+> We'll be providing unlimited SMS notifications through January 31, 2023 (previously November 30th 2022) for customers with Bookings licenses. As we get closer to the end of the promotion period, we'll provide additional details on licensing requirements. Contact your account team or support to receive pricing details after the promotion period.

+You can track key data on SMS notifications usage in your organization in the Teams admin center. Usage reports include data such as time and date sent, origin number, message type, event type and delivery status. You can use SMS notification telemetry during the promotional period to help forecast and budget for SMS notifications after January 31, 2023.

+Microsoft 365 for frontline workers can help you connect and engage your workforce, enhance workforce management, and increase operational efficiency. There are several solution areas that can help you achieve these goals. Think of Microsoft 365's foundational security and device management capabilities as setting a secure baseline, above which you can build scenarios that enable, empower, and transform your frontline business. You can use the capabilities included with Microsoft 365 for frontline workers, from Microsoft Teams, to SharePoint, Viva Connections, Viva Engage, and the Power Platform, or add in solutions from our partners in the digital ecosystem to connect with existing systems or create custom solutions for your business.

+| [Corporate communications](flw-corp-comms.md) | Employee engagement is a significant contributor to workplace satisfaction, loyalty, and productivity at any organization. Learn how to keep everyone informed and engaged using SharePoint, Teams, Stream, and Viva Engage. Bring it all together with Viva Connections. | Microsoft Teams<br>Outlook<br>SharePoint<br>Viva Engage<br>Viva Connections | Meet |

+| [Engage your employees and focus on employee wellbeing](flw-wellbeing-engagement.md) | Build deeper connections across your organization and create an inclusive workplace. | Microsoft Teams <br>SharePoint <br> Microsoft Stream <br>Viva Connections <br> Viva Engage| Praise |

+| [Onboard new employees](flw-onboarding-training.md) | Make new employee onboarding a great experience by fostering an all-in-one hybrid work environment where new employees can find important resources, meet people in their organization, and prepare to be successful in their new role.| SharePoint<br>Viva Learning <br>Viva Connections <br>Viva Engage | Lists <br>Live meetings |

+| [Ongoing training](flw-onboarding-training.md#ongoing-training) | After they're onboarded, help your workforce keep their skills up to date with ongoing training in Viva Learning. | SharePoint <br>Viva Learning <br>Viva Connections <br>Viva Engage| |

+description: Learn how you can use Viva Connections and Viva Engage to connect your frontline team to your broader organization.

+Keep your frontline team connected with your broader organization by using Viva Engage and Viva Connections.

+| View for a retail worker |View for a retail manager |

+|  |  |

+## Connect across your organization with Viva Engage

+Engage with communities in Viva Engage, which brings the power of Yammer into Teams. Communities in Viva Engage serve the needs of knowledge-sharing, employee experience, company-wide communications, and leadership engagement by providing a central place for your conversations, files, events, and updates. Associates can raise issues, provide feedback, and ask and answer questions in Viva Engage Communities. Hold live events and town halls to keep everyone in your organization in the loop.

+You can create communities for individual locations, identity or interest groups, or work groups such as nurses and financial advisors.

+Learn more about [Viva Engage](/viva/engage/overview) and help your employees and associates [Get started with Viva Engage](https://support.microsoft.com/topic/getting-started-with-microsoft-viva-engage-729f9fce-3aa6-4478-888c-a1543918c284).

+More information about Viva Engage:

+- [Set up Viva Engage for your organization.](/viva/engage/setup)

+- [Read the Viva Engage FAQ.](https://support.microsoft.com/topic/frequently-asked-questions-faq-about-microsoft-viva-engage-1209ec6f-b10d-4518-98fd-f33cca5212b8)

+| Frontline workers can find organization-wide resources, communications, or training with SharePoint, OneDrive, Viva Engage, and Stream. | Information workers create or consume team or organization-wide resources and communications with included Microsoft 365 services (depending on the specific license). |

+**Additional

+Employee engagement is a significant contributor to workplace satisfaction, loyalty, and productivity at any organization. Learn how to keep everyone informed and engaged using SharePoint, Teams, Viva Engage, Stream, and Viva Connections.

