that are using this app. <br/> |Yes |

-|Used on Windows <br/> | This indicates whether that app has been used on Windows by at least one user in your organization. <br/> |Yes |

-|Used on Mobile <br/> |This indicates whether that app has been used on Mobile by at least one user in your organization. <br/> |Yes |

-|Used on Web <br/> | This indicates whether that app has been used on Web by at least one user in your organization. <br/> |Yes |

-|Used on Mac <br/> |The number of ad hoc meetings a user organized during the specified time period. <br/>|No |

-|App name <br/> |The Name of this application as present in the app manifest. <br/>|No |

-|Publisher <br/> |The publisher of this application as present in the app manifest. This is only available for apps published to the global Store. <br/>|No |

-|||

-You can view the **user activity** in the Teams app usage report by choosing the **User activity** tab. <br/>

-You can filter all charts by the time range picker in the top right.

-This chart shows you the total number of unique users that have installed an app up to each date within the selected period. For example ΓÇô if you select January 28th 2022 the chart will show you the total number of users from October 2021 up to January 28th 2022.

-This chart shows you the number of unique users that have used any app on each date within the selected period. For example ΓÇô if you select January 28th, the chart will show you the total number of users on January 28th.

-### Platform

-This chart shows you the number of apps used across your organization by platform for the selected period. Available platforms are Windows, Mac, Mobile (across iOS and Android), and Web.

-

-This table shows you per-user view with the following metrics for each app. A subset of the metric columns are included by default, and you can select/edit the column list by clicking on **Choose columns** in the top right.

-|**Metric**|**Definition**|**Included by default?**|

-|:--|:--|:--|

-||||

-|User name <br/> |The User name for a unique user. Value is concealed by default. <br/> |Yes |

-|Apps installed <br/> |The number of unique apps (across Store and custom) that the user has installed. <br/> |Yes |

-|Apps used <br/> |The number of unique apps (across Store and custom) that the user has opened and/or used. <br/> |Yes |

-|Apps used in a Team <br/> |The number of unique apps (across Store and custom) that the user has opened and/or used in a Teams Team. <br/> |Yes |

-|Used on Windows <br/> | This indicates whether that user has used any app on Windows. <br/> |Yes |

-|Used on Mobile <br/> |This indicates whether that user has used any app on Mobile (iOS or Android). <br/> |Yes |

-|Used on Web <br/> | This indicates whether that user has used any app on Web. <br/> |Yes |

-|Used on Mac <br/> |This indicates whether that user has used any app on Mac. <br/>|No |

-|||

-

-For more information, seeΓÇ»[assign licenses to users](../manage/assign-licenses-to-users.md).

-To learn more, see [About admin roles](../add-users/about-admin-roles.md) andΓÇ»[Assign admin roles](../add-users/assign-admin-roles.md).

-Chinese and English phone support: Monday through Friday, 9 AM-9 PM\

-> [!TIP]

-The labels are ordered for evaluation according to their position that you specify in the policy: The label positioned first has the lowest position (least sensitive) and the label positioned last has the highest position (most sensitive). For more information on priority, see [Label priority (order matters)](sensitivity-labels.md#label-priority-order-matters).

-|Automatically applied or default label from policy, lower priority |Word, Excel, PowerPoint: Yes <br /><br> Outlook: Yes | SharePoint and OneDrive: Yes <br /><br> Exchange: Yes |

-> Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

->[!IMPORTANT]

->Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

->[!IMPORTANT]

->Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

->[!IMPORTANT]

->Using PowerShell to create and manage communication compliance policies isn't supported. To create and manage these policies, you must use the policy management controls in the [communication compliance solution](https://compliance.microsoft.com/supervisoryreview).

->[!TIP]

->Want to see an in-depth walkthrough of setting up a new communication compliance policy and remediating an alert? Check out [this 15-minute video](/microsoft-365/compliance/communication-compliance-plan#creating-a-communication-compliance-policy-walkthrough) to see a demonstration of how communication compliance policies can help you detect potentially inappropriate messages, investigate potential violations, and remediate compliance issues.

->[!IMPORTANT]

->Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

->[!IMPORTANT]

->Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

-> Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to ensure user-level privacy.

-User reported messages from Teams chats are the only messages processed by the User-reported message policy and only the assigned reviewers for the policy can be modified. All other policy properties aren't editable. When the policy is created, the initial reviewers assigned to the policy are all members of the *Communication Compliance Admins* role group (if populated with at least one user) or all members of your organization's *Global Admin* role group. The policy creator is a randomly selected user from the *Communication Compliance Admins* role group (if populated with at least one user) or a randomly selected user from your organization's *Global Admin* role group.

-The *Report a concern* option is enabled by default and can be controlled via Teams messaging policies in the [Teams Admin Center](/microsoftteams/manage-teams-in-modern-portal). Users in your organization will automatically get the global policy, unless you create and assign a custom policy. Edit the settings in the global policy or create and assign one or more custom policies to turn on or turn off the *Report a concern* option. To learn more, see [Manage messaging policies in Teams](/microsoftteams/messaging-policies-in-teams).

-When configured for an insider risk management disgruntlement policy, a dedicated policy named *Disgruntlement in messages - (date created)* is created in communication compliance and automatically includes all organization users in the policy. This policy starts detecting disgruntlement behavior in messages by using the built-in [Threat, Harassment, and Discrimination classifiers](#classifiers) and automatically sends these signals to insider risk management. If needed, this policy can be edited to update the scope of included users and the policy conditions and classifiers.

-[Built-in trainable and global classifiers](/microsoft-365/compliance/classifier-learn-about) inspect sent or received messages across all communication channels in your organization for different types of compliance issues. Classifiers use a combination of artificial intelligence and keywords to identify language in messages likely to violate anti-harassment policies.

-| **Corporate sabotage (preview)** | Detects messages that may mention acts to damage or destroy corporate assets or property. This classifier can help customers manage regulatory compliance obligations such as NERC Critical Infrastructure Protection standards or state by state regulations like Chapter 9.05 RCW in Washington state. |

-| **Customer complaints (preview)** | Detects messages that may suggest customer complaints made on your organization's products or services, as required by law for regulated industries. This classifier can help customers manage regulatory compliance obligations such as FINRA Rule 4530, FINRA 4513, FINRA 2111, Consumer Financial Protection Bureau, Code of Federal Regulations Title 21: Food and Drugs, and the Federal Trade Commission Act. |

-| **Gifts & entertainment (preview)** | Detects messages that may suggest exchanging gifts or entertainment in return for service, which violates regulations related to bribery. This classifier can help customers manage regulatory compliance obligations such as Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and FINRA Rule 2320. |

-| **Unauthorized disclosure (preview)** | Detects sharing of information containing content that is explicitly designated as confidential or internal to unauthorized individuals. This classifier can help customers manage regulatory compliance obligations such as FINRA Rule 2010 and SEC Rule 10b-5. |

-| **Message is received from any of these domains** <br><br> **Message is not received from any of these domains** | Apply the policy to include or exclude specific domains in received messages. Enter each domain and separate multiple domains with a comma. Each domain entered is applied separately, only one domain must apply for the policy to apply to the message. If you want to use **Message is received from any of these domains** to look for messages from specific emails address you need to combine this with another condition like **Message contains any of these words** or **Content matches any of these classifiers** or you might get unexpected results. <br><br> If you want to scan all email from a specific domain, but want to exclude messages that don't need review (newsletters, announcements, and so on), you must configure a **Message is not received from any of these domains** condition that excludes the email address (example newsletter@contoso.com). |

-| **Message is sent to any of these domains** <br><br> **Message is not sent to any of these domains** | Apply the policy to include or exclude specific domains in sent messages. Enter each domain and separate multiple domains with a comma. Each domain is applied separately, only one domain must apply for the policy to apply to the message. <br><br> If you want to exclude all emails sent to two specific domains, you'd configure the **Message is not sent to any of these domains** condition with the two domains (example 'contoso.com,wingtiptoys.com'). |

-| **Message is classified with any of these labels** <br><br> **Message is not classified with any of these labels** | To apply the policy when certain retention labels are included or excluded in a message. Retention labels must be configured separately and configured labels are chosen as part of this condition. Each label you choose is applied separately (only one of these labels must apply for the policy to apply to the message). For more information about retention labels, see [Learn about retention policies and retention labels](/microsoft-365/compliance/retention).|

-| **Message contains any of these words** <br><br> **Message contains none of these words** | To apply the policy when certain words or phrases are included or excluded in a message, enter each word separated with a comma. For phrases of two words or more, use quotation marks around the phrase. Each word or phrase you enter is applied separately (only one word must apply for the policy to apply to the message). For more information about entering words or phrases, see the next section [Matching words and phrases to emails or attachments](#matching-words-and-phrases-to-emails-or-attachments).|

-| **Attachment contains any of these words** <br><br> **Attachment contains none of these words** | To apply the policy when certain words or phrases are included or excluded in a message attachment (such as a Word document), enter each word separated with a comma. For phrases of two words or more, use quotation marks around the phrase. Each word or phrase you enter is applied separately (only one word must apply for the policy to apply to the attachment). For more information about entering words or phrases, see the next section [Matching words and phrases to emails or attachments](#matching-words-and-phrases-to-emails-or-attachments).|

-| **Attachment is any of these file types** <br><br> **Attachment is none of these file types** | To supervise communications that include or exclude specific types of attachments, enter the file extensions (such as .exe or .pdf). If you want to include or exclude multiple file extensions, enter file types separated by a comma (example *.exe,.pdf,.zip*). Only one attachment extension must match for the policy to apply.|

-| **Message size is larger than** <br><br> **Message size is not larger than** | To review messages based on a certain size, use these conditions to specify the maximum or minimum size a message can be before it's subject to review. For example, if you specify **Message size is larger than** \> **1.0 MB**, all messages that are 1.01 MB and larger are subject to review. You can choose bytes, kilobytes, megabytes, or gigabytes for this condition.|

-| **Attachment is larger than** <br><br> **Attachment is not larger than** | To review messages based on the size of their attachments, specify the maximum or minimum size an attachment can be before the message and its attachments are subject to review. For example, if you specify **Attachment is larger than** \> **2.0 MB**, all messages with attachments 2.01 MB and over are subject to review. You can choose bytes, kilobytes, megabytes, or gigabytes for this condition.|

->[!IMPORTANT]

->Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

->[!IMPORTANT]

->Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

-A common need for organizations is to integrate communication compliance alerts and their SIEM solutions. With this integration, organizations can view communication compliance alerts in their SIEM solution and then remediate alerts within the communication compliance workflow and user experience.

-| Policy detecting potentially inappropriate language | { <br> CreationTime: 2022-09-17T23:44:35 <br> ID: e0ef6f54-9a52-4e4c-9584-08d97a351ad0 <br> IsPolicyHit: true <br> ObjectId: <BN6PR05MB3571AD9FBB85C4E12C1F66B4CCDD9@BN6PR05MB3571.namprd05.prod.outlook.com> <br> Operation: SupervisionRuleMatch <br> OrganizationId: d6a06676-95e8-4632-b949-44bc00f0793f <br> RecordType: 68 <br> ResultStatus: {"ItemClass":"IPM.Yammer.Message","CcsiResults":""} <br> SRPolicyMatchDetails: { [+] } <br> UserId: user1@contoso.com <br> UserKey: SupervisionStoreDeliveryAgent <br> UserType: 0 <br> Version: 1 <br> } |

->[!IMPORTANT]

->Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

-> Microsoft Purview Communication Compliance provides the tools to help organizations detect regulatory compliance violations (for example SEC or FINRA), such as sensitive or confidential information, harassing or threatening language, and sharing of adult content. Built with privacy by design, usernames are pseudonymized by default, role-based access controls are built in, investigators are opted in by an admin, and audit logs are in place to help ensure user-level privacy.

-| Data leaks by disgruntled users | Job level changes, Performance reviews, Performance improvement plans|

-| Security policy violations by disgruntled users| Job level changes, Performance reviews, Performance improvement plans |

-14. If you've selected the *Data leaks by disgruntled users* or *Security policy violations by disgruntled users* templates, you'll see options on the **Triggers for this policy** page for integration with communication compliance and HR data connector events. You have the choice to assign risk scores when users send messages that contain potentially threatening, harassing, or discriminatory language or to bring users into the the policy scope after disgruntlement events are reported in your HR system. If you select the **Disgruntlement triggers from communication compliance (preview)** option, you can accept the default communication compliance policy (automatically created), choose a previously created policy scope for this trigger, or create another scoped policy. If you select **HR data connector events**, you must configure a HR data connector for your organization.

-### Data leaks by disgruntled users (preview)

-When users experience employment stressors, they may become disgruntled, which may increase the chances of insider risk activity. This template starts scoring user activity when an indicator associated with disgruntlement is identified. Examples may include performance improvement notifications, poor performance reviews, changes to job level status, or email and other messages that may signal disgruntlement. Data leaks for disgruntled users may include downloading files from SharePoint Online and copying data to personal cloud messaging and storage services.

