+> [!IMPORTANT]

+> You must have bought at least one subscription through Microsoft to access Microsoft support. If you bought all your subscriptions through a partner, contact your partner for support.

+800 969 805

+ Title: "Payment options for your Microsoft business subscription"

+description: "Learn what payment options are available to pay for your Microsoft business subscription."

+# Payment options for your Microsoft business subscription

+You can use a credit or debit card, or bank account to pay for your Microsoft business subscription. In some cases, you can pay by invoice, using check or electronic funds transfer (EFT). If you have a billing profile, your options are slightly different. For more information, see [How to pay for your subscription with a billing profile](pay-for-subscription-billing-profile.md). If you're not sure if your account has a billing profile, see [Understand billing profiles](manage-billing-profiles.md).

+Documents encrypted with the previous settings can still be returned by an eDiscovery search. This result may happen when a document property (such as the title, author, or modified date) matches the search criteria. Although these documents might be included in search results, they can't be previewed or reviewed. These documents will also remain encrypted when they're exported in eDiscovery (Premium).

+- If you need to prevent someone from decrypting RMS-protect messages and encrypted file attachments, you have to create a custom role group (by copying the built-in eDiscovery Manager role group), and then remove the RMS Decrypt management role from the custom role group. Then add the person who you don't want to decrypt messages as a member of the custom role group.

+² Only items labeled in SharePoint (or uploaded to SharePoint after integration with sensitivity labels are enabled) and that have labels with admin-defined permissions and no expiration are decrypted. For more information, see [Enable sensitivity labels for Office files in SharePoint and OneDrive](/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files).

+Other documents aren't decrypted, including:

+- Files encrypted in the client and uploaded before sensitivity labels were integrated with SharePoint Online.

+- Documents encrypted with legacy RMS templates and not labeled.

+- Documents with user-defined permissions or with expiration settings (SMIME or other standards).

+³ Only content encrypted with RMS keys hosted in Microsoft 365 is transparently decrypted by eDiscovery (Premium). Double Key Encryption (DKE), Hold Your Own Key (HYOK), on-premises RMS, etc. aren't supported. For more information, see [Your Azure Information Protection tenant key](/azure/information-protection/plan-implement-tenant-key#tenant-root-keys-generated-by-microsoft).

+- **Microsoft Defender for Endpoint indicators (preview)**: These include indicators from Microsoft Defender for Endpoint related to unapproved or malicious software installation or bypassing security controls. To receive alerts in insider risk management, you must have an active Defender for Endpoint license and insider risk integration enabled. For more information on configuring Defender for Endpoint for insider risk management integration, see [Configure advanced features in Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features\#share-endpoint-alerts-with-microsoft-compliance-center).

+- **Risky browsing indicators (preview)**: These include policy indicators for user browsing activity related to websites that are considered malicious or risky and pose potential insider risk that may lead to a security or compliance incident. Risky browsing activity refers to users who visit potentially risky websites, such as those associated with malware, pornography, violence, and other unallowed activities. To include these risk management activities in policy alerts, select one or more indicators in this section. To learn about configuring browser exfiltration signals, see [Insider risk management browser signal detection](insider-risk-management-browser-support.md).

+- **Physical access indicators (preview)**: These include policy indicators for physical access to sensitive assets. For example, attempted access to a restricted area in your physical badging system logs can be shared with insider risk management policies. To receive these types of alerts in insider risk management, you must have priority physical assets enabled in insider risk management and the [Physical badging data connector](import-physical-badging-data.md) configured. To learn about configuring physical access, see the [Priority physical access section](#priority-physical-assets-preview) in this article.

+- **Health record access indicators**: These include policy indicators for patient medical record access. For example, attempted access to patient medical records in your electronic medical records (EMR) system logs can be shared with insider risk management healthcare policies. To receive these types of alerts in insider risk management, you must have a healthcare-specific data connector and the HR data connector configured.

