+|**Suspicious tenant sending patterns observed**|Generates an alert when Suspicious sending patterns have been observed in your organization, which may lead to your organization being blocked from sending emails. Investigate any potentially compromised user and admin accounts, new connectors, or open relays to avoid tenant exceed threshold blocks. For more information about why organizations are blocked, see [Fix email delivery issues for error code 5.7.7xx in Exchange Online](/Exchange/mail-flow-best-practices/non-delivery-reports-in-exchange-online/fix-error-code-5-7-700-through-5-7-750).|High|No|E1/F1/G1, E3/F3/G3, or E5/G5|

+- **Sentiment**: Messages in alerts now include a sentiment evaluation to help investigators quickly prioritize potentially riskier messages to address first. Messages are flagged as *Positive*, *Negative*, or *Neutral* sentiment and are powered by [Azure Cognitive Service for Language](/azure/cognitive-services/language-service/overview). For some organizations, messages with *Positive* sentiment may be determined to be a lower priority, allowing reviewers to spend more time on other message alerts. The message sentiment is displayed in the **Sentiment column** and is enabled in the default view.

+- **Attachments**: This option allows you to examine Modern attachments that match policy conditions. Modern attachments content is extracted as text and is viewable on the Pending alerts dashboard for a policy. For more information, see the [Communication compliance feature reference](/microsoft-365/compliance/communication-compliance-channels).

+To identify an older policy, review *Last policy scan* column on the **Policy** page. Older policies will display a full date for the scan while policies created after July 31, 2022 will display *1 hour ago* for the scan. Another option to reduce latency is to wait until February 28, 2023 for your existing policies to be automatically migrated to the new detection criteria.

+> Retention policies also support newly created call data records, which are system-generated messages that contain [metadata for meetings and calls](/MicrosoftTeams/ediscovery-investigation#teams-metadata). All call data records are always included with the **Teams chats** location, even call data records for Teams channel messages and Teams private channel messages.

+- To include newly created call data records for Teams channel messages and Teams private channel messages, you must select the **Teams chats** location, instead of the **Teams channel messages** and **Teams private channel messages** locations.

+> [!NOTE]

+> The *Group* option selected in the review set determines which items are included in the content exported from the review set. If *None* is selected, the exported content only includes the selected or filtered items. If *Group by family* is selected, the exported content includes all items in the family.

+> [!NOTE]

+> If the user account for the mailbox is disabled, the mailbox isn't processed by the Managed Folder Assistant and the delay hold remains after the 30 days have expired.

+

+> [!NOTE]

+> Hold tracking logs aren't available if the user account has been disabled.

+Insider risk management alerts are automatically generated by risk indicators that are defined in insider risk management policies. These alerts give compliance analysts and investigators an all-up view of the current risk status and allow your organization to triage and take actions for discovered potential risks. By default, policies generate a certain amount of low, medium, and high severity alerts, but you can [increase or decrease the alert volume](insider-risk-management-settings.md#alert-volume) to suit your needs. Additionally, you can configure the [alert threshold for policy indicators](insider-risk-management-settings.md#indicator-level-settings) when creating a new policy with the policy creation tool.

+- **Modify your insider risk settings**: Insider risk settings include a wide variety of configuration options that can impact the volume and types of alerts you'll receive. These include settings for [policy indicators](insider-risk-management-settings.md#indicators), [indicator thresholds](insider-risk-management-settings.md#indicator-level-settings), and [policy timeframes](insider-risk-management-settings.md#policy-timeframes). Consider configuring [intelligent detections](insider-risk-management-settings.md#intelligent-detections) options to exclude specific file types and sensitive info types, trainable classifiers, define minimum thresholds before activity alerts are reported by your policies, and change the alert volume configuration to a lower setting.

+- **Use automated insider risk features to help discover the highest risk activities**. Insider risk management [sequence detection](insider-risk-management-policies.md#sequence-detection-preview) and [cumulative exfiltration detection](insider-risk-management-policies.md#cumulative-exfiltration-detection-preview) features can help you quickly discover harder to find risks in your organization. Consider fine-tuning your [risk score boosters](insider-risk-management-settings.md#indicators), [file activity detection](insider-risk-management-settings.md#file-activity-detection), [domains](insider-risk-management-settings.md#domains), and the minimum [indicator threshold settings](insider-risk-management-settings.md#indicator-level-settings) for your policies.

+- [Inline alert customization](#inline-alert-customization)

+### Indicator level settings

+If your organization uses Microsoft Sentinel, you can also use the out-of-the-box insider risk management data connector to import insider risk alert information to Sentinel. For more information, see [Insider Risk Management (IRM) (preview)](/azure/sentinel/data-connectors-reference#microsoft-365-insider-risk-management-irm-preview) in the Microsoft Sentinel article.

+

+

+## Inline alert customization

+2. Select the **Inline alert customization** page.

+

+To safeguard against the original file being deleted or moved by users before the copy can be created and labeled, files in locations included in the auto-labeling policy are automatically copied into the Preservation Hold library if they are deleted or moved. These files have a temporary retention period of one day and then follow the standard cleanup process described on this page. When the original file has been deleted or moved, the copy for retaining cloud attachments uses this version of the file. The automatic and temporary retention of deleted or moved files in the Preservation Hold library is unique to auto-labeling policies for cloud attachments.

+1. Online

+ Title: "Service advisories for OAB size limits in Exchange Online monitoring"

+audience: Admin

+ms.localizationpriority: medium

+search.appverid:

+- MET150

+- scotvorg

+- Ent_O365

+- Strat_O365_Enterprise

+- admindeeplinkMAC

+- admindeeplinkEXCHANGE

+f1.keywords:

+- NOCSH

+description: "Learn about service advisories for OAB size limits in Exchange Online monitoring."