-When using this template, you must either configure a HR connector, select the option to [integrate communication compliance disgruntlement signals](/microsoft-365/compliance/communication-compliance-policies#policy-for-insider-risk-management-integration-preview) from user messages, or choose both. The HR connector enables the periodic import of performance improvement notifications, poor performance review statuses, or job level change information for users in your organization. Communication compliance disgruntlement integration imports signals for user messages that may contain potentially threatening, harassing, or discriminatory text content. Associated alerts generated in Communication Compliance do not need to be triaged, remediated, or changed in status to be integrated with the insider risk management policy.

-You'll need to have Microsoft Defender for Endpoint configured in your organization and enable Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features#share-endpoint-alerts-with-microsoft-compliance-center).

-### Security policy violations by disgruntled users (preview)

-Users that experience employment stressors may be at a higher risk for inadvertent or malicious security policy violations. These stressors may result in behaviors that result in the user being placed on a performance improvement plan, a poor performance review status, being demoted from their current position, or the user sending email and other messages that may signal disgruntlement. This policy template starts risk scoring based on these indicators and activities associated with these events for these users.

-When using this template, you must configure a HR connector, or select the option to [integrate communication compliance disgruntlement signals](/microsoft-365/compliance/communication-compliance-policies#policy-for-insider-risk-management-integration-preview) from user messages, or both. The HR connector enables the periodic import of performance improvement notifications, poor performance review statuses, or job level change information for users in your organization. Communication compliance disgruntlement integration imports signals for user messages that may contain potentially threatening, harassing, or discriminatory text content. Associated alerts generated in communication compliance do not need to be triaged, remediated, or changed in status to be integrated with the insider risk management policy. To configure a HR connector, see the [Import data with the HR connector](import-hr-data.md) article. To configure integration with communication compliance, you'll select this option in wizard when you configure the policy.

-| **Data leaks by disgruntled users** | - Performance improvement, poor performance, or job level change indicators from HR connector. <br> - Messages containing potentially threatening, harassing, or discriminatory language | Microsoft 365 HR connector configured for disgruntlement indicators <br><br> AND/OR <br><br> Communication Compliance integration and dedicated disgruntlement policy |

-| **Security policy violations by disgruntled user** | - Performance improvement, poor performance, or job level change indicators from HR connector. <br> - Messages containing potentially threatening, harassing, or discriminatory language | Microsoft 365 HR connector configured for disgruntlement indicators <br><br> AND/OR <br><br> Communication Compliance integration and dedicated disgruntlement policy <br><br> AND <br><br> Active Microsoft Defender for Endpoint subscription <br><br> Microsoft Defender for Endpoint integration with Microsoft Purview compliance portal configured |

-|**HR connector isn't configured or working as expected**|- Data theft by departing user <br> - Security policy violations by departing user <br> - Data leaks by disgruntled users <br> - Security policy violations by disgruntled users|There's an issue with the HR connector. <br><br> 1. If you're using an HR connector, check that your HR connector is sending correct data <br><br> OR <br><br> 2. Select the Azure AD account deleted triggering event.|

-|**No devices are onboarded**|- Data theft by departing users <br> - General data leaks <br> - Data leaks by disgruntled users <br> - Data Leaks by priority users|Device indicators are selected but there aren't any devices onboarded to the compliance portal <br><br> Check whether devices are onboarded and meet requirements.|

-|**HR connector hasn't uploaded data recently**|- Data theft by departing user <br> - Security policy violations by departing user <br> - Data leaks by disgruntled users <br> - Security policy violations by disgruntled users|HR connector hasn't imported data in more than 7 days. <br><br> Check that your HR connector is configured correctly and sending data.|

-|**We're unable to check the status of your HR connector right now, please check again later**|- Data theft by departing user <br> - Security policy violations by departing user <br> - Data leaks by disgruntled users <br> - Security policy violations by disgruntled users|The insider risk management solution is unable to check the status of your HR connector. <br><br> Check that your HR connector is configured correctly and sending data, or come back and check the policy status.|

-|**Your organization doesn't have a Microsoft Defender for Endpoint subscription**|- General security policy violations <br> - Security policy violations by departing users <br> - Security policy violations by disgruntled users <br> - Security policy violations by priority users|An active Microsoft Defender for Endpoint subscription wasn't detected for your organization. <br><br> Until a Microsoft Defender for Endpoint subscription is added, these policies won't assign risk scores to user activity.|

-|**Microsoft Defender for Endpoint alerts aren't being shared with the compliance portal**|- General security policy violations <br> - Security policy violations by departing users <br> - Security policy violations by disgruntled users <br> - Security policy violations by priority users|Microsoft Defender for Endpoint alerts aren't being shared with the compliance portal. <br><br> Configure sharing of Microsoft Defender for Endpoint alerts.|

-|Data leak by disgruntled users|7,500|

-|Security policy violations by disgruntled users|7,500|

-14. If you've selected the *Data leaks by disgruntled users* or *Security policy violations by disgruntled users* templates, you'll see options on the **Triggers for this policy** page for integration with communication compliance and HR data connector events. You have the choice to assign risk scores when users send messages that contain potentially threatening, harassing, or discriminatory language or to bring users into the the policy scope after disgruntlement events are reported in your HR system. If you select the **Disgruntlement triggers from communication compliance (preview)** option, you can accept the default communication compliance policy (automatically created), choose a previously created policy scope for this trigger, or create another scoped policy. If you select **HR data connector events**, you must configure a HR data connector for your organization.

-14. If you've selected the *Data leaks by disgruntled users* or *Security policy violations by disgruntled users* templates, you'll see options on the **Triggers for this policy** page for [integration with communication compliance](/microsoft-365/compliance/communication-compliance-policies#policy-for-insider-risk-management-integration-preview) and HR data connector events. You have the choice to assign risk scores when users send messages that contain potentially threatening, harassing, or discriminatory language or to bring users into the the policy scope after disgruntlement events are reported in your HR system. If you select the **Disgruntlement triggers from communication compliance (preview)** option, you can accept the default communication compliance policy (automatically created), choose a previously created policy scope for this trigger, or create another scoped policy. If you select **HR data connector events**, you must configure a HR data connector for your organization.

-By excluding sensitive info types, you can specify which types map to indicators and triggers involving file-related activities for Endpoint, SharePoint, Teams, OneDrive, and Exchange. For those files that contain any sensitive info types identified here, they will be risk scored but not shown as activities involving content related to sensitive info types. For a complete list, see [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md).

-You can select the sensitive info types to be excluded from the list of all available (out-of-box and custom) types available in the tenant. Insider risk management excludes several sensitive info types by default, such as ABA Routing Number. You can choose up to 100 sensitive info types to be excluded.

-### Actions and behaviors by disgruntled users (preview)

-description: "Learn about email and document properties that you can search by using the eDiscovery search tools in Microsoft 365."

-|Folderid|The folder ID (GUID) of a specific mailbox folder. If you use this property, be sure to search the mailbox that the specified folder is located in. Only the specified folder will be searched. Any subfolders in the folder won't be searched. To search subfolders, you need to use the *Folderid* property for the subfolder you want to search. <p> For more information about searching for the *Folderid* property and using a script to obtain the folder IDs for a specific mailbox, see [Use Content search for targeted collections](use-content-search-for-targeted-collections.md).|`folderid:4D6DD7F943C29041A65787E30F02AD1F00000000013A0000` <p> `folderid:2370FB455F82FC44BE31397F47B632A70000000001160000 AND participants:garthf@contoso.com`|The first example returns all items in the specified mailbox folder. The second example returns all items in the specified mailbox folder that were sent or received by *garthf@contoso.com*.|

-A single tenant can have a maximum of 10,000 policies (any configuration). This maximum number includes the different policies for retention, and other policies for compliance such as policies for DLP, information barriers, eDiscovery holds, Litigation holds, In-Place Holds, and sensitivity labels. However, this maximum excludes:

-> These maximum numbers for Exchange and SharePoint are not exclusive to retention but are shared with other types of hold policies that include eDiscovery holds, Litigation holds, and In-Place Holds.

-The ordering of sublabels is used with [auto-labeling policies](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-policies-for-sharepoint-onedrive-and-exchange), though. When you configure more than one auto-labeling policy for the same location, multiple matches can result for more than one label. To determine the label to apply, the label ordering is used even with sublabels: The last sensitive label is selected, and then if applicable, the last sublabel.

-The service advisories for eDiscovery throttling inform admins about their tenant being throttled due to number of Search and Export jobs exceeding the limit set by Microsoft. Various limits are applied to eDiscovery search tools in the [Microsoft Purview](/compliance/index.yml) compliance portal. This includes searches run on the [Content Search](/compliance/search-for-content) page and searches that are associated with an eDiscovery case on the [eDiscovery (Standard)](/compliance/get-started-core-ediscovery) page. These limits help to maintain the health and quality of services provided to organizations. These advisories provide awareness so that you can take these limits into consideration when planning, running, and troubleshooting eDiscovery searches and exports.

-For limits related to the Microsoft Purview eDiscovery (Standard) tool, see [Limits for Content search and eDiscovery (Standard) in the compliance center](/compliance/limits-for-content-search?viewFallbackFrom=o365-worldwide%20for%20service%20limits).

- >[!IMPORTANT]

- >If **Admin Consent** isn't accepted, the next step will give you an error, and you'll have to wait an hour before you can continue.

- 1. Paste the `ToolOIDCLaunchRedirectUri` value into the **Redirect URLs** field.

- >[!IMPORTANT]

-Users will see a generic link icon rather than a OneDrive cloud icon. The name shown in the menu will be the name provided in the app's LTI link settings.

-The OneDrive LTI FilePicker looks at the LTI language setting parameter passed from the LMS, and (as backup) the browser setting (since the former is an optional claim) to determine the language to use.

->[!NOTE]

->Network Protection on Microsoft Defender for Endpoint is now in public preview. The following information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

-Network protection in Microsoft Defender for endpoint is enabled by default. Admins can use the following steps to **configure Network protection in Android devices.**

-1. In Settings page, select **'Use configuration designer'** and add **'Enable Network Protection in Microsoft Defender'** as the key and value as **'0'** to disable Network Protection. (Network protection is enabled by default)

- To establish trust for the root CAs use **'Trusted CA certificate list for Network Protection (Preview)'** as the key and in value add the **'comma separated list of certificate thumbprints'**.

- > [!div class="mx-imgBorder"]

-1. For other configurations related to Network protection, add the following keys and appropriate corresponding value.

- |Enable Network Protection Privacy|1 - Enable , 0 - Disable ; This setting is managed by IT admins to enable or disable privacy in network protection.|

- |Enable Users to Trust Networks and Certificates|1 - Enable , 0 - Disable ; This setting is used by IT admins to enable or disable the end user in-app experience to trust and untrust the unsecure and suspicious networks and malicious certificates.|

- |Automatic Remediation of Network Protection Alerts|1 - Enable , 0 - Disable ; This setting is used by IT admins to enable or disable the remediation alerts that is sent when a user performs remediation activities, such as switching to a safer Wi-Fi access points or deleting suspicious certificates detected by Defender|

-1. Add the required groups on which the policy will have to be applied. Review and create the policy.

-Network Protection on Microsoft Defender for Endpoint is now in public preview. Network protection provides protection against rogue Wi-Fi related threats, rogue hardware like pineapple devices and notifies the user if a related threat is detected. Users will also see a guided experience to connect to secure networks and change networks when they are connected to an unsecure connection.

-description: Presents methods to retrieve Microsoft Defender Antivirus device health details.

-keywords: apis, graph api, supported apis, get, device health api, Microsoft Defender for Endpoint report api microsoft defender reports api, microsoft defender for endpoint reporting api, windows defender reporting api, defender for endpoint reporting api, windows defender report api

-ms.sitesec: library

-ms.pagetype: security

-One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs for details.

-| Application | Machine.Read.All | ΓÇÿRead all machine profilesΓÇÖ |

-|Delegated (work or school account) | Machine.Read | ΓÇÿRead machine informationΓÇÖ |

-URL: GET: /api/deviceavinfo

-| Authorization | String | Bearer {token}. Required. |

-SupportsΓÇ»[OData V4 queries](https://www.odata.org/documentation/).

-GET https://api.securitycenter.microsoft.com/api/deviceavinfo

-{

- @odata.context: "https://api.securitycenter.microsoft.com/api/$metadata#DeviceAvInfo",

-"value": [{

- "id": "Sample Guid",

- "machineId": "Sample Machine Guid",

- "computerDnsName": "appblockstg1",

- "osKind": "windows",

- "osPlatform": "Windows10",

- "osVersion": "10.0.19044.1865",

- "avMode": "0",

- "avSignatureVersion": "1.371.1279.0",

- "avEngineVersion": "1.1.19428.0",

- "avPlatformVersion": "4.18.2206.108",

- "lastSeenTime": "2022-08-02T19:40:45Z",

- "quickScanResult": "Completed",

- "quickScanError": "",

- "quickScanTime": "2022-08-02T18:40:15.882Z",

- "fullScanResult": "",

- "fullScanError": "",

- "fullScanTime": null,

- "dataRefreshTimestamp": "2022-08-02T21:16:23Z",

- "avEngineUpdateTime": "2022-08-02T00:03:39Z",

- "avSignatureUpdateTime": "2022-08-02T00:03:39Z",

- "avPlatformUpdateTime": "2022-06-20T16:59:35Z",

- "avIsSignatureUpToDate": "True",

- "avIsEngineUpToDate": "True",

- "avIsPlatformUpToDate": "True",

- "avSignaturePublishTime": "2022-08-02T00:03:39Z",

- "rbacGroupName": "TVM1",

- "rbacGroupId": 4415

- },

- ...