+- Currently rolling out to [Current Channel (Preview)](https://office.com/insider)

+|[AIP add-in disabled by default](sensitivity-labels-aip.md#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in)| Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Not relevant | Not relevant | Not relevant| Not relevant |

+|[AIP add-in disabled by default](sensitivity-labels-aip.md#how-to-configure-newer-versions-of-office-to-enable-the-aip-add-in)| Preview: Rolling out to [Current Channel (Preview)](https://office.com/insider) | Not relevant | Not relevant | Not relevant| Not relevant |

+| **License report**<br/>(*NEW!*) | The license report (currently in [preview](mdb-preview.md)) provides information about licenses your organization has purchased and is using. To access this report, in the navigation pane, choose **Settings** > **Endpoints** > **License**. |

+- [Microsoft Defender for Endpoint APIs license and terms of use](api-terms-of-use.md)

+> In February we announced the [Deprecation of the Microsoft Defender for Endpoint (MDE) SIEM API would be postponed](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/deprecating-the-legacy-siem-api-postponed/ba-p/3139643).

+After gathering customer feedback, we have learned there are challenges with the timeline originally communicated. As a result, we are making changes to our timeline to improve our customersΓÇÖ experience in migrating to the new API.

+The new Microsoft 365 Defender alerts API, released to public preview in MS Graph, is the official and recommended API for customers migrating from the SIEM API. This API will enable customers to work with alerts across all Microsoft 365 Defender products using a single integration. We expect the new API to reach general availability (GA) by Q1 CY 2023.

+To provide customers with more time to plan and prepare their migration to the new Microsoft 365 Defender APIs, we have pushed the SIEM API deprecation date to December 31, 2023. This will give customers one year from the expected GA release of Microsoft 365 Defender APIs to migrate from the SIEM API. At the time of deprecation, the SIEM API will be declared ΓÇ£deprecatedΓÇ¥ but not ΓÇ£retired.ΓÇ¥ This means that until this date, the SIEM API will continue to function for existing customers. After the deprecation date, the SIEM API will continue to be available, however it will only be supported for security-related fixes.

+Effective December 31st, 2024, three years after the original deprecation announcement, we reserve the right to turn off the SIEM API, without additional notice.

+For additional information about the new APIs see the blog announcement: [The new Microsoft 365 Defender APIs in Microsoft Graph are now available in public preview!](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/the-new-microsoft-365-defender-apis-in-microsoft-graph-are-now/ba-p/3603099)

+API documentation: [Use the Microsoft Graph security API - Microsoft Graph beta](/graph/api/resources/security-api-overview#alerts-and-incidents-preview)

+If you are a customer using the SIEM API, we strongly recommend planning and executing the migration. Listed below is information about the options available to migrate to a supported capability:

+1. [Pulling MDE alerts into an external system](#pulling-defender-for-endpoint-alerts into-an-external-system) (SIEM/SOAR)

+Read about the new Microsoft 365 Defender [alerts and incidents API](https://techcommunity.microsoft.com/t5/microsoft-365-defender-blog/the-new-microsoft-365-defender-apis-in-microsoft-graph-are-now/ba-p/3603099#:~:text=Incidents%3A%20Contain%20incident%20metadata%20and%20a%20collection%20of,richer%20and%20actionable%20information%20for%20your%20automation%20flows.)

+3. Expand the tree to **Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Controlled folder access**.

+```bash

+mdatp health --details edr

+edr_early_preview_enabled : "disabled"

+edr_device_tags : []

+edr_group_ids : ""

+edr_configuration_version : "20.199999.main.2022.10.25.03-514032a834557bdd31ac415be6df278d9c2a4c25"

+edr_machine_id : "a47ba049f43319ac669b6291ce73275cd445c9cd"

+edr_sense_guid : "298a1a8c-04dd-4929-8efd-3bb14cb54b94"

+edr_preferred_geo : "unitedstates"

+```

+<details>

+ <summary>Nov-2022 (Build: 101.87.30 | Release version: 20.122082.18681.0)</summary>