+# Service advisories for OAB size limits

+This alert informs you when your Offline Address Book has reached the size limit outlined in the [Address Book

+Limits](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#address-book-limits)

+within the [Exchange Online limits](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#address-book-limits).

+These alerts are displayed in the Microsoft 365 admin center. To view these alerts, navigate to **Health** \> **Service Health** \> **Exchange Online** and finally, the **Active Issues** tab. This alert will be listed as "Offline Address Book."

+## What Do These Service Alerts Indicate?

+This service alert informs you that the maximum size of a single Offline Address Book within your tenant has exceeded 1 GB. If you receive this alert, we ask that you review any recent changes made to the Offline Address Book(s) in your environment. Your users may observe missing or incomplete data if the size issue isn't corrected.

+## More information

+For more information about Offline Address Books, see the following articles:

+- [Offline address books in Exchange Online \| Microsoft Docs](/exchange/address-books/offline-address-books/offline-address-books)

+- [Exchange Online limits - Address Book Limits](/office365/servicedescriptions/exchange-online-service-description/exchange-online-limits#address-book-limits)

+|[Windows 10 lab environment](https://download.microsoft.com/download/b/7/6/b7696d5b-940e-4af6-ba8b-32cfa3532e6e/Win10_21H2.zip)|[Windows 11 lab environment](https://download.microsoft.com/download/a/1/0/a10d1f67-b499-4c2f-8db1-79d29cd98b05/Windows11_21H1_2022-10-18.zip)|

+For the next 30 days, here's guidance from the product team on key features to try:

+##### [Migrate from the MDE SIEM API to the Microsoft 365 Defender alerts API](configure-siem.md)

+MDE is now generally available on AE COPE devices. Enterprises can onboard devices on COPE mode and push MDE to user's devices through the [Microsoft Endpoint Manager Admin center](https://endpoint.microsoft.com). With this support, Android Enterprise COPE devices will get the full capabilities of our offering on Android including phishing and web protection, malware scanning, Network protection (preview) and additional breach prevention through integration with Microsoft Endpoint Manager and Conditional Access. Read the announcement [here](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-is-now-available-on-android/ba-p/3626100).

+## Microsoft Defender Antivirus exclusions and ASR rules

+Microsoft Defender Antivirus exclusions apply to some Microsoft Defender for Endpoint capabilities, such as some of the attack surface reduction (ASR) rules.

+Following is a list of ASR rules that honor Microsoft Defender Antivirus exclusions:

+|exclusion name | ASR rules name |

+|:|:|

+| BlockAdobeCreateProcessRule | [Block Adobe Reader from creating child processes](#block-adobe-reader-from-creating-child-processes) |

+| BlockKnownRemotingToolCreateProcessRule | [Block process creations originating from PSExec and WMI commands](#block-process-creations-originating-from-psexec-and-wmi-commands) |

+| BlockLsassCredentialTheft | [Block credential stealing from the Windows local security authority subsystem (lsass.exe)](#block-credential-stealing-from-the-windows-local-security-authority-subsystem) |

+| BlockOfficeCreateProcessRule | [Block Office applications from creating executable content](#block-office-applications-from-creating-executable-content) |

+| BlockOfficeInjectionRule | [Block Office applications from injecting code into other processes](#block-office-applications-from-injecting-code-into-other-processes) |

+| BlockOutlookCreateProcessRule | [Block Office communication application from creating child processes](#block-office-communication-application-from-creating-child-processes) |

+<!-- v-jweston/jweston-1 is scheduled to resume authorship Apr/May 2023.-->

+| Application | Machine.Read.All | 'Read all machine profiles' |

+|Delegated (work or school account) | Machine.Read | 'Read machine information' |

+**The bottom section** surfaces six rules based on the number of unprotected devices per rule. The "View configuration" button surfaces all configuration details for all ASR rules. The "Add exclusion" button shows the add exclusion page with all detected file/process names listed for Security Operation Center (SOC) to evaluate. The **Add exclusion** page is linked to Microsoft Endpoint Manager (MEM).

+The "Detection" main page has a list of all detections (files/processes) in the last 30 days. Select on any of the detections to open with drill-down capabilities.

+> Microsoft Defender Antivirus exclusions do apply to some Microsoft Defender for Endpoint capabilities, such as [attack surface reduction (ASR) rules](attack-surface-reduction.md). Some Microsoft Defender Antivirus exclusions are applicable to some ASR rule exclusions. See [Attack surface reduction rules reference - Microsoft Defender Antivirus exclusions and ASR rules](attack-surface-reduction-rules-reference.md#microsoft-defender-antivirus-exclusions-and-asr-rules).

+> Files that you exclude using the methods described in this article can still trigger Endpoint Detection and Response (EDR) alerts and other detections.

+> Experts on Demand is not a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/).

+ Title: Migrate from the MDE SIEM API to the Microsoft 365 Defender alerts API

+# Migrate from the MDE SIEM API to the Microsoft 365 Defender alerts API

+After gathering customer feedback, we have learned there are challenges with the timeline originally communicated. As a result, we are making changes to our timeline to improve our customers' experience in migrating to the new API.

+To provide customers with more time to plan and prepare their migration to the new Microsoft 365 Defender APIs, we have pushed the SIEM API deprecation date to December 31, 2023. This will give customers one year from the expected GA release of Microsoft 365 Defender APIs to migrate from the SIEM API. At the time of deprecation, the SIEM API will be declared "deprecated" but not "retired." This means that until this date, the SIEM API will continue to function for existing customers. After the deprecation date, the SIEM API will continue to be available, however it will only be supported for security-related fixes.

+1. [Pulling MDE alerts into an external system](#pulling-defender-for-endpoint-alerts-into-an-external-system) (SIEM/SOAR)

+1. **Microsoft Sentinel** is a scalable, cloud-native, SIEM and Security orchestration, automation, and response (SOAR) solution. Delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for attack detection, threat visibility, proactive hunting, and threat response. The Microsoft 365 Defender connector allows customers to easily pull in all their incidents and alerts from all Microsoft 365 Defender products. To learn more about the integration, see [Microsoft 365 Defender integration with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration).

