Updates from: 11/17/2022 02:55:56
Category Microsoft Docs article Related commit history on GitHub Change details
admin Microsoft Teams Device Usage Preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/activity-reports/microsoft-teams-device-usage-preview.md
description: "Gain insights into the Microsoft Teams apps used in your organizat
# Microsoft 365 Reports in the admin center - Microsoft Teams device usage
-The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md). In the Microsoft Teams app usage report, you can gain insights into the Microsoft Teams apps that are used in your organization.
+The Microsoft 365 Reports dashboard shows you the activity overview across the products in your organization. It enables you to drill in to individual product level reports to give you more granular insight about the activities within each product. Check out [the Reports overview topic](activity-reports.md). In the Microsoft Teams device usage report, you can gain insights into the types of devices on which the Microsoft Teams apps is being used in your organization.
-## How to get to the Microsoft Teams app usage report
+## How to get to the Microsoft Teams device usage report
1. In the admin center, go to the **Reports** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=2074756" target="_blank">Usage</a> page. 2. From the dashboard homepage, click on the **View more** button on the Microsoft Teams activity card.
-## Interpret the Microsoft Teams app usage report
+## Interpret the Microsoft Teams device usage report
You can view the device use in the Teams report by choosing the **Device usage** tab.<br/>![Microsoft 365 reports - Microsoft Teams device usage.](../../media/e46c7f7c-8371-4a20-ae82-b20df64b0205.png)
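Review bot: The added introductory paragraph has a subject-verb mismatch in "the types of devices on which the Microsoft Teams apps is being used"; change it to "the Microsoft Teams app is being used" or "the Microsoft Teams apps are being used". The unchanged `description:` line shown above the paragraph still begins "Gain insights into the Microsoft Teams apps used in your organizat", which reads like the app usage wording this change replaces everywhere else, so it is worth checking that the front matter was updated to describe device usage as well.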
compliance Communication Compliance Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-configure.md
Use the following chart to help you configure groups in your organization for co
| **Policy Member** | **Supported Groups** | **Unsupported Groups** | |:--|:--|:--|
-|Supervised users <br> Excluded users | Distribution groups <br> Microsoft 365 Groups | Dynamic distribution groups <br> Nested distribution groups <br> Mail-enabled security groups <br> Microsoft 365 groups with dynamic membership |
+|Supervised users <br> Excluded users | Distribution groups <br> Microsoft 365 Groups | Dynamic distribution groups <br> Shared mailbox <br> Nested distribution groups <br> Mail-enabled security groups <br> Microsoft 365 groups with dynamic membership |
| Reviewers | None | Distribution groups <br> Dynamic distribution groups <br> Nested distribution groups <br> Mail-enabled security groups | When you assign a *distribution group* in the policy, the policy detects all emails and Teams chats from each user in the *distribution group*. When you assign a *Microsoft 365 group* in the policy, the policy detects all emails and Teams chats sent to the *Microsoft 365 group*,* not the individual emails and chats received by each group member. Using distribution groups in communication compliance policies are recommended so that individual emails and Teams chats from each user are automatically detected.
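Review bot: In the "Supervised users / Excluded users" row, the new "Shared mailbox" entry is singular and is not a group type, while every other entry in the "Unsupported Groups" column is a plural group type. Use "Shared mailboxes" for consistency. The "Reviewers" row directly below was left unchanged, so please confirm whether shared mailboxes are unsupported there too and, if so, add the entry to that row in the same change.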
compliance Whats New https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/whats-new.md
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
+## November 2022
+
+### eDiscovery
+
+- [Limits in eDiscovery (Premium)](/microsoft-365/compliance/limits-ediscovery20) - new section for review set viewer limits, the maximum number of items displayed per page in a review set is now 10,000.
+- [Decryption in Microsoft Purview eDiscovery tools](/microsoft-365/compliance/ediscovery-decryption) - clarified how items labeled within SharePoint Online are decrypted with eDiscovery tools.
+- [Conduct an eDiscovery investigation of content in Microsoft Teams](/microsoftteams/ediscovery-investigation) - expanded reactions in Microsoft Teams chats are now supported in eDiscovery (Premium).
+- [Create an eDiscovery hold](/microsoft-365/compliance/create-ediscovery-holds) - clarified how eDiscovery holds are handled when a user's OneDrive URL changes.
+ ## October 2022
+### Audit
+
+- [Audit New Search](/microsoft-365/compliance/audit-new-search) - users can now run 10 concurrent audit search jobs with a max of one unfiltered search job, and review the progress %, result number, and job status in the UI. Historical search jobs results are now stored for 30 days and can be accessed after completion.)
+ ### Communication compliance - **In preview**: New communication compliance [integration with insider risk management](/microsoft-365/compliance/communication-compliance#integration-with-insider-risk-management-preview). Communication compliance can now provide risk signals detected in messages to insider risk management policies. Risky users detected in messages by the communication compliance policy act as a triggering event to bring users into scope for the insider risk management policies. ### Data loss prevention -- **In preview** Multiple updates for authorization groups in [Configure endpoint DLP settings](/microsoft-365/compliance/dlp-configure-endpoint-settings) and [Using Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-using).
+- **In preview**: Multiple updates for authorization groups in [Configure endpoint DLP settings](/microsoft-365/compliance/dlp-configure-endpoint-settings) and [Using Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-using).
- [Printer groups](/microsoft-365/compliance/dlp-configure-endpoint-settings#printer-groups-preview) - [Removable USB storage device groups](/microsoft-365/compliance/dlp-configure-endpoint-settings#removable-storage-device-groups-preview) - [Network share paths](/microsoft-365/compliance/dlp-configure-endpoint-settings#network-share-groups-preview) - [Website groups](/microsoft-365/compliance/endpoint-dlp-using#scenario-4-avoid-looping-dlp-notifications-from-cloud-synchronization-apps-with-auto-quarantine-preview) - [VPN network location groups](/microsoft-365/compliance/dlp-configure-endpoint-settings#vpn-settings-preview) - [Sensitive service domains](/microsoft-365/compliance/dlp-configure-endpoint-settings#sensitive-service-domains)-- **In preview** Polices can use grouping of conditions, nesting of groups and the use of boolean operators (AND/OR/NOT) between them.
+- **In preview**: Policies can use grouping of conditions, nesting of groups and the use of boolean operators (AND/OR/NOT) between them.
- [Complex rule design](/microsoft-365/compliance/dlp-policy-design#complex-rule-design-preview) - [Use trainable classifiers as conditions in DLP policies](/microsoft-365/compliance/dlp-policy-reference#location-support-for-how-content-can-be-defined)-- **In preview** For endpoints, support for detecting sensitive items that are password protected or encrypted.
+- **In preview**: For endpoints, support for detecting sensitive items that are password protected or encrypted.
- [Conditions that devices support](/microsoft-365/compliance/dlp-policy-reference#conditions-devices-supports)-- **Generally available** [100 new files types that can be scanned](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments#supported-file-types-for-mail-flow-rule-content-inspection)
+- **Generally available**: [100 new files types that can be scanned](/exchange/security-and-compliance/mail-flow-rules/inspect-message-attachments#supported-file-types-for-mail-flow-rule-content-inspection)
+
+### eDiscovery
+
+- [Limits for Content search and eDiscovery (Standard)](/microsoft-365/compliance/limits-for-content-search) - clarified how eDiscovery jobs are counted towards limits.
+- [Export documents from a review set in eDiscovery (Premium)](/microsoft-365/compliance/export-documents-from-review-set) - removed conversation PDF support per feature and UI updates.
+- [Assign eDiscovery permissions in the compliance portal](/microsoft-365/compliance/assign-ediscovery-permissions) - added content to support new Manage review set tags role.
+- [New-ComplianceSecurityFilter](/powershell/module/exchange/new-compliancesecurityfilter) - now support only 'all' parameters, removed non-supported example scenarios.
+- [Keyword queries and search conditions for eDiscovery](/microsoft-365/compliance/keyword-queries-and-search-conditions) - clarified the supported FolderId 48-character format indexed for search.
### Insider risk management
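Review bot: The added "Audit New Search" bullet ends with an unmatched closing parenthesis ("can be accessed after completion.)"); drop the ")" since no parenthesis is opened earlier in the bullet. In the same bullet, "progress %" would read better as "progress percentage". In the added October eDiscovery list, the New-ComplianceSecurityFilter bullet says "now support only 'all' parameters", which should be "now supports only", and the first November bullet joins two sentences with a comma ("review set viewer limits, the maximum number of items"); split it or use a semicolon.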
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
### Data lifecycle management and records management -- In preview: Retention labels now support running a Power Automate flow at the end of the retention period to support custom actions and integration with other solutions. For more information, see [Customize what happens at the end of the retention period](retention-label-flow.md).
+- **In preview**: Retention labels now support running a Power Automate flow at the end of the retention period to support custom actions and integration with other solutions. For more information, see [Customize what happens at the end of the retention period](retention-label-flow.md).
- For records management items undergoing disposition review, when you select that item in the Disposition area of the compliance portal, a new Progress column displays the item's status. That status can be "Approved for deletion, 'Awaiting deletion from SharePoint/OneDrive' or 'Awaiting deletion from Exchange', or "Permanently Deleted". When an item is approved for permanent deletion as part of the disposition review process, that deletion can take up to 15 days to complete and this new column helps you to track its progress. - The configuration to [enable a mailbox for archiving](enable-archive-mailboxes.md) is moving to the new Exchange admin center (EAC) and instructions have been updated accordingly. - Currently, trainable classifiers for auto-apply retention labels aren't supported with adaptive scopes. As a workaround, use static scopes for this configuration combination.
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
### Sensitivity labels - [PDF support](sensitivity-labels-office-apps.md#pdf-support) in Word, Excel, and PowerPoint is now available to Windows Current Channel and Monthly Enterprise Channel. - Default label for existing documents is now fully rolled out to Mac and Windows in Current Channel and Monthly Enterprise Channel, providing parity with the AIP add-in.-- In preview: The new [sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) and support for [label colors](sensitivity-labels-office-apps.md#label-colors) in Office apps, providing parity with the AIP add-in with additional functionality.-- In preview: [S/MIME support](sensitivity-labels-office-apps.md#configure-a-label-to-apply-smime-protection-in-outlook) for Windows, providing parity with the AIP add-in. Support for Mac and mobile is now fully rolled out.-- In preview: Trainable classifiers for auto-labeling policies (all workloads).
+- **In preview**: The new [sensitivity bar](sensitivity-labels-office-apps.md#sensitivity-bar) and support for [label colors](sensitivity-labels-office-apps.md#label-colors) in Office apps, providing parity with the AIP add-in with additional functionality.
+- **In preview**: [S/MIME support](sensitivity-labels-office-apps.md#configure-a-label-to-apply-smime-protection-in-outlook) for Windows, providing parity with the AIP add-in. Support for Mac and mobile is now fully rolled out.
+- **In preview**: Trainable classifiers for auto-labeling policies (all workloads).
### Trainable classifiers
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
- Generally available (GA) and no longer need to opt in: Mobile devices (iOS and Android, with minimal versions) support [co-authoring for files encrypted with sensitivity labels](sensitivity-labels-coauthoring.md). - GA with Current Channel 2208+ for Word, Excel, PowerPoint on Windows: [Support for PDF](sensitivity-labels-office-apps.md#pdf-support). Support for Outlook to block print to PDF when required, is rolling out to Beta Channel. - Rolling out to GA with Current Channel 2208+ for Windows, and 16.63+ for macOS: Default label for existing documents.-- In preview: Trainable classifiers for [auto-labeling policies](apply-sensitivity-label-automatically.md).
+- **In preview**: Trainable classifiers for [auto-labeling policies](apply-sensitivity-label-automatically.md).
- Guidance how to [configure Azure AD for encrypted content](encryption-azure-ad-configuration.md), which includes information about External Identities cross-tenant access settings, Conditional Access policies, and guest accounts. ## July 2022
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
### Sensitivity labels -- In preview: [Default sensitivity label for a SharePoint document library](sensitivity-labels-sharepoint-default-label.md).-- In preview: [Organization-wide custom permissions](encryption-sensitivity-labels.md#support-for-organization-wide-custom-permissions) for Windows when a sensitivity label is configured to let users assign permissions. For more information, see [Support for organization-wide custom permissions](encryption-sensitivity-labels.md#support-for-organization-wide-custom-permissions).
+- **In preview**: [Default sensitivity label for a SharePoint document library](sensitivity-labels-sharepoint-default-label.md).
+- **In preview**: [Organization-wide custom permissions](encryption-sensitivity-labels.md#support-for-organization-wide-custom-permissions) for Windows when a sensitivity label is configured to let users assign permissions. For more information, see [Support for organization-wide custom permissions](encryption-sensitivity-labels.md#support-for-organization-wide-custom-permissions).
- Now rolling out to Current Channel (Preview) for Windows: Default label for existing documents. - Now available with the Semi-Annual Enterprise Channel: [Co-authoring for files encrypted with sensitivity labels](sensitivity-labels-coauthoring.md). - The [label scope name](sensitivity-labels.md#label-scopes) of "Files & emails" that you see when configuring a sensitivity label is now "Items".
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
### Data lifecycle management and records management -- In preview: [Microsoft Graph API for records management](compliance-extensibility.md#microsoft-graph-api-for-records-management-preview)
+- **In preview**: [Microsoft Graph API for records management](compliance-extensibility.md#microsoft-graph-api-for-records-management-preview)
### Microsoft Priva
Whether it be adding new solutions to the [Microsoft Purview compliance portal](
### Sensitivity labels -- In preview: [PDF support for Office apps](sensitivity-labels-office-apps.md#pdf-support), which includes converting documents to PDF format, inheriting the label with any visual markings and encryption. Print to PDF isn't supported, and this option becomes unavailable for users if their label policy is configured for mandatory labeling.-- In preview: The dialog box that users see when their label policy is configured to require justification to remove or downgrade a label is updated to warn users that their typed response should not include sensitive data. The screenshot in the [What label policies can do](sensitivity-labels.md#what-label-policies-can-do) section shows this updated dialog box that will make its way into the Office deployment channels for production use.-- In preview: [Support for Outlook to apply S/MIME protection](sensitivity-labels-office-apps.md#configure-a-label-to-apply-smime-protection-in-outlook) is just starting to roll out across client platforms.
+- **In preview**: [PDF support for Office apps](sensitivity-labels-office-apps.md#pdf-support), which includes converting documents to PDF format, inheriting the label with any visual markings and encryption. Print to PDF isn't supported, and this option becomes unavailable for users if their label policy is configured for mandatory labeling.
+- **In preview**: The dialog box that users see when their label policy is configured to require justification to remove or downgrade a label is updated to warn users that their typed response should not include sensitive data. The screenshot in the [What label policies can do](sensitivity-labels.md#what-label-policies-can-do) section shows this updated dialog box that will make its way into the Office deployment channels for production use.
+- **In preview**: [Support for Outlook to apply S/MIME protection](sensitivity-labels-office-apps.md#configure-a-label-to-apply-smime-protection-in-outlook) is just starting to roll out across client platforms.
- For [auto-labeling policies](apply-sensitivity-label-automatically.md#creating-an-auto-labeling-policy), a new setting that can automatically turn on the policy if not edited within a set number of days. ### Trainable Classifiers - [Learn about trainable classifiers](classifier-learn-about.md) - added Adult, Racy, Gory images trainable classifier.
-## May 2022
-
-### Communication compliance
--- [Communication compliance reports and audits](communication-compliance-reports-audits.md) - updated file size limits for exported reports.-- [Communication compliance policies](communication-compliance-policies.md) - clarified user-reported messages disable/enable process and clarified processing for Teams and Exchange.-
-### Compliance Manager
--- [Alerts and alert policies](compliance-manager-alert-policies.md) - new section explaining the default score change policy for all orgs.-- [Working with improvement actions](compliance-manager-improvement-actions.md) - clarified status states for implementation status and test status, making a distinction for the latter between automatically tested actions and manually tested actions.-- [Templates list](compliance-manager-templates-list.md) - added two new templates in the Europe, Middle East, and Africa (EMEA) region: Qatar National Information Assurance (NIA) and UAE Data Privacy Law.-
-### Compliance offerings & service assurance
--- [Microsoft Security Development Lifecycle](/compliance/assurance/assurance-microsoft-security-development-lifecycle) - new SDL assurance topic for Microsoft services.-
-### Data lifecycle management and records management
--- Currently rolling out in preview: New [relabel option at the end of the retention period](retention-settings.md#relabeling-at-the-end-of-the-retention-period).-- New deployment guidance: [Deploy a data governance solution with Microsoft Purview](data-governance-solution.md)-- Correction in the documentation to confirm that resource mailboxes are supported for Exchange retention and deletion for both static scopes and adaptive scopes. For static scopes, resource mailboxes are included by default in an org-wide policy (the All default).-- New documentation for end users: [Manage email storage with online archive mailboxes](https://support.services.microsoft.com/office/manage-email-storage-with-online-archive-mailboxes-1cae7d17-7813-4fe8-8ca2-9a5494e9a721)-
-### Data loss prevention
--- [Send email notifications and policy tips for DLP policies](use-notifications-and-policy-tips.md) - added new information on what triggers a notification and who can receive them.-
-### Information barriers
--- [Learn about information barriers](information-barriers.md), [Get started with information barriers](information-barriers-policies.md) - refactored structure of topics and added clarification for Exchange Online support and limitations, updated to include support for new IB UI experience.-
-### Insider risk management
--- [Get started with insider risk management settings](insider-risk-management-settings.md) - added guidance for new Defender for Cloud App indicators, new anomaly as a triggering event in custom thresholds, new file extension prioritization and sensitivity labels policy support.-- [Insider risk management cases](insider-risk-management-cases.md) - clarified escalation to eDiscovery case guidance.-
-### Microsoft Priva
--- [Learn about the free Priva trial](/privacy/priva/priva-trial) - updated link to new universal Microsoft 365 trial terms and conditions and minor updates to clarify roles and eligibility.-- [Get started with Priva](/privacy/priva/priva-setup) - added section indicating limitations to Priva availability.-
-### Sensitive Information Types
--- [Learn about exact data match based sensitive information types](sit-learn-about-exact-data-match-based-sits.md) - from a customer escalation, added the regions that EDM is supported in and the procedures to find the region of your tenant.-- [Create EDM SIT rule package](sit-get-started-exact-data-match-create-rule-package.md) - added 'working with specific types of data' from the schema article.-- [Create Schema for EDM SIT](sit-get-started-exact-data-match-create-schema.md) - removed 'working with specific types of data'.-- [Use named entities in your DLP policies](named-entities-use.md) - added support statement for Microsoft Defender for Cloud Apps.-
-### Sensitivity labels
--- New option at the end of the label creation or editing process, to automatically [convert auto-labeling settings into an auto-labeling policy](apply-sensitivity-label-automatically.md#convert-your-label-settings-into-an-auto-labeling-policy).-- Auto-labeling policies for SharePoint and OneDrive can now apply labels with encryption when the account that last modified the file no longer exists in Azure AD.-- Container labels are supported for Office 365 Content Delivery Networks (CDNs).-- Clarifications for [removing and deleting labels](create-sensitivity-labels.md#removing-and-deleting-labels).-- New [common scenarios](get-started-with-sensitivity-labels.md#common-scenarios-for-sensitivity-labels):
- - Label SQL database columns by using the same sensitivity labels as those used for files and emails so that the organization has a unified labeling solution that continues to protect structured data when it's exported
- - Apply a sensitivity label to a file after receiving an alert that content containing personal data is being shared and needs protection
- ### Changes to product names To meet the challenges of today's decentralized, data-rich workplace, we're introducing [Microsoft Purview](https://aka.ms/microsoftpurview), a comprehensive set of solutions which helps you understand, govern, and protect your entire data estate. This new brand family combines the capabilities of the former Microsoft Purview Data Map and the Microsoft 365 compliance portfolio that customers already rely on, providing unified data governance and risk management for your organization.
contentunderstanding Solution Manage Contracts Step2 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/solution-manage-contracts-step2.md
After you attach the SharePoint document library, you'll be able to view any cla
## Customize your Contracts tab tile view > [!NOTE]
-> This section references code examples that are contained in the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario%20samples/Contracts%20Management/View%20Formatter/ContractTileFormatting.json) file that is included in the [Contracts Management Solution Assets repository](https://github.com/pnp/syntex-samples/tree/main/scenario%20samples/Contracts%20Management).
+> This section references code examples that are contained in the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario-samples/Contracts-Management/View%20Formatter/ContractTileFormatting.json) file that is included in the [Contracts Management Solution Assets repository](https://github.com/pnp/syntex-samples/tree/main/scenario-samples/Contracts-Management).
While Teams lets you view your contracts in a tile view, you might want to customize it to view the contract data you want to make visible in the contract card. For example, for the **Contracts** tab, it is important for members to see the client, contractor, and fee amount on the contract card. All of these fields were extracted from each contract through your Syntex model that was applied to your document library. You also want to be able to change the tile header bar to different colors for each status so that members can easily see where the contract is in the approval process. For example, all approved contracts will have a blue header bar. ![Tile view of SharePoint library.](../media/content-understanding/tile.png)
-The custom tile view you use requires you to make changes to the JSON file used to format the current tile view. You can reference the JSON file used to create the card view by looking at the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario%20samples/Contracts%20Management/View%20Formatter/ContractTileFormatting.json) file. In the following sections, you'll see specific sections of the code for features that are in the contract cards.
+The custom tile view you use requires you to make changes to the JSON file used to format the current tile view. You can reference the JSON file used to create the card view by looking at the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario-samples/Contracts-Management/View%20Formatter/ContractTileFormatting.json) file. In the following sections, you'll see specific sections of the code for features that are in the contract cards.
If you want to see or make changes to the JSON code for your view in your Teams channel, in the Teams channel, select the view drop-down menu, and then select **Format current view**.
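Review bot: The corrected links replace the encoded spaces in two path segments with hyphens (`scenario-samples/Contracts-Management`) but keep `View%20Formatter` with an encoded space. If that folder was renamed along with the other two, these links are still broken; please confirm the folder name in the repository and open the rendered link once before merging. The same path appears in the later hunks for "Card size and shape", "Contract status" and the field sections, so any correction needs to be applied to every occurrence.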
If you want to see or make changes to the JSON code for your view in your Teams
## Card size and shape
-In the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario%20samples/Contracts%20Management/View%20Formatter/ContractTileFormatting.json) file, look at the following section to see the code for how the size and shape of the card is formatted.
+In the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario-samples/Contracts-Management/View%20Formatter/ContractTileFormatting.json) file, look at the following section to see the code for how the size and shape of the card is formatted.
```JSON {
In the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/
## Contract status
-The following code lets you define the status of each title card. Note that each status value (*New*, *In review*, *Approved*, and *Rejected*) will display a different color code for each. In the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario%20samples/Contracts%20Management/View%20Formatter/ContractTileFormatting.json) file, look at the section that defines the status.
+The following code lets you define the status of each title card. Note that each status value (*New*, *In review*, *Approved*, and *Rejected*) will display a different color code for each. In the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario-samples/Contracts-Management/View%20Formatter/ContractTileFormatting.json) file, look at the section that defines the status.
```JSON {
The following code lets you define the status of each title card. Note that each
Each contract card will display three fields that were extracted for each contract (*Client*, *Contractor*, and *Fee Amount*). Additionally, you also want to display the time/date that the file was classified by the Syntex model used to identify it.
-In the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario%20samples/Contracts%20Management/View%20Formatter/ContractTileFormatting.json) file, the following sections define each of these.
+In the [ContractTileFormatting.json](https://github.com/pnp/syntex-samples/blob/main/scenario-samples/Contracts-Management/View%20Formatter/ContractTileFormatting.json) file, the following sections define each of these.
### Client
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
### [Device discovery]() #### [Device discovery overview](device-discovery.md) #### [Configure device discovery](configure-device-discovery.md)
+#### [Microsoft Defender for IoT integration](enable-microsoft-defender-for-iot-integration.md)
#### [Enable Corelight data integration](corelight-integration.md) #### [Device discovery FAQ](device-discovery-faq.md) ### [Device inventory]() #### [Device inventory](machines-view-overview.md) #### [Exclude devices](exclude-devices.md)
-#### [Device timeline event flags](device-timeline-event-flag.md)
+#### [Device timeline](device-timeline-event-flag.md)
#### [Manage device group and tags](machine-tags.md) ### [Network devices](network-devices.md)
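Review bot: The renamed TOC entry "Device timeline" still points to `device-timeline-event-flag.md`, so the link text and the file name no longer describe the same scope. Keeping the file name is reasonable if the goal is to preserve the existing URL, but say so in the commit message; otherwise rename the file and add a redirect. The new "Microsoft Defender for IoT integration" entry is placed between "Configure device discovery" and "Enable Corelight data integration", which fits the section, so no change is needed there.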
### [Experts on Demand](experts-on-demand.md)
-## [Enterprise IoT security]()
-
-### [Securing IoT devices in the enterprise]()
-### [Onboard an Enterprise IoT plan on your Azure subscription]()
-### [Onboard Enterprise IoT sensors]()
-### [Manage Enterprise IoT plans]()
- ## Reference ### [Understand threat intelligence concepts](threat-indicator-concepts.md) ### [Configure integration with other Microsoft solutions]()
security Defender Endpoint Antivirus Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-antivirus-exclusions.md
Previously updated : 11/15/2022 Last updated : 11/16/2022
The following table summarizes exclusion types that can be defined for Defender
| Product/service | Exclusion types | |:|:-|
-| [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) <br/>[Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md) | - [Automatic exclusions](#automatic-exclusions) (for Windows Server 2016 and later) <br/>- [Custom exclusions](#custom-exclusions), such as process-based exclusions, folder location-based exclusions, file extension exclusions, or contextual file and folder exclusions<br/>- [Custom remediation actions](#custom-remediation-actions) based on threat severity or for specific threats <br/><br/> *The standalone versions of Defender for Endpoint Plan 1 and Plan 2 don't include server licenses. To onboard servers, youΓÇÖll need another license, such as [Microsoft Defender for Servers Plan 1 or 2](/azure/defender-for-cloud/defender-for-servers-introduction). If you're a small or medium-sized business using Defender for Endpoint Plan 1 or [Microsoft Defender for Business](../defender-business/mdb-overview.md), you can get [Microsoft Defender for Business servers](../defender-business/get-defender-business-servers.md).* |
+| [Microsoft Defender Antivirus](microsoft-defender-antivirus-windows.md) <br/>[Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md) | - [Automatic exclusions](#automatic-exclusions) (for Windows Server 2016 and later) <br/>- [Custom exclusions](#custom-exclusions), such as process-based exclusions, folder location-based exclusions, file extension exclusions, or contextual file and folder exclusions<br/>- [Custom remediation actions](#custom-remediation-actions) based on threat severity or for specific threats <br/><br/> *The standalone versions of Defender for Endpoint Plan 1 and Plan 2 don't include server licenses. To onboard servers, youΓÇÖll need another license, such as [Microsoft Defender for Servers Plan 1 or 2](/azure/defender-for-cloud/defender-for-servers-introduction). If you're a small or medium-sized business using [Microsoft Defender for Business](../defender-business/mdb-overview.md), you can get [Microsoft Defender for Business servers](../defender-business/get-defender-business-servers.md).* |
| [Defender for Endpoint Plan 1 or Plan 2](defender-endpoint-plan-1-2.md) | - [Indicators](#defender-for-endpoint-indicators) for files, certificates, or IP addresses, URLs/domains<br/>- [Attack surface reduction exclusions](#attack-surface-reduction-exclusions)<br/>- [Controlled folder access exclusions](#controlled-folder-access-exclusions) | | [Defender for Endpoint Plan 2](microsoft-defender-endpoint.md) | - [Automation folder exclusions](#automation-folder-exclusions) (for automated investigation and remediation) |
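Review bot: In the added table row, "youΓÇÖll" carries a typographic apostrophe that comes through garbled, while "don't" and "you're" in the same cell use a plain one; since the line is being edited anyway, change it to "you'll". The edit also drops "Defender for Endpoint Plan 1 or" from the small-business sentence while the sentence before it still names both Plan 1 and Plan 2, so please confirm the footnote still tells a small business on Plan 1 which server license applies to it.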
security Device Control Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-report.md
To see the security of the device, select the **Open device page** button on the
## Reporting delays
-There might be a delay of up to 12 hours from the time a media connection occurs to the time the event is reflected in the card or in the domain list.
+There might be a delay of up to six hours from the time a media connection occurs to the time the event is reflected in the card or in the domain list.
security Device Timeline Event Flag https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-timeline-event-flag.md
Title: Microsoft Defender for Endpoint device timeline event flags
-description: Use Microsoft Defender for Endpoint device timeline event flags to
+ Title: Microsoft Defender for Endpoint device timeline
+description: Use Microsoft Defender for Endpoint device timeline and timeline event flags.
keywords: Defender for Endpoint device timeline, event flags ms.mktglfcycl: deploy
search.appverid: met150
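Review bot: The added " Title: Microsoft Defender for Endpoint device timeline" line sits next to the unchanged "Title: Microsoft Defender for Endpoint device timeline event flags" line, so the metadata as shown ends up with two Title entries, one of them indented by a space. Replace the existing Title rather than adding a second one, and drop the leading space so the key lines up with "description:" and "keywords:".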
-# Microsoft Defender for Endpoint device timeline event flags
+# Microsoft Defender for Endpoint device timeline
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
search.appverid: met150
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+> [!NOTE]
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-assignaccess-abovefoldlink)
-Event flags in the Defender for Endpoint device timeline help you filter and organize specific events when you're investigate potential attacks.
+The Defender for Endpoint device timeline helps you research and investigate anomalous behavior on your devices more quickly. You can explore specific events and endpoints to review potential attacks in your organization. You can review specific times of each event, set flags to follow up for potentially connected events, and filter to specific date ranges.
+
+- Custom time range picker:
+
+ :::image type="content" source="images/custom-time-range.png" alt-text="Screenshot of the custom time range.":::
+
+- Process tree experience ΓÇô event side panel:
+
+ :::image type="content" source="images/event-side-panel.png" alt-text="Screenshot of the event side panel." lightbox="images/event-side-panel.png":::
+
+
+- All MITRE techniques are shown when thereΓÇÖs more than 1 related technique:
+
+ :::image type="content" source="images/new-timeline-mitre-techniques.png" alt-text="Screenshot of all MITRE techniques. " lightbox="images/new-timeline-mitre-techniques.png":::
+
+- Timeline events are linked to the new user page:
+
+ :::image type="content" source="images/new-timeline-user.png" alt-text="Screenshot of timeline events linked to the new user page." lightbox="images/new-timeline-user.png":::
+
+ :::image type="content" source="images/new-timeline-user-details.png" alt-text="Screenshot of timeline events linked to the new user page 2." lightbox="images/new-timeline-user-details.png":::
+
+- Defined filters are now visible at the top of the timeline:
+
+ :::image type="content" source="images/new-timeline-highlight.png" alt-text="Screenshot of defined filters." lightbox="images/new-timeline-highlight.png":::
+
+## Techniques in the device timeline
+
+You can gain more insight in an investigation by analyzing the events that happened on a specific device. First, select the device of interest from the [Devices list](machines-view-overview.md). On the device page, you can select the **Timeline** tab to view all the events that occurred on the device.
+
+### Understand techniques in the timeline
+
+> [!IMPORTANT]
+> Some information relates to a prereleased product feature in public preview which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+In Microsoft Defender for Endpoint, **Techniques** are an additional data type in the event timeline. Techniques provide more insight on activities associated with [MITRE ATT&CK](https://attack.mitre.org/) techniques or sub-techniques.
+
+This feature simplifies the investigation experience by helping analysts understand the activities that were observed on a device. Analysts can then decide to investigate further.
+
+For public preview, Techniques are available by default and shown together with events when a device's timeline is viewed.
++
+Techniques are highlighted in bold text and appear with a blue icon on the left. The corresponding MITRE ATT&CK ID and technique name also appear as tags under Additional information.
+
+Search and Export options are also available for Techniques.
+
+### Investigate using the side pane
+
+Select a Technique to open its corresponding side pane. Here you can see additional information and insights like related ATT&CK techniques, tactics, and descriptions.
+
+Select the specific *Attack technique* to open the related ATT&CK technique page where you can find more information about it.
+
+You can copy an entity's details when you see a blue icon on the right. For instance, to copy a related file's SHA1, select the blue page icon.
+++
+You can do the same for command lines.
++
+### Investigate related events
+
+To use [advanced hunting](advanced-hunting-overview.md) to find events related to the selected Technique, select **Hunt for related events**. This leads to the advanced hunting page with a query to find events related to the Technique.
++
+> [!NOTE]
+> Querying using the **Hunt for related events** button from a Technique side pane displays all the events related to the identified technique but does not include the Technique itself in the query results.
+
+### Customize your device timeline
+
+On the upper right-hand side of the device timeline, you can choose a date range to limit the number of events and techniques in the timeline.
+
+You can customize which columns to expose. You can also filter for flagged events by data type or by event group.
+
+### Choose columns to expose
+
+You can choose which columns to expose in the timeline by selecting the **Choose columns** button.
+++
+From there you can select which information set to include.
+
+### Filter to view techniques or events only
+
+To view only either events or techniques, select **Filters** from the device timeline and choose your preferred Data type to view.
++
+## Timeline event flags
+
+Event flags in the Defender for Endpoint device timeline help you filter and organize specific events when you're investigating potential attacks.
The Defender for Endpoint device timeline provides a chronological view of the events and associated alerts observed on a device. This list of events provides full visibility into any events, files, and IP addresses observed on the device. The list can sometimes be lengthy. Device timeline event flags help you track events that could be related.
After you've gone through a device timeline, you can sort, filter, and export th
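Review bot: The bullet list added directly under the new introduction ("Custom time range picker:", "Timeline events are linked to the new user page:", "Defined filters are now visible at the top of the timeline:") has no lead-in sentence and is worded like release notes; "new" and "now" will date quickly in a reference article. Add one sentence that says these are the timeline's features and phrase each bullet as a capability. In the same hunk, "### Choose columns to expose" and "### Filter to view techniques or events only" are sub-topics of "### Customize your device timeline" but sit at the same heading level, and "more than 1 related technique" should spell out "one".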
While navigating the device timeline, you can search and filter for specific events. You can set event flags by: - Highlighting the most important events-- Marking events that requires deep dive
+- Marking events that require deep dive
- Building a clean breach timeline ## Flag an event
-1. Find the event that you want to flag
+1. Find the event that you want to flag.
2. Click the flag icon in the Flag column.
While navigating the device timeline, you can search and filter for specific eve
You can apply additional filters by clicking on the time bar. This will only show events prior to the flagged event.
security Investigate Ip https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-ip.md
Identifying all devices in the organization that communicated with a suspected o
You can find information from the following sections in the IP address view: -- IP worldwide-- Reverse DNS names
+- IP geo information
- Alerts related to this IP-- IP in organization-- Prevalence-
-## IP Worldwide and Reverse DNS names
-
-The IP address details section shows attributes of the IP address such as its ASN and its Reverse DNS names.
+- IP in organization observations
+- Prevalence in organization
+
+## IP geo information
+
+In the left pane, the page provides IP details (if available).
+- Organization (ISP)
+- ASN
+- Country
+- State
+- City
+- Carrier
+- Latitude
+- Longitude
+- Postal code
## Alerts related to this IP The **Alerts related to this IP** section provides a list of alerts that are associated with the IP.
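Review bot: The overview list now names "IP in organization observations" and "Prevalence in organization", but the sections further down are titled "## IP observed in organization" and "## Prevalence", so the list entries do not match the headings a reader will look for. Use the heading text verbatim in the list. The new "IP geo information" bullets also follow the sentence "In the left pane, the page provides IP details (if available)." with no blank line in between, which can stop the list from rendering as a list.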
-## IP in organization
+## IP observed in organization
-The **IP in organization** section provides details on the prevalence of the IP address in the organization.
+The **IP observed in organization** section provides a list of devices that have a connection with this IP and the last event details for each device (the list is limited to 100 devices).
## Prevalence The **Prevalence** section displays how many devices have connected to this IP address, and when the IP was first and last seen. You can filter the results of this section by time period; the default period is 30 days.
-## Most recent observed devices with IP
-
-The **Most recent observed devices** with IP section provides a chronological view on the events and associated alerts that were observed on the IP address.
- **Investigate an external IP:**
-1. Select **IP** from the **Search bar** drop-down menu.
-2. Enter the IP address in the **Search** field.
-3. Click the search icon or press **Enter**.
+1. Enter the IP address in the **Search** field.
+2. Select the IP suggestion box and open the IP side panel.
+3. Select **Enter**.
-Details about the IP address are displayed, including: registration details (if available), reverse IPs (for example, domains), prevalence of devices in the organization that communicated with this IP Address (during selectable time period), and the devices in the organization that were observed communicating with this IP address.
+Details about the IP address are displayed, including: registration details (if available), prevalence of devices in the organization that communicated with this IP Address (during selectable time period), and the devices in the organization that were observed communicating with this IP address.
> [!NOTE] > Search results will only be returned for IP addresses observed in communication with devices in the organization.
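Review bot: In the rewritten procedure, step 3 reads "Select **Enter**", but Enter is a key, and the removed step said "press **Enter**"; keep "press". The order is also unclear: step 2 already opens the IP side panel, so state what step 3 does after that (for example, that it opens the full IP address page) or merge it into step 2.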
security Manage Automation Folder Exclusions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-automation-folder-exclusions.md
You can control the following attributes about the folder that you'd like to be
## Add an automation folder exclusion
-1. In the navigation pane, select **Settings** \> **Endpoints** \> **Rules** \> **Automation folder exclusions**.
+1. Log in to [Microsoft 365 Defender](https://go.microsoft.com/fwlink/p/?linkid=2077139) using an account with the Security administrator or Global administrator role assigned.
+
+2. In the navigation pane, select **Settings** \> **Endpoints** \> **Rules** \> **Automation folder exclusions**.
2. Click **New folder exclusion**.
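Review bot: Inserting the sign-in step renumbers the navigation step to "2.", but the unchanged next line is still "2. Click **New folder exclusion**.", so the source now has two steps numbered 2; renumber the remaining steps in the same change. The new step also says "Log in" where the surrounding docs in this update use "Sign up" and "Select" style wording; "Sign in" would be consistent.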
security Microsoft 365 Defender Portal https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender-portal.md
The Microsoft 365 Defender portal helps security teams investigate and respond t
- Secure score - Learning hub - Trials
+- Partner catalog
Microsoft 365 Defender emphasizes *unity, clarity, and common goals*.
Microsoft 365 Defender emphasizes *unity, clarity, and common goals*.
Centralizing security information creates a single place for investigating security incidents across Microsoft 365. A primary example is **Incidents** under **Incidents & alerts**. Selecting an incident name displays a page that demonstrates the value of centralizing security information as you'll have better insights into the full extend of a threat, from email, to identity, to endpoints. Take the time to review the incidents in your environment, drill down into each alert, and practice building an understanding of how to access the information and determine next steps in your analysis.
Threat analytics is the Microsoft 365 Defender threat intelligence solution from
> [!TIP] > There are lots of other learning opportunities in [Microsoft Learn](/training/). You'll find certification training such as [Course MS-500T00: Microsoft 365 Security Administration](/training/courses/ms-500t00).
+## Partner catalog
+
+Microsoft 365 Defender supports two types of partners:
+1. Third-party integrations to help secure users with effective threat protection, detection, investigation, and response in various security fields of endpoints, vulnerability management, email, identities, and cloud apps.
+2. Professional services where organizations can enhance the detection, investigation, and threat intelligence capabilities of the platform.
++ ## Send us your feedback We need your feedback. We're always looking to improve, so if there's something you'd like to see, [watch this video to find out how you can trust us to read your feedback](https://www.microsoft.com/videoplayer/embed/RE4K5Ci).
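Review bot: The new "## Partner catalog" section lists the two partner types but never says where the catalog is in the portal or what a reader can do there, unlike the neighbouring sections that point to a specific page such as **Incidents** under **Incidents & alerts**. Add the navigation path. The two partner types are categories rather than ordered steps, so a bulleted list fits better than "1." and "2.", and the list needs a blank line after "Microsoft 365 Defender supports two types of partners:".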
security Microsoft Secure Score Improvement Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-secure-score-improvement-actions.md
Choose any statuses and record notes specific to the improvement action.
- **Risk accepted** - Security should always be balanced with usability, and not every recommendation will work for your environment. When that is the case, you can choose to accept the risk, or the remaining risk, and not enact the improvement action. You won't be given any points, but the action will no longer be visible in the list of improvement actions. You can view this action in history or undo it at any time. - **Resolved through third party** and **Resolved through alternate mitigation** - The improvement action has already been addressed by a third-party application or software, or an internal tool. You'll gain the points that the action is worth, so your score better reflects your overall security posture. If a third party or internal tool no longer covers the control, you can choose another status. Keep in mind, Microsoft will have no visibility into the completeness of implementation if the improvement action is marked as either of these statuses.
-#### Microsoft Defender Vulnerability Management improvement actions
+#### Recommended action status for devices
-For improvement actions in the "Device" category, you can't choose statuses. Instead, you'll be directed to the associated [Microsoft Defender Vulnerability Management security recommendation](/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) in the Microsoft 365 Defender to take action. The exception you choose and justification you write will be specific to that portal. It won't be present in the Microsoft Secure Score portal.
+You won't be able to choose a status for Secure Score recommended actions in the "Device" category, instead, you'll be directed to the associated [Microsoft Defender Vulnerability Management security recommendation](/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation) to take action.
+
+>[!NOTE]
+>If you choose to create a ΓÇÿGlobal exceptionΓÇÖ in the Defender Vulnerability management security recommendation, the status in the Microsoft Secure Score recommended action will be updated with the exception justification. Updates may take up to 2 hours.
+>
+>If you choose to create an ΓÇÿException per device groupΓÇÖ in the Defender Vulnerability manage security recommendation, Secure Score will not be updated and the recommended action will remain as ΓÇÿTo addressΓÇÖ.
#### Completed improvement actions
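Review bot: The added note names the product two different ways, "Defender Vulnerability management security recommendation" and "Defender Vulnerability manage security recommendation"; the second is a typo, and both should match the link text in the paragraph above, "Microsoft Defender Vulnerability Management". The new paragraph also has a comma splice at "category, instead, you'll be directed"; split it into two sentences. The quotation marks around "Global exception", "Exception per device group" and "To address" come through garbled, so use plain quotes or bold for these UI labels.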