+**Additional

+| Viva Engage | Connect your entire organization and enable communication across departments and regions. | [Overview of Viva Engage](/viva/engage/overview) | [Use Viva Engage](https://support.microsoft.com/topic/getting-started-with-microsoft-viva-engage-729f9fce-3aa6-4478-888c-a1543918c284) |

+**Additional

+**Additional

+| Viva Engage | Connect your entire organization and enable communication across plants and regions. | [Overview of Viva Engage](/viva/engage/overview) | [Use Viva Engage](https://support.microsoft.com/topic/getting-started-with-microsoft-viva-engage-729f9fce-3aa6-4478-888c-a1543918c284) |

+**Additional

+Employee engagement is a significant contributor to workplace satisfaction, loyalty, and productivity at any organization. Learn how to keep everyone informed and engaged using SharePoint, Teams, Viva Engage, Stream, and Viva Connections.

+**Additional

+**Additional

+| Viva Engage | Connect your organization and allow communication across departments and regions with Viva Engage. | [Overview of Viva Engage](/viva/engage/overview) | [Use Viva Engage](https://support.microsoft.com/topic/getting-started-with-microsoft-viva-engage-729f9fce-3aa6-4478-888c-a1543918c284) |

+## Ingest alerts using security information and events management (SIEM) tools

+> [!NOTE]

+>

+> [Microsoft Defender for Endpoint Alert](alerts.md) is composed from one or more suspicious or malicious events that occurred on the device and their related details. The Microsoft Defender for Endpoint Alert API is the latest API for alert consumption and contains a detailed list of related evidence for each alert. For more information, see [Alert methods and properties](alerts.md) and [List alerts](get-alerts.md).

+Microsoft Defender for Endpoint supports security information and event management (SIEM) tools ingesting information from your enterprise tenant in Azure Active Directory (AAD) using the OAuth 2.0 authentication protocol for a registered AAD application representing the specific SIEM solution or connector installed in your environment.

+For more information, see:

+- [Microsoft Defender for Endpoint APIs license and terms of use](api-terms-of-use.md)

+- [Access the Microsoft Defender for Endpoint APIs](apis-intro.md)

+- [Hello World example (describes how to register an application in Azure Active Directory)](api-hello-world.md)

+- [Get access with application context](exposed-apis-create-app-webapp.md)

+- [Microsoft 365 Defender SIEM integration](../defender/configure-siem-defender.md)

+ ¹ The patch must be deployed prior to device onboarding in order to configure Defender for Endpoint to the correct environment.

+ ² Learn about the [unified modern solution for Windows 2016 and 2012 R2](configure-server-endpoints.md#new-windows-server-2012-r2-and-2016-functionality-in-the-modern-unified-solution). If you have previously onboarded your servers using MMA, follow the guidance provided in [Server migration](server-migration.md) to migrate to the new solution.

+ ³ When using [Microsoft Monitoring Agent](onboard-downlevel.md#install-and-configure-microsoft-monitoring-agent-mma) you'll need to choose "Azure US Government" under "Azure Cloud" if using the [setup wizard](/azure/log-analytics/log-analytics-windows-agents#install-agent-using-setup-wizard), or if using a [command line](/azure/log-analytics/log-analytics-windows-agents#install-agent-using-command-line) or a [script](/azure/log-analytics/log-analytics-windows-agents#install-agent-using-dsc-in-azure-automation) - set the "OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE" parameter to 1. </br>

+ The minimum MMA supported version is 10.20.18029 (March 2020).

+||::|::|::|

+|Microsoft Secure Score||||

+|Microsoft Threat Experts||||

+ ¹ While Microsoft Secure Score is available for GCC customers, there are some security recommendations that aren't available.

+<br />

+|Reports: Web content filtering||||

+|Reports: Device health||||

+Policy conflict handling for domains/URLs/IP addresses differ from policy conflict handling for certs.

+In the case were multiple different action types are set on the same indicator (for example, **block**, **warn**, and **allow**, action types set for Microsoft.com), the order those action types would take effect is:

+1. Allow

+2. Warn

+3. Block

+_Allow_ overrides _warn_ which overrides _block_: Allow > Warn > Block. Therefore, in the above example, Microsoft.com would be allowed.