+2. Click "Download the Potentially Unwanted Application 'test' file" link

+description: Use Intune OMA-URI and Intune user interface to deploy and manage removable storage access control.

+ To block a specific removable storage class but allow specific media, you can use '`IncludedIdList` a group through `PrimaryId` and `ExcludedIDList` a group through `DeviceId`/`HardwareId`/etc.' For additional details, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](device-control-removable-storage-access-control.md).

+ > [!NOTE]

+ > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

+ > [!NOTE]

+ > Comments using XML comment notation `<!-- COMMENT -->` can be used in the Rule and Group XML files, but they must be inside the first XML tag, not the first line of the XML file.

+ Here is the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

+ :::image type="content" source="media/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png" alt-text="A screenshot of approved USBs" lightbox= "media/188234372-526d20b3-cfea-4f1d-8d63-b513497ada52.png":::

+ :::image type="content" source="media/188243425-c0772ed4-6537-4c6a-9a1d-1dbb48018578.png" alt-text="A screenshot of policy 1" lightbox= "media/188243425-c0772ed4-6537-4c6a-9a1d-1dbb48018578.png":::

+ Here is the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%201%20Block%20Write%20and%20Execute%20Access%20but%20allow%20approved%20USBs.xml). See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

+ :::image type="content" source="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png" alt-text="A screenshot of group 1" lightbox="media/188234308-4db09787-b14e-446a-b9e0-93c99b08748f.png":::

+ Here is the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Any%20Removable%20Storage%20and%20CD-DVD%20and%20WPD%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

+ Here is the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Unapproved%20USBs%20Group.xml). See step 3 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

+ Here is the [sample file](https://github.com/microsoft/mdatp-devicecontrol/blob/main/Removable%20Storage%20Access%20Control%20Samples/Intune%20OMA-URI/Scenario%202%20Audit%20Write%20and%20Execute%20access%20to%20all%20but%20block%20specific%20unapproved%20USBs.xml). See step 4 from the [Deploy Removable Storage Access Control](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri) section to deploy the configuration.

+ :::image type="content" source="media/188244203-36c869b6-9330-4e2a-854b-494c342bb77d.png" alt-text="A screenshot of audit write and execute access" lightbox= "media/188244203-36c869b6-9330-4e2a-854b-494c342bb77d.png":::

+This capability is available in the Microsoft Endpoint Manager admin center (<https://endpoint.microsoft.com/>).

+- To block a specific removable storage class but allow specific media, you can use '`IncludedIdList` a group through `PrimaryId` and `ExcludedIDList` a group through `DeviceId`\/`HardwareId`/etc.` For additional guidance, see [Deploy Removable Storage Access Control by using Intune OMA-URI](deploy-manage-removable-storage-intune.md#deploy-removable-storage-access-control-by-using-intune-oma-uri).

+| avMode | String | Antivirus mode. | Each mode will be a string typed integer value ranging from 0 to 5. Refer to the mapping below to see its value's meaning: <ul><li>'' = Other</li><li> '0' = Active</li><li> '1' = Passive</li><li> '2' = Disabled</li><li> '3' = Other</li><li> '4' = EDRBlocked</li><li>'5' = PassiveAudit</li></ul> |

+<!-- v-jweston/jweston-1 is scheduled to resume authorship Apr/May 2023.-->

+Ideally, the "Current state" graph shows that the number of operating systems is weighted in favor of more current OS over older versions. Otherwise, the trends graph indicates that new systems are being adopted and/or older systems are being updated or replaced.

+Endpoint Attack Notifications are alerts that have been hand crafted by Microsoft's managed hunting service based on suspicious activity in your environment. They can be viewed through several mediums:

+## View events in the Defender for Endpoint service event log

+You can review event IDs in the [Event Viewer](https://msdn.microsoft.com/library/aa745633(v=bts.10).aspx) on individual devices. This can help when, for example, a device isn't appearing in the Devices list. In this scenario, you can look for event IDs on the device and then use the table below to determine further troubleshooting steps based on the corresponding event ID.

+To open the Defender for Endpoint service event log:

+1. Select **Start** on the Windows menu, type **Event Viewer**, and press **Enter** to open the Event Viewer.

+3. Events recorded by the service will appear in the log.

+See the following table for a list of events recorded by the service.

+## View Defender for Endpoint events in the System event log

+Microsoft Defender for Endpoint events also appear in the System event log.

+To open the System event log:

+1. Select **Start** on the Windows menu, type **Event Viewer**, and press **Enter** to open the Event Viewer.

+2. In the log list, under **Log Summary**, scroll until you see **System**. Double-click the item to open the log.

+You can use this table for more information on the Defender for Endpoint events in the System events log and to determine further troubleshooting steps.

+ |Event ID|Message|Description|Action|

+ |||||

+ |1|The backing-file for the real-time session "SenseNdrPktmon" has reached its maximum size. As a result, new events will not be logged to this session until space becomes available.|This real-time session, between Pktmon - the built-in Windows service that captures network traffic, and our agent (SenseNDR) - that analyzes packets asynchroniously, is configured to limited to prevent potential performance issues. As a result, this alert may appear if too many packets are intercepted in a short time period, causing some packets to be skipped. This alert is more common with high network traffic.|Normal operating notification; no action required.|

+> Experts on Demand is not a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/).

+This API returns all the data for installed software that doesn't have a [Common Platform Enumeration(CPE)](https://nvd.nist.gov/products/cpe), on a per-device basis. The information returned by this API, along with the information returned by the [Export software inventory assessment](get-assessment-non-cpe-software-inventory.md) API, for software that does have a CPE, gives you full visibility into the software installed across your organization and the devices it's installed on.