- ]

-}

-| Application | Vulnerability.Read.All | 'Read "threat and vulnerability management" vulnerability informationΓÇÖ |

-| Delegated (work or school account) | Vulnerability.Read | 'Read "threat and vulnerability management" vulnerability informationΓÇÖ |

-GET /api/machines/InfoGatheringExport

-GET https://api-us.securitycenter.contoso.com/api/machines/InfoGatheringExport

-#### 2.6.2 Response example

- "https://tvmexportexternalprdeus.blob.core.windows.net/temp-../2022-08-02/2201/InfoGatheringExport/json/OrgId=../_RbacGroupId=../part-00055-12fc2fcd-8f56-4e09-934f-e8efe7ce74a0.c000.json.gz?sv=2020-08-04&st=2022-08-02T22%3A47%3A11Z&se=2022-08-03T01%3A47%3A11Z&sr=b&sp=r&sig=..",

-## Microsoft Defender Antivirus health tab

-*Currently up to date reporting is only available for Windows devices. Cross platform devices such as Mac and Linux are listed under ΓÇ£No data availableΓÇ¥/Unknown

-To add or remove specific types of information on the **Microsoft Defender Antivirus details** flyout, select **Customize Columns**. In **Customize Columns**, select or clear items to specify what you want included in the Microsoft Defender Antivirus details report.

-| Security intelligence publish time | Indicates MicrosoftΓÇÖs release date of the security intelligence update version on the device. Devices with a security intelligence publish time greater than seven days are considered out of date in the reports. |

-| Data refresh timestamp | Indicates when client events were last received for reporting on: AV mode, AV engine version, AV platform version, AV security intelligence version, and scan information. |

-Microsoft continually updates Microsoft Defender security intelligence to address the latest threats, and to refine detection logic. These refinements to security intelligence enhance Microsoft Defender AntivirusΓÇÖ (and other Microsoft anti-malware solutionsΓÇÖ) ability to accurately identify potential threats. This security intelligence works directly with cloud-based protection to deliver AI-enhanced, next-generation protection that is fast and powerful.

-The up-to-date cards show the up-to-date status for **Antivirus engine**, **Antivirus platform**, and **Security intelligence** update versions. There are three possible states: _Up to date_ (‘True’), _out of date_ (‘False’), and _no data available_ (‘Unknown’).

-Definitions for  _Up to date_, _out of date_, and _no data available_ are provided for each card below.

-Microsoft Defender Antivirus uses the additional criteria of ΓÇ£Signature refresh timeΓÇ¥ (the last time device communicated with up to date reports) to make up-to-date reports and determinations for engine, platform, and security intelligence updates.

-The up-to-date status is automatically marked as ΓÇ£unknownΓÇ¥ or ΓÇ£no data availableΓÇ¥ if the device hasn't communicated with reports for more than seven days (signature refresh time >7).

->*Currently up to date reporting is only available for Windows devices. Cross platform devices such as Mac and Linux are listed under ΓÇ£no data availableΓÇ¥

-| **up-to-date** | the device communicated with the Defender report event (‘Signature refresh time’) within last seven days, and the Engine or Platform version build time is within last 60 days. |

-| **out-of-date** | the device communicated with the Defender report event (‘Signature refresh time’) within last seven days, but Engine or Platform version build time is older than 60 days. |

-| **unknown (no data available)** | the device hasn't communicated with the report event (ΓÇÿSignature refresh timeΓÇÖ) for more than seven days. |

-**The general definition of ΓÇÿ_Up to date_ΓÇÖ** - The engine version on the device is the most recent engine release. The engine is _typically_ released monthly, via Windows Update (WU)). There's a three-day grace period given from the day when Windows Update (WU) is released.

-The following table lays out the possible values for up to date reports for **Antivirus Engine**. Reported Status is based on the last time reporting event was received (_signature refresh time_). If the device hasn't communicated with reports for more than seven days (signature refresh time >7 days), then the status is automatically marked as ΓÇÿUnknownΓÇÖ / ΓÇÿNo Data AvailableΓÇÖ.

-| EventΓÇÖs Last Refresh Time (also known as ΓÇ£Signature Refresh TimeΓÇ¥ in reports) | _Reported Status_: |

-For information about Manage Microsoft Defender Antivirus update versions, see:ΓÇ»[Monthly platform and engine versions](manage-updates-baselines-microsoft-defender-antivirus.md#monthly-platform-and-engine-versions)

-**The general definition of ‘Up to date’** The platform version on the device is the most recent platform release. Platform is _typically_ released monthly, via Windows Update (WU). There's a three-day grace period from the day when WU is released.

-The following table lays out the possible up to date report values for **Antivirus Platform**. Reported values are based on the last time reporting event was received (signature refresh time). If the device hasn't communicated with reports for more than seven days (signature refresh time >7 days) then the status is automatically marked as ΓÇÿUnknownΓÇÖ/ ΓÇÿNo Data AvailableΓÇÖ.

-| EventΓÇÖs Last Refresh Time (also known as ΓÇ£Signature Refresh TimeΓÇ¥ in reports) | _Reported Status_: |

-**The general definition of ΓÇÿUp to dateΓÇÖ** ΓÇô the security intelligence version on the device was written in the past 7 days.

-The following table lays out the possible up to date report values for **Security Intelligence** updates. Reported values are based on the last time reporting event was received, and the security intelligence publish time. If the device hasn't communicated with reports for more than seven days (signature refresh time >7 days), then the status is automatically marked as ΓÇÿUnknown/ No Data AvailableΓÇÖ. Otherwise, the determination is made based on whether the security intelligence publish time is within seven days.

-| EventΓÇÖs Last Refresh Time <br/> (Also known as ΓÇ£Signature Refresh TimeΓÇ¥ in reports) | Security Intelligence Publish Time | _Reported Status_: |

-| >7 days (old) | <7 days (new) | _Unknown_ |

-Microsoft Defender for Endpoint policy has precedence over Microsoft Defender Antivirus policy. In situations when Defender for Endpoint is set to **Allow**, but Microsoft Defender Antivirus is set to **Block**, the policy will default to **Allow**.

-#### Precedence for multiple active policies

-Investigate a domain to see if the devices and servers in your enterprise network have been communicating with a known malicious domain.

-You can investigate a URL or domain by using the search feature, from the incident experience (in evidence tab, or from the alert story) or by clicking on the URL or domain link from theΓÇ»**Device timeline**.

-You can see information from the following sections in the URL and domain view:

-### Domain entity

-You can pivot to the domain page from the domain details in the URL page or side panel, just click on **View domain page** link. The domain entity shows an aggregation of all the data from the URLs with the FQDN (Fully qualified domain name). For example, if one device is observed communicating with `sub.domain.tld/path1`, and another device is observed communicating with `sub.domain.tld/path2`, each URL of the above will show one device observation, and the domain will show the two device observations. In this case, a device that communicated with `othersub.domain.tld/path` won't correlate to this domain page, but to `othersub.domain.tld`.

-## URL and Domain overview

-The URL worldwide section lists the URL, a link to further details at Whois, the number of related open incidents, and the number of active alerts.

-### URL summary details

-Displays the original URL (existing URL information), with the query parameters and the application-level protocol. Below that you can find the full domain details, such as registration date, modification date and registrant contact info.

-Microsoft verdict of the URL or domain and a devices prevalence section. In this area, you can see the number of devices that communicated with the URL or domain in the last 30 days, and pivot to the first or last event in the device timeline right away. To investigate initial access or if there's still a malicious activity in your environment.

-### Incidents and alerts

-The Incident and alerts section displays a bar chart of all active alerts in incidents over the past 180 days.

-### Microsoft Verdict

-The Microsoft verdict section displays the verdict of the URL or domain from Microsoft TI library. It shows if the URL or domain is already known as phishing or malicious entity.

-### Prevalence

-The Prevalence section provides the details on the prevalence of the URL within the organization, over the last 30 days, such and trend chart – which shows the number of distinct devices that communicated with the URL or domain over a specific period of time. Below if you can find details of the first and last device observations communicated with the URL in the last 30 days, where you can pivot to the device timeline right away, to investigate initial access from the phish link, or if there’s still a malicious communication in your environment.

-## Incident and alerts

-

-The incident and alerts tab provides a list of incidents that are associated with the URL or domain. The table shown here is a filtered version of the incidents visible on the Incident queue screen, showing only incidents associated with the URL or domain, their severity, impacted assets and more.

-The incidents and alerts tab can be adjusted to show more or less information, by selecting **Customize columns** from the action menu above the column headers. The number of items displayed can also be adjusted, by selecting items per page on the same menu.

-The Devices tab provides a chronological view of all the devices that were observed for a specific URL or a domain. This tab includes a trend chart and a customizable table listing device details, such as risk level, domain and more. Beyond that, you can see the first and last event times where the device interacted with the URL or domain, and the action type of this event. Using the menu next to the device name, you can quickly pivot to the device timeline to further investigate what happened before or after the event that involved this URL or domain.

-Although the default time period is the past 30 days, you can customize this from the drop-down available at the corner of the card. The shortest range available is for prevalence over the past day, while the longest range is over the past six months.

-

-

-3. Click the search icon or press **Enter**. Details about the URL are displayed.

-

-

->[!NOTE]

->Network Protection on Microsoft Defender for Endpoint is now in public preview. The following information relates to prerelease of the product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

-Network protection in Microsoft Defender for endpoint is enabled by default. Admins can use the following steps to configure MAM support for Network protection in iOS devices.

-3. In Settings page, add 'DefenderNetworkProtectionEnable' as the key and value as 'false' to disable Network Protection. (Network protection is enabled by default)

-Network Protection on Microsoft Defender for Endpoint is now in public preview. Network protection provides protection against rogue Wi-Fi related threats, rogue hardware like pineapple devices and notifies the user if a related threat is detected. Users will also see a guided experience to connect to secure networks and change networks when they are connected to an unsecure connection.

- > Using ```--output json``` (note the double dash) ensures that the output format is ready for parsing.

- For example, the output of the command will be something like the below:

->- The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by Microsoft Customer Support Services (CSS) to collect information such as (but not limited to) IP addresses, PC names that will help troubleshoot issues you may be experiencing with Microsoft Defender for Endpoint. For more information about our privacy statement, see [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).

->- As a general best practice, it is recommended to update the [ Microsoft Defender for Endpoint agent to latest available version](mac-whatsnew.md)  and confirming that the issue still persists before investigating further.

->In case after following the above steps, the performance problem persists, please contact customer support for further instructions and mitigation.

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra

-This is a multi step process. You'll need to complete all of the following steps:

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, macos, catalina, mojave, high sierra

-keywords: device, group, microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra

-keywords: policies, microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamfpro, macos, catalina, mojave, high sierra

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, management, preferences, enterprise, intune, jamf, macos, catalina, mojave, high sierra

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, privacy, diagnostic

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, pua, pus

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, scans, antivirus

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, install

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, performance

->Before starting, please make sure that other security products are not currently running on the device. Multiple security products may conflict and impact the host performance.

-

- The output of the above is a list of the top contributors to performance issues. The first column is the process identifier (PID), the second column is te process name, and the last column is the number of scanned files, sorted by impact.

->- The Microsoft Defender for Endpoint Client Analyzer tool is regularly used by Microsoft Customer Support Services (CSS) to collect information such as (but not limited to) IP addresses, PC names that will help troubleshoot issues you may be experiencing with Microsoft Defender for Endpoint. For more information about our privacy statement, see [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement).

->- As a general best practice, it is recommended to update the [ Microsoft Defender for Endpoint agent to latest available version](linux-whatsnew.md)  and confirming that the issue still persists before investigating further.

->[!NOTE]

->In case after following the above steps, the performance problem persists, please contact customer support for further instructions and mitigation.

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, kernel, system, extensions, catalina

-In alignment with macOS evolution, we are preparing a Microsoft Defender for Endpoint on macOS update that leverages system extensions instead of kernel extensions. This update will only be applicable to macOS Catalina (10.15.4) and newer versions of macOS.

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, updates, deploy

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, macos, whatsnew

-> [!IMPORTANT]

-> This is a minimal MDE version without known issues on macOS Ventura on the day of publishing the release notes. Between now and macOS Ventura GA, Apple may still release Ventura Beta's with platform changes that impact MDE experience. Visit these release notes around Ventura GA date for the final recommended Ventura-compatible MDE version number.