+### Policy conflict handling follows the order below

+1. If the IP, URL/Domain is allowed

+1. If the IP, URL/Domain is not allowed

+1. If the IP, URL/Domain is allowed

+If there are conflicting file IoC policies with the same enforcement type and target, the policy of the more secure will be applied.

+You can find the audit events in **Advanced hunting** in the Defender for Endpoint portal ([https://security.microsoft.com](https://security.microsoft.com)).

+Audit events are in DeviceEvents with an ActionType of `ExploitGuardNetworkProtectionAudited`. Blocks are shown with an ActionType of `ExploitGuardNetworkProtectionBlocked`.

+Here's an example query for viewing Network Protection events for third-party browsers:

+DeviceNetworkEvents

+Note that Microsoft Defender SmartScreen events for the Microsoft Edge browser specifically, needs a different query:

+```kusto

+DeviceEvents

+| where ActionType == "SmartScreenUrlWarning"

+| extend ParsedFields=parse_json(AdditionalFields)

+| project DeviceName, ActionType, Timestamp, RemoteUrl, InitiatingProcessFileName

+```

+> [!NOTE]

+> The new Microsoft 365 Defender alerts API, released to public preview in MS Graph, is the official and recommended API for customers migrating from the SIEM API. See [Migrate from the MDE SIEM API to the Microsoft 365 Defender alerts API](configure-siem.md).

+1. Log in to the [Azure management portal](https://portal.azure.com).

+1. Log in to the [Azure management portal](https://ms.portal.azure.com).

+The **Microsoft Defender Experts for XDR** (Defender Experts for XDR) preview is a managed detection and response service that helps your security operations centers (SOCs) focus and accurately respond to incidents that matter. It provides extended detection and response for customers who use Microsoft 365 Defender workloads: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Azure Active Directory (Azure AD).

+Defender Experts for XDR augments your SOC by combining automation and MicrosoftΓÇÖs security analyst expertise, helping you detect and respond to threats with confidence and improve your security posture. With deep product expertise powered by threat intelligence, weΓÇÖre uniquely positioned to help you:

+- **Focus on incidents that matter** - Our experts prioritize incidents and alerts that matter, alleviate alert fatigue, and drive SOC efficiency for your team

+- **Manage response your way** - Our experts provide detailed, step-by-step, actionable guidance to respond to incidents with the option to act on your behalf as needed

+- **Access expertise when you need it** - Extend your teamΓÇÖs capacity with access to Defender Experts for assistance on an investigation

+- **Stay ahead of emerging threats** - Our experts proactively hunt for emerging threats in your environment, informed by unparalleled threat intelligence and visibility

+- **Managed detection and response** - Expert analysts manage your Microsoft 365 Defender incident queue and handle triage and investigation on your behalf; they partner with you and your team to take action or guide you to respond to incidents

+- **Proactive threat hunting** - [Microsoft Defender Experts for Hunting](../defender/defender-experts-for-hunting.md) is built in to extend your teamΓÇÖs threat hunting capabilities and prioritize significant threats

+- Defender for Endpoint P2 must be licensed for devices and users in scope for the preview and Microsoft Defender Antivirus must be enabled in active mode on devices onboarded to Defender for Endpoint (required for endpoint detection and response capabilities)

+- Azure AD Premium P1 must be licensed for all users and enabled (required for enabling secure service provider access)

+| **How is Microsoft Defender Experts for XDR different from Microsoft Defender Experts for Hunting?** | [Microsoft Defender Experts for Hunting](../defender/defender-experts-for-hunting.md) provides threat hunting service to proactively find threats. This service is meant for customers that have a robust security operations center and want that deep expertise in hunting to expose advanced threats. Microsoft Defender Experts for XDR provides end-to-end security operations capabilities to monitor, investigate and respond to security alerts. This service is meant for customers with constrained security operations centers that are overburdened with alert volume, in need of skilled experts or both. Defender Experts for XDR also includes the proactive threat hunting offered by Defender Experts for Hunting|

+| **What products does Defender Experts for XDR operate on?** | Refer to the [Prerequisites](/microsoft-365/security/defender/dex-xdr-overview#prerequisites) section for details. |

+| **Does Defender Experts for XDR replace my security operations center (SOC) team?** | No. Defender Experts for XDR is meant to augment your SOC team reducing their workload and collaborating with them to protect your organization from threat actors. But we don't replace your SOC team or their processes. |