+<!-- v-jweston/jweston-1 is scheduled to resume authorship Apr/May 2023.-->

+> The information returned by this API, along with the information returned by the [Export non product code software inventory assessment](get-assessment-non-cpe-software-inventory.md) API, for software that doesn't have a CPE, gives you full visibility into the software installed across your organization and the devices it's installed on.

+By combining these APIs you'll be able to see a description of the permissions requested by the browser extensions that come up in the [Export browser extensions assessment](get-assessment-browser-extensions.md) results.

+2. Save the file as *com.microsoft.wdav.schedquickscan.plist* to the /Library/LaunchDaemons directory.

+2. Save the file as *com.microsoft.wdav.schedfullscan.plist* to the /Library/LaunchDaemons directory.

+ chown root:wheel /Library/LaunchDaemons/com.microsoft.wdav.sched*

+ chmod 644 /Library/LaunchDaemons/com.microsoft.wdav.sched*

+ xattr -c /Library/LaunchDaemons/com.microsoft.wdav.sched*

+ launchctl load -w /Library/LaunchDaemons/<your file name.plist>

+ - The `Weekday` value of `StartCalendarInterval` uses an integer to indicate the fifth day of the week, or Friday. The range is between 1 and 7 with 7 representing Sunday.

+ - The `Hour` value of `StartCalendarInterval` uses an integer to indicate the second hour of the day. The range is between 0 and 23.

+ The `Minute` value of `StartCalendarInterval` uses an integer to indicate fifty minutes of the hour. The range is between 0 and 59.

+For more information on Microsoft Defender for Endpoint on other operating systems:

+- [What's new in Microsoft Defender for Endpoint on Linux](linux-whatsnew.md)

+- [What's new in Microsoft Defender for Endpoint on iOS](ios-whatsnew.md)</br>

+Apple has identified an issue on macOS [Ventura upgrade](<https://developer.apple.com/documentation/macos-release-notes/macos-13_1-release-notes>), and expected to be fixed in the next release.

+- This version adds support for macOS 12.3. Starting with macOS 12.3, [Apple is removing Python 2.7](https://developer.apple.com/documentation/macos-release-notes/macos-12_3-release-notes). There will be no Python version preinstalled on macOS by default. **ACTION NEEDED**:

+\*\*\n

+- Bug fixes

+&ensp;Build: **101.49.25**<br/>

+&ensp;Release version: **20.121092.14925.0** <br/>

+- Added a new switch to the command-line tool to control whether archives are scanned during on-demand scans. This can be configured through `mdatp config scan-archives --value [enabled/disabled]`. By default, this is set to enabled.

+- Bug fixes

+&ensp;Build: **101.47.27**<br/>

+&ensp;Release version: **20.121082.14727.0** <br/>

+- Fix for a system freeze occurring on shutdown on macOS Mojave and macOS Catalina.

+&ensp;Build: **101.43.84**<br/>

+&ensp;Release version: **20.121082.14384.0** <br/>

+- Candidate build for macOS 12 (Monterey)

+- Bug fixes

+&ensp;Build: **101.41.10**<br/>

+&ensp;Release version: **20.121072.14110.0** <br/>

+- Added new switches to the command-line tool:

+ - Control degree of parallelism for on-demand scans. This can be configured through `mdatp config maximum-on-demand-scan-threads --value [number-between-1-and-64]`. By default, a degree of parallelism of 2 is used.

+ - Control whether scans after security intelligence updates are enabled or disabled. This can be configured through `mdatp config scan-after-definition-update --value [enabled/disabled]`. By default, this is set to enabled.

+- Changing the product log level now requires elevation.

+- Performance improvements & bug fixes

+&ensp;Build: **101.40.84**<br/>

+&ensp;Release version: **20.121071.14084.0** <br/>

+- M1 chip native support

+- Performance improvements & bug fixes

+&ensp;Build: **101.37.97**<br/>

+&ensp;Release version: **20.121062.13797.0** <br/>

+- Performance improvements & bug fixes

+&ensp;Build: **101.34.28**<br/>

+&ensp;Release version: **20.121061.13428.0** <br/>

+- Bug fixes

+&ensp;Build: **101.34.27**<br/>

+&ensp;Release version: **20.121052.13427.0** <br/>

+- Bug fixes

+&ensp;Build: **101.34.20**<br/>

+&ensp;Release version: **20.121051.13420.0** <br/>

+- [Device control for macOS](mac-device-control-overview.md) is now in general availability.

+- Addressed an issue where a quick scan could not be started from the status menu on macOS 11 (Big Sur).

+- Other bug fixes

+&ensp;Build: **101.32.69**<br/>

+&ensp;Release version: **20.121042.13269.0** <br/>

+&ensp;Build: **101.29.64**<br/>

+&ensp;Release version: **20.121042.12964.0** <br/>

+- Starting with this version, threats detected during on-demand antivirus scans triggered through the command-line client are automatically remediated. Threats detected during scans triggered through the user interface still require manual action.

+- `mdatp diagnostic real-time-protection-statistics` now supports two additional switches:

+ - `--sort`: sorts the output descending by total number of files scanned

+ - `--top N`: displays the top N results (only works if `--sort` is also specified)

+&ensp;Build: **101.27.50**<br/>

+&ensp;Release version: **20.121022.12750.0** <br/>

+- Fix to accommodate for Apple certificate expiration for macOS Catalina and earlier. This fix restores Microsoft Defender Vulnerability Management (MDVM) functionality.

+&ensp;Build: **101.25.69**<br/>

+&ensp;Release version: **20.121022.12569.0** <br/>

+- Microsoft Defender for Endpoint on macOS is now available in preview for US Government customers. For more information, see [Microsoft Defender for Endpoint for US Government customers](gov.md).

+- Performance improvements (specifically for the situation when the XCode Simulator app is used) & bug fixes.