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, monterey, big sur, catalina, mojave, mde for mac

-Network protection expands the scope of Microsoft Defender [SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources. The blocks on outbound HTTP(s) traffic are based on the domain or hostname.

-curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/20.04/insiders-slow.list

-sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-insiders-slow.list

-sudo apt-get install gpg

-curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -

-sudo apt-get install apt-transport-https

-sudo apt-get update

-sudo apt install -y mdatp

-sudo python3 MicrosoftDefenderATPOnboardingLinuxServer.py

-1. Turn on the ΓÇ£networkProtectionΓÇ¥ feature, edit the ΓÇ£/etc/opt/microsoft/mdatp/wdavcfgΓÇ¥ and set **networkProtection** to **enabled**.

-sudo systemctl restart mdatp

-To confirm Network Protection has successfully started, run the following command from the Terminal; verify that it prints ΓÇ£startedΓÇ¥:

-$ sudo mdatp log level set --level debug

-$ sudo tail -f /var/log/microsoft/mdatp/microsoft_defender_np_ext.logΓÇ»

-sudo systemctl restart mdatp

-Also, make sure that in **Microsoft Defender** > **Settings** > **Endpoints** > **Advanced features** that **ΓÇÿCustom network indicatorsΓÇÖ** toggle is set _enabled_.

-> The above **ΓÇÿCustom network indicatorsΓÇÖ** toggle controls **Custom Indicators** enablement **for ALL platforms with Network Protection support, including Windows. Reminder that - on Windows - for indicators to be enforced you also must have Network Protection explicitly enabled.

- > Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

-Network protection expands the scope of Microsoft 365 Defender [SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources. The blocks on outbound HTTP(s) traffic are based on the domain or hostname.

- - Web content filtering is supported with network protection for macOS.

- - If network protection is configured and active on the device, web content filtering (WCF) policies created in the MDEP Portal are respected in browsers, including Chromium Microsoft Edge for macOS. Web content filtering in Microsoft Edge on Mac currently requires network protection; other E5 feature, such as Microsoft Defender for Cloud Applications or Custom Indicators currently also require network protection.

- - Your device must be in either the External (Preview) or InsiderFast (Beta) Microsoft AutoUpdate update channel. You can check the update channel using the following command:

-mdatp health --field release_ring

-After youΓÇÖve configured your device to be in the External(preview) update channel, install the most recent product version through Microsoft AutoUpdate. To open Microsoft AutoUpdate, run the following command from the Terminal:

-Configure the product with your organization information using the instructions in our public documentation.

-To confirm that network protection has been started successfully, run the following command from the Terminal, and verify that it prints ΓÇ£startedΓÇ¥:

-A successful JAMF deployment requires a configuration profile to set the enforcement level of network protection.

-Note: If youΓÇÖve already configured Microsoft 365 Defender for Endpoint on Mac using the instructions listed here, then update the plist file you previously deployed with the content listed below and redeploy it from JAMF.

-1. In **Computers** > **Configuration Profiles**, select **Options** > **Applications & Custom Settings**

-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

-<plist version="1.0">

-<dict>

- <key>networkProtection</key>

- <dict>

- <key>enforcementLevel</key>

- <string>block</string>

- </dict>

-</dict>

-</plist>

-A successful Intune deployment requires a configuration profile to set the enforcement level of network protection.

-> If youΓÇÖve already configured Microsoft Defender for Endpoint on Mac using the instructions listed here, then update the plist file you previously deployed with the content listed below and re-deploy it from Intune.

-1. OpenΓÇ»**Manage**ΓÇ»>ΓÇ»**Device configuration**. SelectΓÇ»**Manage**ΓÇ»>ΓÇ»**Profiles**ΓÇ»>ΓÇ»**Create Profile**.

-2. Specify a name for the profile. Change **Platform=macOS** to **Profile type=Custom**. Select **Configure**.

-```xml

-<?xml version="1.0" encoding="utf-8"?>

-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

-<plist version="1">

- <dict>

- <key>PayloadUUID</key>

- <string>C4E6A782-0C8D-44AB-A025-EB893987A295</string>

- <key>PayloadType</key>

- <string>Configuration</string>

- <key>PayloadOrganization</key>

- <string>Microsoft</string>

- <key>PayloadIdentifier</key>

- <string>com.microsoft.wdav</string>

- <key>PayloadDisplayName</key>

- <string>Microsoft Defender ATP settings</string>

- <key>PayloadDescription</key>

- <string>Microsoft Defender ATP configuration settings</string>

- <key>PayloadVersion</key>

- <integer>1</integer>

- <key>PayloadEnabled</key>

- <true/>

- <key>PayloadRemovalDisallowed</key>

- <true/>

- <key>PayloadScope</key>

- <string>System</string>

- <key>PayloadContent</key>

- <array>

- <dict>

- <key>PayloadUUID</key>

- <string>99DBC2BC-3B3A-46A2-A413-C8F9BB9A7295</string>

- <key>PayloadType</key>

- <string>com.microsoft.wdav</string>

- <key>PayloadOrganization</key>

- <string>Microsoft</string>

- <key>PayloadIdentifier</key>

- <string>com.microsoft.wdav</string>

- <key>PayloadDisplayName</key>

- <string>Microsoft Defender ATP configuration settings</string>

- <key>PayloadDescription</key>

- <string/>

- <key>PayloadVersion</key>

- <integer>1</integer>

- <key>PayloadEnabled</key>

- <true/>

- <key>networkProtection</key>

- <dict>

- <key>enforcementLevel</key>

- <string>block</string>

- </dict>

- </dict>

- </array>

- </dict>

-</plist>

-```

-4. Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs OK:

-```bash

-plutil -lint com.microsoft.wdav.xml

-```

-5. Enter _com.microsoft.wdav_ as the custom configuration profile name.

-6. Open the configuration profile and upload the com.microsoft.wdav.xml file. (This file was created in step 3.)

-7. SelectΓÇ»**OK**

-8. Select **Manage** > **Assignments**. In the **Include** tab, select the devices for which you want to enable network protection.

- > Device group creation is supported in Defender for Endpoint Plan 1 and Plan 2.

-### Custom Indicators of Compromise

-> Tracking bypasses per app** ΓÇô You can track how many users have bypassed the warning in the _Application_ page in Microsoft Defender for Cloud Applications.

-For many organizations, it's important to take the cloud controls provided by Microsoft Defender for Cloud Applications, and to not only set limitations on end users when needed, but to also educate and coach them about:

-Upon facing an unexpected behavior, usersΓÇÖ confusion may be reduced by providing them as much information as possible, not only to explain about what has happened but to also educate them to be more aware the next time they choose a cloud app to complete their job. For example, this information can include:

-For this page, we recommend that your organization uses a basic SharePoint site.

-1. It can take up to two hours (typically less) for app domains to propagate and to be update in the endpoint devices, after it's marked as _Monitored_.

-2. By default, action will be taken for all apps and domains that were marked as Monitored in Microsoft Defender for Cloud Applications portal for all the onboarded endpoints in the organization.

-3. Full URLs are currently not supported and won't be sent from Microsoft Defender for Cloud Applications to Microsoft 365 Defender for Endpoint, if any full URLs are listed under Microsoft Defender for Cloud Applications monitored apps, hence, user wonΓÇÖt get warned on access attempt (for example, google.com/drive isn't supported, while drive.google.com is supported).

-The following professional services can be integrated with Microsoft DefendersΓÇÖ products:

-| Service name | Vendor | Description |

-| -- | | |

-| [Microsoft Defender Experts](https://go.microsoft.com/fwlink/?linkid=2203232)| Microsoft | Defender Experts for Hunting is a proactive threat hunting service for Microsoft 365 Defender. |

-| [Cloud Security Operations Center](https://go.microsoft.com/fwlink/?linkid=2202671) | glueckkanja-gab AG| Monitors your Microsoft Security Solutions 24/7, responds to threats on your behalf and works closely with your IT to continuously improve your security posture.|

-| [Wortell Protect](https://go.microsoft.com/fwlink/?linkid=2202480)| Wortell| Wortell offers a 24.7.365 Managed Detection and Response service, SOC-as-a-service, to secure your Azure subscriptions and Microsoft 365 environment. With this managed service, Wortell will provide security monitoring and incident response, and operate Microsoft Defender and (optionally) Microsoft Sentinel on your behalf. The service also includes threat intelligence feeds and custom machine learning models|

-| [CRITICALSTART® Managed Detection & Response Services for Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2202761)| CRITICALSTART| Critical Start Managed Detection and Response (MDR) services for Microsoft 365 Defender (M365D) extends security defenses to provide cross-domain threat protection and simplify breach prevention. Their team of Microsoft security experts leverages integration with M365D to detect, investigate and respond with the right actions to alerts from identity, to email and cloud – before they disrupt business operations.  |

-| [CRITICALSTART® Managed Detection & Response Services for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2202844)  | CRITICALSTART| Critical Start Managed Detection & Response (MDR) service for Microsoft Defender for Endpoint (MDE) simplifies security across an expanded attack surface by combining Microsoft’s cross-enterprise visibility threat detection and auto investigation capabilities with optimized threat detection and response to deliver an 80% reduction in false positives on the first day of production monitoring.  |

-| [InSpark Cloud Security Center](https://go.microsoft.com/fwlink/?linkid=2202387) | InSpark| InSparks' Cloud Security Center is a 24x7 Managed Security Solution including SOC services. It continuously provides your Microsoft cloud platform with the highest level of security.   |

-| [Mandiant MDR for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2202388)| Mandiant, Inc. | Mandiant Managed Defense protects your business with a managed detection and response (MDR) service fueled by dedicated and frontline IR experts who protect against motivated adversaries with a combination of up-to-the-minute threat intelligence, data science and real-world expertise. Managed Defense helps customers optimize investments in Microsoft technology, maximize resources and accelerate investigations. |

-| [Onevinn MDR](https://go.microsoft.com/fwlink/?linkid=2202390) | Onevinn| Onevinn MDR, Managed Detection and Response, built on Microsoft Defender and Microsoft Sentinel is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. |

-| [SepagoSOC](https://go.microsoft.com/fwlink/?linkid=2202677) | Sepago GmbH  | SepagoSOC experts ensure that your environment is constantly monitored and protected utilizing the complete range of Microsoft 365 Defender solutions and Microsoft Sentinel. They help you to constantly evolve your security landscape with both technical and organizational experience.|

-| [MDR for Microsoft](https://go.microsoft.com/fwlink/?linkid=2202762) | Red Canary | MDR for Microsoft provides 24x7 managed detection, investigation, and response to threats across your Microsoft environment.  |

-| [Security Operations & MDR](https://go.microsoft.com/fwlink/?linkid=2202843)  | BDO | BDO’s Security Operations Center (SOC) provides continuous detection, protection and response for organizations globally. BDO MDR is like having eyes where you don’t. It's modern technology and experts make hunting, detecting and responding one less thing to keep up with. Because they have eyes where we don’t. |

-| [DXC Managed Endpoint Threat Detection and Response](https://go.microsoft.com/fwlink/?linkid=2202580) | DXC | DXC Managed Endpoint Threat Detection and Response gives your organization the capability to successfully detect and respond to threats in your environment. It's powered by Microsoft’s Defender for Endpoint and DXC Technology security experts with unparalleled knowledge of global threats, |

-| [Managed Security Services for Microsoft Defender Suite](https://go.microsoft.com/fwlink/?linkid=2202476)  | Dell Technologies | Dell Technologies is a Global services delivery company with a distributed Security Operations Center that is available 24 by 7 to serve customers with security monitoring and management. They help onboard customers and improve their security posture and offload the burden of hiring and managing a full security team while reaping the benefits of 24 hour detection and response. |

-| [CSIS Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202385) | CSIS | Provides 24/7 monitoring and analysis of security alerts giving companies actionable insights into what, when, and how security incidents have taken place. |

-| [MDR for Endpoints](https://go.microsoft.com/fwlink/?linkid=2202676)| NTT Ltd. | MDR for Endpoints helps increase your cyber resilience with Managed Detection and Response (MDR) service. Combines 24/7 human & machine expertise, best-of-breed technologies, and global threat intelligence to detect and disrupt hard-to-find attacks, making it more secure. |

-| [BlueVoyant MDR for Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2202673) | BlueVoyant | BlueVoyantΓÇÖs MDR (Managed Detection and Response) for Microsoft 365 Defender combines the power of MicrosoftΓÇÖs Defender product suite with BlueVoyantΓÇÖs elite 24x7 security operations team to identify, investigate and eradicate todayΓÇÖs most sophisticated and advanced cyberattacks. In addition to MDR, services can include implementation, assessments, training, concierge, third party integrations, and more. |

-| [White Hat Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202391)  | White Hat IT Security| White Hat MSS offers zero trust approach to managed security on every platform – scalable and adaptive security from true experts. |

-| [eSentire Managed Detection and Response](https://go.microsoft.com/fwlink/?linkid=2202582) | eSentire| MDR you can trust that provides 24/7 threat investigations and responses via Microsoft 365 Defender suite.  |