+&ensp;Build: **101.87.30**<br/>

+&ensp;Release version: **20.122082.18681.0**<br/>

+&ensp;Engine version: **1.1.19700.3**<br/>

+&ensp;Signature version: **1.379.17.0**<br/>

+**What's new**

+- Fix for some users experiencing performance issues and temporary system hangs

+- Bug and performance fixes

+<br/>

+</details>

+ [Device discovery](../defender-endpoint/device-discovery.md) <p> [Device inventory](../defender-endpoint/machines-view-overview.md) <p> [Vulnerability assessment](tvm-weaknesses.md) <p> [Configuration assessment](tvm-microsoft-secure-score-devices.md) <p> [Risk based prioritization](tvm-security-recommendation.md) <p> [Remediation tracking](tvm-remediation.md) <p> [Continuous monitoring](../defender-endpoint/configure-vulnerability-email-notifications.md) <p> [Software assessment](tvm-software-inventory.md) <p> [Software usages insights](tvm-usage-insights.md) <p> | [Security baselines assessment](tvm-security-baselines.md) <p> [Block vulnerable applications](tvm-block-vuln-apps.md) <p> [Browser extensions](tvm-browser-extensions.md) <p> [Digital certificate assessment](tvm-certificate-inventory.md) <p> [Network share analysis](tvm-network-share-assessment.md) | [Device discovery](../defender-endpoint/device-discovery.md) <p> [Device inventory](../defender-endpoint/machines-view-overview.md) <p> [Vulnerability assessment](tvm-weaknesses.md) <p> [Continuous monitoring](../defender-endpoint/configure-vulnerability-email-notifications.md) <p> [Risk based prioritization](tvm-security-recommendation.md) <p> [Remediation tracking](tvm-remediation.md) <p> [Configuration assessment](tvm-microsoft-secure-score-devices.md) <p> [Software assessment](tvm-software-inventory.md) <p> [Software usages insights](tvm-usage-insights.md) <p> [Security baselines assessment](tvm-security-baselines.md) <p> [Block vulnerable applications](tvm-block-vuln-apps.md) <p> [Browser extensions](tvm-browser-extensions.md) <p> [Digital certificate assessment](tvm-certificate-inventory.md) <p> [Network share analysis](tvm-network-share-assessment.md)|

+ Title: Software usage insights

+description: Use Microsoft Defender Vulnerability Management to assess software usage

+keywords: Microsoft Defender Vulnerability Management, Microsoft Defender for Endpoint block vulnerable applications, mdvm, vulnerability management, software usage, insights

+ms.mktglfcycl: deploy

+ms.sitesec: library

+ms.pagetype: security

+ms.localizationpriority: medium

+audience: ITPro

+ - m365-security-compliance

+ - tier1

+search.appverid: met150

+# Software usage insights

+**Applies to:**

+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037)

+- [Microsoft Defender Vulnerability Management](index.yml)

+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)

+>[!Note]

+> Want to experience Microsoft Defender Vulnerability Management? Learn more about how you can sign up to the [Microsoft Defender Vulnerability Management public preview trial](../defender-vulnerability-management/get-defender-vulnerability-management.md).

+Defender Vulnerability Management software usage information gives you insights into the total number of devices using an application in your organization and the median usage (in days) for that application over the past 30 days.

+Software usage information is critical when it comes to evaluating software vulnerabilities in your organization. When vulnerable applications are widely and frequently used, it poses a security risk. These insights can help organizations understand the potential affect of blocking vulnerable applications.

+## Minimum requirements

+**Microsoft Defender Antivirus (active or passive mode)**:

+The detection of file execution events requires Microsoft Defender Antivirus to be enabled in active or passive mode. To learn more, see [Deploy Microsoft Defender Antivirus](../defender-endpoint/deploy-manage-report-microsoft-defender-antivirus.md).

+## View software usage information

+Daily software usage is calculated from process events collected by the core endpoint detection and response service for all onboarded devices. Software usage information can be viewed through the following experiences in the Microsoft 365 Defender portal.

+### Software inventory view

+You can view software usage by selecting an application in the software inventory page. A flyout panel will open with more details including data related to that softwareΓÇÖs usage over the past 30 days.

+### Software page view

+Software usage for a specific application is also available in the software page. To view the software page:

+1. Go to **Vulnerability management** > **Software inventory**

+2. Select an application from the list

+3. Select **Open software page** in the flyout

+The Software page opens with the software usage information displayed on the Overview tab:

+Select the **Installed devices** tab to see the number of days the software was in use, per device, in the last 30 days.