+&ensp;Build: **101.23.64**<br/>

+&ensp;Release version: **20.121021.12364.0** <br/>

+- Added a new option to the command-line tool to view information about the last on-demand scan. To view information about the last on-demand scan, run `mdatp health --details antivirus`.

+- Performance improvements & bug fixes

+&ensp;Build: **101.22.79** <br>

+- Performance improvements & bug fixes

+- Performance improvements & bug fixes

+> The old command-line tool syntax has been deprecated with this release. For information on the new syntax, see [Resources](mac-resources.md#configuring-from-the-command-line).

+- Added a new command-line switch to disable the network extension: `mdatp system-extension network-filter disable`. This command can be useful to troubleshoot networking issues that could be related to Microsoft Defender for Endpoint on Mac.

+- Performance improvements & bug fixes

+- Bug fixes

+- Improved the reliability of the agent when running on macOS 11 Big Sur.

+- Added a new command-line switch (`--ignore-exclusions`) to ignore AV exclusions during custom scans (`mdatp scan custom`).

+<br/>

+**What's new**

+- Removed conditions when Microsoft Defender for Endpoint was triggering a macOS 11 (Big Sur) bug that manifests into a kernel panic.

+- Fixed a memory leak in the Endpoint Security system extension when running on mac 11 (Big Sur).

+- Bug fixes

+**What's new**

+- Bug fixes

+**What's new**

+- Added a new managed preference for [disabling the option to send feedback](mac-preferences.md#show--hide-option-to-send-feedback).

+- Status menu icon now shows a healthy state when the product settings are managed. Previously, the status menu icon was displaying a warning or error state, even though the product settings were managed by the administrator.

+- Performance improvements & bug fixes

+**What's new**

+- This product version has been validated on macOS Big Sur 11 beta 9.

+- The new syntax for the mdatp command-line tool is now the default one. For more information on the new syntax, see [Resources for Microsoft Defender for Endpoint on macOS](mac-resources.md#configuring-from-the-command-line).

+> The old command-line tool syntax will be removed from the product on **January 1st, 2021**.

+- Extended `mdatp diagnostic create` with a new parameter (`--path [directory]`) that allows the diagnostic logs to be saved to a different directory.

+- Performance improvements & bug fixes

+**What's new**

+- User interface improvements to differentiate exclusions that are managed by the IT administrator versus exclusions defined by the local user.

+- Improved CPU utilization during on-demand scans.

+- Performance improvements & bug fixes

+**What's new**

+- Added new fields to the output of `mdatp --health` for checking the status of passive mode and the EDR group ID.

+> `mdatp --health` will be replaced with `mdatp health` in a future product update.

+- Fixed a bug where automatic sample submission was not marked as managed in the user interface.

+- Added new settings for controlling the retention of items in the antivirus scan history. You can now [specify the number of days to retain items in the scan history](mac-preferences.md#antivirus-scan-history-retention-in-days) and [specify the maximum number of items in the scan history](mac-preferences.md#maximum-number-of-items-in-the-antivirus-scan-history).

+- Bug fixes

+**What's new**

+- Addressed a performance regression introduced in version `101.05.17`. The regression was introduced with the fix to eliminate the kernel panics some customers have observed when accessing SMB shares. We have reverted this code change and are investigating alternative ways to eliminate the kernel panics.

+&ensp;Build: **101.05.17**<br>

+**What's new**

+> We are working on a new and enhanced syntax for the `mdatp` command-line tool. The new syntax is currently the default in the Insider Fast and Insider Slow update channels. We encourage you to famliliarize yourself with this new syntax.

+> We will continue supporting the old syntax in parallel with the new syntax and will provide more communication around the deprecation plan for the old syntax in the upcoming months.

+- Addressed a kernel panic that occurred sometimes when accessing SMB file shares.

+- Performance improvements & bug fixes

+**What's new**

+- Improvements to quick scan logic to significantly reduce the number of scanned files.

+- Added [autocompletion support](mac-resources.md#how-to-enable-autocompletion) for the command-line tool.

+- Bug fixes

+**What's new**

+- Performance improvements & bug fixes

+**What's new**

+- Improvements around compatibility with Time Machine

+- Accessibility improvements

+- Performance improvements & bug fixes

+**What's new**

+- Improved [product onboarding experience for Intune users](/mem/intune/apps/apps-advanced-threat-protection-macos)

+- Antivirus [exclusions now support wildcards](mac-exclusions.md#supported-exclusion-types)

+- Added the ability to trigger antivirus scans from the macOS contextual menu. You can now right-click a file or a folder in Finder and select **Scan with Microsoft Defender for Endpoint**.

+- In-place product downgrades are now explicitly disallowed by the installer. If you need to downgrade, first uninstall the existing version and reconfigure your device.

+- Other performance improvements & bug fixes

+&ensp;Build: **100.90.27** <br>

+**What's new**

+- You can now [set an update channel](mac-updates.md#set-the-channel-name) for Microsoft Defender for Endpoint on macOS that is different from the system-wide update channel.

+- New product icon

+- Other user experience improvements

+- Bug fixes

+**What's new**

+- Improvements around compatibility with Time Machine

+- Addressed an issue where the product was sometimes not cleaning all files under `/Library/Application Support/Microsoft/Defender` during uninstallation.

+- Reduced the CPU utilization of the product when Microsoft products are updated through Microsoft AutoUpdate.

+- Other performance improvements & bug fixes

+- Performance improvements & bug fixes

+- Added more controls for IT administrators around [management of exclusions](mac-preferences.md#exclusion-merge-policy), [management of threat type settings](mac-preferences.md#threat-type-settings-merge-policy), and [disallowed threat actions](mac-preferences.md#disallowed-threat-actions).

+- When Full Disk Access is not enabled on the device, a warning is now displayed in the status menu.