-| [Aujas Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202672)| Aujas Cybersecurity   | Managed security services that assist organizations to detect threats early and help minimize the impact of a breach.|

-| [Expel for Microsoft](https://go.microsoft.com/fwlink/?linkid=2202477) | Expel | Provides 24/7 detection and response for Microsoft Defender for Endpoint, Azure, and Office 365.|

-| [Managed XDR for Microsoft](https://go.microsoft.com/fwlink/?linkid=2202386)  | CyberProof | CyberProof’s Managed XDR (Extended Detection and Response) for Microsoft identifies intrusions across your enterprise as you migrate to the cloud – from applications to endpoints, identities and data - enabling timely response to reduce the impact of the attack.   The combination of their human expertise and experience in security operations with Microsoft’s 365 Defender and Microsoft Sentinel technology reduces the costs and complexity of adopting and operating a cloud-native cyber defense architecture. |

-| [Taegis XDR](https://go.microsoft.com/fwlink/?linkid=2202848) | Secureworks | Taegis™ ManagedXDR is Secureworks® 24x7 managed detection and response service, which helps you detect advanced threats and take the right action. Included threat hunting and incident response capabilities help you scale your security operations as Secureworks uses threat data collected across thousands of customers to improve your security posture. Secureworks' combination of proprietary security analytics software, SecOps expertise, incident response and threat hunting experience, threat intelligence capabilities, and 20-year history of service excellence helps reduce risk to your business.  |

-| [Cloud Control - Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202678)  | The Collective| The Collective's Cloud Control Managed Protection, Detection and Response services is an enterprise grade managed service, delivering true Security Operations Center-as-a-Service (SOC) experience with a personal touch. |

-| [Nedscaper Managed XDR](https://go.microsoft.com/fwlink/?linkid=2202478) | Nedscaper | Nedscaper Manager XDR (MDR) is a Managed Detect and Respond SaaS solution, which provides 24/7 Threat Protection, continues Vulnerability Management and combined Threat Intelligence built on Azure. The Microsoft (365 & Azure) Defender products, plus any non-Microsoft / 3P Security solution, is connected to Microsoft Sentinel as the core platform for the Security analysts. |

-| [dinext. pi-SOC](https://go.microsoft.com/fwlink/?linkid=2202581)| dinext AG | Through a close integration of deployment support, security operations and consulting in hardening and architectural improvements, dinext AG accompanies customers holistically on their way to a modern security environment. |

-| [Synergy Advisors Teams App](https://go.microsoft.com/fwlink/?linkid=2202392)| Synergy Advisors LLC | E-Visor Teams App is a centralized place to involve and empower your end-users in the security and productivity of the organization by presenting unique information using data from Microsoft Defenders and Azure Active Directory while ensuring identity governance, and compliance. |

-| [Managed Microsoft XDR](https://go.microsoft.com/fwlink/?linkid=2202846) | Quorum Cyber | Quorum Cyber’s Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security. |

-|[SecureShield365](https://go.microsoft.com/fwlink/?linkid=2209718)| Patriot Consulting | SecureShield365 includes a full deployment of all Microsoft 365 Defender products including Intune plus 12 months of support. Microsoft XDR including Sentinel, Defender for Cloud, and MDR are available options.|

-|[Open Systems MDR+](https://go.microsoft.com/fwlink/?linkid=2208895) | Open Systems| Built for Microsoft security customers, MDR+ combines certified experts, exemplary processes, and seamless technology to deliver tailored, 24×7 protection while reducing attack surfaces and MTTR.|

-| Service name | Vendor| Description|

-| -| | |

-| [Microsoft Detection and Response Team (DART)](https://go.microsoft.com/fwlink/?linkid=2203105) | Microsoft | The Cybersecurity Incident Response service is an effective way to respond to incidents due to the activities of todayΓÇÖs adversaries and sophisticated criminal organizations. This service seeks to determine whether systems are under targeted exploitation via investigation for signs of advanced implants and anomalous behavior. |

-| [Managed Microsoft XDR](https://go.microsoft.com/fwlink/?linkid=2202846)| Quorum Cyber| Quorum CyberΓÇÖs Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security. |

-| [Trustwave MDR](https://go.microsoft.com/fwlink/?linkid=2202849)| Trustwave | Trustwave offers a security service (Gartner Leader) for endpoint using Microsoft Defender for Endpoint. |

-| [Active Remediation](https://go.microsoft.com/fwlink/?linkid=) | Red Canary | Red Canary security experts respond to remediate threats on your endpoints, 24x7. Requires Red Canary MDR for Microsoft. |

-| [Onevinn DFIR](https://go.microsoft.com/fwlink/?linkid=2202584)  | Onevinn| Onevinn DFIR, Digital Defense and Incident Response team, when you're having a breach and you need urgent assistance to gain back control of your IT Environment. |

-| [Cloud Security Operations Center](https://go.microsoft.com/fwlink/?linkid=2202671) | glueckkanja-gab AG| Monitors your Microsoft Security Solutions 24/7, respond to threats on your behalf and work closely with your IT to continuously improve your security posture.|

-| [Wortell Protect](https://go.microsoft.com/fwlink/?linkid=2202480) | Wortell| Wortell offers a 24.7.365 Managed Detection and Response service, SOC-as-a-service, to secure your Azure subscriptions and Microsoft 365 environment. With this managed service, Wortell will provide security monitoring and incident response, and operate Microsoft Defender and (optionally) Microsoft Sentinel on your behalf. The service also includes threat intelligence feeds and custom machine learning models |

-| [InSpark Cloud Security Center](https://go.microsoft.com/fwlink/?linkid=2202387) | InSpark| InSparks' Cloud Security Center is a 24x7 Managed Security Solution including SOC services. It continuously provides your Microsoft cloud platform with the highest level of security. |

-| [Mandiant MDR for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2202388)| Mandiant, Inc. | Mandiant Managed Defense protects your business with a managed detection and response (MDR) service fueled by dedicated and frontline IR experts who protect against motivated adversaries with a combination of up-to-the-minute threat intelligence, data science and real-world expertise. Managed Defense helps customers optimize investments in Microsoft technology, maximize resources and accelerate investigations. |

-| [Onevinn MDR](https://go.microsoft.com/fwlink/?linkid=2202390) | Onevinn| Onevinn MDR, Managed Detection and Response, built on Microsoft Defender and Microsoft Sentinel is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. |

-| [MDR for Microsoft](https://go.microsoft.com/fwlink/?linkid=2202762) | Red Canary | 24x7 managed detection, investigation, and response to threats across your Microsoft environment.|

-| [Security Operations & MDR](https://go.microsoft.com/fwlink/?linkid=2202843) | BDO | BDO’s Security Operations Center (SOC) provides continuous detection, protection and response for organizations globally. BDO MDR is like having eyes where you don’t. It's modern technology and experts make hunting, detecting and responding one less thing to keep up with. Because they have eyes where we don’t.  |

-| [DXC Managed Endpoint Threat Detection and Response](https://go.microsoft.com/fwlink/?linkid=2202580) | DXC | DXC Managed Endpoint Threat Detection and Response gives your organization the capability to successfully detect and respond to threats in your environment. Powered by Microsoft’s Defender for Endpoint and DXC Technology security experts with unparalleled knowledge of global threats,  |

-| [Managed Security Services for Microsoft Defender Suite](https://go.microsoft.com/fwlink/?linkid=2202476)  | Dell Technologies | Dell Technologies is a Global services delivery company with a distributed Security Operations Center that is available 24/7 to serve customers with security monitoring and management. They help onboard customers and improve their security posture and offload the burden of hiring and managing a full security team while reaping the benefits of 24 hour detection and response.|

-| [CSIS Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202385) | CSIS | 24/7 monitoring and analysis of security alerts giving companies actionable insights into what, when, and how security incidents have taken place. |

-| [MDR for Endpoints](https://go.microsoft.com/fwlink/?linkid=2202676)  | NTT Ltd. | Increase your cyber resilience with Managed Detection and Response (MDR) service. Combining 24/7 human & machine expertise, best-of-breed technologies, and global threat intelligence to detect and disrupt hard-to-find attacks, making you more secure. |

-| [BlueVoyant MDR for Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2202673) | BlueVoyant | BlueVoyantΓÇÖs MDR (Managed Detection and Response) for Microsoft 365 Defender combines the power of MicrosoftΓÇÖs Defender product suite with BlueVoyantΓÇÖs elite 24x7 security operations team to identify, investigate and eradicate todayΓÇÖs most sophisticated and advanced cyberattacks. In addition to MDR, services can include implementation, assessments, training, concierge, third party integrations, and more. |

-| [White Hat Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202391)  | White Hat IT Security| White Hat MSS offers zero trust approach to managed security on every platform – scalable and adaptive security from true experts.|

-| [eSentire Managed Detection and Response](https://go.microsoft.com/fwlink/?linkid=2202582)| eSentire | MDR you can trust that provides 24/7 threat investigations and responses via Microsoft 365 Defender suite.  |

-| [Aujas Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202672)| Aujas Cybersecurity   | Managed security services that assist organisations to detect threats early and help minimize the impact of a breach. |

-| [Accenture Managed Extended Detection & Response (MxDR)](https://go.microsoft.com/fwlink/?linkid=2202842)  | Accenture | Accenture's Managed Extended Detection & Response (MxDR) service provides a fully managed service that proactively finds and mitigates advanced cyber-attacks and malicious activity before they cause material business impact across IT and OT environments, both in the cloud and on-premises. |

-| [Taegis XDR](https://go.microsoft.com/fwlink/?linkid=2202848)  | Secureworks | Taegis™ ManagedXDR is Secureworks® 24x7 managed detection and response service, which helps you detect advanced threats and take the right action. Included threat hunting and incident response capabilities help you scale your security operations as Secureworks uses threat data collected across thousands of customers to improve your security posture. Secureworks' combination of proprietary security analytics software, SecOps expertise, incident response and threat hunting experience, threat intelligence capabilities, and 20-year history of service excellence helps reduce risk to your business.  |

-| [Cloud Control - Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202678)  | The Collective | The Collective's Cloud Control Managed Protection, Detection and Response services is an enterprise grade managed service, delivering true Security Operations Center-as-a-Service (SOC) experience with a personal touch. |

-| [dinext. pi-SOC](https://go.microsoft.com/fwlink/?linkid=2202581) | dinext AG | Through a close integration of deployment support, security operations and consulting in hardening and architectural improvements, dinext AG accompanies customers holistically on their way to a modern security environment. |

-| [Synergy Advisors Teams App](https://go.microsoft.com/fwlink/?linkid=2202392) | Synergy Advisors LLC | E-Visor Teams App is a centralized place to involve and empower your end-users in the security and productivity of the organization by presenting unique information using data from Microsoft Defenders and Azure Active Directory while ensuring identity governance, and compliance.  |

-| [SepagoSOC](https://go.microsoft.com/fwlink/?linkid=2202677)| Sepago GmbH  | SepagoSOC experts ensure that your environment is constantly monitored and protected utilizing the complete range of Microsoft 365 Defender solutions and Microsoft Sentinel. They help you to constantly evolve your security landscape with both technical and organizational experience.|

-|[SecureShield365](https://go.microsoft.com/fwlink/?linkid=2209718)| Patriot Consulting | SecureShield365 includes a full deployment of all Microsoft 365 Defender products including Intune plus 12 months of support. Microsoft XDR including Sentinel, Defender for Cloud, and MDR are available options.|

-|[Open Systems MDR+](https://go.microsoft.com/fwlink/?linkid=2208895) | Open Systems| Built for Microsoft security customers, MDR+ combines certified experts, exemplary processes, and seamless technology to deliver tailored, 24×7 protection while reducing attack surfaces and MTTR.|

-Protect your organization proactively by evaluating your organizationΓÇÖs ability to effectively prevent, detect, and respond to cyber threats before they disrupt your business.