+You can also view **Software usage (days)** on the **Version distribution** tab in the software page.

+### Security recommendations page

+Software usage insights can be helpful to determine the overall impact of a vulnerability. To view the **Software usage insights** when reviewing security recommendations:

+1. Go to **Vulnerability management** > **Recommendations**

+2. Select an application from the list

+The Recommendations page opens with the software usage information displayed:

+>[!NOTE]

+>If you donΓÇÖt see usage insights, it's because that application is currently not supported. Software usage is currently not supported for:

+>

+> - Software usage related to operating systems

+> - Software usage related to apps for macOS and Linux

+> - Software usage for apps where Microsoft does not have sufficient information about the application

+## Related articles

+- [Vulnerabilities in my organization](tvm-weaknesses.md)

+- [Block vulnerable applications](tvm-block-vuln-apps.md)

+- [Vulnerability management overview](defender-vulnerability-management.md)

+### Configure AAD IP alert service

+1. Go to the Microsoft 365 Defender portal ([security.microsoft.com](https://security.microsoft.com)), select **Settings** > **Microsoft 365 Defender**.

+2. From the list, select **Alert service settings**, and then configure your **Azure AD identity protection** alert service.

+ :::image type="content" source="../../media/investigate-alerts/alerts-ss-aadip-alert.png" alt-text="Screenshot of Azure AD identity protection alerts setting in the Microsoft 365 Defender portal." lightbox="../../media/investigate-alerts/alerts-ss-aadip-alert.png":::

+By default, only the most relevant alerts for the security operation center are enabled. If you want to get all AAD IP risk detections, you can change it in the **Alert service settings** section.

+You can also access **Alert service settings** directly from the **Incidents** page in the Microsoft 365 Defender portal.

+[Microsoft Defender for Office 365 Plan 2](defender-for-office-365.md#whats-the-difference-between-microsoft-defender-for-office-365-plan-1-and-plan-2) includes powerful [automated investigation and response](office-365-air.md) (AIR) capabilities. Such capabilities can save your security operations team a lot of time and effort dealing with threats. Microsoft continues to improve security capabilities. Recently, AIR capabilities were enhanced to include a compromised user security playbook (currently in preview). Read this article to learn more about the compromised user security playbook. And see the blog post [Speed up time to detect and respond to user compromise and limit breach scope with Microsoft Defender for Office 365](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Speed-up-time-to-detect-and-respond-to-user-compromise-and-limit/ba-p/977053) for additional details.

+ > [!Note]

+ > - Adding users to the corresponding Azure Active Directory role in the Microsoft 365 admin center gives users the required permissions *and* permissions for other features in Microsoft 365. For more information, see [About admin roles](../../admin/add-users/about-admin-roles.md).

+ > - The **View-Only Organization Management** role group in [Exchange Online](/Exchange/permissions-exo/permissions-exo#role-groups) also gives read-only access to the feature.

+> Users in the organization can't send email to these blocked domains and addresses. They'll receive the following non-delivery report (also known as an NDR or bounce message): `550 5.7.703 Your message can't be delivered because one or more recipients are blocked by your organization's tenant recipient block policy.`

+- [New features are continually being added to Microsoft Defender for Office 365](whats-new-in-defender-for-office-365.md). As new features are added, you may need to make adjustments to your existing Safe Links policies.

+ - highpri

+description: Best setup of Microsoft Defender for Office 365 including Safe Attachments, Safe Links, advanced anti-phishing tools, reporting tools, and threat intelligence capabilities.

+> This article is for **business customers**.

+>

+> But if you're using Outlook.com, ***Microsoft 365 Family, or Microsoft 365 Personal***, and you need info about ***Safe Links or Safe Attachments in Outlook*** blocking emails, see [Advanced Outlook.com security for Microsoft 365 subscribers](https://support.microsoft.com/office/advanced-outlook-com-security-for-microsoft-365-subscribers-882d2243-eab9-4545-a58a-b36fee4a46e2?storagetype=live).