+<br/>

+<br/>

+- Fixed an issue where Microsoft Defender for Endpoint on Mac was sometimes interfering with Time Machine.

+- Added ability to view the full threat history in the user interface (can be accessed from the **Protection history** view).

+<details><summary>(Build: 100.72.15)</summary>

+- Bug fixes

+<details><summary>(Build: 100.70.99)</summary>

+</details>

+<details><summary>(Build: 100.68.99)</summary>

+- Added the ability to configure the antivirus functionality to run in [passive mode](mac-preferences.md#enforcement-level-for-antivirus-engine).

+- Performance improvements & bug fixes

+<details><summary>(Build: 100.65.28)</summary>

+- Added support for macOS Catalina.

+>

+>

+> - For manual deployments, see the updated instructions in the [Manual deployment topic](mac-install-manually.md#how-to-allow-full-disk-access).

+> - For managed deployments, see the updated instructions in the [JAMF-based deployment](mac-install-with-jamf.md) and [Microsoft Intune-based deployment](mac-install-with-intune.md#create-system-configuration-profiles) topics.

+- Performance improvements & bug fixes

+> To enable the **Allow installation of devices that match any of these device instance IDs** policy setting to supersede this policy setting for applicable devices, enable the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy setting. Also, the allow policy won't take precedence if the **Block Removable Storage** option is selected in Device Control.

+> Experts on Demand is not a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/).

+ For more information, see [Defender for Cloud's multicloud capabilities](https://aka.ms/mdcmc).

+In case you have Windows Server 2012 R2 or 2016 machines that are provisioned with the legacy, Log Analytics-based Microsoft Defender for Endpoint solution, Microsoft Defender for Cloud's deployment process will deploy the Defender for Endpoint [unified solution](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution). After successful deployment, it will stop and disable the legacy Defender for Endpoint process on these machines.

+You can enable network protection in **Audit** mode or **Block** mode. If you want to evaluate the impact of enabling network protection before actually blocking IP addresses or URLs, you can enable network protection in Audit mode for time to gather data on what would be blocked. Audit mode logs when end users have connected to an address or site that would otherwise have been blocked by network protection. Note that in order for indicators of compromise (IoC) or Web content filtering (WCF) to work, network protection must be in "Block mode"

+ echo $(date) "Time Scan Begins" >>/logs/mdav_avacron_full_scan.log

+ echo $(date) "Time Scan Finished" >>/logs/mdav_avacron_full_scan.log

+The following are the solution's categories:

+|[SafeBreach](https://go.microsoft.com/fwlink/?linkid=2201775)|SafeBreach|SafeBreach continuously executes attacks, correlates results to help visualize security gaps, and leverages contextual insights to highlight remediation efforts. With its Hacker's PlaybookΓäó, the industry's most extensive collection of attack data enabled by state-of-the-art threat intelligence research, SafeBreach empowers organizations to get proactive about security with a simple approach that replaces hope with data.|

+|[Zscaler Internet Access](https://go.microsoft.com/fwlink/?linkid=2201779)|Zscaler|Zscaler Internet Access is a cloud native security service edge (SSE) solution that builds on a decade of secure web gateway leadership. Offered as a scalable SaaS platform from the world's largest security cloud, it replaces legacy network security solutions to stop advanced attacks and prevent data loss with a comprehensive zero trust approach.|

+<!-- v-jweston/jweston-1 is scheduled to resume authorship Apr/May 2023.-->

+Starting with Defender version 4.18.2206.X, users will be able to view scan skip reason information under "SkipReason" column. The possible values are:

+## November 2022

+**Zeek is now generally available as a component of Microsoft Defender for Endpoint.**

+Microsoft has partnered with [Corelight](https://corelight.com/company/zeek-now-component-of-microsoft-windows), a leader in open source Network Detection and Response (NDR), to provide a new open-source integration with [Zeek](https://corelight.com/about-zeek/how-zeek-works) for Microsoft Defender for Endpoint. With this integration organizations can super-charge their investigation efforts with rich network signals and reduce the time it takes to detect network-based threats by having unprecedented visibility into network traffic from the endpoints' perspective.

+The new Zeek integration is available in the latest version of the Microsoft Defender for Endpoint agent via the following knowledge base articles: [KB5016691](https://support.microsoft.com/topic/august-25-2022-kb5016691-os-build-22000-918-preview-59097044-915a-49a0-8870-49823236adbd), [KB5016693](https://support.microsoft.com/topic/august-16-2022-kb5016693-os-build-20348-946-preview-ee90d0bc-c162-4124-b7c6-f963ee7b17ed), [KB5016688](https://support.microsoft.com/topic/august-26-2022-kb5016688-os-builds-19042-1949-19043-1949-and-19044-1949-preview-ec31ebdc-067d-44dd-beb0-eabcc984d843), and [KB5016690](https://support.microsoft.com/topic/august-23-2022-kb5016690-os-build-17763-3346-preview-b81d1ac5-75c7-42c1-b638-f13aa4242f42).

+> [!NOTE]

+> This integration doesnΓÇÖt currently support the use of custom scripts to gain visibility into extra signals.

+- Added a fix to resolve a missing intermediate certificate issue with the use of "TelemetryProxyServer" on Windows Server 2012 R2 running the unified agent.

+- Enhanced Microsoft Defender for Endpoint's ability to identify and intercept ransomware and advanced attacks.

+Android 6.0 or higher|Yes|Yes|Not supported|Not supported|Not supported

+iOS 12.0 or higher|Yes|Yes (public preview)|Not supported|Not supported|Not supported

+You can view software usage by selecting an application in the software inventory page. A flyout panel will open with more details including data related to that software's usage over the past 30 days.