-| Service name | Vendor| Description|

-| - | - | -- |

-| [Microsoft Defender Experts](https://go.microsoft.com/fwlink/?linkid=2203232) | Microsoft | Defender Experts for Hunting is a proactive threat hunting service for Microsoft 365 Defender.|

-| [Microsoft Consulting Services - Security Operations and Threat Protection Services](https://www.microsoft.com/en-us/industrysolutions/solutions/security?activetab=pivot1:primaryr4) | Microsoft | The Microsoft Consulting Services (MCS) Security Operations and Threat Protection Services (SOTPS), provides a structured approach to modern Security Operations Center (SOC) design and implementation using effective change management techniques so your security professionals can detect attacks faster and respond more effectively. |

-| [Onevinn Threat Hunting](https://go.microsoft.com/fwlink/?linkid=2202584)  | Onevinn| If your Internal SOC needs an extra pair of eyes looking for threats, Onevinn´s Threat Hunters can be purchased as your extended hunting team.  |

-| [Microsoft 365 Security Assessment](https://go.microsoft.com/fwlink/?linkid=2202389)  | Nedscaper | The Microsoft 365 Security assessment provides a risk-based approach to scan and analyze the security baseline (prevention is better than the cure) and settings of the Microsoft 365 Security products, from Microsoft 365 E3 security products like Azure AD Conditional Access and Microsoft Endpoint Manager (Microsoft Defender Antivirus policies) to the Microsoft 365 E5 Security products like Microsoft 365 Defender, Azure AD identity Protection and Microsoft Defender for Identity, Devices, Office 365 and Cloud Apps.|

-| [Invoke Monthly Microsoft 365 Security Assessments](https://go.microsoft.com/fwlink/?linkid=2202583)  | Invoke LLC | Provides monthly detailed assessment reports of active threats, vulnerabilities active and Phishing/malware campaigns targeted on your Microsoft 365 Environment. Helps with prescribed mitigations for active threats and improvement actions for recurring threats if any. Monitor Secure score and recommendations, giving your security teams an extra set of eyes to stay on top of risks. |

-| [Cloud Security Operations Center](https://go.microsoft.com/fwlink/?linkid=2202671)| glueckkanja-gab AG| Monitors your Microsoft Security Solutions 24/7, respond to threats on your behalf and work closely with your IT to continuously improve your security posture.|

-| [Wortell Protect](https://go.microsoft.com/fwlink/?linkid=2202480) | Wortell| Wortell offers a 24.7.365 Managed Detection and Response service, SOC-as-a-service, to secure your Azure subscriptions and Microsoft 365 environment. With this managed service, Wortell will provide security monitoring and incident response, and operate Microsoft Defender and (optionally) Microsoft Sentinel on your behalf. The service also includes threat intelligence feeds and custom machine learning models |

-| [InSpark Cloud Security Center](https://go.microsoft.com/fwlink/?linkid=2202387)| InSpark| InSparks' Cloud Security Center is a 24x7 Managed Security Solution including SOC services. It continuously provides your Microsoft cloud platform with the highest level of security. |

-| [Mandiant MDR for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2202388)| Mandiant, Inc. | Mandiant Managed Defense protects your business with a managed detection and response (MDR) service fueled by dedicated and frontline IR experts who protect against motivated adversaries with a combination of up-to-the-minute threat intelligence, data science and real-world expertise. Managed Defense helps customers optimize investments in Microsoft technology, maximize resources and accelerate investigations. |

-| [Onevinn MDR](https://go.microsoft.com/fwlink/?linkid=2202390)| Onevinn| Onevinn MDR, Managed Detection and Response, built on Microsoft Defender and Microsoft Sentinel is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks. |

-| [MDR for Microsoft](https://go.microsoft.com/fwlink/?linkid=2202762)| Red Canary | 24x7 managed detection, investigation, and response to threats across your Microsoft environment.|

-| [Security Operations & MDR](https://go.microsoft.com/fwlink/?linkid=2202843) | BDO | BDO’s Security Operations Center (SOC) provides continuous detection, protection and response for organizations globally. BDO MDR is like having eyes where you don’t. It's modern technology and experts make hunting, detecting and responding one less thing to keep up with. Because they have eyes where we don’t.  |

-| [DXC Managed Endpoint Threat Detection and Response](https://go.microsoft.com/fwlink/?linkid=2202580)| DXC | DXC Managed Endpoint Threat Detection and Response gives your organization the capability to successfully detect and respond to threats in your environment. Powered by Microsoft’s Defender for Endpoint and DXC Technology security experts with unparalleled knowledge of global threats,  |

-| [Managed Security Services for Microsoft Defender Suite](https://go.microsoft.com/fwlink/?linkid=2202476) | Dell Technologies | Dell Technologies is a Global services delivery company with a distributed Security Operations Center that is available 24 by 7 to serve customers with security monitoring and management. Help onboard customers and improve their security posture and offload the burden of hiring and managing a full security team while reaping the benefits of 24 hour detection and response.|

-| [BlueVoyant MDR for Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2202673)| BlueVoyant | BlueVoyantΓÇÖs MDR (Managed Detection and Response) for Microsoft 365 Defender combines the power of MicrosoftΓÇÖs Defender product suite with BlueVoyantΓÇÖs elite 24x7 security operations team to identify, investigate and eradicate todayΓÇÖs most sophisticated and advanced cyberattacks. In addition to MDR, services can include implementation, assessments, training, concierge, third party integrations, and more. |

-| [White Hat Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202391)  | White Hat IT Security| White Hat MSS offers zero trust approach to managed security on every platform – scalable and adaptive security from true experts.|

-| [eSentire Managed Detection and Response](https://go.microsoft.com/fwlink/?linkid=2202582)  | eSentire | MDR you can trust that provides 24/7 threat investigations and responses via Microsoft 365 Defender suite.  |

-| [Aujas Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202672) | Aujas Cybersecurity   | Managed security services that assist organizations to detect threats early and help minimize the impact of a breach. |

-| [Accenture Managed Extended Detection & Response (MxDR)](https://go.microsoft.com/fwlink/?linkid=2202842) | Accenture | Accenture's Managed Extended Detection & Response (MxDR) service provides a fully managed service that proactively finds and mitigates advanced cyber-attacks and malicious activity before they cause material business impact across IT and OT environments, both in the cloud and on-premises. |

-| [Taegis XDR](https://go.microsoft.com/fwlink/?linkid=2202848)  | Secureworks | Taegis™ ManagedXDR is Secureworks® 24x7 managed detection and response service, which helps you detect advanced threats and take the right action. Included threat hunting and incident response capabilities help you scale your security operations as Secureworks uses threat data collected across thousands of customers to improve your security posture. Secureworks' combination of proprietary security analytics software, SecOps expertise, incident response and threat hunting experience, threat intelligence capabilities, and 20-year history of service excellence helps reduce risk to your business.  |

-| [Cloud Control - Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202678)  | The Collective | The Collective's Cloud Control Managed Protection, Detection and Response services is an enterprise grade managed service, delivering true Security Operations Center-as-a-Service (SOC) experience with a personal touch. |

-| [dinext. pi-SOC](https://go.microsoft.com/fwlink/?linkid=2202581) | dinext AG | Through a close integration of deployment support, security operations and consulting in hardening and architectural improvements, dinext AG accompanies customers holistically on their way to a modern security environment. |

-| [Synergy Advisors Teams App](https://go.microsoft.com/fwlink/?linkid=2202392) | Synergy Advisors LLC | E-Visor Teams App is a centralized place to involve and empower your end-users in the security and productivity of the organization by presenting unique information using data from Microsoft Defenders and Azure Active Directory while ensuring identity governance, and compliance.  |

-| [Managed Microsoft XDR](https://go.microsoft.com/fwlink/?linkid=2202846)  | Quorum Cyber| Quorum Cyber’s Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security. |

-| [SepagoSOC](https://go.microsoft.com/fwlink/?linkid=2202677)  | Sepago GmbH  | SepagoSOC experts ensure that your environment is constantly monitored and protected utilizing the complete range of Microsoft 365 Defender solutions and Microsoft Sentinel. They help you to constantly evolve your security landscape with both technical and organizational experience.|

-|[SecureShield365](https://go.microsoft.com/fwlink/?linkid=2209718)| Patriot Consulting | SecureShield365 includes a full deployment of all Microsoft 365 Defender products including Intune plus 12 months of support. Microsoft XDR including Sentinel, Defender for Cloud, and MDR are available options.|

-|[Open Systems MDR+](https://go.microsoft.com/fwlink/?linkid=2208895) | Open Systems| Built for Microsoft security customers, MDR+ combines certified experts, exemplary processes, and seamless technology to deliver tailored, 24×7 protection while reducing attack surfaces and MTTR.|

-Evolve your organizationΓÇÖs security posture through improved processes and technologies that will up-level threat detection, containment, and remediation capabilities.

-| Service name | Vendor | Description|

-| -- | -- | |

-| [CRITICALSTART® Cybersecurity Consulting

-| [Sepago Adapt](https://go.microsoft.com/fwlink/?linkid=2202677)   | Sepago GmbH | Working with the full range of Microsoft Defender solutions requires a change in processes. Combining Microsoft and sepago best practices and your company-knowledge, together we'll build and establish processes for your organization to enable you to fully utilize the Defender solutions.|

-| [Zero Trust by Onevinn](https://go.microsoft.com/fwlink/?linkid=2202584) | Onevinn | Get started with Zero Trust by fully utilize your investment in Microsoft 365 Security Features |

-| [Cloud Security Operations Center](https://go.microsoft.com/fwlink/?linkid=2202671) | glueckkanja-gab AG | Monitors your Microsoft Security Solutions 24/7, respond to threats on your behalf and work closely with your IT to continuously improve your security posture.|

-| [Wortell Protect](https://go.microsoft.com/fwlink/?linkid=2202480) | Wortell | Wortell offers a 24.7.365 Managed Detection and Response service, SOC-as-a-service, to secure your Azure subscriptions and Microsoft 365 environment. With this managed service, Wortell will provide security monitoring and incident response, and operate Microsoft Defender and (optionally) Microsoft Sentinel on your behalf. The service also includes threat intelligence feeds and custom machine learning models |

-| [Mandiant MDR for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2202388) | Mandiant, Inc.  | Mandiant Managed Defense protects your business with a managed detection and response (MDR) service fueled by dedicated and frontline IR experts who protect against motivated adversaries with a combination of up-to-the-minute threat intelligence, data science and real-world expertise. Managed Defense helps customers optimize investments in Microsoft technology, maximize resources and accelerate investigations. |

-| [MDR for Microsoft](https://go.microsoft.com/fwlink/?linkid=2202762) | Red Canary| 24x7 managed detection, investigation, and response to threats across your Microsoft environment.|

-| [Security Operations & MDR](https://go.microsoft.com/fwlink/?linkid=2202843)  | BDO| BDO’s Security Operations Center (SOC) provides continuous detection, protection and response for organizations globally. BDO MDR is like having eyes where you don’t. It's modern technology and experts make hunting, detecting and responding one less thing to keep up with. Because they have eyes where we don’t.  |

-| [DXC Managed Endpoint Threat Detection and Response](https://go.microsoft.com/fwlink/?linkid=2202580) | DXC| DXC Managed Endpoint Threat Detection and Response gives your organization the capability to successfully detect and respond to threats in your environment. Powered by Microsoft’s Defender for Endpoint and DXC Technology security experts with unparalleled knowledge of global threats,  |

-| [BlueVoyant MDR for Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2202673) | BlueVoyant| BlueVoyantΓÇÖs MDR (Managed Detection and Response) for Microsoft 365 Defender combines the power of MicrosoftΓÇÖs Defender product suite with BlueVoyantΓÇÖs elite 24x7 security operations team to identify, investigate and eradicate todayΓÇÖs most sophisticated and advanced cyberattacks. In addition to MDR, services can include implementation, assessments, training, concierge, third party integrations, and more. |

-| [White Hat Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202391)  | White Hat IT Security  | White Hat MSS offers zero trust approach to managed security on every platform – scalable and adaptive security from true experts.|

-| [Taegis XDR](https://go.microsoft.com/fwlink/?linkid=2202848)| Secureworks | Taegis™ ManagedXDR is Secureworks® 24x7 managed detection and response service, which helps you detect advanced threats and take the right action. Included threat hunting and incident response capabilities help you scale your security operations as Secureworks uses threat data collected across thousands of customers to improve your security posture. Secureworks' combination of proprietary security analytics software, SecOps expertise, incident response and threat hunting experience, threat intelligence capabilities, and 20-year history of service excellence helps reduce risk to your business.  |

-| [Cloud Control - Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202678)   | The Collective | The Collective's Cloud Control Managed Protection, Detection and Response services is an enterprise grade managed service, delivering true Security Operations Center-as-a-Service (SOC) experience with a personal touch. |

-| [dinext. pi-SOC](https://go.microsoft.com/fwlink/?linkid=2202581)| dinext AG| Through a close integration of deployment support, security operations and consulting in hardening and architectural improvements, it accompanies customers holistically on their way to a modern security environment. |

-| [Managed Microsoft XDR](https://go.microsoft.com/fwlink/?linkid=2202846) | Quorum Cyber | Quorum Cyber’s Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security. |

-| [SepagoSOC](https://go.microsoft.com/fwlink/?linkid=2202677) | Sepago GmbH | SepagoSOC experts ensure that your environment is constantly monitored and protected utilizing the complete range of Microsoft 365 Defender solutions and Microsoft Sentinel. They help you to constantly evolve your security landscape with both technical and organizational experience.|

-|[SecureShield365](https://go.microsoft.com/fwlink/?linkid=2209718)| Patriot Consulting | SecureShield365 includes a full deployment of all Microsoft 365 Defender products including Intune plus 12 months of support. Microsoft XDR including Sentinel, Defender for Cloud, and MDR are available options.|

-|[Open Systems MDR+](https://go.microsoft.com/fwlink/?linkid=2208895) | Open Systems| Built for Microsoft security customers, MDR+ combines certified experts, exemplary processes, and seamless technology to deliver tailored, 24×7 protection while reducing attack surfaces and MTTR.|

-Mature and maintain your internal teamΓÇÖs security capabilities to prevent, detect, contain, and remediate threats.