+- **[Installation by Preset can set up everything for you](preset-security-policies.md)**: The easiest and the recommended setup automates the roll-out of a secure environment (if automated policies are possible in your organization). Abbreviated steps are available too: [Just the steps for preset policy setup, please!](step-by-step-guides/ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies.md)

+- **[Threat protection policies](#defender-for-office-365-policies)**: Define threat-protection policies to set the appropriate level of protection for your organization.

+- **[Reports](#how-to-view-microsoft-defender-for-office-365-reports)**: View real-time reports to monitor Defender for Office 365 performance in your organization.

+If you need more information, this interactive guide will show you and example of how to safeguard your organization with Microsoft Defender for Office 365.

+You'll also see how Defender for Office 365 can help you define protection policies, analyze threats to your organization, and respond to attacks.

+## What's the difference between Microsoft Defender for Office 365 Plan 1 and Plan 2?

+For more on what's included in Microsoft 365 Plans 1 & 2, browse over to [this document](microsoft-defender-for-office-365-product-overview.md).

+This article spells out what makes up the two products, and the ***emphasis*** of each part of *Microsoft Defender for Office 365* using a familiar structure: *Protect*, *Detect*, *Investigate*, and *Respond*.

+Graphics and short, scannable paragraphs answer questions like:

+- What is *Plan 1* optimized to do for you?

+- What's the biggest advantage to you and your company in *Plan 2*?

+- Who has *Exchange Online Protection* and what's it optimized to do?

+The goal of this article is clarity and quick readability. So, don't miss it!

+There are two methods to set up Microsoft Defender for Office 365 for your subscription.

+### Preset security policy configuration is recommended

+It is **recommended** that -- as much as your organization can, given its specific needs -- you configure via **preset security policies**. You can learn more about presets here: [Preset setup information and steps](preset-security-policies.md); or just [the steps for preset policy setup, please](step-by-step-guides/ensuring-you-always-have-the-optimal-security-controls-with-preset-security-policies.md).

+### Manual configuration for Microsoft Defender for Office 365

+Though it's no longer the recommended practice, here are the initial logical configuration chunks for manual set up:

+To learn by doing things manually, [click this link](protect-against-threats.md).

+## Manual steps to Configure Microsoft Defender for Office 365 policies

+It's recommended that you configure with preset security policies, but some organizations must configure manually.

+The policies that are defined for your organization determine the behavior and protection level for predefined threats.

+Policy options are extremely flexible. For example, your organization's security team can set fine-grained threat protection at the user, organization, recipient, and domain level. It is important to review your policies regularly because new threats and challenges emerge daily.

+## How to view Microsoft Defender for Office 365 reports

+Microsoft Defender for Office 365 includes [reports](view-reports-for-mdo.md) to monitor Defender for Office 365. You can access the reports in theMicrosoft 365 Defender portal at <https://security.microsoft.com> at **Reports** \> **Email & collaboration** \> **Email & collaboration reports**. You can also go directly to the **Email and collaboration reports** page using <https://security.microsoft.com/securityreports>.

+- **[Threat Explorer in Plan 2 (or real-time detections in Plan 1)](threat-explorer.md)** (also referred to as Explorer) is a real-time report that allows you to identify and analyze recent threats. You can configure Explorer to show data for custom periods.

+When you are investigating a potential cyberattack, time is of the essence. The sooner you can identify and mitigate threats, the better off your organization will be.

+[Automated investigation and response](office-365-air.md) (AIR) capabilities include a set of security playbooks that can be launched automatically, such as when an alert is triggered, or manually, such as from a view in Explorer.

+AIR can save your security operations team time and effort in mitigating threats effectively and efficiently. To learn more, see [AIR in Office 365](office-365-air.md).

+To access Microsoft Defender for Office 365 features, you *must* be assigned an appropriate role. The following table includes some examples:

+|global administrator (or Organization Management)|You can assign this role in Azure Active Directory or in the Microsoft 365 Defender portal. For more information, see [Permissions in the Microsoft 365 Defender portal](permissions-microsoft-365-security-center.md).|

+## Where to get Microsoft Defender for Office 365

+Microsoft Defender for Office 365 is included in certain subscriptions, such as Microsoft 365 E5, Office 365 E5, Office 365 A5, and Microsoft 365 Business Premium.