+| **What actions can XDR experts take during incident investigation?** | Our expert analysts can take actions based on the roles granted to them in your Microsoft 365 Defender portal. If our analysts are granted a security reader role, they can investigate and provide guided response for your SOC team to act on. If our analysts are granted a security operator role, they can also take specific remediation actions agreed upon with your SOC team. Finally, if they're granted a security administrator role, they can take higher privilege actions like managing certain settings as agreed upon with you. |

+| **Can Defender Experts for XDR help with an active compromise or vulnerability?** | No, Defender Experts currently don't provide incident response services. Contact your Microsoft representative to engage Microsoft Detection and Response Team (DART) for incident response assistance. |

+| **How can my organization participate in the Defender Experts for XDR preview?** |We're gradually expanding the preview to more customers. Contact your Microsoft representative to access the preview.|

+- **Security reader** - This built-in Azure Active Directory (Azure AD) role lets our experts investigate incidents and provide guidance on necessary response actions.

+You can also provide our experts the following permissions to investigate incidents on your behalf:

+2. Under **Additional permissions**, select the other role(s) you want to grant.

+Apart from , our expertise on the Microsoft 365 Defender product suite enables Defender Experts for XDR to run an initial readiness engagement to help you get the most out of your Microsoft security products. This engagement will be based on your [Microsoft Secure Score](microsoft-secure-score.md) and Defender ExpertsΓÇÖ policy recommendations. Our Experts will help prioritizing and customizing our recommendations to fit your environment. They'll request your engagement to get those configurations implemented.

+Through a combination of automation and human expertise, our service triages Microsoft 365 Defender incidents, prioritize them on your behalf, filters out the noise, carries out detailed investigations, and provides detailed guided response to your security operations center (SOC) teams. Alternatively, our analysts can take a response step on your behalf.

+You'll receive detailed response playbooks via emails. You'll also be able to filter the Microsoft 365 Defender portal incident view using the _Defender Experts_ tag to see the current state of the incidents Defender Experts are actively investigating, or the incidents that require your action. Our analysts will also add relevant comments in Microsoft 365 Defender portalΓÇÖs **Comments & history** section so you and your SOC analysts can track the investigation progress.

+Response recommendations include, but aren't limited to:

+These recommendations also appear in the **Comments & history** section of each related incident in the Microsoft 365 Defender portal so you can view them at your convenience.

+Defender Experts for XDR will include an interactive, on-demand report that provides a clear summary of the work our expert analysts are doing on your behalf, aggregate information about your incident landscape, and granular details about specific incidents. Your service delivery manager (SDM) will also use the report to provide you with more context regarding your XDR Experts service during a monthly business review.

+Defender Experts for XDR also includes proactive threat hunting offered by [Microsoft Defender Experts for Hunting](defender-experts-for-hunting.md). Defender Experts for Hunting was created for customers who have a robust security operations center but want Microsoft to help them proactively hunt threats using Microsoft Defender data. This proactive threat hunting service goes beyond the endpoint to hunt across endpoints, Office 365, cloud applications, and identity. Our experts investigate anything they find, then hand off the contextual alert information along with remediation instructions, so you can quickly respond.

+| **[IdentityLogonEvents](advanced-hunting-identitylogonevents-table.md)**|GA|Public preview |Public preview |Public preview |

+| **[IdentityQueryEvents](advanced-hunting-identityqueryevents-table.md)**|GA|Public preview |Public preview |Public preview |

+| **[IdentityDirectoryEvents](advanced-hunting-identitydirectoryevents-table.md)**|GA|Public preview |Public preview |Public preview |

+| **[CloudAppEvents](advanced-hunting-cloudappevents-table.md)**|GA|Public preview |Public preview |Public preview |

+- (Preview) Microsoft Defender Experts for XDR (Defender Experts for XDR) is now available for preview. Defender Experts for XDR is a managed detection and response service that helps your security operations centers (SOCs) focus and accurately respond to incidents that matter. It provides extended detection and response for customers who use Microsoft 365 Defender workloads: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Azure Active Directory (Azure AD). For details, refer to [Expanded Microsoft Defender Experts for XDR preview](dex-xdr-overview.md).