-| Service name | Vendor | Description|

-| | -- | -- |

-| [CRITICALSTART® Cybersecurity Advisory

-| [Chief 365 Defender](https://go.microsoft.com/fwlink/?linkid=2202584) | Onevinn | This course is aimed at IT security professionals and IT architects who want to get "Best Practices From the Field" within Microsoft 365 security and management of the Microsoft 365 Defender security suite.|

-| [Onevinn Chief Hunter](https://go.microsoft.com/fwlink/?linkid=2202584) | Onevinn | Onevinn Chief Hunter is a detection training on how to build proper detection in Microsoft Sentinel together with Microsoft 365 Defender.  |

-| [Defend Against Threats with SIEM Plus XDR](https://go.microsoft.com/fwlink/?linkid=2202479)  | Netrix | Enable customers with visibility into immediate threats across email, identity & data & how Microsoft Sentinel & Defender detect & quickly stop active threats|

-| [Defend Against Threats with SIEM Plus XDR Workshop](https://go.microsoft.com/fwlink/?linkid=2202479)| Netrix | Organizations today are managing a growing volume of data and alerts while dealing with tight budgets and vulnerable legacy systems. Get help achieving your broader security objectivesΓÇöand identify current and real threatsΓÇöby scheduling a Defend Against Threats with SIEM Plus XDR Workshop |

-| [Secure Multi-Cloud Environments Workshop](https://go.microsoft.com/fwlink/?linkid=2202479)  | Netrix | As the use of cloud services continues to grow, cyber risks and threats continue to evolve. Get help achieving your hybrid and multi-cloud security objectives—and identify current and real threats—by scheduling a Secure Multi-Cloud Environments Workshop. |

-| [Mitigate Compliance & Privacy Risks Workshop](https://go.microsoft.com/fwlink/?linkid=2202479)| Netrix | As your business-critical data expands and your workforce shifts to remote work, having an integrated approach that can help quickly identify, triage, and act on risky insider user activity is more important than ever. The Mitigate Compliance & Privacy Risks Workshop gives you the insights you need to understand insider and privacy risks in your organization. |

-| [Secure Identities & Access Workshop](https://go.microsoft.com/fwlink/?linkid=2202479)  | Netrix | Given the complexity of identities, data, applications, and devices, it’s essential to learn how to ensure the right people are accessing the right information, securely. In this workshop, we’ll show you how identity is the fundamental pillars of an integrated security philosophy and end-to-end security strategy. |

-| [Microsoft 365 Defender Professional Services](https://go.microsoft.com/fwlink/?linkid=2202675)   | Netwoven | Consulting and deployment services for the Defender suite |

-| [Wortell Protect](https://go.microsoft.com/fwlink/?linkid=2202480) | Wortell | Wortell offers a 24.7.365 Managed Detection and Response service, SOC-as-a-service, to secure your Azure subscriptions and Microsoft 365 environment. With this managed service, Wortell will provide security monitoring and incident response, and operate Microsoft Defender and (optionally) Microsoft Sentinel on your behalf. The service also includes threat intelligence feeds and custom machine learning models |

-| [Mandiant MDR for Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2202388)| Mandiant, Inc.  | Mandiant Managed Defense protects your business with a managed detection and response (MDR) service fueled by dedicated and frontline IR experts who protect against motivated adversaries with a combination of up-to-the-minute threat intelligence, data science and real-world expertise. Managed Defense helps customers optimize investments in Microsoft technology, maximize resources and accelerate investigations.  |

-| [BlueVoyant MDR for Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2202673)| BlueVoyant| BlueVoyantΓÇÖs MDR (Managed Detection and Response) for Microsoft 365 Defender combines the power of MicrosoftΓÇÖs Defender product suite with BlueVoyantΓÇÖs elite 24x7 security operations team to identify, investigate and eradicate todayΓÇÖs most sophisticated and advanced cyberattacks. In addition to MDR, services can include implementation, assessments, training, concierge, third party integrations, and more. |

-| [White Hat Managed Security Services](https://go.microsoft.com/fwlink/?linkid=2202391)  | White Hat IT Security  | White Hat MSS offers zero trust approach to managed security on every platform – scalable and adaptive security from true experts. |

-| [Cloud Control - Managed Detection & Response](https://go.microsoft.com/fwlink/?linkid=2202678)  | The Collective | The Collective's Cloud Control Managed Protection, Detection and Response services is an enterprise grade managed service, delivering true Security Operations Center-as-a-Service (SOC) experience with a personal touch. |

-| [Synergy Advisors Teams App](https://go.microsoft.com/fwlink/?linkid=2202392) | Synergy Advisors LLC | E-Visor Teams App is a centralized place to involve and empower your end-users in the security and productivity of the organization by presenting unique information using data from Microsoft Defenders and Azure Active Directory while ensuring identity governance, and compliance.|

-| [Managed Microsoft XDR](https://go.microsoft.com/fwlink/?linkid=2202846)  | Quorum Cyber | Quorum Cyber’s Managed Microsoft XDR, a solution designed to enable customers to unleash the power of Microsoft security to reduce cyber risk and maximize return of investment in security. |

-|[SecureShield365](https://go.microsoft.com/fwlink/?linkid=2209718)| Patriot Consulting | SecureShield365 includes a full deployment of all Microsoft 365 Defender products including Intune plus 12 months of support. Microsoft XDR including Sentinel, Defender for Cloud, and MDR are available options.|

-| Product name | Vendor | Description |

-| |||

-| [Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration) | Microsoft| Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response. |

-| [Splunk](https://go.microsoft.com/fwlink/?linkid=2201963) | Splunk | The Microsoft Defender for Endpoint Add-on allows Splunk users to ingest all of the alerts and supporting information to their Splunk.|

-| [ArcSight](https://go.microsoft.com/fwlink/?linkid=2202142)| Micro Focus | ArcSight allows multiple analytics capabilities for correlation, search, UEBA, enhanced and automated response, and log management. |

-| [Elastic Security](https://go.microsoft.com/fwlink/?linkid=2201772) | Elastic| Elastic Security combines SIEM threat detection features with endpoint prevention and response capabilities in one solution. |

-| [IBM Security QRadar SIEM](https://go.microsoft.com/fwlink/?linkid=2201876) | IBM| IBM Security QRadar SIEM enables centralized visibility and intelligent security analytics to detect, investigate and respond to your critical cybersecurity threats. |

-| [AttackIQ Platform](https://go.microsoft.com/fwlink/?linkid=2201971)| AttackIQ | AttackIQ Platform validates whether MDE is configured properly by launching continuous attacks safely on production assets.|

-| Product name | Vendor | Description |

-| - | - | - |

-| [Microsoft Sentinel](https://go.microsoft.com/fwlink/?linkid=2201962)| Microsoft| Microsoft Sentinel is a scalable, cloud-native, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response. |

-| [ArcSight](https://go.microsoft.com/fwlink/?linkid=2202142)| Micro Focus  | ArcSight provides multiple analytics capabilities for correlation, search, UEBA, enhanced and automated response, and log management. |

-| [Splunk SOAR](https://go.microsoft.com/fwlink/?linkid=2201773) | Splunk | Splunk SOAR orchestrates workflows and automates tasks in seconds to work smarter and respond faster. |

-| [Security Incident Response](https://go.microsoft.com/fwlink/?linkid=2201874)| ServiceNow | The ServiceNow® Security Incident Response application tracks the progress of security incidents from discovery and initial analysis, through containment, eradication, and recovery, and into the final post-incident review, knowledge base article creation, and closure.|

-| [Swimlane](https://go.microsoft.com/fwlink/?linkid=2202140)| Swimlane Inc | Automates your incident response capabilities with Swimlane (SOAR) and Microsoft Defender.  |

-| [InsightConnect](https://go.microsoft.com/fwlink/?linkid=2201877)  | Rapid7 | InsightConnect provides security orchestration, automation and response solution that accelerates incident response and vulnerability management processes. |

-| [Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2201777) | Palo Alto Networks | Demisto integrates with Microsoft Defender for Endpoint to enable security teams to orchestrate and automate endpoint security monitoring, enrichment and response. |

-| Product name | Vendor| Description|

-| --| -- | -- |

-| [SafeBreach](https://go.microsoft.com/fwlink/?linkid=2201775)| SafeBreach| SafeBreach continuously executes attacks, correlates results to help visualize security gaps, and leverages contextual insights to highlight remediation efforts. With its Hacker’s Playbook™, the industry’s most extensive collection of attack data enabled by state-of-the-art threat intelligence research, SafeBreach empowers organizations to get proactive about security with a simple approach that replaces hope with data.  |

-| [Extended Security Posture Management (XSPM)](https://go.microsoft.com/fwlink/?linkid=2201771) | Cymulate| Cymulate's Extended Security Posture Management enables companies to challenge, assess, and optimize their cybersecurity posture.  |

-| [Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2201967) | SkyBox| Develops a vulnerability program strategy that accurately analyzes exposure risk across hybrid attack surface and prioritize the remediation. |

-| [Attack Path Management](https://go.microsoft.com/fwlink/?linkid=2201774)| XM Cyber| Attack Path Management is a hybrid cloud security company providing attack path management changing the ways organizations approach cyber risk.  |

-| [Better Mobile Security Platform](https://go.microsoft.com/fwlink/?linkid=2202043) | Better Mobile Security Inc. | Provides solution for Threat, Phishing and Privacy Protection and Simulation. |

-| Product name | Vendor | Description|

-| - | - | |

-| [ArcSight](https://go.microsoft.com/fwlink/?linkid=2202142)| Micro Focus  | Provides multiple analytics capabilities for correlation, search, UEBA, enhanced and automated response, and log management.  |

-| [MineMeld](https://go.microsoft.com/fwlink/?linkid=2202044)| Palo Alto Networks | Enriches your endpoint protection by extending Autofocus and other threat feeds to Microsoft Defender for Endpoint using MineMeld. |

-| [MISP (Malware Information Sharing Platform)](https://go.microsoft.com/fwlink/?linkid=2202247) | MISP | Integrates threat indicators from the Open Source Threat Intelligence Sharing Platform into your Microsoft Defender for Endpoint environment. |

-| [ThreatConnect](https://go.microsoft.com/fwlink/?linkid=2202246) | ThreatConnect| Alerts and/or blocks on custom threat intelligence from ThreatConnect Playbooks using Microsoft Defender for Endpoint indicators.|

-| Product name | Vendor | Description|

-| | - | - |

-| [Aruba ClearPass Policy Manager](https://go.microsoft.com/fwlink/?linkid=2201878)| Aruba, a Hewlett Packard Enterprise company  | Network Access Control applies consistent policies and granular security controls to wired and wireless networks |

-| [Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=2201969) | Vectra | Vectra applies AI & security research to detect and respond to cyber-attacks in real time. |

-| [Blue Hexagon for Network](https://go.microsoft.com/fwlink/?linkid=2201780)| Blue Hexagon | Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection.|

-| [CyberMDX](https://go.microsoft.com/fwlink/?linkid=2201880)| CyberMDX | Cyber MDX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Microsoft Defender for Endpoint environment. |

-| [HYAS Protect](https://www.hyas.com/hyas-protect) | HYAS | HYAS Protect utilizes authoritative knowledge of attacker infrastructure to proactively protect MDE endpoints from cyber attacks. |

-| [Better Mobile Security Platform](https://go.microsoft.com/fwlink/?linkid=2202043) | Better Mobile Security Inc.| Provides solution for Threat, Phishing and Privacy Protection and Simulation. |

-| [Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2201965) | Skybox security| Global security posture management leader with solutions for vulnerability management and network security policy management.  |

-| [Open NDR](https://go.microsoft.com/fwlink/?linkid=2201964)| Corelight| Augment device inventory in Microsoft 365 Defender with network evidence for complete visibility.  |

-| Product name| Vendor | Description|

-| - | | - |

-| [Illusive Platform](https://go.microsoft.com/fwlink/?linkid=2201778)  | Illusive Networks  | Illusive continuously discovers and automatically remediates identity vulnerabilities, and it detects attacks using deceptive controls.  |

-| [Silverfort](https://go.microsoft.com/fwlink/?linkid=2201873) | Silverfort | Enforces Azure AD Conditional Access and MFA across any user system and environment on-prem and in the cloud.  |

-| Product name | Vendor | Description |

-| - | - | |

-| [Corrata Mobile Security](https://go.microsoft.com/fwlink/?linkid=2201879) | Corrata | Corrata is an immune system for mobile devices and tablets that detects & protects mobile devices from the full spectrum of security threats like phishing, malware, man-in-the-middle attacks and data loss. |

-| [Better Mobile Security Platform](https://go.microsoft.com/fwlink/?linkid=2202043)  | Better Mobile Security Inc. | Provides solution for Threat, Phishing and Privacy Protection and Simulation.|

-| [Zimperium Mobile Threat Defense](https://go.microsoft.com/fwlink/?linkid=2202141)  | Zimperuim | Extends your Microsoft Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense. |