+>If you don't see usage insights, it's because that application is currently not supported. Software usage is currently not supported for:

+## October 2022

+Several Linux platforms have high numbers of CVEs that are reported in official channels as not having a fix available (Red Hat, CentOS, Debian, and Ubuntu). This results in a high volume of non-actionable CVEs appearing in Microsoft Defender Vulnerability Management.

+To address this, Defender Vulnerability Management will no longer report such CVEs on the above Linux platforms. The new behavior may lead to reporting of fewer exposed devices and lower organization exposure score.

+## September 2022

+- Vulnerability assessment of apps on Microsoft Defender for Endpoint for iOS is now in public preview. Defender for Endpoint on iOS supports vulnerability assessments of apps only for enrolled (MDM) devices. For more information, see [Configure vulnerability assessment of apps](/microsoft-365/security/defender-endpoint/ios-configure-features#configure-vulnerability-assessment-of-apps). If you are interested in participating in the preview, share your tenant name and ID with us at: [mdatpmobile@microsoft.com](mailto:mdatpmobile@microsoft.com).

+## August 2022

+- Defender Vulnerability Management is now supported for Amazon Linux 2 and Fedora 33 or higher.

+- [Browser extensions APIs](../defender-endpoint/get-assessment-browser-extensions.md) </br>

+ You can now use the new browser extensions APIs to view all browser extensions installed in your organization, including installed versions, permissions requested, and associated risk.

+- [Extended software inventory API support for non product code software](../defender-endpoint/get-assessment-non-cpe-software-inventory.md) </br>

+- Closed list - You don't need to remember the exact value you are looking for. You can easily choose from a suggested closed list that supports multi-selection.<br>

+You don't need to remember the device ID, full device name, or user account name. You can start typing the first few characters of the device or user you are looking for and a suggested list appears from which you can choose what you need:

+Selecting EventType under Registry Events allows you to choose from different registry events, including the one you're hunting for, **RegistryValueDeleted**.

+If you're still working on your query and would like to see its performance and some sample results quickly, adjust the number of records to return by picking a smaller set through the **Sample size** dropdown menu.

+To hunt for successful network communications to a specific IP address, start typing "ip" to get suggested filters:

+Once a suspicious IP is recognized, you can review the accounts that signed in. It's possible that a group of accounts were compromised and successfully used to sign in from the IP or other similar IPs.

+> Experts on Demand is not a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/).

+- Enable the 'show first contact safety tip' option

+ - Ensure that no sender domains are allowed for anti-spam policies (will replace "Ensure that there are no sender domains allowed for Anti-spam policies" to extend functionality also for specific senders)

+> Experts on Demand is not a security incident response service. It's intended to provide a better understanding of complex threats affecting your organization. Engage with your own security incident response team to address urgent security incident response issues. If you don't have your own security incident response team and would like Microsoft's help, create a support request in the [Premier Services Hub](/services-hub/).

+> Users in the organization can't send email to these blocked domains and addresses. They'll receive the following non-delivery report (also known as an NDR or bounce message): `550 5.7.703 Your message can't be delivered because one or more recipients are blocked by your organization's tenant recipient block policy.` The entire message is blocked for all recipients of the message, even if only one recipient email address or domain is defined in a block entry.

+f1.keywords:

+search.appverid:

+3. **Search and filter in Threat Explorer**: Filters appear at the top of the page in the search bar to help admins in their investigations. Notice that multiple filters can be applied at the same time, and multiple comma-separated values added to a filter to narrow down the search. Remember:

+4. **Advanced filters**: With these filters, you can build complex queries and filter your data set. Clicking on *Advanced Filters* opens a flyout with options.

+5. **Fields in Threat Explorer**: Threat Explorer exposes a lot more security-related mail information such as *Delivery action*, *Delivery location*, *Special action*, *Directionality*, *Overrides*, and *URL threat*. It also allows your organization's security team to investigate with a higher certainty.

+6. **Email timeline view**: Your security operations team might need to deep-dive into email details to investigate further. The email timeline allows admins to view actions taken on an email from delivery to post-delivery. To view an email timeline, click on the subject of an email message, and then click Email timeline. (It appears among other headings on the panel like Summary or Details.) These results can be exported to spreadsheet.

+7. **Preview / download**: Threat Explorer gives your security operations team the details they need to investigate suspicious email. Your security operations team can either:

+ - Users in the organization can't send email to these blocked domains and addresses. They'll receive the following non-delivery report (also known as an NDR or bounce message): '550 5.7.703 Your message can't be delivered because one or more recipients are blocked by your organization's tenant recipient block policy'. The entire message is blocked for all recipients of the message, even if only one recipient email address or domain is defined in a block entry.

+>

+> Information is blocked from going outside the organization when data is not supposed to leave the tenant boundary for compliance purposes (for example, in U.S. Government organizations: Microsoft 365 GCC, GCC High, and DoD). Reporting a message or file to Microsoft from one of these organizations will have the following message in the result details:

+>

+> **Further investigation needed**. Your tenant does not allow data to leave the environment, so we could not find anything with an initial scan. You'll need to contact Microsoft support to have this item reviewed.

+- [Detect and Remediate Illicit Consent Grants](detect-and-remediate-illicit-consent-grants.md)

+- You're licensed for Microsoft Defender for Office 365 and host your mailboxes in Office 365

+- If your current security provider is configured to modify messages *in any way*, it's important to note that authentication signals can impact the ability for Defender for Office to protect you against attacks such as spoofing. If your third party supports Authenticated Received Chain (ARC), then enabling this is a highly recommended step in your journey to advanced dual filtering. Moving any message modification configuration to Defender for Office 365 is also an alternative.

+- Attack simulation training allows you to run realistic but benign cyber-attack scenarios in your organization. If you don't already have phishing simulation capabilities from your primary email security provider, Microsoft's simulated attacks can help you identify and find vulnerable users, policies, and practices. This is important knowledge to have and correct *before* a real attack impacts your organization. Post simulation we assign in product or custom training to educate users about the threats they missed, ultimately reducing your organization's risk profile. With Attack simulation training we deliver messages directly into the inbox, so the user experience is rich. This also means no security changes such as overrides needed to get simulations delivered correctly.