+If your subscription doesn't include Defender for Office 365, you can get Defender for Office 365 Plan 1 or Plan 2 as an add-on to certain subscriptions. To learn more, take a look at the following resources:

+## What new features are coming for Microsoft Defender for Office 365?

+The Tenant Allow/Block List in the Microsoft 365 Defender portal gives you a way to manually override the Microsoft 365 filtering verdicts. The Tenant Allow/Block List is used during mail flow for incoming messages from external senders (does not apply to intra-org messages) and at the time of user clicks.

+ - Users in the organization can't send email to these blocked domains and addresses. They'll receive the following non-delivery report (also known as an NDR or bounce message): '550 5.7.703 Your message can't be delivered because one or more recipients are blocked by your organization's tenant recipient block policy.'

+ - If the message was not blocked, and an allow entry for the sender is not created, it won't show on the **Spoofed senders** tab or the **Domains & addresses** tab.

+With **allow expiry management** (currently in Private preview), if Microsoft has not learned from the allow entry, Microsoft will automatically extend the expiry time of allow entries that will soon expire by another 30 days. This extension helps to prevent legitimate email from going to junk or quarantine again. If Microsoft does not learn within 90 calendar days from the date of the original creation of the allow entry, Microsoft will remove the allow entry.

+AIR capabilities are included in [Microsoft Defender for Office 365](defender-for-office-365.md#whats-the-difference-between-microsoft-defender-for-office-365-plan-1-and-plan-2), provided your policies and alerts are configured. Need some help? Follow the guidance in [Protect against threats](protect-against-threats.md) to set up or configure the following protection settings:

+[Microsoft Defender for Office 365 Plan 2](defender-for-office-365.md#whats-the-difference-between-microsoft-defender-for-office-365-plan-1-and-plan-2) licenses should be assigned to:

+Microsoft 365 threat investigation and response capabilities are included in Microsoft Defender for Office 365 Plan 2, which is included in Enterprise E5 or as an add-on to certain subscriptions. To learn more, see [Defender for Office 365 Plan 1 and Plan 2](defender-for-office-365.md#whats-the-difference-between-microsoft-defender-for-office-365-plan-1-and-plan-2).

+ > [!NOTE]

+ > We don't allow the same display name, subject, or disclaimer text for different languages. You need to provide a different display name, subject, and disclaimer text for each language that you select.

+- [New features are continually being added to Microsoft Defender for Office 365](whats-new-in-defender-for-office-365.md). As new features are added, you may need to make adjustments to your existing Safe Links policies.

+Recently, events from automated investigation and response capabilities in [Microsoft Defender for Office 365 Plan 2](defender-for-office-365.md#whats-the-difference-between-microsoft-defender-for-office-365-plan-1-and-plan-2) were added to the Office 365 Management Activity API. In addition to including data about core investigation details such as ID, name and status, the API also contains high-level information about investigation actions and entities.

+ - Organizations with Defender for Office 365 Plan 1 (for example Microsoft 365 Business Premium or add-on subscriptions) have exactly the same policies as organizations with Defender for Office 365 Plan 2 (impersonation protection in anti-phishing policies, Safe Attachments policies, and Safe Links policies). The security policies from **allow mode** (Standard preset security policy) or **blocking mode** (evaluation policies) don't expire or stop working after 90 days. What ends after 90 days for these organizations are the [automation, investigation, remediation, and education capabilities](defender-for-office-365.md#whats-the-difference-between-microsoft-defender-for-office-365-plan-1-and-plan-2) of Plan 2 that aren't present in Plan 1.

+^\* The security policies from **allow mode** (Standard preset security policy) or **blocking mode** (evaluation policies) don't expire or stop working after 90 days. Only the [automation, investigation, remediation, and education capabilities](defender-for-office-365.md#whats-the-difference-between-microsoft-defender-for-office-365-plan-1-and-plan-2) that are exclusive to Defender for Office 365 Plan 2 stop working after 90 days.

+Did you know that Microsoft Defender for Office 365 is available in two plans? [Learn more about what each plan includes](defender-for-office-365.md#whats-the-difference-between-microsoft-defender-for-office-365-plan-1-and-plan-2).