-| [Bitdefender](https://go.microsoft.com/fwlink/?linkid=2201968)  | Bitdefender  | Bitdefender GravityZone is a layered next generation endpoint protection platform offering comprehensive protection against the full spectrum of sophisticated cyber threats. |

-| Product name | Vendor | Description|

-| - | | --|

-| [Atlassian](https://go.microsoft.com/fwlink/?linkid=2202039)| Atlassian | Atlassian provides collaboration, development, and issue tracking software for teams. |

-| [Azure](https://go.microsoft.com/fwlink/?linkid=2202040) | Microsoft | Microsoft Azure provides tools and services to help you reach and scale to a global audience with cloud gaming services. |

-| [AWS](https://go.microsoft.com/fwlink/?linkid=2202041)| Amazon | Amazon Web Services provides information technology infrastructure services to businesses in the form of web services. |

-| [Box](https://go.microsoft.com/fwlink/?linkid=2202042)| Box | Box is an online file sharing and cloud content management service offering unlimited storage, custom branding, and administrative controls. |

-| [DocuSign](https://go.microsoft.com/fwlink/?linkid=2201767) | DocuSign| DocuSign is an Electronic Signature and Agreement Cloud enabling employees to securely send, sign and manage agreements. |

-| [Dropbox](https://go.microsoft.com/fwlink/?linkid=2202139) | Dropbox| Dropbox is a smart workspace company that provides secure file sharing, collaboration, and storage solutions. |

-| [Egnyte](https://go.microsoft.com/fwlink/?linkid=2201956) | Egnyte | Egnyte delivers secure content collaboration, compliant data protection and simple infrastructure modernization. |

-| [GITHUB](https://go.microsoft.com/fwlink/?linkid=2201957) | Microsoft | GitHub is a code hosting platform for collaboration and version control. It allows developers to work together on their projects right from planning and coding to shipping the software. |

-| [Google Workspace](https://go.microsoft.com/fwlink/?linkid=2201958)| Alphabet| Google Workspace plans provide a custom email for your business and includes collaboration tools like Gmail, Calendar, Meet, Chat, Drive, Docs, Sheets, Slides, Forms, Sites, and more. |

-| [Google Cloud Platform](https://go.microsoft.com/fwlink/?linkid=2202244) | Alphabet| Google Cloud Platform is a set of modular cloud-based services that allows you to create anything from simple websites to complex applications.|

-| [NetDocuments](https://go.microsoft.com/fwlink/?linkid=2201768) | NetDocuments | NetDocuments enables businesses of all sizes to create, secure, manage, access, and collaborate on documents and email anywhere, anytime. |

-| [Office 365](https://go.microsoft.com/fwlink/?linkid=2201959) | Microsoft | Microsoft Office 365 is a subscription-based online office and software services suite, which offers access to various services and software built around the Microsoft Office platform. |

-| [OKTA](https://go.microsoft.com/fwlink/?linkid=2201867)| OKTA | Okta is a management platform that secures critical resources from cloud to ground for workforce and customers. |

-| [OneLogin](https://go.microsoft.com/fwlink/?linkid=2201868) | OneLogin| OneLogin is a cloud identity and access management solution that enables enterprises to secure all apps for their users on all devices. |

-| [Salesforce](https://go.microsoft.com/fwlink/?linkid=2201869) | Salesforce | Salesforce is a global cloud computing company that offers customer relationship management (CRM) software & cloud computing for businesses of all sizes. |

-| [ServiceNow](https://go.microsoft.com/fwlink/?linkid=2201769) | ServiceNow | ServiceNow provides cloud-based solutions that define, structure, manage, and automate services for enterprise operations. |

-| [Slack](https://go.microsoft.com/fwlink/?linkid=2201870) | Slack| Slack is an enterprise software platform that allows teams and businesses of all sizes to communicate effectively. |

-| [SmartSheet](https://go.microsoft.com/fwlink/?linkid=2201871) | SmartSheet | Smartsheet is a cloud-based work management platform that empowers collaboration, drives better decision making, and accelerates innovation. |

-| [Webex](https://go.microsoft.com/fwlink/?linkid=2201872) | Cisco| Webex, a Cisco company, provides on-demand applications for businesses to conduct web conferencing, telework and application remote control. |

-| [Workday](https://go.microsoft.com/fwlink/?linkid=2201960) | Workday| Workday offers enterprise-level software solutions for human resource and financial management.|

-| [Zendesk](https://go.microsoft.com/fwlink/?linkid=2201961) | Zendesk| Zendesk is a customer service platform that develops software to empower organization and customer relationships.|

-| Product name| Vendor | Description |

-| | -- | -- |

-| [Attack Path Management](https://go.microsoft.com/fwlink/?linkid=2201774) | XM Cyber| Hybrid cloud security company providing attack path management changing the ways organizations approach cyber risk.  |

-| [Corrata Mobile Security](https://go.microsoft.com/fwlink/?linkid=2201879) | Corrata | Corrata is an immune system for mobile devices and tablets that detects & protects mobile devices from the full spectrum of security threats like phishing, malware, man-in-the-middle attacks and data loss.  |

-| [Zimperium Mobile Threat Defense](https://go.microsoft.com/fwlink/?linkid=2202141)  | Zimperuim| Extend your Microsoft Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense.  |

-| [RiskAnalyzer](https://go.microsoft.com/fwlink/?linkid=2202245)   | DeepSurface Security  | DeepSurface RiskAnalyzer helps quickly and efficiently discover, analyze and prioritize cybersecurity risk  |

-| [Vulnerability Control](https://go.microsoft.com/fwlink/?linkid=2201965)| Skybox security| Global security posture management leader with solutions for vulnerability management and network security policy management.  |

-| [Vulcan Cyber risk management platform](https://go.microsoft.com/fwlink/?linkid=2201770)  | Vulcan Cyber  | Vulcan Cyber gives you the tools to effectively manage the vulnerability and risk lifecycle for all your cyber assets, including application, cloud, and infrastructure.  |

-| [Extended Security Posture Management (XSPM)](https://go.microsoft.com/fwlink/?linkid=2201771) | Cymulate| Cymulate's Extended Security Posture Management enables companies to challenge, assess, and optimize their cybersecurity posture. |

-| [Illusive Platform](https://go.microsoft.com/fwlink/?linkid=2201778)  | Illusive Networks  | Illusive continuously discovers and automatically remediates identity vulnerabilities, and it detects attacks using deceptive controls. |

-| Product name | Vendor | Description |

-| | - | |

-| [Zscaler Internet Access](https://go.microsoft.com/fwlink/?linkid=2201779)  | Zscaler | Zscaler Internet Access is a cloud native security service edge (SSE) solution that builds on a decade of secure web gateway leadership. Offered as a scalable SaaS platform from the world’s largest security cloud, it replaces legacy network security solutions to stop advanced attacks and prevent data loss with a comprehensive zero trust approach. |

-| Product name | Vendor | Description |

-| - | | -- |

-| [Morphisec](https://go.microsoft.com/fwlink/?linkid=2201966) | Morphisec | Provides Moving Target Defense-powered advanced threat prevention and integrates forensics data directly into WD Security Center dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information. |

-| [THOR Cloud](https://go.microsoft.com/fwlink/?linkid=2201875) | Nextron systems | Provides on-demand live forensics scans using a signature base focused on persistent threats.  |

-keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, mojave, high sierra

->[!Note]

- You can now use the new broswer extenstions APIs to view all browser extensions installed in your organization, including installed versions, permissions requested, and associated risk.

- A new API is now available and returns all the data for installed software that doesn't have a [Common Platform Enumeration(CPE)](https://nvd.nist.gov/products/cpe). The information returned by this API, along with the information returned by the Export software inventory assessment API, for software that does have a CPE, gives you full visibility into the software installed across your organization and the devices itΓÇÖs installed on.

-description: Alert grading recipients from malicious exchange connectors activity and protect their network from malicious attack.

-Threat actors use compromised exchange connectors for sending out spam and phishing emails in bulk to unsuspecting recipients by masquerading legitimate emails. Since the connector is compromised, the emails would usually be trusted by the recipients. These kinds of phishing emails are common vectors for phishing campaigns, and business email compromise (BEC) scenario. Hence, such emails need to be monitored heavily due to the likelihood of successful recipientsΓÇÖ compromises being high.

- - If malicious, remediate/remove the malicious connector from the environment.

-Attackers may compromise an existing exchange connector or compromise an admin, and set up a new connector by sending phish or spam/bulk emails.

-The typical indicators of a malicious connector can be found when looking at email traffic and its headers. For example, when email traffic is observed from a connector node with a mismatch in P1 (header sender) and P2 (envelope sender) sender addresses along with no information on SenderΓÇÖs AccountObjectId.

-This alert tries to identify such instances of mail flow, wherein the mail sending activity seems suspicious adding to that relevant information on sender is unavailable.

-ΓÇâ

- - Look for domains that are not part of your environment.

- - Field values in the P1 sender (email header sender) and P2 sender (envelope sender), and check whether thereΓÇÖs a mismatch.

- - The NetworkMessageId (Message ID) of the emails that were sent from the malicious connector.

-

-You can use [advanced hunting](/microsoft-365/security/defender/advanced-hunting-overview?) queries to gather information related to an alert and determine whether the activity is suspicious.

-|**Table Name** |**Description** |

-|||

- ```

- ``` ΓÇâ

- ```

- ```

- ```

- - Check the mail content for bad behavior

- - Look at URLs in the email or email having attachments.

- - Look for login failures from unusual locations.

-Once itΓÇÖs determined that the observed alert activities are part of TP, classify those alerts and perform the actions below:

- - Look for suspicious activities performed by the admin.

-# Alert grading for session cookie theft alert

-

-This playbook helps in investigating cases where suspicious behavior is observed indicative of an Attack-in-the-middle (AiTM) type of attack for cookie theft. This helps security teams like security operations center (SOC) and IT administrators to review, manage and grade the alerts as True Positive (TP) or False Positive (FP), and if it's TP, take recommended actions to remediate the attack and mitigate the security risks arising because of it.

-1. Investigate whether the affected user has triggered any other security alerts.

-

- - Look for events associated with the identified (stolen) session ID to trace activities performed using the stolen cookie `[CloudAppEvents]`.

- - Look for a time difference between sign-in activities where there's a difference in the geo-location. Multiple sessions shouldn't be possible for the same account with different locations (indicating that the session could be stolen).

- - Check for alerts generated for the account from the corporate host.

- - If the account is compromised, there could be alerts that preceded the compromise indicating attacks, for example, SmartScreen alerts `[NetworkConnectionEvents]`.

- - Office 365 applications (like Exchange online permission changes, mail auto forwarding or redirection)

- - Azure environments (for example, Azure portal subscription modifications, etc.)

-

- - An example would be looking into BEC cases

- - Search activities in the mailbox could have keywords observed in financial fraud (for example, invoices, payments, etc.), which are suspicious.

- - Look for mail flow events [EmailEvents & EmailUrlInfo on NetworkMessageId] where the multiple emails are sent with the same Url.

- - Follow up with inspecting whether an increase or a high volume of mail deletion (ActivityType as Trash or Delete) is observed `[CloudAppEvents]` for the mailbox account.

- - Matching behavior could be deemed as highly suspicious.

- - Examine device events for Url events that match click events `[DeviceEvents on AccountName|AccountUpn]` for Office365 emails.

- - Matching the events for click sources (for example, different IP addresses for the same Url) could be an indication of malicious behavior.

-## Advanced hunting queries

-[Advanced hunting](advanced-hunting-overview.md) is a query-based threat hunting tool that lets you inspect events in your network and locate threat indicators.

-| where ApplicationId == "4765445b-32c6-49b0-83e6-1d93765276ca" //OfficeHome application

-| where ClientAppUsed == "Browser"

-| where LogonType has "interactiveUser"

-| where ApplicationId != "4765445b-32c6-49b0-83e6-1d93765276ca"

-| where ClientAppUsed == "Browser"

-| where Timestamp > ago(7d)

-| where ApplicationId == "4765445b-32c6-49b0-83e6-1d93765276ca" //OfficeHome application

-| where ClientAppUsed == "Browser"

-| where LogonType has "interactiveUser"

-| summarize Countries = make_set(Country) by AccountObjectId, AccountDisplayName

-## Recommended actions

- - Domains that are typo-squatted might either clear DMARC, DKIM, SPF policies (since the domain is different altogether) or they might return ΓÇ£nullΓÇ¥ results (as it's probably not configured by the threat actor).

-

- > - `Γüánoreply@email.teams.microsoft.com`

- > - `Γüánoreply@email.teams.microsoft.com`

-Whiteboard content is stored in OneDrive for Business and Azure. OneDrive for Business is the default storage for all new whiteboards. Whiteboards that were originally created in Azure, and whiteboards that were initiated on a Surface Hub or a Microsoft Teams Rooms device, are stored in Azure.

->[!NOTE]

->[!NOTE]

-If you want to retain a deleted userΓÇÖs whiteboards, *before* you delete the account, you can transfer ownership. You can transfer a single whiteboard or all of them to another user.