+In the event that a campaign has targeted your organization and you'd like to learn more about the impact:

+1. If you would like to take an action and move the messages out of the inbox, you can select the message and then select **Message actions** \> **Move to junk folder**. This will ensure your user doesn't continue to interact with the malicious message that could result in a potential breach.

+Microsoft SharePoint Online is a widely used user collaboration and file storage tool. The following steps help reduce the attack surface area in SharePoint Online and that help keep this collaboration tool in your organization secure. However, it's important to note there is a balance to strike between security and productivity, and not all these steps may be relevant for your organizational risk profile. Take a look, test, and maintain that balance.

+1. Sign in to the [security center's safe attachments configuration page](https://security.microsoft.com/safeattachmentv2).

+- **Use Microsoft's integrated report experience** section:

+ - **Send the reported messages to** section: Select one of the following options:

+ - **Microsoft (Recommended)**: The user reports go directly to Microsoft for analysis. Only the metadata such as sender, recipient, reported by, and the message details from the user reports are provided to the tenant admin via the Microsoft 365 Defender portal.

+ - **Microsoft and my organization's mailbox**: In the box that appears, enter the email address of an existing Exchange Online mailbox to use as the user submissions mailbox. Distribution groups are not allowed. User submissions go to Microsoft for analysis and to the user submissions mailbox for an admin or security operations team to analyze.

+ - **My organization's mailbox**: In the box that appears, enter the email address of an existing Exchange Online mailbox. Distribution groups are not allowed. User submissions go only to the user submissions mailbox for an admin or the security operations team to analyze. Messages don't go to Microsoft for analysis unless an admin manually submits the messages.

+ > [!IMPORTANT]

+ > In U.S. Government organizations (Microsoft 365 GCC, GCC High, and DoD), the only available selection in the **Send the reported messages to** section is **My organization's mailbox**. The other two options are grayed out.

+ >

+ > If you used [Outlook on the web mailbox policies](/exchange/clients-and-mobile-in-exchange-online/outlook-on-the-web/configure-outlook-web-app-mailbox-policy-properties) to disable junk email reporting in Outlook on the web, but you select **Microsoft** or **Microsoft and my organization's mailbox**, users will be able to report messages to Microsoft in Outlook on the web using the Report Message add-in or the Report Phishing add-in.

+ >

+ > If you select **My organization's mailbox**, reported messages appear on the **User reported messages** tab on the **Submissions** page at <https://security.microsoft.com/reportsubmission>. But the **Result** value of these messages will always be empty, because the messages were not rescanned.

+ >

+ > If you use [Attack simulation training](attack-simulation-training-get-started.md) or a third-party product to do phishing simulations, you must configure the user submissions mailbox as a SecOps mailbox as previously described in the [Configuration requirements for the user submissions mailbox](#configuration-requirements-for-the-user-submissions-mailbox) section earlier in this article. If you don't, a user reporting a message might trigger a training assignment in the phishing simulation product.

+ Regardless of your selection, the following settings are also available in the **Send the reported messages to** section:

+ - **Let users choose if they want to report**: This setting controls the options that are available in the **Select reporting options that are available to users** section:

+ - **Let users choose if they want to report** selected: You can select some, all or none of the settings in the **Select reporting options that are available to users** section.

+ - **Let users choose if they want to report** not selected: You can select only one setting in the **Select reporting options that are available to users** section.

+ - **Select reporting options that are available to users** section:

+ - **Ask me before sending the message**

+ - **Always report the message**

+ - **Never report the message**

+ - **User reporting experience** section: The following settings are available:

+ As shown on the page, if you select an option that sends the reported messages to Microsoft, the following text is also added to the notification:

+ > Your email will be submitted as-is to Microsoft for analysis. Some emails might contain personal or sensitive information.

+ - **Before reporting** tab: In the **Title** and **Message body** boxes, enter the descriptive text that users see before they report a message using the Report Message add-in or the Report Phishing add-in. You can use the variable `%type%` to include the submission type (junk, not junk, phishing, etc.).

+ - **After reporting** tab: In the **Title** and **Confirmation message** boxes, enter the descriptive text that users see after they report a message using the Report Message add-in or the Report Phishing add-in. You can use the variable `%type%` to include the submission type.

+ - **Only display when user reports phishing**: Select this option to display the **Before reporting** and **After reporting** notifications only when users report messages as phishing. Otherwise, the notifications are shown for all reported messages.

+ - **Email notifications for admin review results** section: The following settings are available:

+ - **Specify Office 365 email address to use as sender**: Select this setting and enter the email address in the box that appears.

+ - **Customize notifications**: Click this link to customize the email notification that's sent after an admin reviews and marks a reported message.

+ On the **Customize confirmation message** flyout that appears, configure the following settings:

+ - **Phishing**, **Junk** and **No threats found** tabs: In the **Review result text** on some, none, or all of the tabs, enter the custom text to use.

+ - **Footer** tab: The following options are available:

+ When you're finished on the **Customize confirmation message** flyout, click **Confirm**.

+- **Use Microsoft's integrated Outlook reporting experience** section:

+ **Use this custom mailbox to receive user reported messages**: Select this option and enter the email address of an existing Exchange Online mailbox to use as the user submissions mailbox. Distribution groups are not allowed.

+This query allows admins to identify wanted and unwanted senders. If a bulk sender has a BCL score that doesn't meet the bulk threshold, admins can [submit the sender's messages to Microsoft for analysis](allow-block-email-spoof.md#use-the-microsoft-365-defender-portal-to-create-allow-entries-for-domains-and-email-addresses-in-the-submissions-portal), which adds the sender as an allow entry to the Tenant Allow/Block List.