Updates from: 02/01/2023 05:54:23
Category Microsoft Docs article Related commit history on GitHub Change details
admin Gdpr Compliance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/admin/security-and-compliance/gdpr-compliance.md
If you choose to store personal data in the cloud, such as through Microsoft 365
#### Microsoft 365 features that can help
-You can use [Set up compliance features](../../business-premium/m365bp-set-up-compliance.md) to help to protect your business's sensitive information. Compliance Manager can help you get started right away! For example, you can [set up a DLP policy](/microsoft-365/compliance/create-a-dlp-policy-from-a-template) that uses the [GDPR template](/microsoft-365/compliance/what-the-dlp-policy-templates-include#general-data-protection-regulation-gdpr).
+You can use [Set up compliance features](../../business-premium/m365bp-set-up-compliance.md) to help to protect your business's sensitive information. Compliance Manager can help you get started right away! For example, you can [Create and Deploy data loss prevention policies](../../compliance/dlp-create-deploy-policy.md) that uses the [GDPR template](/microsoft-365/compliance/what-the-dlp-policy-templates-include#general-data-protection-regulation-gdpr).
### Step 5: Keep documentation on your data processing activities
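Review bot: the replacement line has a subject-verb agreement error: "[Create and Deploy data loss prevention policies](../../compliance/dlp-create-deploy-policy.md) that uses the [GDPR template]" should read "that use the". While touching it, match the sentence-case style of the neighbouring link text ("Set up compliance features") and write "Create and deploy data loss prevention policies". The relative path itself resolves correctly from admin/security-and-compliance/ to compliance/, same as the existing ../../business-premium/ link.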
compliance Audit Log Retention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-log-retention-policies.md
You can create and manage audit log retention policies in the Microsoft Purview
## Default audit log retention policy
-Audit (Premium) in Microsoft 365 provides a default audit log retention policy for all organizations. This policy retains all Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory audit records for one year. This default policy retains audit records that contain the value of **Exchange**, **SharePoint**, **OneDrive**, **AzureActiveDirectory** for the **Workload** property (which is the service in which the activity occurred). The default policy can't be modified. See the [More information](#more-information) section in this article for a list of record types for each workload that are included in the default policy.
+Audit (Premium) in Microsoft 365 provides a default audit log retention policy for all organizations. This policy retains all Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory audit records for one year. This default policy retains audit records that contain the value of **AzureActiveDirectory**, **Exchange**, **OneDrive**, and **SharePoint** for the **Workload** property (which is the service in which the activity occurred). The default policy can't be modified. See the [More information](#more-information) section in this article for a list of record types for each workload that are included in the default policy.
> [!NOTE] > The default audit log retention policy only applies to audit records for activity performed by users who are assigned an Office 365 or Microsoft 365 E5 license or have a Microsoft 365 E5 Compliance or E5 eDiscovery and Audit add-on license. If you have non-E5 users or guest users in your organization, their corresponding audit records are retained for 90 days.
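Review bot: the `+` line only reorders the bold **Workload** values alphabetically, but the sentence before it still lists the services in the old order ("Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory"); align the two, or leave the order alone, so readers do not wonder whether the lists differ. More usefully for operators, state the consequence the paragraph implies but never says: audit records whose Workload is anything other than these four values are not covered by the default policy and fall back to the 90-day retention mentioned in the NOTE unless a custom policy matches them.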
Audit (Premium) in Microsoft 365 provides a default audit log retention policy f
- You have to be assigned the Organization Configuration role in the compliance portal to create or modify an audit retention policy. - You can have a maximum of 50 audit log retention policies in your organization. - To retain an audit log for longer than 90 days (and up to 1 year), the user who generates the audit log (by performing an audited activity) must be assigned an Office 365 E5 or Microsoft 365 E5 license or have a Microsoft 365 E5 Compliance or E5 eDiscovery and Audit add-on license. To retain audit logs for 10 years, the user who generates the audit log must also be assigned a 10-year audit log retention add-on license in addition to an E5 license.+
+ >[!NOTE]
+ >If the user generating the audit log doesn't meet these licensing requirements,data is retained according to the highest priority retention policy. This may be either the default retention policy for the user's license or the highest priority policy that matches the user and its record type.
+ - All custom audit log retention policies (created by your organization) take priority over the default retention policy. For example, if you create an audit log retention policy for Exchange mailbox activity that has a retention period that's shorter than one year, audit records for Exchange mailbox activities will be retained for the shorter duration specified by the custom policy. ## Create an audit log retention policy
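Review bot: the added NOTE is ambiguous where it matters most. "If the user generating the audit log doesn't meet these licensing requirements,data is retained according to the highest priority retention policy. This may be either the default retention policy for the user's license or the highest priority policy that matches the user and its record type" does not say whether a custom policy can extend retention beyond what the generating user's license allows, which is exactly the question the preceding bullet ("To retain an audit log for longer than 90 days ... must be assigned an Office 365 E5 or Microsoft 365 E5 license") raises. State the rule explicitly, either "a custom policy never extends retention beyond the license-determined maximum" or the opposite, and add the missing space in "requirements,data". The stray "+" glued to the end of the removed bullet and the "## Create an audit log retention policy" heading running on from the last added bullet suggest missing line breaks in the source; check the rendered page shows the heading on its own line.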
compliance Audit New Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-new-search.md
Some examples of different searches include the following criteria. Explore thes
- Information about the date, IP Address, User, Activity, and Item can be found in the search job results page for each item - Select an activity to see a fly-out window with more details about the activity - The filtering feature for search job results can help to parse through results.-- Export is fully functional and exports all search job items to a .csv file. Export supports results up to 500 KB (500,000 rows).
+- Export all search job items to a .csv file as needed. Export supports results up to 50 KB for Audit (Standard) and up to 500 KB (500,000 rows) for Audit (Premium).
## Frequently asked questions
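Review bot: the unit in the new limit is wrong or at least misleading. "Export supports results up to 50 KB for Audit (Standard) and up to 500 KB (500,000 rows) for Audit (Premium)" uses KB, which readers will take as kilobytes, yet the parenthetical equates 500 KB with 500,000 rows, so the intended unit is thousands of rows. Write "up to 50,000 rows for Audit (Standard) and up to 500,000 rows for Audit (Premium)" and drop "KB" entirely so nobody mistakes the cap for a file-size limit on the .csv.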
compliance Audit Premium Setup https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-premium-setup.md
If the command to enable the auditing of search queries was previously run in a
## Step 3: Set up audit retention policies
-In additional to the default policy that retains Exchange, SharePoint, and Azure AD audit records for one year, you can create additional audit log retention policies to meet the requirements of your organization's security operations, IT, and compliance teams. For more information, see [Manage audit log retention policies](audit-log-retention-policies.md).
+In additional to the default policy that retains Azure AD, Exchange, OneDrive, and SharePoint audit records for one year, you can create additional audit log retention policies to meet the requirements of your organization's security operations, IT, and compliance teams. For more information, see [Manage audit log retention policies](audit-log-retention-policies.md).
## Step 4: Search for Audit (Premium) events
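Review bot: the typo in the first words is carried from the removed line into the replacement: "In additional to the default policy" should be "In addition to the default policy". The same sentence then says "create additional audit log retention policies", so fixing the opening also removes the awkward repetition of "additional".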
compliance Audit Premium https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-premium.md
This article provides an overview of Audit (Premium) capabilities and shows you
## Long-term retention of audit logs
-Audit (Premium) retains all Exchange, SharePoint, and Azure Active Directory audit records for one year. This is accomplished by a default audit log retention policy that retains any audit record that contains the value of **Exchange**, **SharePoint**, or **AzureActiveDirectory** for the **Workload** property (which indicates the service in which the activity occurred) for one year. Retaining audit records for longer periods can help with on-going forensic or compliance investigations. For more information, see the "Default audit log retention policy" section in [Manage audit log retention policies](audit-log-retention-policies.md#default-audit-log-retention-policy).
+Audit (Premium) retains all Exchange, SharePoint, and Azure Active Directory audit records for one year. This is accomplished by a default audit log retention policy that retains any audit record that contains the value of **AzureActiveDirectory**, **Exchange**, **OneDrive**, or **SharePoint**, for the **Workload** property (which indicates the service in which the activity occurred) for one year. Retaining audit records for longer periods can help with on-going forensic or compliance investigations. For more information, see the "Default audit log retention policy" section in [Manage audit log retention policies](audit-log-retention-policies.md#default-audit-log-retention-policy).
In addition to the one-year retention capabilities of Audit (Premium), we've also released the capability to retain audit logs for 10 years. The 10-year retention of audit logs helps support long running investigations and respond to regulatory, legal, and internal obligations.
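Review bot: the `+` line adds **OneDrive** to the bolded Workload list but leaves the paragraph's first sentence unchanged: "Audit (Premium) retains all Exchange, SharePoint, and Azure Active Directory audit records for one year." That sentence now contradicts the list that follows it; update it to name OneDrive as well, as the parallel change in audit-log-retention-policies.md already does ("Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory"). Also remove the stray comma in "**SharePoint**, for the **Workload** property".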
compliance Audit Solutions Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/audit-solutions-overview.md
Microsoft Purview Audit (Standard) provides with you with the ability to log and
Audit (Premium) builds on the capabilities of Audit (Standard) by providing audit log retention policies, longer retention of audit records, high-value crucial events, and higher bandwidth access to the Office 365 Management Activity API. - **Audit log retention policies**. You can create customized audit log retention policies to retain audit records for longer periods of time up to one year (and up to 10 years for users with required add-on license). You can create a policy to retain audit records based the service where the audited activities occur, specific audited activities, or the user who performs an audited activity.-- **Longer retention of audit records**. Exchange, SharePoint, and Azure Active Directory audit records are retained for one year by default. Audit records for all other activities are retained for 90 days by default, or you can use audit log retention policies to configure longer retention periods.
+- **Longer retention of audit records**. Azure Active Directory, Exchange, OneDrive, and SharePoint audit records are retained for one year by default. Audit records for all other activities are retained for 90 days by default, or you can use audit log retention policies to configure longer retention periods.
- **High-value, crucial Audit (Premium) events**. Audit records for crucial events can help your organization conduct forensic and compliance investigations by providing visibility to events such as when mail items were accessed, or when mail items were replied to and forwarded, or when and what a user searched for in Exchange Online and SharePoint Online. These crucial events can help you investigate possible breaches and determine the scope of compromise. - **Higher bandwidth to the Office 365 Management Activity API**. Audit (Premium) provides organizations with more bandwidth to access auditing logs through the Office 365 Management Activity API. Although all organizations (that have Audit (Standard) or Audit (Premium)) are initially allocated a baseline of 2,000 requests per minute, this limit will dynamically increase depending on an organization's seat count and their licensing subscription. This results in organizations with Audit (Premium) getting about twice the bandwidth as organizations with Audit (Standard).
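Review bot: the replacement bullet is fine; while this file is open, the unchanged bullet just above it has a dropped word: "You can create a policy to retain audit records based the service where the audited activities occur" should read "based on the service". It is context here, not part of the change, so it would otherwise survive this commit untouched.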
compliance Communication Compliance Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/communication-compliance-configure.md
You can also choose to enable anonymization for displayed usernames when investi
## Step 8 (optional): Test your communication compliance policy
-After you create a communication compliance policy, it's a good idea to test it to make sure that the conditions you defined are being properly enforced by the policy. You may also want to [test your Microsoft Purview Data Loss Prevention (DLP) policies](/microsoft-365/compliance/create-test-tune-dlp-policy) if your communication compliance policies include sensitive information types. Make sure you give your policies time to activate so that the communications you want to test are captured.
+After you create a communication compliance policy, it's a good idea to test it to make sure that the conditions you defined are being properly enforced by the policy. You may also want to [test your Microsoft Purview Data Loss Prevention (DLP) policies (preview)](dlp-test-dlp-policies.md) if your communication compliance policies include sensitive information types. Make sure you give your policies time to activate so that the communications you want to test are captured.
Follow these steps to test your communication compliance policy:
compliance Compliance Quick Tasks https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/compliance-quick-tasks.md
For step-by-step guidance to define custom sensitive information types, see [Cre
[Microsoft Purview Data Loss Prevention (DLP) policies](/microsoft-365/compliance/dlp-learn-about-dlp) allow you to identify, monitor, and automatically protect sensitive information across your Microsoft 365 organization. Use DLP policies to identify sensitive items across Microsoft services, prevent the accidental sharing of sensitive items, and help users learn how to stay compliant without interrupting their workflow.
-For step-by-step guidance to configure DLP policies, [Create, test, and tune a DLP policy](/microsoft-365/compliance/create-test-tune-dlp-policy). For data loss management licensing information, see [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#office-365-data-loss-prevention-for-exchange-online-sharepoint-online-and-onedrive-for-business).
+For step-by-step guidance to configure DLP policies, [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md). For data loss management licensing information, see [Microsoft 365 licensing guidance for security & compliance](/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-365-security-compliance-licensing-guidance#office-365-data-loss-prevention-for-exchange-online-sharepoint-online-and-onedrive-for-business).
### Detect and act on insider risks
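Review bot: the sentence is missing its verb in both the removed and the replacement line: "For step-by-step guidance to configure DLP policies, [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)." Since the link text is being rewritten anyway, make it "For step-by-step guidance to configure DLP policies, see [Create and deploy data loss prevention policies](dlp-create-deploy-policy.md)", with sentence-case link text to match "Microsoft 365 licensing guidance for security & compliance" later in the same line.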
compliance Create A Dlp Policy From A Template https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-dlp-policy-from-a-template.md
- Title: "Create a DLP policy from a template"-- NOCSH--- Previously updated : 6/29/2018--- 'ms.o365.cc.NewPolicyFromTemplate'---- tier1-- purview-compliance-- MET150--- seo-marvel-mar2020-- admindeeplinkCOMPLIANCE
-description: In this article, you'll learn about how to create DLP policies using one of the templates included in Office 365.
--
-# Create a DLP policy from a template
-
-The easiest, most common way to get started with DLP policies is to use one of the templates included in the Microsoft Purview compliance portal. You can use one of these templates as is, or customize the rules to meet your organization's specific compliance requirements.
-
-Microsoft 365 includes over 40 ready-to-use templates that can help you meet a wide range of common regulatory and business policy needs. See; [Policy templates](dlp-policy-reference.md#policy-templates) for a complete list.
-
-You can fine tune a template by modifying any of its existing rules or adding new ones. For example, you can add new types of sensitive information to a rule, modify the counts in a rule to make it harder or easier to trigger, allow people to override the actions in a rule by providing a business justification, or change who notifications and incident reports are sent to. A DLP policy template is a flexible starting point for many common compliance scenarios.
-
-You can also choose the Custom template, which has no default rules, and configure your DLP policy from scratch, to meet the specific compliance requirements for your organization.
--
-## Permissions
-
-Members of your compliance team who will create DLP policies need permissions to the Compliance Center. By default, your tenant admin will have access can give compliance officers and other people access. Follow these steps:
-
-1. Create a group in Microsoft 365 and add compliance officers to it.
-
-2. Create a role group on the **Permissions** page of the Microsoft Purview compliance portal.
-
-3. While creating the role group, use the **Choose Roles** section to add the following role to the role group: **DLP Compliance Management**.
-
-4. Use the **Choose Members** section to add the Microsoft 365 group you created before to the role group.
-
-Use the **View-Only DLP Compliance Management** role to create role group with view-only privileges to the DLP policies and DLP reports.
-
-For more information, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
-
-These permissions are required to create and apply a DLP policy not to enforce policies.
-
-### Roles and Role Groups
-
-There are roles and role groups that you can use to fine tune your access controls.
-
-Here's a list of applicable roles. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md)
--- Information Protection Admin-- Information Protection Analyst-- Information Protection Investigator-- Information Protection Reader-
-Here's a list of applicable role groups. To learn more about the, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md)
--- Information Protection-- Information Protection Admins-- Information Protection Analysts-- Information Protection Investigators-- Information Protection Readers-
-### Create the DLP policy from a template
-
-1. Sign in to the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077149" target="_blank">Microsoft Purview compliance portal</a>.
-
-2. In the Microsoft Purview compliance portal \> left navigation \> **Solutions** \> **Data loss prevention** \> **Policies** \> **+ Create policy**.
-
-3. Choose the DLP policy template that protects the types of sensitive information that you need \> **Next**.
-
-4. Name the policy \> **Next**.
-
-<!--In this example, you'll select **Privacy** \> **U.S. Personally Identifiable Information (PII) Data** because it already includes most of the types of sensitive information that you want to protect - you'll add a couple later.
-
- When you select a template, you can read the description on the right to learn what types of sensitive information the template protects.
-
- ![Page for choosing a DLP policy template.](../media/775266f6-ad87-4080-8d7c-97f2e7403b30.png)-->
-
-5. To choose the locations that you want the DLP policy to protect and either accept the default scope for each location or customize the scope. See, [Locations](dlp-policy-reference.md#locations) for scoping options.
-
-6. Choose \> **Next**.
-
-1. Do one of the following:
-
- - Choose **All locations in Office 365** \> **Next**.
- - Choose **Let me choose specific locations** \> **Next**. For this example, choose this.
-
- To include or exclude an entire location such as all Exchange email or all OneDrive accounts, switch the **Status** of that location on or off.
-
- To include only specific SharePoint sites or OneDrive for Business accounts, switch the **Status** to on, and then click the links under **Include** to choose specific sites or accounts. When you apply a policy to a site, the rules configured in that policy are automatically applied to all subsites of that site.
-
- ![Options for locations where a DLP policy can be applied.](../media/all-locations.png)
-
- In this example, to protect sensitive information stored in all OneDrive for Business accounts, turn off the **Status** for both **Exchange email** and **SharePoint sites**, and leave the **Status** on for **OneDrive accounts**.
-
-7. Choose **Review and customize default settings from the template** \> **Next**.
-
-8. A DLP policy template contains predefined rules with conditions and actions that detect and act upon specific types of sensitive information. You can edit, delete, or turn off any of the existing rules, or add new ones. When done, click **Next**.
-
- ![Rules expanded in US PII policy template.](../media/3bc9f1b6-f8ad-4334-863a-24448bb87687.png)
-
-9. Choose to detect when this content is shared inside your organization or outside your organization if you have selected any of these locations:
- 1. Exchange
- 1. SharePoint
- 1. OneDrive
- 1. Teams Chat and Channel Messages
-
-10. Choose **Next**.
-
-11. On the **Protection actions** page if you want, you can customize the policy tip notifications and notification emails. Enable **When content matches the policy conditions, show policy tips to users and send them an email notification**, then choose **Customize the tip and email**.
-12. Choose **Next**.
--
-<!-- In this example, the U.S. PII Data template includes two predefined rules:
-
- - **Low volume of content detected U.S. PII** This rule looks for files containing between 1 and 10 occurrences of each of three types of sensitive information (ITIN, SSN, and U.S. passport numbers), where the files are shared with people outside the organization. If found, the rule sends an email notification to the primary site collection administrator, document owner, and person who last modified the document.
-
- - **High volume of content detected U.S. PII** This rule looks for files containing 10 or more occurrences of each of the same three sensitive information types, where the files are shared with people outside the organization. If found, this action also sends an email notification, plus it restricts access to the file. For content in a OneDrive for Business account, this means that permissions for the document are restricted for everyone except the primary site collection administrator, document owner, and person who last modified the document.
-
- To meet your organization's specific requirements, you may want to make the rules easier to trigger, so that a single occurrence of sensitive information is enough to block access for external users. After looking at these rules, you understand that you don't need low and high count rulesΓÇöyou need only a single rule that blocks access if any occurrence of sensitive information is found.
-
- So you expand the rule named **Low volume of content detected U.S. PII** \> **Delete rule**.
-
- ![Delete rule button.](../media/bc36f7d2-0fae-4af1-92e8-95ba51077b12.png)
-
-9. Now, in this example, you need to add two sensitive information types (U.S. bank account numbers and U.S. driver's license numbers), allow people to override a rule, and change the count to any occurrence. You can do all of this by editing one rule, so select **High volume of content detected U.S. PII** \> **Edit rule**.
-
- ![Edit rule button.](../media/eaf54067-4945-4c98-8dd6-fb2c5d6de075.png)
-
-10. To add a sensitive information type, in the **Conditions** section \> **Add or change types**. Then, under **Add or change types** \> choose **Add** \> select **U.S. Bank Account Number** and **U.S. Driver's License Number** \> **Add** \> **Done**.
-
- ![Option to Add or change types.](../media/c6c3ae86-f7db-40a8-a6e4-db11692024be.png)
-
- ![Add or change types pane.](../media/fdbb96af-b914-4a6c-a97b-bbd014689965.png)
-
-11. To change the count (the number of instances of sensitive information required to trigger the rule), under **Instance count** \> choose the **min** value for each type \> enter 1. The minimum count cannot be empty. The maximum count can be empty; an empty **max** value convert to **any**.
-
- When finished, the min count for all of the sensitive information types should be **1** and the max count should be **any**. In other words, any occurrence of this type of sensitive information will satisfy this condition.
-
- ![Instance counts for sensitive information types.](../media/5c6e08cb-59a9-4558-b54b-d899836d4737.png)
-
-12. For the final customization, you don't want your DLP policies to block people from doing their work when they have a valid business justification or encounter a false positive, so you want the user notification to include options to override the blocking action.
-
- In the **User notifications** section, you can see that email notifications and policy tips are turned on by default for this rule in the template.
-
- In the **User overrides** section, you can see that overrides for a business justification are turned on, but overrides to report false positives are not. Choose **Override the rule automatically if they report it as a false positive**.
-
- ![User notifications section and User overrides section.](../media/62720e7a-a939-4c03-b414-67748f3d64a0.png)
-
-13. At the top of the rule editor, change the name of this rule from the default **High volume of content detected U.S. PII** to **Any content detected with U.S. PII** because it's now triggered by any occurrence of its sensitive information types.
-
-14. At the bottom of the rule editor \> **Save**.
-
-15. Review the conditions and actions for this rule \> **Next**.
-
- On the right, notice the **Status** switch for the rule. If you turn off an entire policy, all rules contained in the policy are also turned off. However, here you can turn off a specific rule without turning off the entire policy. This can be useful when you need to investigate a rule that is generating a large number of false positives.
-
-16. On the next page, read and understand the following, and then choose whether to turn on the rule or test it out first \> **Next**.
-
- Before you create your DLP policies, you should consider rolling them out gradually to assess their impact and test their effectiveness before you fully enforce them. For example, you don't want a new DLP policy to unintentionally block access to thousands of documents that people require to get their work done.
-
- If you're creating DLP policies with a large potential impact, we recommend following this sequence:
-
-17. Start in test mode without Policy Tips and then use the DLP reports to assess the impact. You can use DLP reports to view the number, location, type, and severity of policy matches. Based on the results, you can fine tune the rules as needed. In test mode, DLP policies will not impact the productivity of people working in your organization.
-
-18. Move to Test mode with notifications and Policy Tips so that you can begin to teach users about your compliance policies and prepare them for the rules that are going to be applied. At this stage, you can also ask users to report false positives so that you can further refine the rules.
-
-19. Turn on the policies so that the rules are enforced and the content's protected. Continue to monitor the DLP reports and any incident reports or notifications to make sure that the results are what you intend.
-
- ![Options for using test mode and turning on policy.](../media/49fafaac-c6cb-41de-99c4-c43c3e380c3a.png)
-
-20. Review your settings for this policy \> choose **Create**.
-
-After you create and turn on a DLP policy, it's deployed to any content sources that it includes, such as SharePoint Online sites or OneDrive for Business accounts, where the policy begins automatically enforcing its rules on that content.
--
-## Example: Identify sensitive information across all OneDrive for Business sites and restrict access for people outside your organization
-
-OneDrive for Business accounts make it easy for people across your organization to collaborate and share documents. But a common concern for compliance officers is that sensitive information stored in OneDrive for Business accounts may be inadvertently shared with people outside your organization. A DLP policy can help mitigate this risk.
-
-In this example, you'll create a DLP policy that identifies U.S. PII data, which includes Individual Taxpayer Identification Numbers (ITIN), Social Security Numbers, and U.S. passport numbers. You'll get started by using a template, and then you'll modify the template to meet your organization's compliance requirementsΓÇöspecifically, you'll:
--- Add a couple of types of sensitive informationΓÇöU.S. bank account numbers and U.S. driver's license numbersΓÇöso that the DLP policy protects even more of your sensitive data.--- Make the policy more sensitive, so that a single occurrence of sensitive information is enough to restrict access for external users.--- Allow users to override the actions by providing a business justification or reporting a false positive. This way, your DLP policy won't prevent people in your organization from getting their work done, provided they have a valid business reason for sharing the sensitive information.--
-## View the status of a DLP policy
-
-At any time, you can view the status of your DLP policies on the **Policy** page in the **Data loss prevention** section of the Microsoft Purview compliance portal. Here you can find important information, such as whether a policy was successfully enabled or disabled, or whether the policy is in test mode.
-
-Here are the different statuses and what they mean.
-
-<br>
-
-****
-
-|Status|Explanation|
-|||
-|**Turning on...**|The policy is being deployed to the content sources that it includes. The policy is not yet enforced on all sources.|
-|**Testing, with notifications**|The policy is in test mode. The actions in a rule are not applied, but policy matches are collected and can be viewed by using the DLP reports. Notifications about policy matches are sent to the specified recipients.|
-|**Testing, without notifications**|The policy is in test mode. The actions in a rule are not applied, but policy matches are collected and can be viewed by using the DLP reports. Notifications about policy matches are not sent to the specified recipients.|
-|**On**|The policy is active and enforced. The policy was successfully deployed to all its content sources.|
-|**Turning off...**|The policy is being removed from the content sources that it includes. The policy may still be active and enforced on some sources. Turning off a policy may take up to 45 minutes.|
-|**Off**|The policy is not active and not enforced. The settings for the policy (sources, keywords, duration, etc) are saved.|
-|**Deleting...**|The policy is in the process of being deleted. The policy is not active and not enforced. It normally takes an hour for a policy to delete.|
-|
-
-## Turn off a DLP policy
-
-You can edit or turn off a DLP policy at any time. Turning off a policy disables all of the rules in the policy.
-
-To edit or turn off a DLP policy, on the **Policy** page \> select the policy \> **Edit policy**.
-
-![Edit policy button.](../media/ce319e92-0519-44fe-9507-45a409eaefe4.png)
-
-In addition, you can turn off each rule individually by editing the policy and then toggling off the **Status** of that rule, as described above.
-
-## More information
--- [Learn about data loss prevention](dlp-learn-about-dlp.md)-- [Send notifications and show policy tips for DLP policies](use-notifications-and-policy-tips.md)-- [Create a DLP policy to protect documents with FCI or other properties](protect-documents-that-have-fci-or-other-properties.md)-- [What the DLP policy templates include](what-the-dlp-policy-templates-include.md)-- [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)
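Review bot: this deletes create-a-dlp-policy-from-a-template.md outright, but nothing in the change set shows its operational content landing anywhere else. In particular the policy status table ("Turning on...", "Testing, with notifications", "Testing, without notifications", "Turning off..." with its "may take up to 45 minutes", and "Deleting..." with "It normally takes an hour") and the "Turn off a DLP policy" section are the only places a practitioner is told how long a disable or delete takes to propagate; confirm dlp-create-deploy-policy.md carries that table before merging, or move it there in this commit. Because other pages linked to this article until this same change set (gdpr-compliance.md pointed at /microsoft-365/compliance/create-a-dlp-policy-from-a-template), a redirect entry for the old URL is also needed so external bookmarks and the sensitive-information-type pages that link here do not 404. The permissions guidance ("DLP Compliance Management", "View-Only DLP Compliance Management" and the Information Protection roles and role groups) should likewise be checked for a home in the replacement article.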
compliance Create Test Tune Dlp Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-test-tune-dlp-policy.md
- Title: "Create, test, and tune a DLP policy"-- NOCSH------ 'ms.o365.cc.NewPolicyFromTemplate'---- tier1 -- purview-compliance-- MET150--- seo-marvel-mar2020
-description: In this article, you'll learn how to create, test, and tune a DLP policy according to your organizational needs.
--
-# Create, test, and tune a DLP policy
-
-Microsoft Purview Data Loss Prevention (DLP) helps you prevent the unintentional or accidental sharing of sensitive information.
-
-DLP examines email messages and files for sensitive information, like a credit card number. Using DLP you can detect sensitive information, and take action such as:
--- Log the event for auditing purposes-- Display a warning to the end user who is sending the email or sharing the file-- Actively block the email or file sharing from taking place--
-## Permissions
-
-Members of your compliance team who will create DLP policies need permissions to the Microsoft Purview compliance portal. By default, your tenant admin will have access can give compliance officers and other people access. Follow the steps in [Add users to a compliance role group](microsoft-365-compliance-center-permissions.md#add-users-to-a-compliance-role-group) to add your users to the **DLP Compliance Management** role group.
-
-<!--1. Create a group in Microsoft 365 and add compliance officers to it.
-
-2. Create a role group on the **Permissions** page of the Microsoft Purview compliance portal.
-
-3. While creating the role group, use the **Choose Roles** section to add the following role to the role group: **DLP Compliance Management**.
-
-4. Use the **Choose Members** section to add the Microsoft 365 group you created before to the role group.
-
-Use the **View-Only DLP Compliance Management** role to create role group with view-only privileges to the DLP policies and DLP reports.
-
-For more information, see [Add users to a compliance role group](microsoft-365-compliance-center-permissions.md#add-users-to-a-compliance-role-group).-->
-
-### Roles and Role Groups
-
-There are roles and role groups that you can use to fine tune your access controls.
-
-Here's a list of applicable roles that you can use to fine tune your access controls. To learn more about them, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
--- Information Protection Admin-- Information Protection Analyst-- Information Protection Investigator-- Information Protection Reader-
-Here's a list of applicable role groups that you can use. To learn more, see [Permissions in the Microsoft Purview compliance portal](microsoft-365-compliance-center-permissions.md).
--- Information Protection-- Information Protection Admins-- Information Protection Analysts-- Information Protection Investigators-- Information Protection Readers-
-## How sensitive information is detected by DLP
-
-DLP finds sensitive information by regular expression (RegEx) pattern matching, in combination with other indicators such as the proximity of certain keywords to the matching patterns. For example, a VISA credit card number has 16 digits. But, those digits can be written in different ways, such as 1111-1111-1111-1111, 1111 1111 1111 1111, or 1111111111111111.
-
-Any 16-digit string isn't necessarily a credit card number, it could be a ticket number from a help desk system, or a serial number of a piece of hardware. To tell the difference between a credit card number and a harmless 16-digit string, a calculation is performed (checksum) to confirm that the numbers match a known pattern from the various credit card brands.
-
-If DLP finds keywords such as "VISA" or "AMEX", near date values that might be the credit card expiry date, DLP also uses that data to help it decide whether the string is a credit card number or not.
-
-In other words, DLP is smart enough to recognize the difference between these two strings of text in an email:
--- "Can you order me a new laptop. Use my VISA number 1111-1111-1111-1111, expiry 11/22, and send me the estimated delivery date when you have it."-- "My laptop serial number is 2222-2222-2222-2222 and it was purchased on 11/2010. By the way, is my travel visa approved yet?"-
-See [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md) that explains how each information type is detected.
-
-## Where to start with data loss prevention
-
-When the risks of data leakage aren't entirely obvious, it's difficult to work out where exactly you should start with implementing DLP. Fortunately, DLP policies can be run in "test mode", allowing you to gauge their effectiveness and accuracy before you turn them on.
-
-DLP policies for Exchange Online can be managed through the Exchange admin center. But you can configure DLP policies for all workloads through the Microsoft Purview compliance portal, so that's what I'll use for demonstrations in this article. In the Microsoft Purview compliance portal, you'll find the DLP policies under **Data loss prevention** > **Policy**. Choose **Create a policy** to start.
-
-Microsoft 365 provides a range of [DLP policy templates](what-the-dlp-policy-templates-include.md) you can use to create policies. Let's say that you're an Australian business. You can filter the templates on Australia, and choose Financial, Medical and Health, and Privacy.
-
-![Option to choose country or region.](../media/DLP-create-test-tune-choose-country.png)
-
-For this demonstration I'll choose Australian Personally Identifiable Information (PII) Data, which includes the information types of Australian Tax File Number (TFN) and Driver's License Number.
-
-![Option to choose a policy template.](../media/DLP-create-test-tune-choose-policy-template.png)
-
-Give your new DLP policy a name. The default name will match the DLP policy template, but you should choose a more descriptive name of your own, because multiple policies can be created from the same template.
-
-![Option to name your policy.](../media/DLP-create-test-tune-name-policy.png)
-
-Choose the locations that the policy will apply to. DLP policies can apply to Exchange Online, SharePoint Online, and OneDrive for Business. I'm going to leave this policy configured to apply to all locations.
-
-![Option to choose all locations.](../media/DLP-create-test-tune-choose-locations.png)
-
-At the first **Policy Settings** step, just accept the defaults for now. You can customize DLP policies, but the defaults are a fine place to start.
-
-![Options to customize the type of content to protect.](../media/DLP-create-test-tune-default-customization-settings.png)
-
-After clicking Next,** you'll be presented with a more **Policy Settings** page with more customization options. For a policy that you are just testing, here's where you can start to make some adjustments.
--- I've turned off policy tips for now, which is a reasonable step to take if you're just testing things out and don't want to display anything to users yet. Policy tips display warnings to users that they're about to violate a DLP policy. For example, an Outlook user will see a warning that the file they've attached contains credit card numbers and will cause their email to be rejected. The goal of policy tips is to stop the non-compliant behavior before it happens.-- I've also decreased the number of instances from 10 to 1, so that this policy will detect any sharing of Australian PII data, not just bulk sharing of the data.-- I've also added another recipient to the incident report email.-
-![Additional policy settings.](../media/DLP-create-test-tune-more-policy-settings.png)
-
-Finally, I've configured this policy to run in test mode initially. Notice there's also an option here to disable policy tips while in test mode. This gives you the flexibility to have policy tips enabled in the policy, but then decide whether to show or suppress them during your testing.
-
-![Option to test out policy first.](../media/DLP-create-test-tune-test-mode.png)
-
-On the final review screen, click **Create** to finish creating the policy.
-
-## Test a DLP policy
-
-You can sit and wait for the policy to be triggered by normal user activity, or you can try to trigger it yourself. Earlier I linked to [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md), which provides you with information about how to trigger DLP matches.
-
-As an example, the DLP policy I created for this article will detect Australian tax file numbers (TFN). According to the documentation, the match is based on the following criteria.
-
-![Documentation on Australia Tax File Number.](../media/DLP-create-test-tune-Australia-Tax-File-Number-doc.png)
-
-To demonstrate TFN detection in a rather blunt manner, an email with the words "Tax file number" and a nine digit string in close proximity will sail through without any issues. The reason it doesn't trigger the DLP policy is that the nine digit string must pass the checksum that indicates it's a valid TFN and not just a harmless string of numbers.
-
-![Australia tax file number that does not pass checksum.](../media/DLP-create-test-tune-email-test1.png)
-
-In comparison, an email with the words "Tax file number" and a valid TFN that passes the checksum will trigger the policy. For the record here, the TFN I'm using was taken from a website that generates valid, but not genuine, TFNs. Such sites are useful because one of the most common mistakes when testing a DLP policy is using a fake number that's not valid and won't pass the checksum (and therefore won't trigger the policy).
-
-![Australia tax file number that passes the checksum.](../media/DLP-create-test-tune-email-test2.png)
-
-The incident report email includes the type of sensitive information that was detected, how many instances were detected, and the confidence level of the detection.
-
-![Incident report showing tax file number detected.](../media/DLP-create-test-tune-email-incident-report.png)
-
-If you leave your DLP policy in test mode and analyze the incident report emails, you can start to get a feel for the accuracy of the DLP policy and how effective it will be when it's enforced. In addition to the incident reports, you can [use the DLP reports](view-the-dlp-reports.md) to see an aggregated view of policy matches across your tenant.
-
-## Tune a DLP policy
-
-As you analyze your policy hits, you might want to make some adjustments to how the policies behave. As a simple example, you might determine that one TFN in an email is not a problem (I think it still is, but let's go with it for the sake of demonstration), but two or more instances are a problem. Multiple instances could be a risky scenario such as an employee emailing a CSV export from the HR database to an external party, for example an external accounting service. Definitely something you would prefer to detect and block.
-
-In the Compliance Center you can edit an existing policy to adjust the behavior.
-
-![Option to edit policy.](../media/DLP-create-test-tune-edit-policy.png)
-
-You can adjust the location settings so that the policy is applied only to specific workloads, or to specific sites and accounts.
-
-![Options to choose specific locations.](../media/DLP-create-test-tune-edit-locations.png)
-
-You can also adjust the policy settings and edit the rules to better suit your needs.
-
-![Option to edit rule.](../media/DLP-create-test-tune-edit-rule.png)
-
-When editing a rule within a DLP policy, you can change:
--- The conditions, including the type and number of instances of sensitive data that will trigger the rule.-- The actions that are taken, such as restricting access to the content.-- User notifications, which are policy tips that are displayed to the user in their email client or web browser.-- User overrides determine whether users can choose to proceed with their email or file sharing anyway.-- Incident reports, to notify administrators.-
-![Options to edit parts of a rule.](../media/DLP-create-test-tune-editing-options.png)
-
-For this demonstration I've added user notifications to the policy (be careful of doing this without adequate user awareness training), and allowed users to override the policy with a business justification or by flagging it as a false positive. You can also customize the email and policy tip text if you want to include any additional information about your organization's policies, or prompt users to contact support if they have questions.
-
-![Options for user notifications and overrides.](../media/DLP-create-test-tune-user-notifications.png)
-
-The policy contains two rules for handling of high volume and low volume, so be sure to edit both with the actions that you want. This is an opportunity to treat cases differently depending on their characteristics. For example, you might allow overrides for low volume violations, but not allow overrides for high volume violations.
-
-![One rule for high volume and one rule for low volume.](../media/DLP-create-test-tune-two-rules.png)
-
-Also, if you want to actually block or restrict access to content that is in violation of policy, you need to configure an action on the rule to do so.
-
-![Option to restrict access to content.](../media/DLP-create-test-tune-restrict-access-action.png)
-
-After saving those changes to the policy settings, I also need to return to the main settings page for the policy and enable the option to show policy tips to users while the policy is in test mode. This is an effective way to introduce DLP policies to your end users, and do user awareness training, without risking too many false positives that impact their productivity.
-
-![Option to show policy tips in test mode.](../media/DLP-create-test-tune-show-policy-tips.png)
-
-On the server side (or cloud side if you prefer), the change may not take effect immediately, due to various processing intervals. If you're making a DLP policy change that will display new policy tips to a user, the user may not see the changes take effect immediately in their Outlook client, which checks for policy changes every 24 hours. If you want to speed things up for testing, you can use this registry fix to [clear the last download time stamp from the PolicyNudges key](https://support.microsoft.com/en-au/help/2823261/changes-to-a-data-loss-prevention-policy-don-t-take-effect-in-outlook?__hstc=18650278.46377037dc0a82baa8a30f0ef07a7b2f.1538687978676.1538693509953.1540315763430.3&__hssc=18650278.1.1540315763430&__hsfp=3446956451). Outlook will download the latest policy information the next time you restart it and begin composing an email message.
-
-If you have policy tips enabled, the user will begin to see the tips in Outlook, and can report false positives to you when they occur.
-
-![Policy tip with option to report false positive.](../media/DLP-create-test-tune-policy-tip-in-outlook.png)
-
-## Investigate false positives
-
-DLP policy templates aren't perfect straight out of the box. It's likely that you'll find some false positives occurring in your environment, which is why it's so important to ease your way into a DLP deployment, taking the time to adequately test and tune your policies.
-
-Here's an example of a false positive. This email is harmless. The user is providing their mobile phone number to someone, and including their email signature.
-
-![Email showing false positive information.](../media/DLP-create-test-tune-false-positive-email.png)
-
-But the user sees a policy tip warning them that the email contains sensitive information, specifically, an Australian driver's license number.
-
-![Option to report false positive in policy tip.](../media/DLP-create-test-tune-policy-tip-closeup.png)
-
-The user can report the false positive, and the administrator can look into why it has occurred. In the incident report email, the email is flagged as a false positive.
-
-![Incident report showing false positive.](../media/DLP-create-test-tune-false-positive-incident-report.png)
-
-This driver's license case is a good example to dig into. The reason this false positive has occurred is that the "Australian Driver's License" type will be triggered by any 9-digit string (even one that is part of a 10-digit string), within 300 characters proximity to the keywords "Sydney nsw" (not case sensitive). So it's triggered by the phone number and email signature, only because the user happens to be in Sydney.
--
-One option is to remove the Australian driver's license information type from the policy. It's in there because it's part of the DLP policy template, but we're not forced to use it. If you're only interested in Tax File Numbers and not driver's licenses, you can just remove it. For example, you can remove it from the low volume rule in the policy, but leave it in the high volume rule so that lists of multiple drivers licenses are still detected.
-
-Another option is to increase the instance count, so that a low volume of driver's licenses is only detected when there are multiple instances.
-
-![Option to edit the instance count.](../media/DLP-create-test-tune-edit-instance-count.png)
-
-In addition to changing the instance count, you can also adjust the match accuracy (or confidence level). If your sensitive information type has multiple patterns, you can adjust the match accuracy in your rule, so that your rule matches only specific patterns. For example, to help reduce false positives, you can set the match accuracy of your rule so that it matches only the pattern with the highest confidence level. For more information on confidence levels, see [How to use confidence level to tune your rules](data-loss-prevention-policies.md#match-accuracy).
-
-Finally, if you want to get even a bit more advanced, you can customize any sensitive information type -- for example, you can remove "Sydney NSW" from the list of keywords for [Australia drivers license number](sit-defn-australia-drivers-license-number.md), to eliminate the false positive triggered above. To learn how to do this by using XML and PowerShell, see [customizing a built-in sensitive information type](customize-a-built-in-sensitive-information-type.md).
-
-## Turn on a DLP policy
-
-When you're happy that your DLP policy is accurately and effectively detecting sensitive information types, and that your end users are ready to deal with the policies being in place, then you can enable the policy.
-
-![Option to turn on policy.](../media/DLP-create-test-tune-turn-on-policy.png)
-
-If you're waiting to see when the policy will take effect, [Connect to Security & Compliance PowerShell](/powershell/exchange/connect-to-scc-powershell) and run the [Get-DlpCompliancePolicy cmdlet](/powershell/module/exchange/get-dlpcompliancepolicy) to see the DistributionStatus.
-
- ```powershell
- Get-DlpCompliancePolicy "Testing -Australia PII" -DistributionDetail | Select distributionstatus
- ```
-After turning on the DLP policy, you should run some final tests of your own to make sure that the expected policy actions are occurring. If you're trying to test things like credit card data, there are websites online with information on how to generate sample credit card or other personal information that will pass checksums and trigger your policies.
-
-Policies that allow user overrides will present that option to the user as part of the policy tip.
-
-![Policy tip that allows user override.](../media/DLP-create-test-tune-override-option.png)
-
-Policies that restrict content will present the warning to the user as part of the policy tip, and prevent them from sending the email.
-
-![Policy tip that content is restricted.](../media/DLP-create-test-tune-restrict-warning.png)
-
-## Summary
-
-Data loss prevention policies are useful for organizations of all types. Testing some DLP policies is a low risk exercise due to the control you have over things like policy tips, end-user overrides, and incident reports. You can quietly test some DLP policies to see what type of violations are already occurring in your organization, and then craft policies with low false positive rates, educate your users on what is allowed and not allowed, and then roll out your DLP policies to the organization.
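Review bot: deleting create-test-tune-dlp-policy.md removes two section anchors that other files touched in this same change were linking to until now, `#turn-on-a-dlp-policy` and `#where-to-start-with-data-loss-prevention`, yet no redirect entry for the old path appears anywhere in the diff; external bookmarks and any page not edited here will 404 unless the redirection file is updated in the same commit. Two pieces of the removed article are also practitioner content rather than tutorial narrative and should survive somewhere in the replacement: the distribution check `Get-DlpCompliancePolicy "Testing -Australia PII" -DistributionDetail | Select distributionstatus`, which is how an admin confirms a newly enabled policy has actually propagated, and the note that Outlook only polls for policy changes every 24 hours (with the PolicyNudges registry workaround for testing), which explains why a new policy tip does not appear immediately. The false-positive tuning guidance (raising the instance count, restricting the rule to the highest-confidence pattern, and editing the built-in type's keyword list) is likewise the part of this page most often cited and worth checking for in the new article.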
compliance Customize A Built In Sensitive Information Type https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/customize-a-built-in-sensitive-information-type.md
To upload your rule, you need to do the following.
Get-DlpSensitiveInformationType ```
-To start using the new rule to detect sensitive information, you need to add the rule to a DLP policy. To learn how to add the rule to a policy, see [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md).
+To start using the new rule to detect sensitive information, you need to add the rule to a DLP policy. To learn how to add the rule to a policy, see [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md).
## Term glossary
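Review bot: the new link text on the `+` line, "Create and Deploy data loss prevention policies", capitalizes "Deploy" while neighbouring link titles on these pages use sentence case ("Send notifications and show policy tips for DLP policies", "Learn about data loss prevention"). This same string is repeated in nearly every hunk of the change, so settle on the target article's actual title in sentence case once, here, and apply it throughout.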
compliance Data Loss Prevention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-loss-prevention-policies.md
However, DLP reports need pull data from across Microsoft 365, including Exchang
## More information -- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md#create-and-deploy-data-loss-prevention-policies))
- [Send notifications and show policy tips for DLP policies](use-notifications-and-policy-tips.md)
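Review bot: the added link on the `+` line has an unbalanced closing parenthesis, `...(dlp-create-deploy-policy.md#create-and-deploy-data-loss-prevention-policies))`, which will render the stray `)` as literal text after the link. The fragment is also unnecessary because it targets the destination page's own H1; `(dlp-create-deploy-policy.md)`, as used in every other hunk of this change, is enough. Separately, the `-` line shows `## More information` run together with the removed bullet; confirm the heading is unchanged context and not part of the deletion.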
compliance Deploy Scanner Configure Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/deploy-scanner-configure-install.md
Using a data loss prevention policy enables the scanner to detect potential data
- **Enable DLP rules in your content scan job** to reduce the exposure of any files that match your DLP policies. When your DLP rules are enabled, the scanner may reduce file access to data owners only, or reduce exposure to network-wide groups, such as **Everyone**, **Authenticated Users**, or **Domain Users**. -- **In the Microsoft Purview compliance portal**, determine whether you are just testing your DLP policy or whether you want your rules enforced and your file permissions changed according to those rules. For more information, see [Turn on a DLP policy](create-test-tune-dlp-policy.md#turn-on-a-dlp-policy).
+- **In the Microsoft Purview compliance portal**, determine whether you are just testing your DLP policy or whether you want your rules enforced and your file permissions changed according to those rules. For more information, see [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
DLP policies are configured in the Microsoft Purview compliance portal. For more information about DLP licensing, see [Get started with the data loss prevention on-premises scanner](dlp-on-premises-scanner-get-started.md).
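Review bot: the old link on the `-` line went to `#turn-on-a-dlp-policy`, which is exactly the test-mode-versus-enforce decision this bullet asks the reader to make, but the `+` line points at the top of the new article, so "For more information" now lands on a general page instead of the step that explains test mode and enforcement. Link to the specific section of dlp-create-deploy-policy.md that covers turning a policy on or running it in test mode, if the new article has one. The `+` line also drops the trailing period that the `-` line had.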
compliance Device Onboarding Configure Proxy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-configure-proxy.md
However, if the connectivity check results indicate a failure, an HTTP error is
- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md) - [Using Endpoint data loss prevention](endpoint-dlp-using.md) - [Learn about data loss prevention](dlp-learn-about-dlp.md)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](/windows/security/threat-protection/) - [Onboarding tools and methods for Windows 10 machines](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints)
compliance Device Onboarding Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/device-onboarding-overview.md
In this deployment scenario, you'll onboard Windows 10 or Windows 11 devices tha
- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md) - [Using Endpoint data loss prevention](endpoint-dlp-using.md) - [Learn about data loss prevention](dlp-learn-about-dlp.md)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](/windows/security/threat-protection/) - [Onboarding tools and methods for Windows 10 machines](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints)
compliance Dlp Alerts Dashboard Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-alerts-dashboard-get-started.md
Here's a list of applicable role groups. To learn more about them, see [Permissi
## DLP alert configuration
-To learn how to configure an alert in your DLP policy, see [Where to start with data loss prevention](create-test-tune-dlp-policy.md#where-to-start-with-data-loss-prevention).
+To learn how to configure an alert in your DLP policy, see [Configure and view alerts for data loss prevention polices](dlp-configure-view-alerts-policies.md).
> [!IMPORTANT] > Your organizations audit log retention policy configuration controls how long an alert remains visible in the console. See, [Manage audit log retention policies](audit-log-retention-policies.md#manage-audit-log-retention-policies) for more information.
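Review bot: typo in the `+` line's link text: "Configure and view alerts for data loss prevention polices" should read "policies" (the target file name itself is dlp-configure-view-alerts-policies.md). Repointing the alert-configuration sentence at a dedicated alerts page instead of the old "Where to start" section is the right fix, so only the text needs correcting.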
To work with the DLP alert management dashboard:
## See also - [Learn about data loss prevention alerts and the alerts dashboard](dlp-alerts-dashboard-learn.md)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
compliance Dlp Alerts Dashboard Learn https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-alerts-dashboard-learn.md
Here are some of the events associated with an alert. In the UI, you can choose
## See Also - [Get started with the data loss prevention alert dashboard](dlp-alerts-dashboard-get-started.md)-- [Where to start with data loss prevention](create-test-tune-dlp-policy.md#where-to-start-with-data-loss-prevention)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
compliance Dlp Chrome Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-chrome-get-started.md
To use Microsoft Purview Chrome Extension, the device must be onboarded into end
- [Learn about Microsoft Purview Chrome Extension](dlp-chrome-learn-about.md) - [Learn about Microsoft Purview Data Loss Prevention](dlp-learn-about-dlp.md)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)-- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [Learn about endpoint data loss prevention](endpoint-dlp-learn-about.md) - [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md) - [Onboarding tools and methods for Windows 10/11 devices](device-onboarding-overview.md)
Now that you have onboarded devices and can view the activity data in Activity e
- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md) - [Using Endpoint data loss prevention](endpoint-dlp-using.md) - [Learn about data loss prevention](dlp-learn-about-dlp.md)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](/windows/security/threat-protection/) - [Onboarding tools and methods for Windows 10 machines](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints)
compliance Dlp Chrome Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-chrome-learn-about.md
description: "The Microsoft Purview Extension extends monitoring and control of
# Learn about the Microsoft Purview Chrome Extension
-[Endpoint data loss prevention (endpoint DLP)](endpoint-dlp-learn-about.md) extends the activity monitoring and protection capabilities of [Microsoft Purview data loss prevention (DLP)](dlp-learn-about-dlp.md) to sensitive items that are on Windows 10/11 devices. Once devices are onboarded into the Microsoft Purview solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](create-test-tune-dlp-policy.md).
+[Endpoint data loss prevention (endpoint DLP)](endpoint-dlp-learn-about.md) extends the activity monitoring and protection capabilities of [Microsoft Purview data loss prevention (DLP)](dlp-learn-about-dlp.md) to sensitive items that are on Windows 10/11 devices. Once devices are onboarded into the Microsoft Purview solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [data loss prevention policies](dlp-learn-about-dlp.md).
Once the Microsoft Purview Chrome Extension is installed on a Windows 10/11 device, organizations can monitor when a user attempts to access or upload a sensitive item to a cloud service using Google Chrome and enforce protective actions via DLP.
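Review bot: the `+` line links "data loss prevention policies" to dlp-learn-about-dlp.md, but the same sentence already links that page a few clauses earlier ("Microsoft Purview data loss prevention (DLP)"), and every other hunk in this change repoints the create/edit-policy reference to dlp-create-deploy-policy.md. Since this clause is about enforcing protective actions through policies the reader configures, link it to dlp-create-deploy-policy.md instead, which also avoids two links to one target in a single sentence.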
activity |description | supported policy actions|
1. [Get started with endpoint data loss prevention](endpoint-dlp-getting-started.md) 2. [Onboarding tools and methods for Windows 10/11 devices](device-onboarding-overview.md) 3. [Install the extension for Chrome on your Windows 10/11 devices](dlp-chrome-get-started.md)
-4. [Create or edit DLP policies](create-test-tune-dlp-policy.md) that restrict upload to cloud service, or access by unallowed browsers actions and apply them to your Windows 10/11 devices
+4. [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) that restrict upload to cloud service, or access by unallowed browsers actions and apply them to your Windows 10/11 devices
## Next steps
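Review bot: the `+` line keeps the phrase "restrict upload to cloud service, or access by unallowed browsers actions", which does not parse ("browsers actions"). Since the line is being rewritten anyway and the table above names these as policy actions, suggest: "that restrict the 'upload to cloud service' and 'access by unallowed browsers' actions, and apply them to your Windows 10/11 devices".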
See [Get started with the Microsoft Purview Chrome Extension](dlp-chrome-get-sta
- [Getting started with Endpoint data loss prevention](endpoint-dlp-getting-started.md) - [Using Endpoint data loss prevention](endpoint-dlp-using.md) - [Learn about data loss prevention](dlp-learn-about-dlp.md)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](/windows/security/threat-protection/) - [Insider risk management](insider-risk-management.md)
compliance Dlp Conditions And Exceptions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-conditions-and-exceptions.md
To configure the sender address location at a DLP rule level, the parameter is *
|condition or exception in DLP|condition/exception parameters in Security & Compliance PowerShell|property type|description| |||||
-|Content is shared with |condition: *AccessScope* <br/><br/> |Scope|Messages that are sent to internal or external recipients.|
|Recipient is|condition: *SentTo* <br/><br/> exception: *ExceptIfSentTo*|Addresses|Messages where one of the recipients is the specified mailbox, mail user, or mail contact in the organization. The recipients can be in the **To**, **Cc**, or **Bcc** fields of the message.| |Recipient domain is|condition: *RecipientDomainIs* <br/><br/> exception: *ExceptIfRecipientDomainIs*|DomainName|Messages where the domain of the recipient's email address matches the specified value.| |Recipient address contains words|condition: *AnyOfRecipientAddressContainsWords* <br/><br/> exception: *ExceptIfAnyOfRecipientAddressContainsWords*|Words|Messages that contain the specified words in the recipient's email address. <br/><br/>**Note**: This condition doesn't consider messages that are sent to recipient proxy addresses. It only matches messages that are sent to the recipient's primary email address.|
To configure the sender address location at a DLP rule level, the parameter is *
|Sent to member of|condition: *SentToMemberOf* <br/><br/> exception: *ExceptIfSentToMemberOf*|Addresses|Messages that contain recipients who are members of the specified distribution group, mail-enabled security group, or Microsoft 365 group. The group can be in the **To**, **Cc**, or **Bcc** fields of the message.| |The recipient's specified properties include any of these words |*RecipientADAttributeContainsWords* <br/><br/> *ExceptIfRecipientADAttributeContainsWords*|First property: `ADAttribute` <br/><br/> Second property: `Words`|Messages where the specified Active Directory attribute of a recipient contains any of the specified words. <br/><br/> Note that the **Country** attribute requires the two-letter country code value (for example, DE for Germany).| |The recipient's specified properties match these text patterns |*RecipientADAttributeMatchesPatterns* <br/><br/> *ExceptIfRecipientADAttributeMatchesPatterns*|First property: `ADAttribute` <br/><br/> Second property: `Patterns`|Messages where the specified Active Directory attribute of a recipient contains text patterns that match the specified regular expressions.|
-|Recipient scope|condition: *AccessScope* <br/><br/> exception: *ExceptIfAccessScope*|UserScopeFrom|Messages that are received by either internal or external recipients.|
+|Recipient scope/Content is shared with|condition: *AccessScope* <br/><br/> exception: *ExceptIfAccessScope*|UserScopeFrom|Messages that are received by either internal or external recipients.|
### Message subject or body
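Review bot: the merged row title "Recipient scope/Content is shared with" joins two UI labels with a slash, and its description ("Messages that are received by either internal or external recipients") still describes email only; if "Content is shared with" is the label users now see in the policy editor, name it plainly and make the description cover shared items as well as messages, e.g. "Items or messages that are shared with, or sent to, internal or external recipients", and mention that the older "Recipient scope" label refers to the same *AccessScope* condition.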
This table describes the actions that are available in DLP.
|action in DLP|action parameters in Security & Compliance PowerShell|property type|description| |||||
+|Restrict access or encrypt content in Microsoft 365 locations|BlockAccess|First property: *Boolean* <br/><br/> Second property: *BlockAccessScope*|This will allow you to block the access or encrypt the content to the specified users.|
|Set header|SetHeader|First property: *Header Name* <br/><br/> Second property: *Header Value*|The SetHeader parameter specifies an action for the DLP rule that adds or modifies a header field and value in the message header. This parameter uses the syntax "HeaderName:HeaderValue". You can specify multiple header name and value pairs separated by commas| |Remove header|RemoveHeader|First property: *MessageHeaderField*<br/><br/> Second property: *String*|The RemoveHeader parameter specifies an action for the DLP rule that removes a header field from the message header. This parameter uses the syntax "HeaderName" or "HeaderName:HeaderValue".You can specify multiple header names or header name and value pairs separated by commas| |Redirect the message to specific users|*RedirectMessageTo*|Addresses|Redirects the message to the specified recipients. The message isn't delivered to the original recipients, and no notification is sent to the sender or the original recipients.|
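Review bot: the description of the new BlockAccess row, "This will allow you to block the access or encrypt the content to the specified users", does not parse and, unlike the SetHeader and RemoveHeader rows beside it, says nothing about what the two properties mean; suggest "Blocks access to the item, or encrypts it, for the users in the selected scope. The first property (Boolean) turns the action on; the second (BlockAccessScope) selects who is blocked." and list the accepted BlockAccessScope values the way the other rows spell out their syntax.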
compliance Dlp Configure Endpoint Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-configure-endpoint-settings.md
By default, when devices are onboarded, activity for Office, PDF, and CSV files
File activity will always be audited for onboarded devices, regardless of whether they're included in an active policy.
-> [!IMPORTANT]
-> Before you can use [Printer groups (preview)](#printer-groups-preview), [Removable storage device groups](#removable-storage-device-groups-preview), [Network share groups](#network-share-groups-preview), and [VPN settings](#vpn-settings-preview) you must register [here](https://forms.office.com/r/GNVTFvxuZv).
- ### Printer groups (preview) Use this setting to define groups of printers that you want to assign policy actions to that are different from the global printing actions. For example, say you want your DLP policy to block printing of contracts to all printers, except for printers that are in the legal department.
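Review bot: dropping the IMPORTANT note removes the only statement of how to enrol in the preview, but the heading in the trailing context is still "Printer groups (preview)" and the anchors the removed note referenced (#removable-storage-device-groups-preview, #network-share-groups-preview, #vpn-settings-preview) keep their -preview suffixes; either the features are now generally available, in which case the "(preview)" suffixes and anchors should change in the same commit, or they are still preview and the note should be replaced with the new enrolment path rather than deleted.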
Use this setting to define groups of printers that you want to assign policy act
This feature is available for devices running any of the following Windows versions: - Windows 10 and later (20H2, 21H1, 21H2, and later) - [KB5020030](https://support.microsoft.com/en-us/topic/november-15-2022-kb5020030-os-builds-19042-2311-19043-2311-19044-2311-and-19045-2311-preview-237a9048-f853-4e29-a3a2-62efdbea95e2)-- Win 11 21H2, 22H2 - [KB5019157](https://support.microsoft.com/en-us/topic/november-15-2022-kb5019157-os-build-22000-1281-preview-d64fb317-3435-49ff-b2c4-d0356a51a6b0)
+- Win 11 21H2 - [KB5019157](https://support.microsoft.com/en-us/topic/november-15-2022-kb5019157-os-build-22000-1281-preview-d64fb317-3435-49ff-b2c4-d0356a51a6b0)
+- Win 11 22H2 - [KB5020044](https://support.microsoft.com/en-us/topic/november-29-2022-kb5020044-os-build-22621-900-preview-43f0bdf9-0b75-4110-bab3-3bd2433d84b3)
- Windows Server 2022 - [KB5020032](https://support.microsoft.com/en-us/topic/november-22-2022-kb5020032-os-build-20348-1311-preview-7ca1be57-3555-4377-9eb1-0e4d714d9c68) You define a printer by these parameters:
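Review bot: the Windows 10 bullet in this list still reads "Windows 10 and later (20H2, 21H1, 21H2, and later)", which says "and later" twice and is vaguer than the linked KB5020030 itself, whose URL names the exact builds 19042 through 19045 (20H2 through 22H2); while the Windows 11 line is being split per build, tighten this one to the builds the KB covers, e.g. `- Windows 10 20H2, 21H1, 21H2, 22H2 - [KB5020030](...)`.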
Use this setting to define groups of removable storage devices, like USB thumb d
This feature is available for devices running any of the following Windows versions: -- Windows 10 and later (20H2, 21H1, 21H2) -- Win 11 21H2, 22H2
+- Windows 10 and later (20H2, 21H1, 21H2) with KB 5018482
+- Win 11 21H2, 22H2 with KB 5018483
- Windows 10 RS5 (KB 5006744) and Windows Server 2022 You can define removeable storage devices by these parameters:
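Review bot: the two KB numbers added here ("with KB 5018482", "with KB 5018483") are bare text while the printer-groups list a few lines up links each KB to its support article; link them the same way. The Windows 11 line also repeats the pattern the printer-groups hunk just had to correct, a single KB cited for both 21H2 and 22H2, so confirm KB 5018483 really applies to both builds before this lands. Finally, "removeable" in the trailing context line should be "removable".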
Use this setting to define groups of network share paths that you want to assign
This feature is available for devices running any of the following Windows versions: -- Windows 10 and later (20H2, 21H1, 21H2) -- Win 11 21H2, 22H2
+- Windows 10 and later (20H2, 21H1, 21H2) with KB 5018482
+- Win 11 21H2, 22H2 with KB 5018483
- Windows 10 RS5 (KB 5006744) and Windows Server 2022
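Review bot: same two issues as the removable-storage list above (unlinked KB numbers, one KB cited for both Windows 11 21H2 and 22H2). Rather than maintaining this version list three times in one file, consider a single "Supported Windows versions and required updates" table near the top and a link to it from each group section, so the next KB update is a one-line change instead of three.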
Use the VPN list to control only those actions that are being carried out over t
This feature is available for devices running any of these versions of Windows: -- Windows 10 and later (20H2, 21H1, 21H2) -- Windows 11 21H2, 22H2
+- Windows 10 and later (20H2, 21H1, 21H2) with KB 5018482
+- Windows 11 21H2, 22H2 with KB 5018483
- Windows 10 RS5 (KB 5006744) When you list a VPN in **VPN Settings** you can assign these policy actions to them:
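Review bot: this VPN list ends at "Windows 10 RS5 (KB 5006744)" and omits "and Windows Server 2022", which the removable-storage and network-share lists include on the same bullet; if Server 2022 is unsupported for VPN settings say so explicitly, otherwise add it so the three lists agree.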
See, [Scenario 8 Network exceptions](endpoint-dlp-using.md#scenario-8-network-ex
- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md) - [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md) - [Learn about data loss prevention](dlp-learn-about-dlp.md)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) - [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](/windows/security/threat-protection/) - [Onboard Windows 10 and Windows 11 devices into Microsoft Purview overview](/microsoft-365/compliance/device-onboarding-overview)
See, [Scenario 8 Network exceptions](endpoint-dlp-using.md#scenario-8-network-ex
- [Azure Active Directory (AAD) joined](/azure/active-directory/devices/concept-azure-ad-join) - [Download the new Microsoft Edge based on Chromium](https://support.microsoft.com/help/4501095/download-the-new-microsoft-edge-based-on-chromium) - [Get started with the default DLP policy](get-started-with-the-default-dlp-policy.md)-- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
compliance Dlp Create Deploy Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-create-deploy-policy.md
This scenario requires that you already have devices onboarded and reporting int
1. Type in the appropriate value in the **Add new service domains to this group**. You can add multiple websites to a group and use wildcards to cover subdomains. For example, `www.contoso.com` for just the top level website or \*.contoso.com for corp.contoso.com, hr.contoso.com, fin.contoso.com 1. Select **Save**. 1. Select **Policies**.
-1. Create and scope a policy that is applied only to **Devices**. See, [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) for more information on how to create a policy.
+1. Create and scope a policy that is applied only to **Devices**. See, [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)) for more information on how to create a policy.
1. Create a rule that uses the **the user accessed a sensitive site from Edge**, and the action **Audit or restrict activities when users access sensitive sites in Microsoft Edge browser on Windows devices**. 1. In the action select **Add or remove Sensitive site groups**. 1. Select the **Sensitive site groups** you want. Any website under the group(s) you select here will be redirected to Edge when opened in Chrome browser (with Purview extension installed).
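Review bot: the added step links to dlp-create-deploy-policy.md from inside dlp-create-deploy-policy.md itself, so the reader is sent back to the page they are already on, and the link carries a stray second closing parenthesis ("...dlp-create-deploy-policy.md))") that will render as a literal ")". Point at the section of this article that holds the creation procedure, or simply say "see the policy creation steps earlier in this article", and drop the extra parenthesis; "See, [...]" should also lose the comma.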
compliance Dlp Firefox Extension Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-firefox-extension-get-started.md
To use Microsoft Purview Extension, the device must be onboarded into endpoint D
- [Learn about Microsoft Purview Firefox Extension](dlp-firefox-extension-learn.md) - [Learn about Microsoft Purview Data Loss Prevention](dlp-learn-about-dlp.md)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)-- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [Learn about endpoint data loss prevention](endpoint-dlp-learn-about.md) - [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md) - [Onboarding tools and methods for Windows 10 devices](device-onboarding-overview.md)
Now that you have onboarded devices and can view the activity data in Activity e
- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md) - [Using Endpoint data loss prevention](endpoint-dlp-using.md) - [Learn about data loss prevention](dlp-learn-about-dlp.md)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](/windows/security/threat-protection/) - [Onboarding tools and methods for Windows 10 machines](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints)
compliance Dlp Firefox Extension Learn https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-firefox-extension-learn.md
description: "The Microsoft Purview Firefox Extension extends monitoring and con
# Learn about the Microsoft Purview Firefox Extension (preview)
-[Endpoint data loss prevention (endpoint DLP)](endpoint-dlp-learn-about.md) extends the activity monitoring and protection capabilities of [Microsoft Purview data loss prevention (DLP)](dlp-learn-about-dlp.md) to sensitive items that are on Windows 10 devices. Once devices are onboarded into the Microsoft Purview solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](create-test-tune-dlp-policy.md).
+[Endpoint data loss prevention (endpoint DLP)](endpoint-dlp-learn-about.md) extends the activity monitoring and protection capabilities of [Microsoft Purview data loss prevention (DLP)](dlp-learn-about-dlp.md) to sensitive items that are on Windows 10 devices. Once devices are onboarded into the Microsoft Purview solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](dlp-learn-about-dlp.md).
Once the Firefox extension is installed on a Windows 10 device, organizations can monitor when a user attempts to access or upload a sensitive item to a cloud service using Mozilla Firefox and enforce protective actions via DLP.
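Review bot: the replacement target here is dlp-learn-about-dlp.md, not dlp-create-deploy-policy.md as in every other hunk in this change, and that page is already linked two clauses earlier in the same sentence ("Microsoft Purview data loss prevention (DLP)"); if "DLP policies" is meant to lead to the creation procedure, use `[DLP policies](dlp-create-deploy-policy.md)`, otherwise drop the second link rather than pointing at the same page twice in one sentence.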
activity |description | supported policy actions|
1. [Get started with endpoint data loss prevention](endpoint-dlp-getting-started.md) 2. [Onboarding tools and methods for Windows 10 devices](device-onboarding-overview.md) 3. [Install the Firefox extension on your Windows 10 devices](dlp-firefox-extension-get-started.md)
-4. [Create or edit DLP policies](create-test-tune-dlp-policy.md) that restrict upload to cloud service, or access by unallowed browsers actions and apply them to your Windows 10 devices
+4. [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) that restrict upload to cloud service, or access by unallowed browsers actions and apply them to your Windows 10 devices
## Next steps
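Review bot: splicing the page title into step 4 produces "Create and Deploy data loss prevention policies that restrict upload to cloud service, or access by unallowed browsers actions", which no longer reads as an instruction; keep a verb phrase as the link text and name the two actions explicitly, e.g. `4. [Create or edit DLP policies](dlp-create-deploy-policy.md) that use the "upload to cloud service" or "access by unallowed browsers" actions, and apply them to your Windows 10 devices`.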
See [Get started with the Microsoft Purview Firefox Extension](dlp-firefox-exten
- [Getting started with Endpoint data loss prevention](endpoint-dlp-getting-started.md) - [Using Endpoint data loss prevention](endpoint-dlp-using.md) - [Learn about data loss prevention](dlp-learn-about-dlp.md)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](/windows/security/threat-protection/) - [Insider risk management](insider-risk-management.md)
compliance Dlp Microsoft Teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-microsoft-teams.md
can't use the below image it contains a non-approved name.
## Related articles -- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [Send email notifications and show policy tips for DLP policies](use-notifications-and-policy-tips.md)
compliance Dlp Migrate Exo Policy To Unified Dlp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-migrate-exo-policy-to-unified-dlp.md
The account that you use to run the migration wizard must have access to both th
1. If you're unfamiliar with DLP, the compliance portal DLP console, or the Exchange Admin center DLP console, you should familiarize yourself before attempting a policy migration. 1. [Exchange Online data loss prevention (DLP) policies](/exchange/security-and-compliance/data-loss-prevention/data-loss-prevention) 1. [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md)
- 1. [Create, Test, and Tune a DLP policy](create-test-tune-dlp-policy.md)
+ 1. [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
1. Evaluate your Exchange DLP and compliance portal policies by asking these questions: |Question|Action|Migration procedure|
The migrated policies will now appear in the list of DLP policies in the complia
Test and review your policies.
-1. Follow the [Test a DLP policy](create-test-tune-dlp-policy.md#test-a-dlp-policy) procedures.
+1. Follow the [Test a DLP policy](dlp-test-dlp-policies.md) procedures.
2. Review the events created by the policy in [Activity explorer](data-classification-activity-explorer.md). ## Review the policy matches between Exchange Admin Center DLP and Microsoft Purview Unified DLP
Once you're satisfied with how your migrated policies are functioning, you can s
- [Exchange Online data loss prevention (DLP) policies](/exchange/security-and-compliance/data-loss-prevention/data-loss-prevention) - [Learn about data loss prevention](dlp-learn-about-dlp.md) - [Get started with Activity explorer](data-classification-activity-explorer.md)-- [Create, Test, and Tune a DLP policy](create-test-tune-dlp-policy.md)-- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [Exchange Online data loss prevention (DLP) policies](/exchange/security-and-compliance/data-loss-prevention/data-loss-prevention)
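Review bot: after this hunk the see-also list contains "[Exchange Online data loss prevention (DLP) policies](/exchange/security-and-compliance/data-loss-prevention/data-loss-prevention)" twice, once as the first entry on the unchanged line above and again on the trailing context line; remove one, or the rendered list will have the same link at both ends.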
compliance Dlp Migration Assistant For Symantec Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-migration-assistant-for-symantec-get-started.md
Now that you have installed Microsoft Purview Data Loss Prevention migration ass
- [Learn about the Microsoft Purview Data Loss Prevention migration assistant for Symantec](dlp-migration-assistant-for-symantec-learn.md) - [Learn about data loss prevention](dlp-learn-about-dlp.md)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1)
compliance Dlp Migration Assistant For Symantec Use https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-migration-assistant-for-symantec-use.md
After you've installed and launched the migration assistant, you need to log in.
2. Select **Next**. 2. Enter your username and select **Login**. 1. Enter your password in the browser window that opens and select **Sign in**.
+
+ > [!NOTE]
+ > This application uses Exchange Online PowerShell module. Basic authentication must be enabled in WinRM on the local computer. For more information, see [Prerequisites for the Exchange Online PowerShell module](/powershell/exchange/exchange-online-powershell-v2#prerequisites-for-the-exchange-online-powershell-module).
3. You need to wait until your login is validated. Simultaneously, the migration assistant fetches information that will be required in later stages of the migration process. :::image type="content" source="../media/login-fetching-details.png" alt-text="Screenshot of the screen fetching details."::: 4. Once you're logged in, choose **Next**.
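Review bot: the new note tells admins to enable Basic authentication in WinRM without saying why, for which module version, or for how long. The WinRM client Basic setting is only needed by the remote PowerShell connections of Exchange Online PowerShell module versions before 3.0.0; it is a client transport setting rather than a credential mode, and it is commonly disabled by policy ("Allow Basic authentication" under the WinRM Client administrative template) on hardened admin workstations, which is exactly where a DLP migration is likely to be run. State which module version the assistant installs or requires, note that REST-based connections in module version 3.0.0 and later do not need the setting, and tell readers to revert it once the migration is complete, e.g. `winrm set winrm/config/client/auth '@{Basic="false"}'`.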
There are also some features in the software that may enable you and Microsoft t
- [Learn about Microsoft Purview Data Loss Prevention migration assistant for Symantec](dlp-migration-assistant-for-symantec-learn.md) - [Get started with Microsoft Purview Data Loss Prevention migration assistant for Symantec](dlp-migration-assistant-for-symantec-get-started.md) - [Learn about data loss prevention](dlp-learn-about-dlp.md)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
compliance Dlp On Premises Scanner Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-on-premises-scanner-get-started.md
Here's a list of applicable role groups that are in preview. To learn more about
6. Open the [Data loss prevention page](https://compliance.microsoft.com/datalossprevention?viewid=policies) in the Microsoft Purview compliance portal.
-7. Choose **Create policy** and create a test DLP policy. See [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md) if you need help creating a policy. Be sure to run it in test until you are comfortable with this feature. Use these parameters for your policy:
+7. Choose **Create policy** and create a test DLP policy. See [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) if you need help creating a policy. Be sure to run it in test until you are comfortable with this feature. Use these parameters for your policy:
1. Scope the DLP on-premises scanner rule to specific locations if needed. If you scope **locations** to **All**, all files scanned by the scanner will be subject to the DLP rule matching and enforcement. 1. When specifying the locations, you can use either exclusion or inclusion list. You can either define that the rule is relevant only to paths matching one of the patterns listed in inclusion list or, all files, except the files matching the pattern listed in inclusion list. No local paths are supported. Here are some examples of valid paths: - \\\server\share
Now that you have deployed a test policy for DLP on-premises locations and can v
- [Learn about DLP on-premises scanner](dlp-on-premises-scanner-learn.md) - [Use DLP on-premises scanner](dlp-on-premises-scanner-use.md) - [Learn about data loss prevention](dlp-learn-about-dlp.md)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft 365 subscription](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans?rtc=1)
compliance Dlp On Premises Scanner Learn https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-on-premises-scanner-learn.md
description: "The data loss prevention on-premises scanner extends monitoring of
Data loss prevention on-premises scanner is part of the Microsoft Purview Data Loss Prevention (DLP) suite of features that you can use to discover and protect sensitive items across Microsoft 365 services. For more information about all of MicrosoftΓÇÖs DLP offerings, see [Learn about data loss prevention](dlp-learn-about-dlp.md).
-The **DLP on-premises scanner** crawls on-premises data-at-rest in file shares and SharePoint document libraries and folders for sensitive items that, if leaked, would pose a risk to your organization or pose a risk of compliance policy violation. This gives you the visibility and control you need to ensure that sensitive items are used and protected properly, and to help prevent risky behavior that might compromise them. The DLP on-premises scanner detects sensitive information by using [built-in](sensitive-information-type-entity-definitions.md) or [custom sensitive information](create-a-custom-sensitive-information-type.md) types, [sensitivity labels](sensitivity-labels.md) or file properties. The information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](create-test-tune-dlp-policy.md).
+The **DLP on-premises scanner** crawls on-premises data-at-rest in file shares and SharePoint document libraries and folders for sensitive items that, if leaked, would pose a risk to your organization or pose a risk of compliance policy violation. This gives you the visibility and control you need to ensure that sensitive items are used and protected properly, and to help prevent risky behavior that might compromise them. The DLP on-premises scanner detects sensitive information by using [built-in](sensitive-information-type-entity-definitions.md) or [custom sensitive information](create-a-custom-sensitive-information-type.md) types, [sensitivity labels](sensitivity-labels.md) or file properties. The information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](dlp-learn-about-dlp.md).
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
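Review bot: as with the Firefox extension page in this change, the "DLP policies" link is redirected to dlp-learn-about-dlp.md, which the same paragraph already links in its first sentence, instead of to dlp-create-deploy-policy.md where the creation procedure lives; point it at the procedure or drop it. The first paragraph of this hunk also shows the apostrophe in "Microsoft's" as mojibake ("MicrosoftΓÇÖs") as rendered here, worth checking that the file is saved as UTF-8.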
Now that you've learned about DLP on-premises scanner, your next steps are:
- [Getting started with the data loss prevention on-premises scanner](dlp-on-premises-scanner-get-started.md) - [Use the data loss prevention on-premises scanner](dlp-on-premises-scanner-use.md) - [Learn about data loss prevention](dlp-learn-about-dlp.md)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [Get started with Activity explorer](data-classification-activity-explorer.md)
compliance Dlp On Premises Scanner Use https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-on-premises-scanner-use.md
To help familiarize you with Microsoft Purview Data Loss Prevention on-premises
> > - [Learn about data loss prevention](dlp-learn-about-dlp.md) > - [Get started with the default DLP policy](get-started-with-the-default-dlp-policy.md)
-> - [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)
-> - [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+> - [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
### Scenario: Discover files matching DLP rules
If you want to enforce DLP rules on the scanned files, enforcement must be enabl
- [Learn about DLP on-premises scanner](dlp-on-premises-scanner-learn.md) - [Get started with DLP on-premises scanner](dlp-on-premises-scanner-get-started.md) - [Learn about data loss prevention](dlp-learn-about-dlp.md)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [Get started with Activity explorer](data-classification-activity-explorer.md)
compliance Dlp Policy Design https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-policy-design.md
Here's a video that shows how you'd map two complex policy intent statements to
9. Document the configuration of all the policy settings and review them with your stakeholders. You can re-use your policy intent statement mapping to configuration points, which is now fully fleshed out.
-10. [Create a](create-test-tune-dlp-policy.md#create-test-and-tune-a-dlp-policy) draft policy and refer back to your [policy deployment](dlp-overview-plan-for-dlp.md#policy-deployment) plan.
+10. [Create a](dlp-create-deploy-policy.md) draft policy and refer back to your [policy deployment](dlp-overview-plan-for-dlp.md#policy-deployment) plan.
<!--## Policy design examples
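Review bot: after dropping the section anchor, the link text in step 10 is still just "Create a", which is meaningless when read in isolation (as screen readers do with link text) and leaves "draft policy" outside the link; make the whole phrase the link, e.g. `10. [Create a draft policy](dlp-create-deploy-policy.md) and refer back to your [policy deployment](dlp-overview-plan-for-dlp.md#policy-deployment) plan.`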
Here are some examples of more detailed policy intent statement to configuration
- [Plan for data loss prevention (DLP)](dlp-overview-plan-for-dlp.md#plan-for-data-loss-prevention-dlp) - [Data Loss Prevention policy reference](dlp-policy-reference.md#data-loss-prevention-policy-reference) - [Data Loss Prevention policy tips reference](dlp-policy-tips-reference.md#data-loss-prevention-policy-tips-reference)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md#create-test-and-tune-a-dlp-policy)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
compliance Dlp Policy Reference https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-policy-reference.md
A DLP policy can find and protect items that contain sensitive information acros
|On-premises repositories (file shares and SharePoint) |repository | data-at-rest | - [Learn about the data loss prevention on-premises scanner](dlp-on-premises-scanner-learn.md) </br> - [Get started with the data loss prevention on-premises scanner](dlp-on-premises-scanner-get-started.md#get-started-with-the-data-loss-prevention-on-premises-scanner) | |Power BI| workspaces | data-in-use | No|
-If you choose to include specific distribution groups in Exchange, the DLP policy will be scoped only to the members of that group. Similarly excluding a distribution group will exclude all the members of that distribution group from policy evaluation. You can choose to scope a policy to the members of distribution lists, dynamic distribution groups, and security groups. A DLP policy can contain no more than 50 such inclusions and exclusions.
+If you choose to include specific distribution groups in Exchange, the DLP policy will be scoped only to the emails sent by members of that group. Similarly excluding a distribution group will exclude all the emails sent by the members of that distribution group from policy evaluation. You can choose to scope a policy to the members of distribution lists, dynamic distribution groups, and security groups. A DLP policy can contain no more than 50 such inclusions and exclusions.
If you choose to include or exclude specific SharePoint sites or OneDrive accounts, a DLP policy can contain no more than 100 such inclusions and exclusions. Although this limit exists, you can exceed this limit by applying either an org-wide policy or a policy that applies to entire locations.
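Review bot: the reworded sentence now states the scoping rule in one direction only (emails sent by members) and leaves the reader to infer the other, which is the security-relevant half; say it outright: a DLP policy scoped to a distribution group evaluates mail sent by its members and does not evaluate mail those members receive, so a policy meant to catch sensitive data arriving in a group's mailboxes needs a different scope. "Similarly excluding a distribution group" also wants a comma after "Similarly".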
If you have multiple rules in a policy, you can use the **Additional options** t
- [Learn about data loss prevention](dlp-learn-about-dlp.md#learn-about-data-loss-prevention) - [Plan for data loss prevention (DLP)](dlp-overview-plan-for-dlp.md#plan-for-data-loss-prevention-dlp)-- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md#create-a-dlp-policy-from-a-template)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md#create-test-and-tune-a-dlp-policy)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md
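Review bot: the added link is missing its closing parenthesis (`(dlp-create-deploy-policy.md`), so it will render as literal text rather than a link; it should read `- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)`. The two removed entries, like every other entry in this list, linked to a heading anchor; if dlp-create-deploy-policy.md has a top-level heading, keep the same anchor style here for consistency.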
compliance Dlp Powerbi Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-powerbi-get-started.md
When a dataset matches a DLP policy:
## Configure a DLP policy for Power BI
-Follow the procedures in [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md#create-test-and-tune-a-dlp-policy) and use the custom template.
+Follow the procedures in [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) and use the custom template.
> [!IMPORTANT] > When you select the locations for your DLP policy for Power BI, select only the Power BI location. Do not select any other locations, this configuration is not supported.
compliance Dlp Teams Default Policy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-teams-default-policy.md
Admins can view this policy in the [Microsoft Purview compliance portal](https:/
## Edit or delete the default policy
-To [edit the default policy for better performance or to delete it](create-test-tune-dlp-policy.md#tune-a-dlp-policy), just use an account with **DLP Compliance Management** permissions. For more information, see, [Permissions](create-test-tune-dlp-policy.md#permissions).
-
+To [edit the default policy for better performance or to delete it](dlp-create-deploy-policy.md), just use an account with **DLP Compliance Management** permissions. For more information, see, [Permissions](dlp-create-deploy-policy.md#permissions).
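Review bot: the old links pointed at two specific sections (#tune-a-dlp-policy and #permissions) of the retired article; the new ones point at the top of dlp-create-deploy-policy.md and at a #permissions anchor that nothing in this change set shows existing there, and the migration article in the same change sends "Test a DLP policy" to a separate dlp-test-dlp-policies.md, so the tuning material may have moved as well. Verify that both anchors resolve, and if the tuning guidance now lives on the test page, link there for the first link.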
compliance Dlp Use Policies Non Microsoft Cloud Apps https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-use-policies-non-microsoft-cloud-apps.md
After you connect your cloud apps to Defender for Cloud Apps, you can create DLP
## Create a DLP policy scoped to a non-Microsoft cloud app
-Refer to [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) for the procedures to create a DLP policy. Keep these points in mind as you configure your policy.
+Refer to [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) for the procedures to create a DLP policy. Keep these points in mind as you configure your policy.
- Select the turn on the **Microsoft Defender for Cloud Apps** location. - To select a specific app or instance, select **Choose instance**. If you don't select an instance, the policy will be scoped to all connected apps in your Microsoft Defender for Cloud Apps tenant.
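Review bot: the first bullet in the trailing context, "Select the turn on the **Microsoft Defender for Cloud Apps** location", has a stray "the" and reads as two instructions run together; "Turn on the **Microsoft Defender for Cloud Apps** location" is what is meant.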
Refer to [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) f
## See Also -- [Create test and tune a DLP policy](./create-test-tune-dlp-policy.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [Get started with the default DLP policy](./get-started-with-the-default-dlp-policy.md)-- [Create a DLP policy from a template](./create-a-dlp-policy-from-a-template.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
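Review bot: the See Also list now carries "Create and Deploy data loss prevention policies" twice: the first plus line adds it in place of "Create test and tune a DLP policy" directly under "## See Also", and the second plus line adds it again in place of "Create a DLP policy from a template". Keep one entry.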
compliance Endpoint Dlp Getting Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-getting-started.md
description: "Set up Endpoint data loss prevention to monitor file activities an
Endpoint data loss prevention (Endpoint DLP) is part of the Microsoft Purview Data Loss Prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services. For more information about all of MicrosoftΓÇÖs DLP offerings, see [Learn about data loss prevention](dlp-learn-about-dlp.md). To learn more about Endpoint DLP, see [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md)
-Microsoft Endpoint DLP allows you to monitor [onboarded Windows 10, and Windows 11](device-onboarding-overview.md) and [onboarded macOS devices](device-onboarding-macos-overview.md) running three latest released versions. Once a device is onboarded, DLP will detect when sensitive items are used and shared. This gives you the visibility and control you need to ensure that they are used and protected properly, and to help prevent risky behavior that might compromise them.
+Microsoft Endpoint DLP allows you to monitor [onboarded Windows 10, and Windows 11](device-onboarding-overview.md) and [onboarded macOS devices](device-onboarding-macos-overview.md) running three latest released versions. Once a device is onboarded, DLP will detect when sensitive items are used and shared. This gives you the visibility and control you need to ensure that they're used and protected properly, and to help prevent risky behavior that might compromise them.
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
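Review bot: while the contraction on this line is being changed, "running three latest released versions" is missing "the" (it should read "running the three latest released versions"), and "onboarded Windows 10, and Windows 11" has a stray comma before "and"; both survive unchanged in the plus line.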
for full licensing details, see [Microsoft 365 licensing guidance for informatio
### Configure proxy on the Windows 10 or Windows 11 device
-If you are onboarding Windows 10 or Windows 11 devices, check to make sure that the device can communicate with the cloud DLP service. For more information see, [Configure device proxy and internet connection settings for Information Protection](device-onboarding-configure-proxy.md#configure-device-proxy-and-internet-connection-settings-for-information-protection).
+If you're onboarding Windows 10 or Windows 11 devices, check to make sure that the device can communicate with the cloud DLP service. For more information, see, [Configure device proxy and internet connection settings for Information Protection](device-onboarding-configure-proxy.md#configure-device-proxy-and-internet-connection-settings-for-information-protection).
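Review bot: the plus line adds a comma before "see" but keeps the one after it, producing "For more information, see, [Configure device proxy and internet connection settings for Information Protection]"; drop the comma after "see".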
## Windows 10 and Windows 11 Onboarding procedures
For a general introduction to onboarding Windows devices, see:
For specific guidance to onboarding Windows devices, see:
-Topic | Description
+Article | Description
:|: [Onboard Windows 10 or 11 devices using Group Policy](device-onboarding-gp.md) | Use Group Policy to deploy the configuration package on devices. [Onboard Windows 10 or 11 devices using Microsoft Endpoint Configuration Manager](device-onboarding-sccm.md) | You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on devices.
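Review bot: the header rename from "Topic" to "Article" is fine, but the Microsoft Endpoint Configuration Manager row in the same hunk still reads "You can use either use Microsoft Endpoint Configuration Manager", a doubled "use"; fix it while the table header is being touched.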
For a general introduction to onboarding macOS devices, see:
For specific guidance to onboarding macOS devices, see:
-Topic | Description
+Article | Description
:|: |[Intune](device-onboarding-offboarding-macos-intune.md)|For macOS devices that are managed through Intune |[Intune for Microsoft Defender for Endpoint customers](device-onboarding-offboarding-macos-intune-mde.md) |For macOS devices that are managed through Intune and that have Microsoft Defender for Endpoint (MDE) deployed to them |[JAMF Pro)](device-onboarding-offboarding-macos-jamfpro.md) | For macOS devices that are managed through JAMF Pro |[JAMF Pro for Microsoft Defender for Endpoint customers)](device-onboarding-offboarding-macos-jamfpro-mde.md)|For macOS devices that are managed through JAMF Pro and that have Microsoft Defender for Endpoint (MDE) deployed to them
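Review bot: in the macOS table under the renamed header, the link texts "[JAMF Pro)]" and "[JAMF Pro for Microsoft Defender for Endpoint customers)]" each carry a stray closing parenthesis inside the brackets, which renders as a literal ")" in the link label; remove both.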
-Once a device is onboarded, it should be visible in the devices list and also start reporting audit activity to Activity explorer.
+Once a device is onboarded, it should be visible in the devices list, and also start reporting audit activity to Activity explorer.
<!--### Permissions
Now that you have onboarded devices and can view the activity data in Activity e
- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md) - [Using Endpoint data loss prevention](endpoint-dlp-using.md) - [Learn about data loss prevention](dlp-learn-about-dlp.md)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](/windows/security/threat-protection/) - [Onboarding tools and methods for Windows machines](/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints)
compliance Endpoint Dlp Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-learn-about.md
description: "Endpoint data loss prevention extends monitoring of file activitie
You can use Microsoft Purview Data Loss Prevention (DLP) to monitor the actions that are being taken on items you've determined to be sensitive and to help prevent the unintentional sharing of those items. For more information on DLP, see [Learn about data loss prevention](dlp-learn-about-dlp.md).
-**Endpoint data loss prevention** (Endpoint DLP) extends the activity monitoring and protection capabilities of DLP to sensitive items that are physically stored on Windows 10, Windows 11, and macOS (three latest released versions) devices. Once devices are onboarded into the Microsoft Purview solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](create-test-tune-dlp-policy.md).
+**Endpoint data loss prevention** (Endpoint DLP) extends the activity monitoring and protection capabilities of DLP to sensitive items that are physically stored on Windows 10, Windows 11, and macOS (three latest released versions) devices. Once devices are onboarded into the Microsoft Purview solutions, the information about what users are doing with sensitive items is made visible in [activity explorer](data-classification-activity-explorer.md) and you can enforce protective actions on those items via [DLP policies](dlp-create-deploy-policy.md).
> [!TIP] > If you are looking for device control for removable storage, see [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](../security/defender-endpoint/device-control-removable-storage-access-control.md#microsoft-defender-for-endpoint-device-control-removable-storage-access-control). > [!NOTE]
-> In Microsoft Purview, DLP policy evaluation of sensitive items occurs centrally, so there is no time lag for policies and policy updates to be distributed to individual devices. When a policy is updated in compliance center, it generally takes about an hour for those updates to be synchronized across the service. Once policy updates are synchronized, items on targeted devices are automatically re-evaluated the next time they are accessed or modified.
+> In Microsoft Purview, DLP policy evaluation of sensitive items occurs centrally, so there is no time lag for policies and policy updates to be distributed to individual devices. When a policy is updated in compliance center, it generally takes about an hour for those updates to be synchronized across the service. Once policy updates are synchronized, items on targeted devices are automatically re-evaluated the next time they are accessed or modified. (Preview) For Authorized Groups changes, the policy will need 24 hours to sync
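Review bot: the sentence appended in the plus line, "(Preview) For Authorized Groups changes, the policy will need 24 hours to sync", has no terminal period and sits in a note that has just said policy updates synchronize in "about an hour"; make the exception explicit, for example "(Preview) Changes to Authorized Groups need 24 hours to sync.", and consider giving it its own line in the note so the two timings are not read as one claim.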
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
If you only want monitoring data from policy matches, you can turn off the **Alw
> If the **Always audit file activity for devices** setting is on, activities on any Word, PowerPoint, Excel, PDF, and .csv file are always audited even if the device is not targeted by any policy. > [!TIP]
-> To ensure activities are audited for all supported file types, create a [custom DLP policy](create-test-tune-dlp-policy.md).
+> To ensure activities are audited for all supported file types, create a [custom DLP policy](dlp-create-deploy-policy.md).
Endpoint DLP monitors activity-based on MIME type, so activities will be captured even if the file extension is changed for these files types:
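Review bot: the trailing context line "Endpoint DLP monitors activity-based on MIME type, so activities will be captured even if the file extension is changed for these files types:" has a stray hyphen in "activity-based" (it should be "activity based on MIME type") and "files types" should be "file types"; since the paragraph is already part of this diff's context, fix it in the same commit.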
Now that you've learned about Endpoint DLP, your next steps are:
- [Getting started with Microsoft Endpoint data loss prevention](endpoint-dlp-getting-started.md) - [Using Microsoft Endpoint data loss prevention](endpoint-dlp-using.md) - [Learn about data loss prevention](dlp-learn-about-dlp.md)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](../security/defender-endpoint/configure-machines-onboarding.md) - [Insider risk management](insider-risk-management.md)
compliance Endpoint Dlp Using https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/endpoint-dlp-using.md
To help familiarize you with Endpoint DLP features and how they surface in DLP p
> >- [Learn about Microsoft Purview Data Loss Prevention](dlp-learn-about-dlp.md) >- [Get started with the default DLP policy](get-started-with-the-default-dlp-policy.md)
->- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)
->- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)
+>- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
[!INCLUDE [purview-preview](../includes/purview-preview.md)]
You can also audit, block with override, or block these user upload sensitive it
1. Type in the appropriate value in the **Add new service domains to this group**. You can add multiple websites to a group and use wildcards to cover subdomains. For example, `www.contoso.com` for just the top level website or \*.contoso.com for corp.contoso.com, hr.contoso.com, fin.contoso.com 1. Select **Save**. 1. Select **Policies**.
-1. Create and scope a policy that is applied only to **Devices**. See, [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) for more information on how to create a policy.
+1. Create and scope a policy that is applied only to **Devices**. See, [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) for more information on how to create a policy.
1. Create a rule that uses the **The user accessed a sensitive site from Edge**, and the action **Audit or restrict activities on devices**. 1. In **Service domain and browser activities** select **Upload to a restricted cloud service domain or access from an unallowed browser** and set the action to **Audit only**. This sets the overall action for all the site groups. 1. Select the **Sensitive site groups** you want.
The user must be accessing the website through Microsoft Edge.
1. Type in the appropriate value in the **Add new service domains to this group**. You can add multiple websites to a group and use wildcards to cover subdomains. For example, `www.contoso.com` for just the top level website or \*.contoso.com for corp.contoso.com, hr.contoso.com, fin.contoso.com 1. Select **Save**. 1. Select **Policies**.
-1. Create and scope a policy that is applied only to **Devices**. See, [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) for more information on how to create a policy.
+1. Create and scope a policy that is applied only to **Devices**. See, [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) for more information on how to create a policy.
1. Create a rule that uses the **the user accessed a sensitive site from Edge**, and the action **Audit or restrict activities when users access sensitive sites in Microsoft Edge browser on Windows devices**. 1. In the action select **Add or remove Sensitive site groups**. 1. Select the **Sensitive site groups** you want. Any website under the group(s) you select here will be redirected to Edge when opened in Chrome browser (with Purview extension installed).
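Review bot: both plus lines in these two procedures keep the stray comma in "See, [Create and Deploy data loss prevention policies]"; drop the comma after "See". In the steps that follow, "Create a rule that uses the **The user accessed a sensitive site from Edge**, and the action" has a comma before "and" that splits the object of "uses", and the second procedure's "uses the **the user accessed a sensitive site from Edge**" doubles "the"; give the condition name the same capitalization in both procedures.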
Get-VpnConnection
- [Learn about Endpoint data loss prevention](endpoint-dlp-learn-about.md) - [Get started with Endpoint data loss prevention](endpoint-dlp-getting-started.md) - [Learn about data loss prevention](dlp-learn-about-dlp.md)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) - [Get started with Activity explorer](data-classification-activity-explorer.md) - [Microsoft Defender for Endpoint](/windows/security/threat-protection/) - [Onboard Windows 10 and Windows 11 devices into Microsoft Purview overview](/microsoft-365/compliance/device-onboarding-overview)
Get-VpnConnection
- [Azure Active Directory (AAD) joined](/azure/active-directory/devices/concept-azure-ad-join) - [Download the new Microsoft Edge based on Chromium](https://support.microsoft.com/help/4501095/download-the-new-microsoft-edge-based-on-chromium) - [Get started with the default DLP policy](get-started-with-the-default-dlp-policy.md)-- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
+
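Review bot: in the first Related-articles hunk of this file (the one preceded by `Get-VpnConnection`), the bullet "Create, test, and tune a DLP policy" is removed and no replacement bullet appears in the hunk as rendered here, whereas the second hunk replaces "Create a DLP policy from a template" with the new article; confirm that the first list still links to `dlp-create-deploy-policy.md`, otherwise that list loses its link to the policy-creation procedure. The final plus line adds only an empty line at the end of the file, which can be dropped.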
compliance Information Protection Solution https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/information-protection-solution.md
Deploy Microsoft Purview Data Loss Prevention (DLP) policies to govern and preve
|:|:-|:| |1|Learn about DLP. <br /><br /> Organizations have sensitive information under their control, such as financial data, proprietary data, credit card numbers, health records, or social security numbers. To help protect this sensitive data and reduce risk, they need a way to prevent their users from inappropriately sharing it with people who shouldn't have it. This practice is called data loss prevention (DLP).| [Learn about data loss prevention](dlp-learn-about-dlp.md)| |2|Plan your DLP implementation. <br /><br /> Every organization will plan for and implement data loss prevention (DLP) differently, because every organization's business needs, goals, resources, and situation are unique to them. However, there are elements that are common to all successful DLP implementations. | [Plan for data loss prevention](dlp-overview-plan-for-dlp.md)|
-|3|Design and create a DLP policy. <br /><br /> Creating a data loss prevention (DLP) policy is quick and easy, but getting a policy to yield the intended results can be time consuming if you have to do a lot of tuning. Taking the time to design a policy before you implement it will get you to the desired results faster, and with fewer unintended issues, than tuning by trial and error alone.| [Design a DLP policy](dlp-policy-design.md) <p> [DLP policy reference](dlp-policy-reference.md) <p>[Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)|
-|4|Tune your DLP policies. <br /><br /> After you deploy a DLP policy, you'll see how well it meets the intended purpose. Use that information to adjust your policy settings for better performance. | [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)|
+|3|Design and create a DLP policy. <br /><br /> Creating a data loss prevention (DLP) policy is quick and easy, but getting a policy to yield the intended results can be time consuming if you have to do a lot of tuning. Taking the time to design a policy before you implement it will get you to the desired results faster, and with fewer unintended issues, than tuning by trial and error alone.| [Design a DLP policy](dlp-policy-design.md) <p> [DLP policy reference](dlp-policy-reference.md) <p>[Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)|
+|4|Tune your DLP policies. <br /><br /> After you deploy a DLP policy, you'll see how well it meets the intended purpose. Use that information to adjust your policy settings for better performance. | [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)|
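Review bot: rows 3 and 4 now both link to "Create and Deploy data loss prevention policies", and row 4 is the "Tune your DLP policies" step that previously pointed at `create-test-tune-dlp-policy.md`; if the new article has no tuning section, row 4's description ("adjust your policy settings for better performance") no longer matches its link. Either link row 4 to the section of the new article that covers tuning, or fold row 4 into row 3 so the table does not list the same article twice.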
## Training resources
compliance Insider Risk Management Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-configure.md
A DLP policy is optional when using the following policy templates:
- Data leaks - Data leaks by priority users
-See the [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) article for step-by-step guidance to configure DLP policies for your organization. After you've configured a DLP policy, return to these configuration steps.
+See the [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) article for step-by-step guidance to configure DLP policies for your organization. After you've configured a DLP policy, return to these configuration steps.
### Configure priority user groups
compliance Insider Risk Management Plan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-plan.md
If you don't have an existing Microsoft 365 Enterprise E5 plan and want to try i
**Policy template requirements:** Depending on the policy template you choose, you need to be sure you understand the following requirements and plan accordingly prior to configuring insider risk management in your organization: - When using the **Data theft by departing users** template, you must configure a Microsoft 365 HR connector to periodically import resignation and termination date information for users in your organization. See the [Import data with the HR connector](import-hr-data.md) article for step-by-step guidance to configure the Microsoft 365 HR connector.-- When using the **Data leaks** template, you must configure at least one Microsoft Purview Data Loss Prevention (DLP) policy to define sensitive information in your organization and to receive insider risk alerts for High Severity DLP policy alerts. See the [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) article for step-by-step guidance to configure DLP policies.
+- When using the **Data leaks** template, you must configure at least one Microsoft Purview Data Loss Prevention (DLP) policy to define sensitive information in your organization and to receive insider risk alerts for High Severity DLP policy alerts. See the [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) article for step-by-step guidance to configure DLP policies.
- When using the **Security policy violation** template, you must enable Microsoft Defender for Endpoint for insider risk management integration in the Defender Security Center to import security violation alerts. For step-by-step guidance to enable Defender for Endpoint integration with insider risk management, see [Configure advanced features in Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/advanced-features). - When using the **Risky user** template, you must configure a Microsoft 365 HR connector to periodically import performance or demotion status information for users in your organization. See the [Import data with the HR connector](import-hr-data.md) article for step-by-step guidance to configure the Microsoft 365 HR connector.
compliance Insider Risk Management Policy Templates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-policy-templates.md
When creating or modifying data loss prevention policies for use with insider ri
Each insider risk management policy created from the **Data leaks** template can only have one DLP policy assigned when using this triggering event option. Consider creating a dedicated DLP policy that combines the different activities you want to detect and act as triggering events for insider risk policies that use the **Data leaks** template.
-See the [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md) article for step-by-step guidance to configure DLP policies for your organization.
+See the [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) article for step-by-step guidance to configure DLP policies for your organization.
### Data leaks by priority users (preview)
compliance Mip Easy Trials https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/mip-easy-trials.md
This policy is unobtrusive to users with no policy tip visible and no messages b
To see the results of this policy, use [DLP Activity Explorer](dlp-learn-about-dlp.md#dlp-activity-explorer).
-If you want to edit the DLP policy, see [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md).
+If you want to edit the DLP policy, see [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md).
## DLP for devices
This policy is unobtrusive to users with no policy tip visible and no actions bl
To see the results of this policy, use [DLP Activity Explorer](dlp-learn-about-dlp.md#dlp-activity-explorer).
-If you want to edit the DLP policy, see [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md).
+If you want to edit the DLP policy, see [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md).
## Additional resources
compliance Named Entities Learn https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/named-entities-learn.md
description: "Learn how named entities help you detect sensitive items containin
- [Microsoft Priva](/privacy/priv) - [Exact data match sensitive information types](sit-learn-about-exact-data-match-based-sits.md)
-DLP makes special use of named entities in *enhanced policy templates*, which are pre-configured DLP policies that you can customize for your organizations needs. You can also [create your own DLP policies](create-test-tune-dlp-policy.md) from a [blank template](create-a-dlp-policy-from-a-template.md)
- and use a named entity SIT as a condition.
+DLP makes special use of named entities in *enhanced policy templates*, which are pre-configured DLP policies that you can customize for your organizations needs. You can also [create your own DLP policies](dlp-create-deploy-policy.md) from a blank template and use a named entity SIT as a condition.
<!-- There are many other SITs that detect strings like social security, credit card, or bank account numbers to identify sensitive items. For more information, see [Sensitive information types entity definitions](sensitive-information-type-entity-definitions.md).-->
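Review bot: the plus line keeps "customize for your organizations needs", which needs the possessive "organization's needs". It also removes the link from "blank template" while keeping the phrase; if `create-a-dlp-policy-from-a-template.md` is being retired, link "blank template" to the part of `dlp-create-deploy-policy.md` that covers starting from a blank template, or reword to "create your own DLP policies and use a named entity SIT as a condition" so the reader is not sent looking for a template page that is no longer linked.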
Here are some examples of enhanced DLP policies that use named entity SITs. You
- [Retention labels](retention.md) - [Communication compliance](communication-compliance.md) - [Autolabeling policies](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-for-office-apps)-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)-- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
compliance Named Entities Use https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/named-entities-use.md
Named entity SITs and enhanced policies are not supported for:
## Create and edit enhanced policies
-To create or edit a DLP policy, use the procedures in [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md).
+To create or edit a DLP policy, use the procedures in [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)).
## Workloads and services that support named entities
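Review bot: the plus line ends with a doubled closing parenthesis, "(dlp-create-deploy-policy.md))", so a literal ")" will render after the link; remove one.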
Here are some practices you can use when you create or edit a policy that uses a
## For further information+ - [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md) - [Learn about named entities](named-entities-learn.md).-- [Create, test, and tune a DLP policy](create-test-tune-dlp-policy.md)-- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
compliance Protect Documents That Have Fci Or Other Properties https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/protect-documents-that-have-fci-or-other-properties.md
For more information, see [Manually request crawling and re-indexing of a site,
## More information - [Learn about data loss prevention](dlp-learn-about-dlp.md)--- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)-
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [Send notifications and show policy tips for DLP policies](use-notifications-and-policy-tips.md)- - [What the DLP policy templates include](what-the-dlp-policy-templates-include.md)- - [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)
compliance Retention Cmdlets https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-cmdlets.md
Don't use these cmdlets when the locations are for Teams private channel message
|Cmdlet|Description|Applicable locations| |:--|:--|:--|:--| |[Enable-ComplianceTagStorage](/powershell/module/exchange/enable-compliancetagstorage) <br /><br /> [Get-ComplianceTagStorage](/powershell/module/exchange/get-compliancetagstorage) |A one-time operation to create storage, or view that storage for retention labels |Exchange email <br /><br />SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups|
-|[Get-ComplianceTag](/powershell/module/exchange/get-compliancetag)<br /><br> [New-ComplianceTag](/powershell/module/exchange/new-compliancetag) <br /><br> [Remove-ComplianceTag](/powershell/module/exchange/remove-compliancetag) <br /><br> [Set-ComplianceTag](/powershell/module/exchange/set-compliancetag) |View, create, delete, configure retention labels for use with a retention label policy |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts<br /><br /> Microsoft 365 Groups|
+|[Get-ComplianceTag](/powershell/module/exchange/get-compliancetag)<br /><br> [New-ComplianceTag](/powershell/module/exchange/new-compliancetag) <br /><br> [Remove-ComplianceTag](/powershell/module/exchange/remove-compliancetag) <br /><br> [Set-ComplianceTag](/powershell/module/exchange/set-compliancetag) |View, create, delete, configure retention labels |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts<br /><br /> Microsoft 365 Groups|
|[Get-RecordReviewNotificationTemplateConfig](/powershell/module/exchange/get-recordreviewnotificationtemplateconfig) <br /><br /> [Set-RecordReviewNotificationTemplateConfig](/powershell/module/exchange/set-recordreviewnotificationtemplateconfig) |View or configure the disposition review notification and reminder settings |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups|
-|[Get-RetentionCompliancePolicy](/powershell/module/exchange/get-retentioncompliancepolicy) <br /><br /> [New-RetentionCompliancePolicy](/powershell/module/exchange/new-retentioncompliancepolicy) <br /><br /> [Remove-RetentionCompliancePolicy](/powershell/module/exchange/remove-retentioncompliancepolicy) <br /><br /> [Set-RetentionCompliancePolicy](/powershell/module/exchange/set-retentioncompliancepolicy) |View, create, delete, configure retention policies |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts<br /><br /> Microsoft 365 Groups <br /><br /> Skype for Business <br /><br /> Exchange public folders <br /><br /> Teams chat messages <br /><br /> Teams channel messages |
+|[Get-RetentionCompliancePolicy](/powershell/module/exchange/get-retentioncompliancepolicy) <br /><br /> [New-RetentionCompliancePolicy](/powershell/module/exchange/new-retentioncompliancepolicy) <br /><br /> [Remove-RetentionCompliancePolicy](/powershell/module/exchange/remove-retentioncompliancepolicy) <br /><br /> [Set-RetentionCompliancePolicy](/powershell/module/exchange/set-retentioncompliancepolicy) |View, create, delete, configure retention policies and retention label policies |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts<br /><br /> Microsoft 365 Groups <br /><br /> Skype for Business <br /><br /> Exchange public folders <br /><br /> Teams chat messages <br /><br /> Teams channel messages |
|[Get-RetentionComplianceRule](/powershell/module/exchange/get-retentioncompliancerule) <br /><br /> [New-RetentionComplianceRule](/powershell/module/exchange/new-retentioncompliancerule) <br /><br /> [Set-RetentionComplianceRule](/powershell/module/exchange/set-retentioncompliancerule) <br /><br /> [Remove-RetentionComplianceRule](/powershell/module/exchange/remove-retentioncompliancerule) | View, create, configure, delete settings (rules) for retention policies and retention labels |Exchange email <br /><br /> SharePoint sites <br /><br /> OneDrive accounts <br /><br /> Microsoft 365 Groups <br /><br /> Skype for Business <br /><br /> Exchange public folders <br /><br /> Teams chat messages <br /><br /> Teams channel messages | ## Retention cmdlets specific to Teams private channels and Yammer
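Review bot: the plus line for `Get-/New-/Remove-/Set-RetentionCompliancePolicy` extends the description to "retention policies and retention label policies" but leaves the "Applicable locations" cell unchanged, still listing Skype for Business, Exchange public folders, and Teams chat and channel messages; the retention-label rows in this same table (`Enable-ComplianceTagStorage` and `Get-ComplianceTag`) list only Exchange email, SharePoint sites, OneDrive accounts and Microsoft 365 Groups, so the row now implies locations for retention label policies that the label rows do not support. Either split the locations by policy kind in that cell or add a qualifier such as "(retention policies only)" after the extra locations. Also, the `Get-ComplianceTag` plus line still uses `<br /><br>` between cmdlet links where every other row uses `<br /><br />`.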
compliance Sensitivity Labels Sharepoint Onedrive Files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files.md
Uploading a labeled document, and then extracting and displaying that sensitivit
- **User access to content expires** is set to a value other than **Never**. - **Double Key Encryption** is selected.
- For labels with any of these encryption configurations, the labels aren't displayed to users in Office for the web. Additionally, the new capabilities can't be used with labeled documents that already have these encryption settings. For example, these documents won't be returned in search results, even if they are updated.
+ For labels with any of these encryption configurations, the labels aren't displayed to users in Office for the web. If they are parent labels, this means that users wonΓÇÖt see that label's sublabels, even if the sublabels aren't configured to apply encryption.
+
+ Additionally, the new capabilities can't be used with labeled documents that already have these encryption settings. For example, these documents won't be returned in search results, even if they are updated.
- For performance reasons, when you upload or save a document to SharePoint and the file's label doesn't apply encryption, the **Sensitivity** column in the document library can take a while to display the label name. Factor in this delay if you use scripts or automation that depend on the label name in this column.
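Review bot: the new sentence in the plus line, "If they are parent labels, this means that users wonΓÇÖt see that label's sublabels", uses a curly apostrophe in "won't" (it shows as "wonΓÇÖt" here) while the surrounding text uses straight apostrophes ("aren't", "can't", "won't"); use a straight apostrophe. The sentence also switches from plural "they" to singular "that label's"; "If such a label is a parent label, users won't see its sublabels either, even if the sublabels aren't configured to apply encryption" keeps the number consistent.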
compliance Sit Defn Canada Drivers License Number https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-defn-canada-drivers-license-number.md
Varies by province
Various patterns covering: -- Alberta-- British Columbia-- Manitoba-- New Brunswick-- Newfoundland/Labrador-- Nova Scotia-- Ontario-- Prince Edward Island-- Quebec-- Saskatchewan
+Alberta
+- six digits
+- a hyphen
+- three digits
+
+Or
+
+- five to nine digits
++
+British Columbia
+- seven digits
+
+Manitoba
+- two letters
+- optional hyphen
+- two letters
+- optional hyphen
+- two letters
+- optional hyphen
+- one letter
+- three digits
+- two letters
++
+New Brunswick
+- five to seven digits
+
+Newfoundland/Labrador
+- one letter
+- nine digits
++
+Nova Scotia
+- five letters
+- optional hyphen
+- one digit from 0-3 <!--Please clarify what you mean here: 0 or 1 or 2 or 3? -->
+- one digit
+- one digit zero or one
+- six digits
+
+Ontario
+- one letter
+- four digits
+- optional hyphen
+- five digits
+- one digit
+- one digit in 0/1/5/6 <!--Please clarify what you mean here-->
+- one digit
+- one digit from 0-3 <!--Please clarify what you mean here: 0 or 1 or 2 or 3? -->
+- one digit
++
+Prince Edward Island
+- five to six digits
+
+Quebec
+- one letter
+- twelve digits
+
+Saskatchewan
+- eight digits
+ ## Checksum
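Review bot: the Nova Scotia and Ontario pattern lists still carry unresolved author queries as HTML comments (`<!--Please clarify what you mean here: 0 or 1 or 2 or 3? -->`, `<!--Please clarify what you mean here-->`); they ship in the source and flag exactly the positions a detection engineer needs to be precise about, so resolve them here. Spell each constrained position as an explicit set in one consistent form, e.g. "one digit from 0 to 3 inclusive", "one digit that is 0, 1, 5 or 6", and bring "one digit zero or one" into the same wording. Two smaller points: make clear whether the Alberta "Or" alternative (five to nine digits) is a standalone pattern or a second part of the hyphenated form, and since the only thing added under the new `## Checksum` heading is the heading itself, say explicitly that no checksum is applied if that is the case, because short all-digit patterns such as Saskatchewan's eight digits will then rely entirely on supporting keywords to keep false positives down.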
compliance Sit Get Started Exact Data Match Test https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-get-started-exact-data-match-test.md
You can see where your EDM SIT is being used and how accurate it is in productio
Once you're satisfied with the results of your testing and tuning, your EDM based custom SIT is ready for use in information protection policies, like: -- [DLP policies](create-test-tune-dlp-policy.md#create-test-and-tune-a-dlp-policy)
+- [DLP policies](dlp-create-deploy-policy.md)
- [Auto-labeling policies](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-for-office-apps) - [Microsoft Defender for Cloud Apps](/cloud-app-security/data-protection-policies)
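Review bot: the replaced link carried a section anchor (`#create-test-and-tune-a-dlp-policy`) that took readers straight to the create/test/tune steps; the new link to dlp-create-deploy-policy.md has no anchor, so point it at the corresponding section of the new article if one exists rather than the top of the page.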
compliance Use Notifications And Policy Tips https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/use-notifications-and-policy-tips.md
You can customize the text for policy tips separately from the email notificatio
## More information - [Learn about data loss prevention](dlp-learn-about-dlp.md)-- [Create a DLP policy from a template](create-a-dlp-policy-from-a-template.md)
+- [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md)
- [DLP policy conditions, exceptions, and actions (preview)](./dlp-microsoft-teams.md) - [Create a DLP policy to protect documents with FCI or other properties](protect-documents-that-have-fci-or-other-properties.md) - [What the DLP policy templates include](what-the-dlp-policy-templates-include.md)
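Review bot: in the unchanged entry just below the new link, "DLP policy conditions, exceptions, and actions (preview)" points at ./dlp-microsoft-teams.md, a filename that doesn't match the title; since this PR is already updating the "More information" list, verify that target (and whether the "(preview)" qualifier is still accurate) rather than leaving a mismatched link next to a freshly corrected one.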
includes Office 365 Worldwide Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/office-365-worldwide-endpoints.md
<!--THIS FILE IS AUTOMATICALLY GENERATED. MANUAL CHANGES WILL BE OVERWRITTEN.--> <!--Please contact the Office 365 Endpoints team with any questions.-->
-<!--Worldwide endpoints version 2022112900-->
-<!--File generated 2022-11-29 08:00:04.4839-->
+<!--Worldwide endpoints version 2023013100-->
+<!--File generated 2023-01-31 08:00:04.3621-->
## Exchange Online ID | Category | ER | Addresses | Ports
- | | | - | --
-1 | Optimize<BR>Required | Yes | `outlook.office.com, outlook.office365.com`<BR>`13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128, 2a01:111:f400::/48` | **TCP:** 443, 80<BR>**UDP:** 443
-2 | Allow<BR>Required | Yes | `smtp.office365.com`<BR>`13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128, 2a01:111:f400::/48` | **TCP:** 587
-5 | Allow<BR>Optional<BR>**Notes:** Exchange Online IMAP4 migration | Yes | `*.outlook.office.com, outlook.office365.com`<BR>`13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128, 2a01:111:f400::/48` | **TCP:** 143, 993
-6 | Allow<BR>Optional<BR>**Notes:** Exchange Online POP3 migration | Yes | `*.outlook.office.com, outlook.office365.com`<BR>`13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128, 2a01:111:f400::/48` | **TCP:** 995
+ | | | -- | --
+1 | Optimize<BR>Required | Yes | `outlook.office.com, outlook.office365.com`<BR>`13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128` | **TCP:** 443, 80<BR>**UDP:** 443
+2 | Allow<BR>Required | Yes | `smtp.office365.com`<BR>`13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128` | **TCP:** 587
+5 | Allow<BR>Optional<BR>**Notes:** Exchange Online IMAP4 migration | Yes | `*.outlook.office.com, outlook.office365.com`<BR>`13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128` | **TCP:** 143, 993
+6 | Allow<BR>Optional<BR>**Notes:** Exchange Online POP3 migration | Yes | `*.outlook.office.com, outlook.office365.com`<BR>`13.107.6.152/31, 13.107.18.10/31, 13.107.128.0/22, 23.103.160.0/20, 40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14, 131.253.33.215/32, 132.245.0.0/16, 150.171.32.0/22, 204.79.197.215/32, 2603:1006::/40, 2603:1016::/36, 2603:1026::/36, 2603:1036::/36, 2603:1046::/36, 2603:1056::/36, 2620:1ec:4::152/128, 2620:1ec:4::153/128, 2620:1ec:c::10/128, 2620:1ec:c::11/128, 2620:1ec:d::10/128, 2620:1ec:d::11/128, 2620:1ec:8f0::/46, 2620:1ec:900::/46, 2620:1ec:a92::152/128, 2620:1ec:a92::153/128` | **TCP:** 995
8 | Default<BR>Required | No | `*.outlook.com` | **TCP:** 443, 80
-9 | Allow<BR>Required | Yes | `*.protection.outlook.com`<BR>`40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 52.238.78.88/32, 104.47.0.0/17, 2a01:111:f403::/48` | **TCP:** 443
+9 | Allow<BR>Required | Yes | `*.protection.outlook.com`<BR>`40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 52.238.78.88/32, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48` | **TCP:** 443
10 | Allow<BR>Required | Yes | `*.mail.protection.outlook.com`<BR>`40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 104.47.0.0/17, 2a01:111:f400::/48, 2a01:111:f403::/48` | **TCP:** 25 154 | Default<BR>Required | No | `autodiscover.<tenant>.onmicrosoft.com` | **TCP:** 443, 80
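Review bot: rows 1, 2, 5 and 6 drop `2a01:111:f400::/48` from the Exchange Online address list while row 9 (`*.protection.outlook.com`) gains it and row 10 already had it; anyone who builds per-category firewall or proxy allow lists from this table (Optimize/Allow, Required) will lose that IPv6 prefix from the Exchange rows and must now take it from the Exchange Online Protection rows instead. The file is generated, so this can't be edited by hand, but the version notes for 2023013100 should call the move out explicitly so downstream automation isn't surprised. The separator row change from `- | --` to `-- | --` is cosmetic.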
ID | Category | ER | Addresses | Ports
124 | Default<BR>Optional<BR>**Notes:** Sway | No | `sway.com, www.sway.com` | **TCP:** 443 125 | Default<BR>Required | No | `*.entrust.net, *.geotrust.com, *.omniroot.com, *.public-trust.com, *.symcb.com, *.symcd.com, *.verisign.com, *.verisign.net, apps.identrust.com, cacerts.digicert.com, cert.int-x3.letsencrypt.org, crl.globalsign.com, crl.globalsign.net, crl.identrust.com, crl3.digicert.com, crl4.digicert.com, isrg.trustid.ocsp.identrust.com, mscrl.microsoft.com, ocsp.digicert.com, ocsp.globalsign.com, ocsp.msocsp.com, ocsp2.globalsign.com, ocspx.digicert.com, secure.globalsign.com, www.digicert.com, www.microsoft.com` | **TCP:** 443, 80 126 | Default<BR>Optional<BR>**Notes:** Connection to the speech service is required for Office Dictation features. If connectivity is not allowed, Dictation will be disabled. | No | `officespeech.platform.bing.com` | **TCP:** 443
-128 | Default<BR>Required | No | `*.manage.microsoft.com` | **TCP:** 443
147 | Default<BR>Required | No | `*.office.com, www.microsoft365.com` | **TCP:** 443, 80 148 | Default<BR>Required | No | `cdnprod.myanalytics.microsoft.com, myanalytics.microsoft.com, myanalytics-gcc.microsoft.com` | **TCP:** 443, 80 152 | Default<BR>Optional<BR>**Notes:** These endpoints enables the Office Scripts functionality in Office clients available through the Automate tab. This feature can also be disabled through the Office 365 Admin portal. | No | `*.microsoftusercontent.com` | **TCP:** 443
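Review bot: row 128 (`*.manage.microsoft.com`, Default, Required, TCP 443) is removed and nothing in this hunk re-adds it. Every row in this table is tagged Required, so consumers who generate allow rules from it will silently drop the host; confirm it has moved to another endpoint set before this version ships, or add a note in the version header explaining the removal.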
ID | Category | ER | Addresses | Ports
158 | Default<BR>Required | No | `*.cortana.ai` | **TCP:** 443 159 | Default<BR>Required | No | `admin.microsoft.com` | **TCP:** 443, 80 160 | Default<BR>Required | No | `cdn.odc.officeapps.live.com, cdn.uci.officeapps.live.com` | **TCP:** 443, 80
+184 | Default<BR>Required | No | `*.cloud.microsoft` | **TCP:** 443, 80
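Review bot: row 184 adds the wildcard `*.cloud.microsoft` as Default, Required on TCP 443 and 80. Unlike the other additions in this file it is a new registrable domain rather than a new host under an existing one, so allow lists keyed on existing wildcards such as `*.office.com` or `*.microsoft.com` (rows 147 and 125) won't cover it; flag it in the version notes as a new domain that needs its own proxy and firewall entries.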
security Mdb Configure Security Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-configure-security-settings.md
ms.localizationpriority: medium Previously updated : 01/26/2023 Last updated : 01/31/2023 f1.keywords: NOCSH
Depending on whether you're using the Microsoft 365 Defender portal or Intune to
| Portal | Procedure | |:|:| | Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) |<ol><li>Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.</li><li>In the navigation pane, choose **Device configuration**. Policies are organized by operating system and policy type.</li><li>Select an operating system tab (such as **Windows clients**).</li><li>Expand **Next-generation protection** to view your list of policies.</li><li>Select a policy to view more details about the policy.</li><li>To make changes or to learn more about policy settings, see the following articles: <ul><li>[View or edit device policies](mdb-view-edit-policies.md)</li><li>[Understand next-generation configuration settings](mdb-next-gen-configuration-settings.md)</li></ul></li><ol> |
-| Microsoft Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)) |For help managing your security settings in Intune, start with [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security). <ol><li>Go to [https://intune.microsoft.com](https://intune.microsoft.com) and sign in. You're now in the Intune admin center.</li><li>Select **Endpoint security**.</li><li>Select **Antivirus** to view your policies in that category.</li></ol>|
+| Microsoft Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)) |For help with managing your security settings in Intune, start with [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security). <ol><li>Go to [https://intune.microsoft.com](https://intune.microsoft.com) and sign in. You're now in the Intune admin center.</li><li>Select **Endpoint security**.</li><li>Select **Antivirus** to view your policies in that category.</li></ol>|
## View or edit your firewall policies and custom rules
Depending on whether you're using the Microsoft 365 Defender portal or Intune to
| Portal | Procedure | |:|:| | Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) |<ol><li>Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), and sign in.</li><li>In the navigation pane, choose **Device configuration**. Policies are organized by operating system and policy type.</li><li>Select an operating system tab (such as **Windows clients**).</li><li>Expand **Firewall** to view your list of policies.</li><li>Select a policy to view the details. </li><li>To make changes or to learn more about policy settings, see the following articles:<ul><li>[View or edit device policies](mdb-view-edit-policies.md)</li><li>[Firewall settings](mdb-firewall.md)</li><li>[Manage your custom rules for firewall policies](mdb-custom-rules-firewall.md)</li><ul></li><ol> |
-| Microsoft Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)) |For help managing your security settings in Intune, start with [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security). <ol><li>Go to [https://intune.microsoft.com](https://intune.microsoft.com) and sign in. You're now in the Intune admin center.</li><li>Select **Endpoint security**.</li><li>Select **Firewall** to view your policies in that category. Custom rules that are defined for firewall protection are listed as separate policies.</li></ol>|
+| Microsoft Intune admin center ([https://intune.microsoft.com](https://intune.microsoft.com)) |For help with managing your security settings in Intune, start with [Manage endpoint security in Microsoft Intune](/mem/intune/protect/endpoint-security). <ol><li>Go to [https://intune.microsoft.com](https://intune.microsoft.com) and sign in. You're now in the Intune admin center.</li><li>Select **Endpoint security**.</li><li>Select **Firewall** to view your policies in that category. Custom rules that are defined for firewall protection are listed as separate policies.</li></ol>|
## Enable standard attack surface reduction rules
-[Attack surface reduction capabilities in Microsoft Defender for Business](mdb-asr.md)
+[Attack surface reduction capabilities](mdb-asr.md) in Defender for Business include:
+
+- Attack surface reduction rules (see [Enable your standard protection ASR rules](mdb-asr.md#enable-your-standard-protection-asr-rules)).
+- Controlled folder access (see [Set up controlled folder access](mdb-asr.md#set-up-controlled-folder-access)).
+- Network protection (on by default with [next-generation protection](mdb-next-gen-configuration-settings.md)).
+- Web protection (on by default with [web content filtering](#set-up-web-content-filtering)).
+- Firewall protection (on by default with [firewall policies](mdb-firewall.md)).
+
+There are three standard attack surface reduction rules you should turn on as soon as possible. See [Enable your standard protection ASR rules](mdb-asr.md#enable-your-standard-protection-asr-rules).
## Set up web content filtering
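Review bot: the new list says "There are three standard attack surface reduction rules you should turn on as soon as possible" without naming them, and links the same anchor (`mdb-asr.md#enable-your-standard-protection-asr-rules`) twice in the same hunk; since this is the action item, name the three rules inline (and, ideally, their rule GUIDs) and keep one link. While you are in this article, the unchanged portal table rows end with `<ol>` where `</ol>` is meant, and the firewall row has `<ul></li>` where `</ul></li>` is meant; the HTML is malformed in both tables and is worth fixing in the same PR.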
security TOC https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/TOC.md
### [Compare Microsoft endpoint security plans](defender-endpoint-plan-1-2.md) ### [Minimum requirements](minimum-requirements.md) ### [Supported Microsoft Defender for Endpoint capabilities by platform](supported-capabilities-by-platform.md)
-### [What's new]()
-#### [What's new in Microsoft Defender for Endpoint?](whats-new-in-microsoft-defender-endpoint.md)
-#### [What's new in Microsoft Defender for Endpoint on Windows](windows-whatsnew.md)
+### [What's new in Microsoft Defender for Endpoint?](whats-new-in-microsoft-defender-endpoint.md)
+### [What's new in Microsoft Defender for Endpoint on Windows](windows-whatsnew.md)
+### [What's new in Microsoft Defender for Endpoint on other platforms]()
+#### [What's new in Defender for Endpoint on macOS](mac-whatsnew.md)
+#### [What's new in Defender for Endpoint on Linux](linux-whatsnew.md)
+#### [What's new in Defender for Endpoint on Android](android-whatsnew.md)
+#### [What's new in Defender for Endpoint on iOS](ios-whatsnew.md)
++ ### [Preview features](preview.md) ### [Data storage and privacy](data-storage-privacy.md) ### [Overview of Microsoft Defender Security Center](use.md)
#### [Get started](mde-plan1-getting-started.md) #### [Maintenance and operations](mde-p1-maintenance-operations.md) ### [Microsoft Defender for Endpoint for US Government customers](gov.md)
-### [Microsoft Defender for Endpoint on non-Windows platforms](non-windows.md)
+### [Overview of Microsoft Defender for Endpoint on other platforms](non-windows.md)
+#### [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md)
+#### [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
+#### [Microsoft Defender for Endpoint on Android](microsoft-defender-endpoint-android.md)
+#### [Microsoft Defender for Endpoint on iOS](microsoft-defender-endpoint-ios.md)
+ ### [Antivirus solution compatibility with Defender for Endpoint](defender-compatibility.md)
-## [Evaluate capabilities](evaluation-lab.md)
+## [Evaluate capabilities]()
+### [Evaluate capabilities overview](evaluation-lab.md)
### [Microsoft defender for endpoint demonstrations]() #### [Microsoft Defender for Endpoint demonstration scenarios](defender-endpoint-demonstrations.md) #### [App reputation demonstration](defender-endpoint-demonstration-app-reputation.md)
#### [Onboarding using Microsoft Endpoint Configuration Manager](onboarding-endpoint-configuration-manager.md) #### [Onboarding using Microsoft Endpoint Manager](onboarding-endpoint-manager.md)
-## [Migration guides](migration-guides.md)
+## [Migration guides]()
+### [Migration guides overview](migration-guides.md)
### [Migrate Defender for Endpoint servers to Defender for Cloud](migrating-mde-server-to-cloud.md) ### [Migrate to Defender for Endpoint](switch-to-mde-overview.md) #### [Phase 1: Prepare](switch-to-mde-phase-1.md) #### [Phase 2: Setup](switch-to-mde-phase-2.md) #### [Phase 3: Onboard](switch-to-mde-phase-3.md)
-#### [Troubleshooting](switch-to-mde-troubleshooting.md)
-### [Manage Defender for Endpoint after migration](manage-mde-post-migration.md)
+
+### [Manage Defender for Endpoint after migration]()
+#### [Overview](manage-mde-post-migration.md)
#### [Use Intune (recommended)](manage-mde-post-migration-intune.md) #### [Use Configuration Manager](manage-mde-post-migration-configuration-manager.md) #### [Use Group Policy](manage-mde-post-migration-group-policy-objects.md) #### [Use PowerShell, WMI, or MPCmdRun.exe](manage-mde-post-migration-other-tools.md) #### [Updating MMA on Windows devices](update-agent-mma-windows.md)
-#### [Server migration scenarios](server-migration.md)
+#### [Server migration scenarios]()
+##### [Overview](server-migration.md)
##### [Migrating servers from Microsoft Monitoring Agent to the unified solution](application-deployment-via-mecm.md) ## [Onboard and configure devices]() ### [Onboard devices and configure Microsoft Defender for Endpoint capabilities](onboard-configure.md)
-### [Onboarding Windows Client](onboard-windows-client.md)
-#### [Onboard Windows Client using Intune](configure-endpoints-mdm.md)
-#### [Onboard Windows Client using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
-#### [Onboard Windows Client using Group Policy](configure-endpoints-gp.md)
-#### [Onboard Windows Client using a local script](configure-endpoints-script.md)
+### [Onboarding Windows Client]()
+#### [Onboarding Windows Client overview](onboard-windows-client.md)
+#### [Onboard Windows devices to Defender for Endpoint using Intune](configure-endpoints-mdm.md)
+#### [Onboard Windows devices to Defender for Endpoint using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)
+#### [Onboard Windows devices to Defender for Endpoint using Group Policy](configure-endpoints-gp.md)
+#### [Onboard Windows devices to Defender for Endpoint using a local script](configure-endpoints-script.md)
#### [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) #### [Onboard Windows 10 multi-session devices in Azure Virtual Desktop](onboard-windows-multi-session-device.md) #### [Onboard previous versions of Windows](onboard-downlevel.md) --
-### [Onboarding Windows Server](onboard-windows-server.md)
+### [Onboarding Windows Server]()
+#### [Onboarding Windows Server overview](onboard-windows-server.md)
#### [Onboard Windows Server 2012 R2, 2016, Semi-Annual Channel, 2019, and 2022](configure-server-endpoints.md)
-#### [Onboard Windows Server using Configuration Manager](configure-endpoints-sccm.md)
-#### [Onboard Windows Server devices using Group Policy](configure-endpoints-gp.md)
-#### [Onboard Windows Server using a local script](configure-endpoints-script.md)
+#### [Onboard Windows devices using Configuration Manager](configure-endpoints-sccm.md)
+#### [Onboard Windows devices using Group Policy](configure-endpoints-gp.md)
+#### [Onboard Windows devices using a local script](configure-endpoints-script.md)
#### [Onboard non-persistent virtual desktop infrastructure (VDI) devices](configure-endpoints-vdi.md) -
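Review bot: under "Onboarding Windows Server", the three retitled entries (Configuration Manager, Group Policy, local script) now read "Onboard Windows devices using ..." and point at the same files as the "Onboard Windows devices to Defender for Endpoint using ..." entries just added under "Onboarding Windows Client"; keep "Windows Server" in these titles so the two sections remain distinguishable, or drop the duplicates and link the client entries from the server section.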
-### [Microsoft Defender for Endpoint on other Operating Systems]()
+### [Microsoft Defender for Endpoint on other platforms]()
#### [Onboard non-Windows devices](configure-endpoints-non-windows.md)- #### [Microsoft Defender for Endpoint on macOS]()
-##### [Overview of Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac.md)
-##### [What's New](mac-whatsnew.md)
- ##### [Deploy]()
-###### [Microsoft Intune-based deployment](mac-install-with-intune.md)
+###### [Deployment with Microsoft Endpoint Manager](mac-install-with-intune.md)
###### [JAMF Pro-based deployment]() ####### [Deploying Microsoft Defender for Endpoint on macOS using Jamf Pro](mac-install-with-jamf.md) ####### [Login to Jamf Pro](mac-install-jamfpro-login.md)
####### [Set up policies](mac-jamfpro-policies.md) ####### [Enroll devices](mac-jamfpro-enroll-devices.md)
-###### [Deployment with a different Mobile Device Management (MDM) system](mac-install-with-other-mdm.md)
+###### [Deployment with Mobile Device Management (MDM) systems](mac-install-with-other-mdm.md)
###### [Manual deployment](mac-install-manually.md) ##### [Update](mac-updates.md)
-##### [Configure]()
-###### [Configure and validate exclusions](mac-exclusions.md)
-###### [Set preferences](mac-preferences.md)
-###### [Detect and block Potentially Unwanted Applications](mac-pua.md)
-###### [Protect macOS security settings using tamper protection](tamperprotection-macos.md)
-###### [Device control]()
-####### [Device control overview](mac-device-control-overview.md)
-####### [JAMF examples](mac-device-control-jamf.md)
-####### [Intune examples](mac-device-control-intune.md)
-###### [Schedule scans](mac-schedule-scan.md)
-
-##### [Troubleshoot]()
-###### [Troubleshoot installation issues](mac-support-install.md)
-###### [Troubleshoot performance issues](mac-support-perf.md)
-###### [Troubleshoot cloud connectivity](troubleshoot-cloud-connect-mdemac.md)
-###### [Troubleshoot kernel extension issues](mac-support-kext.md)
-###### [Troubleshoot license issues](mac-support-license.md)
-
-##### [Privacy](mac-privacy.md)
-##### [Resources](mac-resources.md)
- #### [Microsoft Defender for Endpoint on Linux]()
-##### [Overview of Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md)
-##### [What's New](linux-whatsnew.md)
##### [Deploy]()
-###### [Manual deployment](linux-install-manually.md)
###### [Puppet based deployment](linux-install-with-puppet.md) ###### [Ansible based deployment](linux-install-with-ansible.md)
+###### [Chef based deployment](linux-deploy-defender-for-endpoint-with-chef.md)
+###### [Manual deployment](linux-install-manually.md)
###### [Saltstack based deployment](linux-install-with-saltack.md)
-###### [Deploy Defender for Endpoint on Linux with Chef](linux-deploy-defender-for-endpoint-with-chef.md)
-##### [Update](linux-updates.md)
-##### [Configure]()
-###### [Configure and validate exclusions](linux-exclusions.md)
-###### [Static proxy configuration](linux-static-proxy-configuration.md)
-###### [Set preferences](linux-preferences.md)
-###### [Detect and block Potentially Unwanted Applications](linux-pua.md)
-###### [Schedule scans with Microsoft Defender for Endpoint on Linux](linux-schedule-scan-mde.md)
-###### [Schedule antivirus scan in Defender for Endpoint on Linux](schedule-antivirus-scan-in-mde.md)
-###### [Schedule an update of the Microsoft Defender for Endpoint (Linux)](linux-update-MDE-Linux.md)
-
-##### [Troubleshoot]()
-###### [Troubleshoot installation issues](linux-support-install.md)
-###### [Investigate agent health issues](health-status.md)
-###### [Troubleshoot cloud connectivity issues](linux-support-connectivity.md)
-###### [Troubleshoot RHEL 6 installation issues](linux-support-rhel.md)
-###### [Troubleshoot performance issues](linux-support-perf.md)
-###### [Troubleshoot missing events issues](linux-support-events.md)
-###### [Troubleshoot AuditD performance issues](troubleshoot-auditd-performance-issues.md)
-
-##### [Privacy](linux-privacy.md)
-##### [Resources](linux-resources.md)
+##### [Update](linux-updates.md)
#### [Mobile Threat Defense]()
-##### [Mobile Threat Defense Overview](mtd.md)
-
-##### [Microsoft Defender for Endpoint on Android]()
-###### [Overview of Microsoft Defender for Endpoint on Android](microsoft-defender-endpoint-android.md)
-###### [What's new](android-whatsnew.md)
-
-###### [Deploy]()
-####### [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](android-intune.md)
-
-###### [Configure]()
-####### [Configure Microsoft Defender for Endpoint on Android features](android-configure.md)
-####### [Configure Microsoft Defender for Endpoint risk signals using app protection policy](android-configure-mam.md)
-
-###### [Privacy]()
-####### [Microsoft Defender for Endpoint on Android - Privacy information](android-privacy.md)
-
-###### [Troubleshoot]()
-####### [Troubleshoot issues](android-support-signin.md)
-
-##### [Microsoft Defender for Endpoint on iOS]()
-###### [Overview of Microsoft Defender for Endpoint on iOS](microsoft-defender-endpoint-ios.md)
-###### [What's New](ios-whatsnew.md)
-
-###### [Deploy]()
-####### [Deploy Microsoft Defender for Endpoint on iOS via Intune](ios-install.md)
-####### [Deploy Microsoft Defender for Endpoint on iOS for unenrolled devices](ios-install-unmanaged.md)
-
-###### [Configure iOS features](ios-configure-features.md)
-
-###### [FAQs and Troubleshooting](ios-troubleshoot.md)
-
-###### [Privacy](ios-privacy.md)
--
+##### [Deploy]()
+###### [Deployment on Android with Microsoft Endpoint Manager](android-intune.md)
+###### [Deployment on iOS via Microsoft Endpoint Manager](ios-install.md)
+###### [Deployment on iOS with Mobile Application Manager](ios-install-unmanaged.md)
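Review bot: this hunk removes the Mobile Threat Defense overview (mtd.md), the Android troubleshooting entry (android-support-signin.md) and the iOS "FAQs and Troubleshooting" entry (ios-troubleshoot.md), and nothing in the visible changes re-adds them, whereas the what's-new, privacy and configure pages for the same platforms are re-homed elsewhere in this patch; add them under the new "## Troubleshoot" section or confirm the pages are being retired, otherwise they become unreachable from the TOC. Two naming points: "Deployment on iOS with Mobile Application Manager" should read "Mobile Application Management (MAM)", matching the android-configure-mam.md entry, and "Microsoft Endpoint Manager" in these titles (and in the macOS "Deployment with Microsoft Endpoint Manager" entry above) is inconsistent with "Microsoft Intune admin center" used elsewhere in this update.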
### [Integration with Microsoft Defender for Cloud](azure-server-integration.md)
-### [Run a detection test on a newly onboarded device](run-detection-test.md)
+### [Run a detection test on a newly onboarded Microsoft Defender for Endpoint](run-detection-test.md)
### [Run simulated attacks on devices](attack-simulations.md) ### [Onboard devices without Internet access](onboard-offline-machines.md) ### [Configure proxy and Internet connectivity settings](configure-proxy-internet.md)+
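Review bot: the retitled entry "Run a detection test on a newly onboarded Microsoft Defender for Endpoint" no longer says what was onboarded; the original "newly onboarded device" was correct, so keep "device" in the new title.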
+### [Configure Microsoft Defender for Endpoint on macOS]()
+#### [Configure and validate exclusions](mac-exclusions.md)
+#### [Set preferences](mac-preferences.md)
+#### [Detect and block Potentially Unwanted Applications](mac-pua.md)
+#### [Protect macOS security settings using tamper protection](tamperprotection-macos.md)
+#### [Device control]()
+##### [Device control overview](mac-device-control-overview.md)
+##### [JAMF examples](mac-device-control-jamf.md)
+##### [Intune examples](mac-device-control-intune.md)
+
+#### [Schedule scans](mac-schedule-scan.md)
+
+### [Configure Microsoft Defender for Endpoint on Linux]()
+#### [Configure and validate exclusions](linux-exclusions.md)
+#### [Static proxy configuration](linux-static-proxy-configuration.md)
+#### [Set preferences](linux-preferences.md)
+#### [Detect and block Potentially Unwanted Applications](linux-pua.md)
+#### [Schedule scans with Microsoft Defender for Endpoint on Linux](linux-schedule-scan-mde.md)
+#### [Schedule antivirus scan in Defender for Endpoint on Linux](schedule-antivirus-scan-in-mde.md)
+#### [Schedule an update of the Microsoft Defender for Endpoint (Linux)](linux-update-MDE-Linux.md)
+
+### [Configure Mobile Threat Defense]()
+#### [Configure Microsoft Defender for Endpoint on Android features](android-configure.md)
+#### [Configure Microsoft Defender for Endpoint on Android risk signals using app protection policy](android-configure-mam.md)
+#### [Configure Microsoft Defender for Endpoint on iOS features](ios-configure-features.md)
+ ### [Create an onboarding or offboarding notification rule](onboarding-notification.md)
-### [Manage Microsoft Defender for Endpoint configuration settings on devices with Microsoft Endpoint Manager](/mem/intune/protect/mde-security-integration?bc=%2Fmicrosoft-365%2Fsecurity%2Fdefender-endpoint%2Fbreadcrumb%2Ftoc.json&toc=%2Fmicrosoft-365%2Fsecurity%2Fdefender-endpoint%2Ftoc.json)
+### [Manage Microsoft Defender for Endpoint configuration settings on devices with Microsoft Endpoint Manager](security-config-management.md)
-### [Troubleshoot onboarding issues]()
-#### [Troubleshoot issues during onboarding](troubleshoot-onboarding.md)
-#### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages.md)
-#### [Troubleshoot security configuration management onboarding issues](troubleshoot-security-config-mgt.md)
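Review bot: the "Manage Microsoft Defender for Endpoint configuration settings ..." link changes from the Intune article (with the `bc`/`toc` parameters that rendered it inside this TOC) to a local security-config-management.md; make sure that file exists in this folder, or the entry goes dark. The three "Troubleshoot onboarding issues" entries removed here reappear under "## Troubleshoot" later in this patch, so that part is a move rather than a deletion.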
### [Configure portal settings]() #### [Configure general Defender for Endpoint settings](preferences-setup.md)
### [Endpoint Attack Notifications](endpoint-attack-notifications.md)
+### [Experts on Demand](experts-on-demand.md)
+ ## Reference ### [Understand threat intelligence concepts](threat-indicator-concepts.md) ### [Advanced deployment guidance - Microsoft Defender for Endpoint on Linux](comprehensive-guidance-on-linux-deployment.md)
###### [Get access with application context](exposed-apis-create-app-webapp.md) ###### [Get access with user context](exposed-apis-create-app-nativeapp.md) -- ##### [Microsoft Defender for Endpoint APIs Schema]() ###### [Supported Microsoft Defender for Endpoint APIs](exposed-apis-list.md) ###### [Common REST API error codes](common-errors.md)
###### [Using OData Queries](exposed-apis-odata-samples.md) ###### [Advanced Hunting with PowerShell API Guide](exposed-apis-full-sample-powershell.md) - #### [Raw data streaming API]() ##### [Raw data streaming](raw-data-export.md) ##### [Stream advanced hunting events to Azure Events hub](raw-data-export-event-hub.md)
###### [Using device groups](machine-groups.md) ###### [Create and manage device tags](machine-tags.md) ------ ### [Managed security service provider (MSSP) integration]() #### [Configure managed security service provider integration](configure-mssp-support.md) #### [Grant MSSP access to the portal](grant-mssp-access.md)
### [Access the Microsoft Defender for Endpoint Community Center](community.md)
+### [Privacy for Microsoft Defender for Endpoint on macOS](mac-privacy.md)
+### [Privacy for Microsoft Defender for Endpoint on Linux](linux-privacy.md)
+### [Privacy for Microsoft Defender for Endpoint on Android](android-privacy.md)
+### [Privacy for Microsoft Defender for Endpoint on ios](ios-privacy.md)
### [Helpful resources](helpful-resources.md)
+### [Resources for Microsoft Defender for Endpoint on macOS](mac-resources.md)
+### [Resources for Microsoft Defender for Endpoint on Linux](linux-resources.md)
## [Troubleshoot]()
+### [Troubleshoot onboarding issues]()
+#### [Troubleshoot issues during onboarding](troubleshoot-onboarding.md)
+#### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages.md)
+#### [Troubleshoot security configuration management onboarding issues](troubleshoot-security-config-mgt.md)
+
+### [Troubleshooting migration issues](switch-to-mde-troubleshooting.md)
+ ### [Troubleshoot sensor state]() #### [Check sensor state](check-sensor-status.md) #### [Fix unhealthy sensors](fix-unhealthy-sensors.md) #### [Inactive devices](fix-unhealthy-sensors.md#inactive-devices) #### [Misconfigured devices](fix-unhealthy-sensors.md#misconfigured-devices)
-#### [Review sensor events and errors on machines with Event Viewer](event-error-codes.md)
+#### [Review sensor events and errors on machines using Event Viewer](event-error-codes.md)
+
+### [Troubleshoot Microsoft Defender for Endpoint on macOS]()
+#### [Troubleshoot installation issues](mac-support-install.md)
+#### [Troubleshoot performance issues](mac-support-perf.md)
+#### [Troubleshoot cloud connectivity](troubleshoot-cloud-connect-mdemac.md)
+#### [Troubleshoot kernel extension issues](mac-support-kext.md)
+#### [Troubleshoot license issues](mac-support-license.md)
+
+### [Troubleshoot Microsoft Defender for Endpoint on Linux]()
+#### [Troubleshoot installation issues](linux-support-install.md)
+#### [Investigate agent health issues](health-status.md)
+#### [Troubleshoot cloud connectivity issues](linux-support-connectivity.md)
+#### [Troubleshoot RHEL 6 installation issues](linux-support-rhel.md)
+#### [Troubleshoot performance issues](linux-support-perf.md)
+#### [Troubleshoot missing events issues](linux-support-events.md)
+++
+### [Troubleshoot Mobile Threat Defense]()
+#### [Troubleshoot Microsoft Defender for Endpoint on Android issues](android-support-signin.md)
+#### [Troubleshoot Microsoft Defender for Endpoint on iOS issues](ios-troubleshoot.md)
### [Troubleshoot sensor health issues using Client Analyzer]() #### [Client analyzer overview](overview-client-analyzer.md)
#### [Understand the analyzer HTML report](analyzer-report.md) #### [Provide feedback on the client analyzer tool](analyzer-feedback.md)
-
- ### [Troubleshoot Microsoft Defender for Endpoint service issues]() #### [Troubleshoot service issues](troubleshoot-mdatp.md) #### [Contact Microsoft Defender for Endpoint support](contact-support.md)
## [Defender for Business](../defender-business/index.yml) ## [Defender Vulnerability Management](../defender-vulnerability-management/index.yml) +++++++++++++++++++++++++++++++++++++++++++++++++++++
+
+++++++
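Review bot: the new privacy entry `### [Privacy for Microsoft Defender for Endpoint on ios](ios-privacy.md)` lowercases "ios" while its macOS, Linux and Android siblings use product capitalization; change it to "iOS". The new `### [Troubleshooting migration issues](switch-to-mde-troubleshooting.md)` entry is also the only item in the Troubleshoot section written as "Troubleshooting ..." rather than "Troubleshoot ...", and the stray `+++` line between the Linux and Mobile Threat Defense blocks looks like blank-line churn that should be collapsed before merge.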
security Android Configure Mam https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure-mam.md
Title: Configure Microsoft Defender for Endpoint risk signals using App Protection Policies (MAM)
+ Title: Configure Microsoft Defender for Endpoint on Android risk signals using App Protection Policies (MAM)
description: Describes how to configure Microsoft Defender for Endpoint risk signals using App Protection policies keywords: microsoft, defender, Microsoft Defender for Endpoint, mde, android, configuration, MAM, App Protectection Policies, Managed app search.product: eADQiWindows 10XVcnh
-# Configure Microsoft Defender for Endpoint risk signals using App Protection Policies (MAM)
+# Configure Microsoft Defender for Endpoint on Android risk signals using App Protection Policies (MAM)
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
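Review bot: the title and H1 gain "on Android" but the `description:` metadata on the same page still reads "Describes how to configure Microsoft Defender for Endpoint risk signals using App Protection policies", so search snippets will not match the new title; update it to say "on Android" too, and fix the "App Protectection Policies" typo in the keywords while touching the front matter.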
security Android Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-intune.md
Title: Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune
-description: Describes how to deploy Microsoft Defender for Endpoint on Android with Microsoft Intune
+ Title: Deploy Microsoft Defender for Endpoint on Android with Microsoft Endpoint Manager
+description: Describes how to deploy Microsoft Defender for Endpoint on Android with Microsoft Endpoint Manager
keywords: microsoft, defender, Microsoft Defender for Endpoint, mde, android, installation, deploy, uninstallation, ms.mktglfcycl: deploy
search.appverid: met150
-# Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune
+# Deploy Microsoft Defender for Endpoint on Android with Microsoft Endpoint Manager
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
search.appverid: met150
> Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-exposedapis-abovefoldlink)
-Learn how to deploy Defender for Endpoint on Android on Intune Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll your device](/mem/intune/user-help/enroll-device-android-company-portal).
+Learn how to deploy Defender for Endpoint on Android on Microsoft Endpoint Manager (also known as Intune) Company Portal enrolled devices. For more information about Microsoft Endpoint Manager device enrollment, see [Enroll your device](/mem/intune/user-help/enroll-device-android-company-portal).
> [!NOTE] > **Defender for Endpoint on Android is now available on [Google Play](https://play.google.com/store/apps/details?id=com.microsoft.scmx)** >
-> You can connect to Google Play from Intune to deploy Defender for Endpoint app across Device Administrator and Android Enterprise enrollment modes.
+> You can connect to Google Play from Microsoft Endpoint Manager to deploy Defender for Endpoint app across Device Administrator and Android Enterprise enrollment modes.
> > Updates to the app are automatic via Google Play. ## Deploy on Device Administrator enrolled devices
-Learn how to deploy Defender for Endpoint on Android on Intune Company Portal - Device Administrator enrolled devices.
+Learn how to deploy Defender for Endpoint on Android with Microsoft Endpoint Manager Company Portal - Device Administrator enrolled devices.
### Add as Android store app
Learn how to deploy Defender for Endpoint on Android on Intune Company Portal -
Defender for Endpoint on Android supports Android Enterprise enrolled devices.
-For more information on the enrollment options supported by Intune, see [Enrollment Options](/mem/intune/enrollment/android-enroll).
+For more information on the enrollment options supported by Microsoft Endpoint Manager (Intune), see [Enrollment Options](/mem/intune/enrollment/android-enroll).
**Currently, Personally owned devices with work profile and Corporate-owned fully managed user device enrollments are supported for deployment.**
Follow the steps below to add Microsoft Defender for Endpoint app into your mana
:::image type="content" source="images/fa4ac18a6333335db3775630b8e6b353.png" alt-text="The page displaying the synced application" lightbox="images/fa4ac18a6333335db3775630b8e6b353.png":::
-9. Defender for Endpoint supports App configuration policies for managed devices via Intune. This capability can be leveraged to select different configurations for Defender.
+9. Defender for Endpoint supports App configuration policies for managed devices via Microsoft Endpoint Manager (Intune). This capability can be leveraged to select different configurations for Defender.
1. In the **Apps** page, go to **Policy > App configuration policies > Add > Managed devices**.
Follow the steps below to add Microsoft Defender for Endpoint app into your mana
### Auto Setup of Always-on VPN
-Defender for Endpoint supports Device configuration policies for managed devices via Intune. This capability can be leveraged to **Auto setup of Always-on VPN** on Android Enterprise enrolled devices, so the end user does not need to set up VPN service while onboarding.
+Defender for Endpoint supports Device configuration policies for managed devices via Microsoft Endpoint Manager (Intune). This capability can be leveraged to **Auto setup of Always-on VPN** on Android Enterprise enrolled devices, so the end user does not need to set up VPN service while onboarding.
1. On **Devices**, select **Configuration Profiles** \> **Create Profile** \> **Platform** \> **Android Enterprise**
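Review bot: the Intune-to-Microsoft Endpoint Manager rename is applied inconsistently on this page: the unchanged line "Learn how to deploy Defender for Endpoint on Android on Intune Company Portal -" still says Intune, and the parenthetical alternates between "(also known as Intune)" and "(Intune)". Pick one form, use it at first mention only, and drop it from later mentions. Also, "Learn how to deploy Defender for Endpoint on Android with Microsoft Endpoint Manager Company Portal - Device Administrator enrolled devices" reads worse than the original "on ... Company Portal - Device Administrator enrolled devices"; keep the original preposition and only swap the product name.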
security Configure Proxy Internet https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-proxy-internet.md
However, if the connectivity check results indicate a failure, an HTTP error is
- [Use Group Policy settings to configure and manage Microsoft Defender Antivirus](use-group-policy-microsoft-defender-antivirus.md) - [Onboard Windows devices](configure-endpoints.md) - [Troubleshoot Microsoft Defender for Endpoint onboarding issues](troubleshoot-onboarding.md)
+- [Onboard devices without Internet access to Microsoft Defender for Endpoint](onboard-offline-machines.md)
security Deployment Rings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-rings.md
search.appverid: met150 Last updated : 01/31/2023 # Deploy Microsoft Defender for Endpoint in rings
The following table shows the supported endpoints and the corresponding tool you
|Endpoint|Deployment tool| |||
-|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md) <br> NOTE: If you want to deploy more than 10 devices in a production environment, use the Group Policy method instead or the other supported tools listed below.<br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) |
+|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md)|
+|**Windows servers<br><br>Linux servers** | [Integration with Microsoft Defender for Cloud](azure-server-integration.md)
|**macOS**|[Local script](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md)|
-|**Linux Server**|[Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)|
-|**iOS**|[Microsoft Endpoint Manager](ios-install.md)|
+|**Linux servers**|[Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md) <br> [Chef](linux-deploy-defender-for-endpoint-with-chef.md)<br> [Saltstack](linux-install-with-saltack.md)|
|**Android**|[Microsoft Endpoint Manager](android-intune.md)|
+|**iOS**|[Microsoft Endpoint Manager](ios-install.md) <br> [Mobile Application Manager](ios-install-unmanaged.md) |
+ ### Full deployment
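Review bot: the new `**Windows servers<br><br>Linux servers**` row is missing its closing `|`, so some Markdown renderers will drop or merge the cell. Removing the NOTE about using Group Policy or another supported tool for more than 10 devices from the Windows row also drops guidance that appears nowhere else in the table; "up to 10 devices" alone does not tell the reader what to use at scale, so keep the note or move it below the table. Check the Saltstack link target `linux-install-with-saltack.md` ("saltack" reads like a typo for "saltstack" unless the file really is named that way), and "Mobile Application Manager" in the iOS row should be "Mobile Application Management (MAM)", which is what the linked page covers.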
security Deployment Strategy https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/deployment-strategy.md
The following table lists the supported endpoints and the corresponding deployme
|Endpoint|Deployment tool| ||| |**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md)|
+|**Windows servers<br><br>Linux servers** | [Integration with Microsoft Defender for Cloud](azure-server-integration.md)
|**macOS**|[Local script](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md)|
-|**Linux Server**|[Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)|
-|**iOS**|[App-based](ios-install.md)|
+|**Linux servers**|[Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md) <br> [Chef](linux-deploy-defender-for-endpoint-with-chef.md)<br> [Saltstack](linux-install-with-saltack.md)|
|**Android**|[Microsoft Endpoint Manager](android-intune.md)|
+|**iOS**|[Microsoft Endpoint Manager](ios-install.md) <br> [Mobile Application Manager](ios-install-unmanaged.md) |
+ ## Step 3: Configure capabilities
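Review bot: the new `**Windows servers<br><br>Linux servers**` row lacks a closing `|` and will not render reliably as a table row. The Saltstack link points at `linux-install-with-saltack.md`; verify the filename, since "saltack" looks like a typo for "saltstack". The iOS row's "Mobile Application Manager" should read "Mobile Application Management (MAM)", the Intune term for the app-protection-policy path that `ios-install-unmanaged.md` describes.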
security Device Control Removable Storage Access Control Faq https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control-faq.md
- tier3 Previously updated : 11/21/2022 Last updated : 01/31/2023 search.appverid: met150
DeviceFileEvents
:::image type="content" alt-text="Screenshot of right-click menu for disk drives in Device Manager." source="https://user-images.githubusercontent.com/81826151/181859852-00bc8b11-8ee5-4d46-9770-fa29f894d13f.png":::
+Another way is to deploy an Audit policy to the organization, and see the events in advanced hunting or the device control report.
## How do I find Sid or ComputerSid for Azure AD group?
Different from AD group, the Sid or ComputerSid is using Object Id for Azure AD
![image](https://user-images.githubusercontent.com/81826151/200895994-cc395452-472f-472e-8d56-351165d341a7.png)
+## Why is my printer blocked in my organization?
+
+The **Default Enforcement** setting is for all device control components, which means if you set it to `Deny`, it will block all printers as well. You can either create custom policy to explictly allow printers or you can replace the Default Enforcement policy with a custom policy.
+
+## Can I use both Group Policy and Intune deploy policies?
+
+You can use Group Policy and Intune to manage device control, but for one machine, use *either* Group Policy *or* Intune. If a machine is covered by both, device control will only apply the Group Policy setting.
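Review bot: "explictly" in the printer answer should be "explicitly", and the question "Can I use both Group Policy and Intune deploy policies?" should read "... to deploy policies?". The answer's key point, that Group Policy wins when both target the same machine, deserves to be stated as a precedence rule up front (for example, "If both apply to a machine, the Group Policy setting takes precedence and the Intune policy is ignored"), because an admin who pushes a stricter Intune policy will otherwise not understand why it has no effect.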
security Device Control Report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-report.md
ms.mktglfcycl: deploy
ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium Previously updated : 11/30/2022 Last updated : 01/31/2023
search.appverid: met150
# Device control report
+Microsoft Defender for Endpoint device control protects against data loss by monitoring and controlling media use by devices in your organization, such as using removable storage devices and USB drives.
+
+You can use device control events through **Advanced hunting** and **Device control report**.
+
+## Advanced hunting
+ **Applies to:** -- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-Microsoft Defender for Endpoint device control protects against data loss by monitoring and controlling media use by devices in your organization, such as using removable storage devices and USB drives.
+The [Microsoft 365 Defender portal](https://security.microsoft.com/advanced-hunting) shows events triggered by the Device Control Removable Storage Access Control and Printer Protection. To access the Microsoft 365 Defender portal, you must have the following subscription:
+
+- Microsoft 365 for E5 reporting
+
+- **RemovableStoragePolicyTriggered:** Shows the event triggered by Disk and file system level enforcement for both printer and removable storage when the `AuditAllowed` or `AuditDenied` is configured in your policy and **Send event** is selected in **Options**.
+- **RemovableStorageFileEvent:** Shows the event triggered by the Evidence file feature for both printer and removable storage when **Options** 8 is configured in **Allow** Entry.
+
+The event will be sent to Advanced hunting or the device control report for every covered access (`AccessMask` in the entry), regardless of whether it was initiated by the system or by the user who signed in.
+
+```kusto
+//RemovableStoragePolicyTriggered: event triggered by Disk and file system level enforcement for both Printer and Removable storage based on your policy
+DeviceEvents
+| where ActionType == "RemovableStoragePolicyTriggered"
+| extend parsed=parse_json(AdditionalFields)
+| extend RemovableStorageAccess = tostring(parsed.RemovableStorageAccess)
+| extend RemovableStoragePolicyVerdict = tostring(parsed.RemovableStoragePolicyVerdict)
+| extend MediaBusType = tostring(parsed.BusType)
+| extend MediaClassGuid = tostring(parsed.ClassGuid)
+| extend MediaClassName = tostring(parsed.ClassName)
+| extend MediaDeviceId = tostring(parsed.DeviceId)
+| extend MediaInstanceId = tostring(parsed.DeviceInstanceId)
+| extend MediaName = tostring(parsed.MediaName)
+| extend RemovableStoragePolicy = tostring(parsed.RemovableStoragePolicy)
+| extend MediaProductId = tostring(parsed.ProductId)
+| extend MediaVendorId = tostring(parsed.VendorId)
+| extend MediaSerialNumber = tostring(parsed.SerialNumber)
+|project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, RemovableStorageAccess, RemovableStoragePolicyVerdict, MediaBusType, MediaClassGuid, MediaClassName, MediaDeviceId, MediaInstanceId, MediaName, RemovableStoragePolicy, MediaProductId, MediaVendorId, MediaSerialNumber, FolderPath, FileSize
+| order by Timestamp desc
+```
+
+```kusto
+//information of the evidence file
+DeviceEvents
+| where ActionType contains "RemovableStorageFileEvent"
+| extend parsed=parse_json(AdditionalFields)
+| extend Policy = tostring(parsed.Policy)
+| extend PolicyRuleId = tostring(parsed.PolicyRuleId)
+| extend MediaClassName = tostring(parsed.ClassName)
+| extend MediaInstanceId = tostring(parsed.InstanceId)
+| extend MediaName = tostring(parsed.MediaName)
+| extend MediaProductId = tostring(parsed.ProductId)
+| extend MediaVendorId = tostring(parsed.VendorId)
+| extend MediaSerialNumber = tostring(parsed.SerialNumber)
+| extend FileInformationOperation = tostring(parsed.DuplicatedOperation)
+| extend FileEvidenceLocation = tostring(parsed.TargetFileLocation)
+| project Timestamp, DeviceId, DeviceName, InitiatingProcessAccountName, ActionType, Policy, PolicyRuleId, FileInformationOperation, MediaClassName, MediaInstanceId, MediaName, MediaProductId, MediaVendorId, MediaSerialNumber, FileName, FolderPath, FileSize, FileEvidenceLocation, AdditionalFields
+| order by Timestamp desc
+```
++
+## Device control report
+
+**Applies to:**
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
With the device control report, you can view events that relate to media usage. Such events include:
With the device control report, you can view events that relate to media usage.
> [!NOTE] > The audit event to track media usage is enabled by default for devices onboarded to Microsoft Defender for Endpoint.
-## Understanding the audit events
+### Understanding the audit events
The audit events include:
The audit events include:
- **PnP:** Plug and Play audit events are generated when removable storage, a printer, or Bluetooth media is connected. - **Removable storage access control:** Events are generated when a removable storage access control policy is triggered. It can be Audit, Block, or Allow.
-## Monitor device control security
+### Monitor device control security
-Device control in Defender for Endpoint empowers security administrators with tools that enable them to track their organization's device control security through reports. You can find the device control report in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Go to **Reports** > **General** > **Security report**. Find **Device control** card, and select the link to open the report.
+Device control in Defender for Endpoint empowers security administrators with tools that enable them to track their organization's device control security through reports. You can find the device control report in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)). Go to **Reports** > **Endpoints**. Find **Device control** card, and select the link to open the report.
-The Device protection card on the **Reports** dashboard shows the number of audit events generated by media type, over the last 180 days.
+The Device protection card on the **Reports** dashboard shows the number of audit events generated by media type, over the last 180 days; the raw events under the **View details** shows events over the last 30 days.
-The **View details** button shows more media usage data in the **device control report** page.
+The **View details** button shows more media usage data in the **Device control report** page.
The page provides a dashboard with aggregated number of events per type and a list of events and shows 500 events per page, but Administrators can scroll down to see more events and can filter on time range, media class name, and device ID.
To see the security of the device, select the **Open device page** button on the
> [!div class="mx-imgBorder"] > :::image type="content" source="images/Devicesecuritypage.png" alt-text="The Device Entity Page" lightbox="images/Devicesecuritypage.png":::
-## Reporting delays
+### Reporting delays
There might be a delay of up to six hours from the time a media connection occurs to the time the event is reflected in the card or in the domain list.
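Review bot: the new Advanced hunting section lists "Applies to: Plan 1 / Plan 2" and then says the portal requires "Microsoft 365 for E5 reporting"; the two statements conflict and the second is not a real SKU name, so state which license is actually required. In the same section, "when **Options** 8 is configured" needs to say what option 8 is, and the Plan 1 bullet has been fused with the preceding text (`-- [Microsoft Defender for Endpoint Plan 1]`), so it will not render as a list item. In the second query, `where ActionType contains "RemovableStorageFileEvent"` should use `==` as the first query does, since `contains` is a case-insensitive substring match and the intent is an exact ActionType; and `|project` is missing the space after the pipe that every other operator line has. Finally, "the raw events under the **View details** shows events" should be "show events".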
security Host Firewall Reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/host-firewall-reporting.md
ms.mktglfcycl: manage
ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium Last updated : 01/31/2023 audience: ITPro
search.appverid: met150
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] **Applies to:**
+- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
security Ios Install Unmanaged https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install-unmanaged.md
Title: Deploy Microsoft Defender for Endpoint on iOS features
+ Title: Deploy Microsoft Defender for Endpoint on iOS with Mobile Application Manager
description: Describes how to deploy Microsoft Defender for Endpoint on unenrolled iOS devices. keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, configure, features, ios
search.appverid: met150
-# Deploy Microsoft Defender for Endpoint on unenrolled iOS devices
+# Deploy Microsoft Defender for Endpoint on iOS with Mobile Application Manager
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
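Review bot: "Mobile Application Manager" in the new title and H1 is not the product term; Intune calls this mobile application management (MAM). The `description:` on the same page still says "unenrolled iOS devices", so the title should be something like "Deploy Microsoft Defender for Endpoint on iOS with mobile application management (MAM)" and the description updated to match it.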
security Ios Install https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install.md
Title: App-based deployment for Microsoft Defender for Endpoint on iOS
+ Title: Deploy Microsoft Defender for Endpoint on iOS with Microsoft Endpoint Manager
-description: Describes how to deploy Microsoft Defender for Endpoint on iOS using an app
+description: Describes how to deploy Microsoft Defender for Endpoint on iOS using an app.
keywords: microsoft, defender, Microsoft Defender for Endpoint, ios, app, installation, deploy, uninstallation, intune ms.mktglfcycl: deploy
search.appverid: met150
-# Deploy Microsoft Defender for Endpoint on iOS
+# Deploy Microsoft Defender for Endpoint on iOS with Microsoft Endpoint Manager
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
search.appverid: met150
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-investigateip-abovefoldlink)
-This topic describes deploying Defender for Endpoint on iOS on Intune Company Portal enrolled devices. For more information about Intune device enrollment, see [Enroll iOS/iPadOS devices in Intune](/mem/intune/enrollment/ios-enroll).
+This topic describes deploying Defender for Endpoint on iOS on Microsoft Endpoint Manager (also known as Intune) Company Portal enrolled devices. For more information about Microsoft Endpoint Manager device enrollment, see [Enroll iOS/iPadOS devices in Microsoft Endpoint Manager](/mem/intune/enrollment/ios-enroll).
## Before you begin
This topic describes deploying Defender for Endpoint on iOS on Intune Company Po
This section covers:
-1. **Deployment steps** (applicable for both **Supervised** and **Unsupervised** devices)- Admins can deploy Defender for Endpoint on iOS via Intune Company Portal. This step is not needed for VPP (volume purchase) apps.
+1. **Deployment steps** (applicable for both **Supervised** and **Unsupervised** devices)- Admins can deploy Defender for Endpoint on iOS via Microsoft Endpoint Manager Company Portal. This step is not needed for VPP (volume purchase) apps.
1. **Complete deployment** (only for Supervised devices)- Admins can select to deploy any one of the given profiles. 1. **Zero touch (Silent) Control Filter** - Provides Web Protection without the local loopback VPN and also enables silent onboarding for users. App is automatically installed and activated without the need for user to open the app.
This section covers:
## Deployment steps (applicable for both Supervised and Unsupervised devices)
-Deploy Defender for Endpoint on iOS via Intune Company Portal.
+Deploy Defender for Endpoint on iOS via Microsoft Endpoint Manager Company Portal.
### Add iOS store app
Deploy Defender for Endpoint on iOS via Intune Company Portal.
1. In the **Assignments** section, go to the **Required** section and select **Add group**. You can then choose the user group(s) that you would like to target Defender for Endpoint on iOS app. Click **Select** and then **Next**. > [!NOTE]
- > The selected user group should consist of Intune enrolled users.
+ > The selected user group should consist of Microsoft Endpoint Manager (Intune) enrolled users.
:::image type="content" source="images/ios-deploy-2.png" alt-text="The Add group tab in the Microsoft Endpoint Manager Admin Center" lightbox="images/ios-deploy-2.png":::
The Microsoft Defender for Endpoint on iOS app has specialized ability on superv
Admins can use the following steps to configure supervised devices.
-### Configure Supervised Mode via Intune
+### Configure Supervised Mode via Microsoft Endpoint Manager (Intune)
Configure the supervised mode for Defender for Endpoint app through an App configuration policy and Device configuration profile.
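Review bot: the rename changes the link text to "Enroll iOS/iPadOS devices in Microsoft Endpoint Manager" while the target stays `/mem/intune/enrollment/ios-enroll`, which is fine, but the parenthetical "(also known as Intune)" appears once and later mentions use "(Intune)"; settle on one form at first mention and drop it afterwards. The keywords line still lists only `intune`, so add the new product name there as well so the page stays findable under both names.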
security Linux Support Perf https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-perf.md
Title: Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux description: Troubleshoot performance issues in Microsoft Defender for Endpoint on Linux.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, performance
+keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, performance, AuditD, XMDEClientAnalyzer, installation, deploy, uninstallation
ms.mktglfcycl: deploy ms.sitesec: library
To run the client analyzer for troubleshooting performance issues, see [Run the
>[!NOTE] >In case after following the above steps, the performance problem persists, please contact customer support for further instructions and mitigation.
+## Troubleshoot AuditD performance issues
+
+**Background:**
+
+- Microsoft Defender for Endpoint on Linux OS distributions uses AuditD framework to collect certain types of telemetry events.
+
+- System events captured by rules added to `/etc/audit/rules.d/` will add to audit.log(s) and might affect host auditing and upstream collection.
+
+- Events added by Microsoft Defender for Endpoint on Linux will be tagged with `mdatp` key.
+
+- If the AuditD service is misconfigured or offline, then some events might be missing. To troubleshoot such an issue, refer to: [Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux.](linux-support-events.md)
+
+In certain server workloads, two issues might be observed:
+
+- **High CPU** resource consumption from ***mdatp_audisp_plugin*** process.
+
+- ***/var/log/audit/audit.log*** becoming large or frequently rotating.
+
+These issues may occur on servers with many events flooding AuditD.
+
+This can happen if there are multiple consumers for AuditD, or too many rules with the combination of Microsoft Defender for Endpoint and third party consumers, or high workload that generates a lot of events.
+
+To troubleshoot such issues, begin by [collecting MDEClientAnalyzer logs](run-analyzer-macos-linux.md) on the sample affected server.
+
+> [!NOTE]
+> As a general best practice, it is recommended to update the [Microsoft Defender for Endpoint agent to latest available version](linux-whatsnew.md) and confirming issue still persists before investigating further.
+
+> [!NOTE]
+> That there are additional configurations that can affect AuditD subsystem CPU strain. <BR>
+> Specifically, in [auditd.conf](https://linux.die.net/man/8/auditd.conf), the value for **disp_qos** can be set to "lossy" to reduce the high CPU consumption. <BR>
+> However, this means that some events may be dropped during peak CPU consumption. <BR>
+
+### XMDEClientAnalyzer
+
+When you use [XMDEClientAnalyzer](run-analyzer-macos-linux.md), the following files will display output that provides insights to help you troubleshoot issues.
+- auditd_info.txt
+- auditd_log_analysis.txt
++
+#### auditd_info.txt
+
+Contains general AuditD configuration and will display:
+
+- What processes are registered as AuditD consumers.
+
+- **Auditctl -s** output with **enabled=2**
+
+ - Suggests auditd is in immutable mode (requires restart for any config changes to take effect).
+
+- **Auditctl -l** output
+
+ - Will show what rules are currently loaded into the kernel (which may be different that what exists on disk in "/etc/auditd/rules.d/mdatp.rules").
+
+ - Will show which rules are related to Microsoft Defender for Endpoint.
+
+#### auditd_log_analysis.txt
+
+Contains important aggregated information that is useful when investigating AuditD performance issues.
+
+- Which component owns the most reported events (Microsoft Defender for Endpoint events will be tagged with `key=mdatp`).
+
+- The top reporting initiators.
+
+- The most common system calls (network or filesystem events, and others).
+
+- What file system paths are the noisiest.
+
+**To mitigate most AuditD performance issues, you can implement AuditD exclusion. **
+
+> [!NOTE]
+> Exclusions should be made only for low threat and high noise initiators or paths. For example, do not exclude /bin/bash which risks creating a large blind spot.
+> [Common mistakes to avoid when defining exclusions](/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus).
++
+### Exclusion Types
+
+The XMDEClientAnalyzer support tool contains syntax that can be used to add AuditD exclusion configuration rules:
+
+AuditD exclusion ΓÇô support tool syntax help:
++
+**By initiator**
+
+- **-e/ -exe** full binary path > Removes all events by this initiator
+
+**By path**
+
+- **-d / -dir** full path to a directory > Removes filesystem events targeting this directory
+
+Examples:
+
+If "`/opt/app/bin/app`" writes to "`/opt/app/cfg/logs/1234.log`", then you can use the support tool to exclude with various options:
+
+`-e /opt/app/bin/app`
+
+`-d /opt/app/cfg`
+
+`-x /usr/bin/python /etc/usercfg`
+
+`-d /usr/app/bin/`
+
+More examples:
+
+`./mde_support_tool.sh exclude -p <process id>`
+
+`./mde_support_tool.sh exclude -e <process name>`
+
+To exclude more than one item - concatenate the exclusions into one line:
+
+`./mde_support_tool.sh exclude -e <process name> -e <process name 2> -e <process name3>`
+
+The -x flag is used to exclude access to subdirectories by specific initiators for example:
+
+`./mde_support_tool.sh exclude -x /usr/sbin/mv /tmp`
+
+The above will exclude monitoring of /tmp subfolder, when accessed by mv process.
+
+
+> [!NOTE]
+> Please contact Microsoft support if you need assistance with analyzing and mitigating AuditD related performance issues, or with deploying AuditD exclusions at scale.
+ ## See also - [Investigate agent health issues](health-status.md)
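Review bot: the worked example under "Examples" does not match the scenario it sets up, and two flags it uses are never described in the Exclusion Types list. The scenario says `/opt/app/bin/app` writes to `/opt/app/cfg/logs/1234.log`, but the sample exclusions include `-d /usr/app/bin/` (a different prefix, and a directory exclusion aimed at a binary path) and `-x /usr/bin/python /etc/usercfg`, which has nothing to do with that app; an example such as `-d /opt/app/cfg/logs` that excludes only the noisy log directory would also model the narrow exclusion the note above asks for, since `-d /opt/app/cfg` silences every filesystem event under the whole config tree. In "More examples", `exclude -p <process id>` uses a `-p` flag that the Exclusion Types section never defines (only -e/-exe, -d/-dir and -x are listed), and `-e <process name>` contradicts "-e/ -exe full binary path"; either document `-p` or drop it, and show `-e` with a full path. The rule path "/etc/auditd/rules.d/mdatp.rules" in the auditd_info.txt bullet also disagrees with `/etc/audit/rules.d/` used elsewhere on this page (the Linux what's-new bullet and the deleted Background section); verify the directory and use one spelling. Smaller wording and rendering points: "recommended to update ... and confirming issue still persists" should be "and confirm the issue still persists"; drop the leading "That" in "> That there are additional configurations"; "different that what exists" should be "different than"; the trailing space inside "**To mitigate most AuditD performance issues, you can implement AuditD exclusion. **" stops the bold from rendering; "AuditD exclusion ΓÇô support tool syntax help" carries a mis-encoded dash; the lone "+" lines after the file list, after the exclusions note and after the syntax-help line look like stray characters in the source; and "## See also" is run onto the same line as its list item.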
security Linux Updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-updates.md
sudo apt-get install --only-upgrade mdatp
> [!IMPORTANT] > When integrating Microsoft Defender for Endpoint and Defender for Cloud, the mdatp agent will automatically receive updates by default.+
+To schedule an update of Microsoft Defender for Endpoint on Linux, see [Schedule an update of the Microsoft Defender for Endpoint (Linux)](linux-update-mde-linux.md)
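Review bot: the added sentence "To schedule an update of Microsoft Defender for Endpoint on Linux, see [Schedule an update of the Microsoft Defender for Endpoint (Linux)](linux-update-mde-linux.md)" has no terminal period, and its link text reads oddly next to the product name used in the sentence itself; suggest ending with a period and using "Schedule an update of Microsoft Defender for Endpoint on Linux" as the link text.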
security Linux Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-whatsnew.md
This article is updated frequently to let you know what's new in the latest rele
**Known issues** -- While upgrading mdatp to version 101.94.13, you may notice that health is false, with health_issues as "no active supplementary event provider". This may happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines needs to be fixed. Following steps can help you to identify such auditd rules (These commands needs to be run as super user). Please take backup of following file: /etc/audit/rules.d/audit.rules as these steps are only to identify failures.+
+- While upgrading mdatp to version 101.94.13, you may notice that health is false, with health_issues as "no active supplementary event provider". This may happen due to misconfigured/conflicting auditd rules on existing machines. To mitigate the issue, the auditd rules on the existing machines needs to be fixed. The following steps can help you to identify such auditd rules (these commands need to be run as super user). Please take backup of following file: /etc/audit/rules.d/audit.rules as these steps are only to identify failures.
+ ```bash echo -c >> /etc/audit/rules.d/audit.rules
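Review bot: the rewritten known-issue bullet still says "Please take backup of following file"; it should read "Please take a backup of the following file". More importantly, the steps are described as "only to identify failures", yet the first command, `echo -c >> /etc/audit/rules.d/audit.rules`, appends to that very file, so the text should say plainly that the backup is how the original rules get restored afterwards and what `-c` does (it tells auditctl to keep loading rules after an error instead of stopping at the first bad rule, which is what makes the conflicting rules visible). The fence opener "```bash" is also run onto the same line as the command; put the fence on its own line so the block renders.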
security Mac Install With Intune https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-with-intune.md
Title: Intune-based deployment for Microsoft Defender for Endpoint on Mac
-description: Install Microsoft Defender for Endpoint on Mac, using Microsoft Intune.
+ Title: Deploy Microsoft Defender for Endpoint on macOS with Microsoft Endpoint Manager
+description: Install Microsoft Defender for Endpoint on Mac, using Microsoft Endpoint Manager.
keywords: microsoft, defender, Microsoft Defender for Endpoint, mac, installation, deploy, uninstallation, intune, jamf, macos, catalina, big sur, monterey, ventura, mde for mac ms.mktglfcycl: deploy
search.appverid: met150
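Review bot: the new Title says "Deploy Microsoft Defender for Endpoint on macOS with Microsoft Endpoint Manager" while the new description directly under it still says "on Mac"; use "macOS" in both, matching the H1. Since the keywords line and the filename keep "intune", it is worth keeping the "(also known as Intune)" parenthetical that the intro adds so readers searching for Intune still recognise the page.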
-# Intune-based deployment for Microsoft Defender for Endpoint on macOS
+# Deploy Microsoft Defender for Endpoint on macOS with Microsoft Endpoint Manager
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
search.appverid: met150
- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) - [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
-This topic describes how to deploy Microsoft Defender for Endpoint on macOS through Intune. A successful deployment requires the completion of all of the following steps:
+This topic describes how to deploy Microsoft Defender for Endpoint on macOS through Microsoft Endpoint Manager (also known as Intune). A successful deployment requires the completion of all of the following steps:
1. [Download the onboarding package](#download-the-onboarding-package) 1. [Client device setup](#client-device-setup)
Before you get started, see [the main Microsoft Defender for Endpoint on macOS p
## Overview
-The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender for Endpoint on Macs, via Intune. More detailed steps are available below.
+The following table summarizes the steps you would need to take to deploy and manage Microsoft Defender for Endpoint on Macs, via Microsoft Endpoint Manager. More detailed steps are available below.
<br>
This profile is needed for macOS 10.15 (Catalina) or older. It will be ignored o
> [!CAUTION] > macOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender for Endpoint is not able to fully protect your device. >
- > This configuration profile grants Full Disk Access to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Intune, we recommend you update the deployment with this configuration profile.
+ > This configuration profile grants Full Disk Access to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Microsoft Endpoint Manager, we recommend you update the deployment with this configuration profile.
Download [**fulldisk.mobileconfig**](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/fulldisk.mobileconfig) from [our GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
Follow the instructions for [Onboarding blob](#onboarding-blob) from above, usin
> [!CAUTION] > macOS 13 (Ventura) contains new privacy enhancements. Beginning with this version, by default, applications cannot run in background without explicit consent. Microsoft Defender for Endpoint must run its daemon process in background. >
- > This configuration profile grants Background Service permissions to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Intune, we recommend you update the deployment with this configuration profile.
+ > This configuration profile grants Background Service permissions to Microsoft Defender for Endpoint. If you previously configured Microsoft Defender for Endpoint through Microsoft Endpoint Manager, we recommend you update the deployment with this configuration profile.
Download [**background_services.mobileconfig**](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/background_services.mobileconfig) from [our GitHub repository](https://github.com/microsoft/mdatp-xplat/tree/master/macos/mobileconfig/profiles).
security Mde P1 Setup Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mde-p1-setup-configuration.md
The following table describes key roles to consider for Defender for Endpoint in
When you're ready to onboard your organization's endpoints, you can choose from several methods, as listed in the following table: <br/><br/>
-|Endpoint Operating System | Onboarding methods|
+|Endpoint|Deployment tool|
|||
-| Windows 10 | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Intune/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) |
-| macOS | [Local scripts](mac-install-manually.md) <br> [Intune](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md) |
-| iOS |[App-based](ios-install.md) |
-| Android | [Intune](android-intune.md) |
+|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md)|
+|**macOS**|[Local script](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md)|
+|**Android**|[Microsoft Endpoint Manager](android-intune.md)|
+|**iOS**|[Microsoft Endpoint Manager](ios-install.md) <br> [Mobile Application Manager](ios-install-unmanaged.md) |
+ Then, proceed to configure your next-generation protection and attack surface reduction capabilities.
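Review bot: the new header row "|Endpoint|Deployment tool|" is followed by the delimiter "|||", which has no dashes and so will not render as a Markdown table; use "|---|---|". The Windows row also drops the "Windows 10" qualifier the old table carried, so it no longer says which Windows versions the listed tools cover; either restore the version or link to the supported-versions list. "Microsoft Endpoint Manager/ Mobile Device Manager" has a stray space after the slash.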
security Minimum Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/minimum-requirements.md
When components are up-to-date on Microsoft Windows operating systems, Microsoft
### Other supported operating systems
+- [macOS](microsoft-defender-endpoint-mac.md)
+- [Linux](microsoft-defender-endpoint-linux.md)
- [Android](microsoft-defender-endpoint-android.md) - [iOS](microsoft-defender-endpoint-ios.md)-- [Linux](microsoft-defender-endpoint-linux.md)-- [macOS](microsoft-defender-endpoint-mac.md)+ > [!NOTE] > You'll need to confirm the Linux distributions and versions of Android, iOS, and macOS are compatible with Defender for Endpoint for the integration to work.
security Network Protection Macos https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/network-protection-macos.md
ms.mktglfcycl: manage
ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium Previously updated : 11/22/2022 Last updated : 01/31/2023 audience: ITPro
search.appverid: met150
-<! jweston-1 to return as author and ms.author appx April/May 2023. >
- # Network protection for macOS [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
search.appverid: met150
- [Microsoft Microsoft 365 Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/?linkid=2154037) - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
-> [!IMPORTANT]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
- ## Overview
-Microsoft is bringing Network protection functionality to macOS (min. macOS 11).
+Network Protection for macOS will soon be available for all Microsoft Defender for Endpoint onboarded macOS devices which meet the minimum requirements. Microsoft will begin incrementally rolling out the functionality for all macOS devices to enable Network Protection on 1/31/2023 and expects to complete by 2/17/2023. When this feature rolls to production, all of your currently configured Network Protection and Web Threat Protection policies will be enforced on macOS devices where Network Protection is configured for block mode. 
+
+To prepare for the macOS network protection rollout, we recommend the following: 
+- For Network Protection for macOS to be active on your devices, Network Protection must be enabled by your organization. We suggest deploying the audit or block mode policy to a small set of devices and verify there are no issues or broken workstreams before gradually deploying to a larger set of devices. 
+- Verify the Network Protection configuration on your macOS devices is set to the desired state. 
+- Understand the impact of your Web Threat Protection, Custom Indicators of Compromise, Web Content Filtering, and MDA Endpoint Enforcement polices which target those macOS devices where Network Protection is in Block mode.
Microsoft Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host:
Network protection expands the scope of Microsoft 365 Defender [SmartScreen](/wi
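Review bot: in the new rollout text, the third preparation bullet misspells "polices" and introduces "MDA Endpoint Enforcement" without expanding the acronym; write "policies" and spell out MDA on first use. Also "macOS devices which meet the minimum requirements" reads better as "that meet", the first bullet should read "and verify there are no issues", and several of the added lines end in trailing whitespace. The operational message in the first paragraph, that on rollout all currently configured Network Protection and Web Threat Protection policies will be enforced on macOS devices in block mode, is the part admins most need to see; consider promoting it to a [!IMPORTANT] callout rather than leaving it mid-paragraph, since a tenant that skips the audit-mode pilot described in the bullets could start blocking user traffic without warning. Unrelated to this change but in the same file: the Plan 2 link text reads "Microsoft Microsoft 365 Defender for Endpoint Plan 2".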
- Licensing: Microsoft 365 Defender for Endpoint tenant (can be trial) - Onboarded Machines: - Minimum macOS version: 11
- - Product version 101.78.13 or later
- - Your device must be in either the External (Preview) or InsiderFast (Beta) Microsoft AutoUpdate update channel. You can check the update channel using the following command:
-
-```bash
-mdatp health --field release_ring
-```
-
-If your device isn't already in the External(Preview) update channel, execute the following command from the Terminal. The channel update takes effect next time the product starts (when the next product update is installed or when the device is rebooted).
-
-```bash
-defaults write com.microsoft.autoupdate2 ChannelName -string Preview
-```
-
-Alternatively, if you are in a managed environment (JAMF or Intune), you can configure the device group remotely. For more information, see [Set preferences for Microsoft 365 Defender for Endpoint on macOS](mac-preferences.md).
+ - Product version 101.94.13 or later
## Deployment instructions ### Microsoft 365 Defender for Endpoint
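Review bot: removing the External (Preview) and InsiderFast channel instructions is right now that the feature is rolling out generally, but with them goes the only on-device check the article offered (`mdatp health --field release_ring`). Since the prerequisite is now "Product version 101.94.13 or later", suggest adding how an admin confirms the installed version before the rollout window, for example `mdatp health --field app_version` (my suggestion, verify it against the macOS command reference), so fleet readiness can be checked rather than assumed.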
-After you've configured your device to be in the External(preview) update channel, install the most recent product version through Microsoft AutoUpdate. To open Microsoft AutoUpdate, run the following command from the Terminal:
+Install the most recent product version through Microsoft AutoUpdate. To open Microsoft AutoUpdate, run the following command from the Terminal:
```bash open /Library/Application\ Support/Microsoft/MAU2.0/Microsoft\ AutoUpdate.app
After you create this configuration profile, assign it to the devices where you
## Scenarios
-The following scenarios are supported during public preview:
+The following scenarios are supported.
### Web threat protection
security Non Windows https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/non-windows.md
Title: Microsoft Defender for Endpoint for non-Windows platforms
-description: Learn about Microsoft Defender for Endpoint capabilities for non-Windows platforms
+ Title: Microsoft Defender for Endpoint on other platforms
+description: Learn about Microsoft Defender for Endpoint capabilities on other platforms
keywords: non windows, mac, macos, linux, android search.product: eADQiWindows 10XVcnh
search.appverid: met150
-# Microsoft Defender for Endpoint for non-Windows platforms
+# Microsoft Defender for Endpoint on other platforms
[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
security Onboard Configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-configure.md
search.appverid: met150 Last updated : 01/31/2023 # Onboard devices and configure Microsoft Defender for Endpoint capabilities
The following table lists the available tools based on the endpoint that you nee
| Endpoint | Tool options | |--||
-| **Windows Client** | [Mobile Device Management / Microsoft Intune](configure-endpoints-mdm.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Local script (up to 10 devices)](configure-endpoints-script.md) <br>[VDI scripts](configure-endpoints-vdi.md) |
-| **Windows Server** | [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [VDI scripts](configure-endpoints-vdi.md) <br> [Onboard Windows servers to the Microsoft Defender for Endpoint service](configure-server-endpoints.md) |
-| **macOS** | [Local scripts](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md) |
-| **Linux Server** | [Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md) |
-| **iOS** | [Microsoft Endpoint Manager](ios-install.md) |
-| **Android** | [Microsoft Endpoint Manager](android-intune.md) |
+|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md)|
+|**Windows servers<br><br>Linux servers** | [Integration with Microsoft Defender for Cloud](azure-server-integration.md)
+|**macOS**|[Local script](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md)|
+|**Linux servers**|[Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md) <br> [Chef](linux-deploy-defender-for-endpoint-with-chef.md)<br> [Saltstack](linux-install-with-saltack.md)|
+|**Android**|[Microsoft Endpoint Manager](android-intune.md)|
+|**iOS**|[Microsoft Endpoint Manager](ios-install.md) <br> [Mobile Application Manager](ios-install-unmanaged.md) |
> [!NOTE]
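Review bot: the new table lists Linux servers twice, once in the combined "Windows servers / Linux servers" row (Defender for Cloud integration) and again in its own "Linux servers" row (Local script, Puppet, Ansible, Chef, Saltstack); either fold the Defender for Cloud link into the per-OS rows or keep a single servers row. The change also deletes the old "Windows Server" row, so Group Policy, Microsoft Endpoint Configuration Manager, VDI scripts and the "Onboard Windows servers to the Microsoft Defender for Endpoint service" link (configure-server-endpoints.md) no longer appear for servers at all, even though the Windows Server 2012 R2/2016 footnote elsewhere on this page still sends readers to that article; a Windows servers row should keep the direct onboarding tools alongside Defender for Cloud. Smaller points: the servers row is missing its closing "|"; the Saltstack link target "linux-install-with-saltack.md" looks like a typo for "saltstack" (verify the real filename); and "Mobile Application Manager" for the unmanaged iOS path is normally written "Mobile Application Management".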
security Onboard Offline Machines https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-offline-machines.md
For devices with no direct internet connection, the use of a proxy solution is t
Depending on the operating system, the proxy to be used for Microsoft Defender for Endpoint can be configured automatically, typically through the use of autodiscovery or an autoconfig file, or statically specific to Defender for Endpoint services running on the device. -- For Windows devices, please reference [Configure device proxy and Internet connectivity settings](/microsoft-365/security/defender-endpoint/configure-proxy-internet)-- For Linux devices, please reference [Configure Microsoft Defender for Endpoint on Linux for static proxy discovery](/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration)-- For macOS devices, please reference [Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac#network-connections)
+- For Windows devices, see [Configure device proxy and Internet connectivity settings](/microsoft-365/security/defender-endpoint/configure-proxy-internet)
+- For Linux devices, see [Configure Microsoft Defender for Endpoint on Linux for static proxy discovery](/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration)
+- For macOS devices, see [Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-mac#network-connections)
## Windows devices running the previous MMA-based solution
security Onboarding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding.md
After identifying your architecture, you'll need to decide which deployment meth
The following table lists the available tools based on the endpoint that you need to onboard.
-| Endpoint | Tool options |
-|--||
-| **Windows** | [Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md) <br> [Integration with Microsoft Defender for Cloud](azure-server-integration.md) |
-| **macOS** | [Local scripts](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md) |
-| **Linux Server** | [Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md)|
-| **iOS** | [Microsoft Endpoint Manager](ios-install.md) |
-| **Android** | [Microsoft Endpoint Manager](android-intune.md) |
+|Endpoint|Deployment tool|
+|||
+|**Windows**|[Local script (up to 10 devices)](configure-endpoints-script.md) <br> [Group Policy](configure-endpoints-gp.md) <br> [Microsoft Endpoint Manager/ Mobile Device Manager](configure-endpoints-mdm.md) <br> [Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) <br> [VDI scripts](configure-endpoints-vdi.md)|
+|**Windows servers<br><br>Linux servers** | [Integration with Microsoft Defender for Cloud](azure-server-integration.md)
+|**macOS**|[Local script](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md)|
+|**Linux servers**|[Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md) <br> [Chef](linux-deploy-defender-for-endpoint-with-chef.md)<br> [Saltstack](linux-install-with-saltack.md)|
+|**Android**|[Microsoft Endpoint Manager](android-intune.md)|
+|**iOS**|[Microsoft Endpoint Manager](ios-install.md) <br> [Mobile Application Manager](ios-install-unmanaged.md) |
## Step 2: Configure capabilities
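Review bot: the replacement delimiter row "|||" has no dashes and so the rebuilt table will not render; use "|---|---|" as the old table did ("|--||" was at least a valid delimiter). As with the identical table in the onboard-configure article on this page, Linux servers appear twice (in the combined "Windows servers / Linux servers" row and in their own row), the servers row lacks its closing "|", "linux-install-with-saltack.md" looks like a typo for "saltstack", and moving "Integration with Microsoft Defender for Cloud" out of the Windows row means Windows servers now have no direct onboarding tools listed at all.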
security Printer Protection Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/printer-protection-overview.md
The table below lists the properties you can use in **Entry**:
|Type|Defines the action for the removable storage groups in IncludedIDList. <ul><li>Enforcement: Allow or Deny</li><li>Audit: AuditAllowed or AuditDenied</li></ul>|<ul><li>Allow</li><li>Deny</li><li>AuditAllowed: Defines event when access is allowed</li><li>AuditDenied: Defines notification and event when access is denied; has to work together with Deny entry.</li></ul> <p> When there are conflict types for the same media, the system will apply the first one in the policy. An example of a conflict type is **Allow** and **Deny**.| |Sid|Local user Sid or user Sid group or the Sid of the AD object or the Object ID of the Azure AD object, defines whether to apply this policy over a specific user or user group. One entry can have a maximum of one SID and an entry without any SID means to apply the policy over the machine.| |ComputerSid|Local computer Sid or computer Sid group or the Sid of the AD object or the Object ID of the AAD object, defines whether to apply this policy over a specific machine or machine group. One entry can have a maximum of one ComputerSID and an entry without any ComputerSID means to apply the policy over the machine. If you want to apply an Entry to a specific user and specific machine, add both SID and ComputerSID into the same Entry.|
-|Options|Defines whether to display notification or not|**When Type Allow is selected:** <ul><li>0: nothing</li><li>4: disable AuditAllowed and AuditDenied for this Entry. Even if Allow happens and the AuditAllowed is setting configured, the system won't send events.</li><li>8: capture a copy of the file as evidence; must be used together with the **Set location for a copy of the file** setting.</li></ul> <p> **When Type Deny is selected:**<ul><li>0: nothing</li><li>4: disable AuditDenied for this entry. Even if Block happens and the AuditDenied is setting configured, the system won't show notifications.</li></ul> <p> **When Type AuditAllowed is selected:** <ul><li>0: nothing</li><li>1: nothing</li><li>2: send event</li></ul> <p> **When Type AuditDenied is selected:** </ul><li>0: nothing</li><li>1: show notification</li><li>2: send events</li><li>3: show notification and send events</li><li>4: print</li></ul>|
-|AccessMask|Defines the access.|64: Print|
+|Options|Defines whether to display notification or not|**When Type Allow is selected:** <ul><li>0: nothing</li><li>4: disable AuditAllowed and AuditDenied for this Entry. Even if Allow happens and the AuditAllowed is setting configured, the system won't send event.</li><li>8: create a copy of the file as evidence, and fire "RemovableStorageFileEvent" event, this has to be used together with 'Set location for a copy of the file' setting through Intune or Group Policy. </li></ul> <p> **When Type Deny is selected:**<ul><li>0: nothing</li><li>4: disable AuditDenied for this Entry. Even if Block happens and the AuditDenied is setting configured, the system won't show notification.</li></ul> <p> **When Type AuditAllowed is selected:** <ul><li>0: nothing</li><li>1: nothing</li><li>2: send event</li></ul> <p> **When Type AuditDenied is selected:** </ul><li>0: nothing</li><li>1: show notification</li><li>2: send event</li><li>3: show notification and send event</li><li>4: print</li></ul>|
+|AccessMask|Defines the access.|
|Parameters|Condition for this Entry, for example, network condition.|Can add groups (non-devices type) or even put Parameters into Parameters. See Parameters properties table below for more details.| The table below lists the properties you can use in **Parameters**:
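Review bot: the rewritten AccessMask row "|AccessMask|Defines the access.|" drops the third column and with it the only documented value, "64: Print", so readers of this policy reference no longer learn which mask bit to set; restore the value and the closing column. In the Options row, both the old and new text open the AuditDenied list with "</ul><li>0: nothing" instead of "<ul>", which breaks the HTML in that cell, and "the AuditAllowed is setting configured" (and the AuditDenied equivalent) should read "the AuditAllowed setting is configured". Option 8 now says it fires a "RemovableStorageFileEvent" event and must be paired with the setting "through Intune or Group Policy"; confirm that event name is the one raised for printer protection, since this table sits in the printer protection article rather than the removable storage one.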
security Switch To Mde Phase 3 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/switch-to-mde-phase-3.md
- migrationguides - admindeeplinkDEFENDER Previously updated : 01/12/2023 Last updated : 01/17/2023 search.appverid: met150
Deployment methods vary, depending on operating system and preferred methods. Th
|Windows 10 or later<br/><br/>Windows Server 2019 or later<br/><br/>Windows Server, version 1803 or later<br/><br/>Windows Server 2016 or Windows Server 2012 R2<sup>[[1](#fn1)]<sup> | [Microsoft Intune or Mobile Device Management](configure-endpoints-mdm.md)<br/><br/>[Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md)<br/><br/>[Group Policy](configure-endpoints-gp.md)<br/><br/>[VDI scripts](configure-endpoints-vdi.md)<br/><br/>[Local script (up to 10 devices)](configure-endpoints-script.md)<br/> Note that the local script method is suitable for a proof of concept but should not be used for production deployment. For a production deployment, we recommend using Group Policy, Microsoft Endpoint Configuration Manager, or Intune. | |Windows Server 2008 R2 SP1 | [Microsoft Monitoring Agent (MMA)](onboard-downlevel.md#install-and-configure-microsoft-monitoring-agent-mma) or [Microsoft Defender for Cloud](/azure/security-center/security-center-wdatp) <br> Note that the Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent). | |Windows 8.1 Enterprise<br/><br/>Windows 8.1 Pro<br/><br/>Windows 7 SP1 Pro<br/><br/>Windows 7 SP1| [Microsoft Monitoring Agent (MMA)](onboard-downlevel.md) <br>Note that the Microsoft Monitoring Agent is now Azure Log Analytics agent. To learn more, see [Log Analytics agent overview](/azure/azure-monitor/platform/log-analytics-agent).
-| macOS (see [System requirements](microsoft-defender-endpoint-mac.md) | [Intune](mac-install-with-intune.md)<br/><br/>[JAMF Pro](mac-install-with-jamf.md)<br/><br/>[Mobile Device Management](mac-install-with-other-mdm.md)<br/><br/> [Local script](mac-install-manually.md) |
-| Linux (see [System requirements](microsoft-defender-endpoint-linux.md#system-requirements)) | [Puppet](linux-install-with-puppet.md) <br><br/> [Ansible](linux-install-with-ansible.md)<br/><br/>[Local script](linux-install-manually.md) |
-| iOS | [Intune](ios-install.md) |
-|Android | [Intune](android-intune.md) |
+|**Windows servers<br><br>Linux servers** | [Integration with Microsoft Defender for Cloud](azure-server-integration.md)
+|macOS|[Local script](mac-install-manually.md) <br> [Microsoft Endpoint Manager](mac-install-with-intune.md) <br> [JAMF Pro](mac-install-with-jamf.md) <br> [Mobile Device Management](mac-install-with-other-mdm.md)|
+|Linux Server|[Local script](linux-install-manually.md) <br> [Puppet](linux-install-with-puppet.md) <br> [Ansible](linux-install-with-ansible.md) <br> [Chef](linux-deploy-defender-for-endpoint-with-chef.md)|
+|Android|[Microsoft Endpoint Manager](android-intune.md)|
+|iOS|[Microsoft Endpoint Manager](ios-install.md) <br> [Mobile Application Manager](ios-install-unmanaged.md) |
(<a id="fn1">1</a>) Windows Server 2016 and Windows Server 2012 R2 will need to be onboarded using the instructions in [Onboard Windows servers](configure-server-endpoints.md#windows-server-2012-r2-and-windows-server-2016).
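Review bot: the added "Windows servers / Linux servers" row is the only bold-labelled row in this table (macOS, Linux Server, Android and iOS are plain) and is missing its closing "|"; Linux also now appears twice ("Linux servers" in the combined row and a separate "Linux Server" row), and the existing first row already covers Windows Server 2019, version 1803, 2016 and 2012 R2, so the new servers row reads as a duplicate rather than an addition. The rewritten macOS and Linux rows also drop the "(see [System requirements](...))" links that the old rows carried; keep them, since checking fleet support is exactly what readers of this migration phase are doing.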
security Troubleshoot Auditd Performance Issues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-auditd-performance-issues.md
- Title: Troubleshoot AuditD performance issues with Microsoft Defender for Endpoint on Linux-
-description: Describes how to troubleshoot AuditD related performance issues that you might encounter with Microsoft Defender for Linux.
-keywords: microsoft, defender, Microsoft Defender for Endpoint, linux, troubleshoot, AuditD, XMDEClientAnalyzer, installation, deploy, uninstallation
-
-ms.sitesec: library
-ms.pagetype: security
------ m365-security-- tier3----
-# Troubleshoot AuditD performance issues with Microsoft Defender for Endpoint on Linux
-
-This article provides guidance on how to troubleshoot AuditD related performance issues that you might encounter with Microsoft Defender for Endpoint on Linux.
-
-**Background:**
--- Microsoft Defender for Endpoint on Linux OS distributions uses AuditD framework to collect certain types of telemetry events. --- System events captured by rules added to `/etc/audit/rules.d/` will add to audit.log(s) and might affect host auditing and upstream collection. --- Events added by Microsoft Defender for Endpoint on Linux will be tagged with `mdatp` key. --- If the AuditD service is misconfigured or offline, then some events might be missing. To troubleshoot such an issue, refer to: [Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux.](linux-support-events.md)-
-In certain server workloads, two issues might be observed:
--- **High CPU** resource consumption from ***mdatp_audisp_plugin*** process. --- ***/var/log/audit/audit.log*** becoming large or frequently rotating. -
-These issues may occur on servers with many events flooding AuditD.
-
-This can happen if there are multiple consumers for AuditD, or too many rules with the combination of Microsoft Defender for Endpoint and third party consumers, or high workload that generates a lot of events.
-
-To troubleshoot such issues, begin by [collecting MDEClientAnalyzer logs](run-analyzer-macos-linux.md) on the sample affected server.
-
-> [!NOTE]
-> As a general best practice, it is recommended to update the [Microsoft Defender for Endpoint agent to latest available version](linux-whatsnew.md) and confirming issue still persists before investigating further.
-
-> [!NOTE]
-> That there are additional configurations that can affect AuditD subsystem CPU strain. <BR>
-> Specifically, in [auditd.conf](https://linux.die.net/man/8/auditd.conf), the value for **disp_qos** can be set to "lossy" to reduce the high CPU consumption. <BR>
-> However, this means that some events may be dropped during peak CPU consumption. <BR>
-
-## XMDEClientAnalyzer
-
-When you use [XMDEClientAnalyzer](run-analyzer-macos-linux.md), the following files will display output that provides insights to help you troubleshoot issues.
-- auditd_info.txt-- auditd_log_analysis.txt--
-### auditd_info.txt
-
-Contains general AuditD configuration and will display:
--- What processes are registered as AuditD consumers. --- **Auditctl -s** output with **enabled=2** -
- - Suggests auditd is in immutable mode (requires restart for any config changes to take effect).
--- **Auditctl -l** output -
- - Will show what rules are currently loaded into the kernel (which may be different that what exists on disk in "/etc/auditd/rules.d/mdatp.rules").
-
- - Will show which rules are related to Microsoft Defender for Endpoint.
-
-### auditd_log_analysis.txt
-
-Contains important aggregated information that is useful when investigating AuditD performance issues.
--- Which component owns the most reported events (Microsoft Defender for Endpoint events will be tagged with `key=mdatp`). --- The top reporting initiators. --- The most common system calls (network or filesystem events, and others). --- What file system paths are the noisiest. -
-**To mitigate most AuditD performance issues, you can implement AuditD exclusion. **
-
-> [!NOTE]
-> Exclusions should be made only for low threat and high noise initiators or paths. For example, do not exclude /bin/bash which risks creating a large blind spot.
-> [Common mistakes to avoid when defining exclusions](/microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus).
---
-## Exclusion Types
-
-The XMDEClientAnalyzer support tool contains syntax that can be used to add AuditD exclusion configuration rules:
-
-AuditD exclusion ΓÇô support tool syntax help:
--
-**By initiator**
--- **-e/ -exe** full binary path > Removes all events by this initiator -
-**By path**
--- **-d / -dir** full path to a directory > Removes filesystem events targeting this directory -
-Examples:
-
-If "`/opt/app/bin/app`" writes to "`/opt/app/cfg/logs/1234.log`", then you can use the support tool to exclude with various options:
-
-`-e /opt/app/bin/app`
-
-`-d /opt/app/cfg`
-
-`-x /usr/bin/python /etc/usercfg`
-
-`-d /usr/app/bin/`
-
-More examples:
-
-`./mde_support_tool.sh exclude -p <process id>`
-
-`./mde_support_tool.sh exclude -e <process name>`
-
-To exclude more than one item - concatenate the exclusions into one line:
-
-`./mde_support_tool.sh exclude -e <process name> -e <process name 2> -e <process name3>`
-
-The -x flag is used to exclude access to subdirectories by specific initiators for example:
-
-`./mde_support_tool.sh exclude -x /usr/sbin/mv /tmp`
-
-The above will exclude monitoring of /tmp subfolder, when accessed by mv process.
-
-
-> [!NOTE]
-> Please contact Microsoft support if you need assistance with analyzing and mitigating AuditD related performance issues, or with deploying AuditD exclusions at scale.
--
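Review bot: the entire troubleshoot-auditd-performance-issues.md article is removed here and nothing in the hunk names a replacement or redirect, so any inbound link or bookmark to it will break unless a redirect entry accompanies the deletion; if the content is being folded into another article, say which one. Two pieces of the removed text should survive wherever the material lands, because they are the security caveats a Linux admin needs before tuning: the note that setting `disp_qos` to "lossy" in auditd.conf lowers CPU at the cost of dropped audit events, and the warning that exclusions are only for low-threat, high-noise initiators or paths (the "do not exclude /bin/bash" example). The removed text also carried an inconsistency worth not reproducing in any successor: it refers to both `/etc/audit/rules.d/` and "/etc/auditd/rules.d/mdatp.rules" for the on-disk rules location.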
security Web Content Filtering https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/web-content-filtering.md
ms.pagetype: security
ms.localizationpriority: medium Previously updated : 10/24/2022 Last updated : 01/31/2023 audience: ITPro
Use the time range filter at the top left of the page to select a time period. Y
Only Microsoft Edge is supported if your device's OS configuration is Server (**cmd** \> **Systeminfo** \> **OS Configuration**). Network Protection is only supported in Inspect mode on Server devices, which is responsible for securing traffic across supported third-party browsers.
-Only Microsoft Edge is supported and network protection is not supported on Windows 10 Azure Virtual Desktop multi-session hosts.
+Only Microsoft Edge is supported and network protection is not supported on Windows Azure Virtual Desktop multi-session hosts.
Network protection does not currently support SSL inspection, which might result in some sites being allowed by web content filtering that would normally be blocked. Sites would be allowed due to a lack of visibility into encrypted traffic after the TLS handshake has taken place and an inability to parse certain redirects. This includes redirections from some web-based mail login pages to the mailbox page. As an accepted workaround, you can create a custom block indicator for the login page to ensure no users are able to access the site. Keep in mind, this might block their access to other services associated with the same website.
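Review bot: dropping "10" from "Windows 10 Azure Virtual Desktop multi-session hosts" broadens the unsupported statement to every Windows version, and the result reads as if "Windows Azure Virtual Desktop" were a product name. If the intent is that network protection is unsupported on all multi-session AVD hosts regardless of Windows version, phrase it as "on Azure Virtual Desktop multi-session hosts"; if only Windows 10 multi-session was meant, keep the version, since admins use this line to decide whether third-party browsers on those hosts are covered by web content filtering at all.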
security Compare Rbac Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/compare-rbac-roles.md
Use the tables in the following sections to learn more about how your existing i
|Vulnerability management ΓÇô Manage security baselines assessment profiles|Security posture \ posture management \ Security baselines assessment (manage)| |Live response capabilities|Security operations \ Basic live response (manage)| |Live response capabilities - advanced|Security operations \ Advanced live response (manage)|
-|Manage security settings in the Security Center|Configuration \ Security setting (All permissions)|
-|Manage portal system settings|Configuration \ System setting (All permissions)|
+|Manage security settings in the Security Center|Authorization and settings \ Security setting (All permissions)|
+|Manage portal system settings|Authorization and settings \ System setting (All permissions)|
|Manage endpoint security settings in Microsoft Endpoint Manager|Not supported - this permission is managed in the Microsoft Endpoint Management portal| ### Map Defender for Office 365 (Exchange Online Protection) roles to the Microsoft 365 Defender RBAC permissions |Defender for Office (EOP) role group|Microsoft 365 Defender RBAC permission| ||||
-|Security reader|Security operations \ Security data \Security data basics (read)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Security operations \ Security data \ Response (manage) </br>Configuration \ Security setting (read) </br>Configuration \ System setting (read)|
-|Global reader|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Security operations \ Security data \ Response (manage) </br>Configuration \ Security setting (read) </br>Configuration \ System setting (read)|
-|Security administrator|Security operations \ Security data \ Security data basics (read) </br>Security operations \ Security data \ Alerts (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Security operations \ Security data \ Response (manage) </br>Security operations \ Security data \ Email quarantine (manage)</br>Configuration \ Authorization (read) </br> Configuration \ Security setting (All permissions) </br>Configuration \ System setting (All permissions)|
-|Organization Management|Security operations \ Security data \ Security data basics (read) </br>Security operations \ Security data \ Alerts (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read) </br>Security operations \ Security data \ Response (manage) </br>Security operations \ Security data \ Email advanced actions (manage)</br>Security operations \ Security data \ Email quarantine (manage)</br>Configuration \ Authorization (All permissions) </br> Configuration \ Security setting (All permissions) </br>Configuration \ System setting (All permissions)|
+|Security reader|Security operations \ Security data \Security data basics (read)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Security operations \ Security data \ Response (manage) </br>Authorization and settings \ Security setting (read) </br>Authorization and settings \ System setting (read)|
+|Global reader|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Security operations \ Security data \ Response (manage) </br>Authorization and settings \ Security setting (read) </br>Authorization and settings \ System setting (read)|
+|Security administrator|Security operations \ Security data \ Security data basics (read) </br>Security operations \ Security data \ Alerts (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Security operations \ Security data \ Response (manage) </br>Security operations \ Security data \ Email quarantine (manage)</br>Authorization and settings \ Authorization (read) </br> Authorization and settings \ Security setting (All permissions) </br>Authorization and settings \ System setting (All permissions)|
+|Organization Management|Security operations \ Security data \ Security data basics (read) </br>Security operations \ Security data \ Alerts (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read) </br>Security operations \ Security data \ Response (manage) </br>Security operations \ Security data \ Email advanced actions (manage)</br>Security operations \ Security data \ Email quarantine (manage)</br>Authorization and settings \ Authorization (All permissions) </br> Authorization and settings \ Security setting (All permissions) </br>Authorization and settings \ System setting (All permissions)|
|View-Only Recipients|Security operations \ Security data \ Security data basics (read) </br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)| |Preview|Security operations\ Security operations \ Raw data (Email & collaboration) \ Email content (read)| |Search and Purge|Security operations \ Security data \ Email advanced actions (manage)|
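Review bot: the rename from "Configuration" to "Authorization and settings" is applied consistently in this hunk, but the rewritten Security reader row still carries the missing space in "Security data \Security data basics (read)" that the Global reader row does not; normalize it while the line is being touched. Separately, both the Security reader and Global reader rows map a read-only role group to "Security operations \ Security data \ Response (manage)": confirm that is the intended mapping, because this table is what admins will use to check whether moving to the unified RBAC model silently changes a reader's effective privileges.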
Use the tables in the following sections to learn more about how your existing i
|View-only Audit Logs|Security operations \ Security data \ Security data basics (read)| |Audit Logs|Security operations \ Security data \ Security data basics (read)| |Quarantine|Security operations \ Security data \ Email quarantine (manage)|
-|Role Management|Configuration \ Authorization (All permissions)|
+|Role Management|Authorization and settings \ Authorization (All permissions)|
### Map Microsoft Defender for Identity permissions to the Microsoft 365 Defender RBAC permissions |Defender for Identity permission|Unified RBAC permission| ||||
-|MDI admin|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage)</br>Configuration \ Authorization (All permissions) </br>Configuration \ Security setting (All permissions) </br>Configuration \ System setting (All permissions)|
-|MDI user|Security operations \ Security data \ Security data basics (read) </br>Security operations \ Security data \ Alerts (manage)</br>Configuration \ Security setting (All permissions) </br>Configuration \ System setting (read)|
-|MDI viewer|Security operations \ Security data \ Security data basics (read)</br>Configuration \ Security setting (read) </br>Configuration \ System setting (read)|
+|MDI admin|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage)</br>Authorization and settings \ Authorization (All permissions) </br>Authorization and settings \ Security setting (All permissions) </br>Authorization and settings \ System setting (All permissions)|
+|MDI user|Security operations \ Security data \ Security data basics (read) </br>Security operations \ Security data \ Alerts (manage)</br>Authorization and settings \ Security setting (All permissions) </br>Authorization and settings \ System setting (read)|
+|MDI viewer|Security operations \ Security data \ Security data basics (read)</br>Authorization and settings \ Security setting (read) </br>Authorization and settings \ System setting (read)|
> [!NOTE] > Defender for Identity experiences will also adhere to permissions granted from [Microsoft Defender for Cloud Apps](https://security.microsoft.com/cloudapps/permissions/roles). For more information, see [Microsoft Defender for Identity role groups](https://go.microsoft.com/fwlink/?linkid=2202729).
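Review bot: the table header in this hunk labels the right-hand column "Unified RBAC permission" while the Defender for Office table above labels the same column "Microsoft 365 Defender RBAC permission"; pick one term for the page. The rows themselves are only a category rename and keep each role's permission set unchanged (MDI user still gets "Security setting (All permissions)" but only "System setting (read)"), which is the right scope for this change.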
Use this table to learn about the permissions assigned by default for each workl
|AAD role|Microsoft 365 Defender RBAC assigned permissions for all workloads|Microsoft 365 Defender RBAC assigned permissions ΓÇô workload specific| |||||
-|Global administrator|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage)</br>Configuration \ Authorization \ (All permissions)</br>Configuration \ Security settings \ (All permissions)</br>Configuration \ System settings \ (All permissions)|_**Defender for Endpoint only permissions**_ </br>Security operations \ Basic live response (manage)</br>Security operations \ Advanced live response (manage)</br>Security posture \ Posture management \ Vulnerability management (read)</br>Security posture \ Posture management \ Exception handling (manage)</br>Security posture \ Posture management \ Remediation handling (manage)</br>Security posture \ Posture management \ Application handling (manage)</br>Security posture \ Posture management \ Security baseline assessment (manage)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Email quarantine (manage)</br>Security operations \ Security data \ Email advanced actions (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)|
+|Global administrator|Security operations \ Security data \ Security data basics (read)</br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage)</br>Authorization and settings \ Authorization \ (All permissions)</br>Authorization and settings \ Security settings \ (All permissions)</br>Authorization and settings \ System settings \ (All permissions)|_**Defender for Endpoint only permissions**_ </br>Security operations \ Basic live response (manage)</br>Security operations \ Advanced live response (manage)</br>Security posture \ Posture management \ Vulnerability management (read)</br>Security posture \ Posture management \ Exception handling (manage)</br>Security posture \ Posture management \ Remediation handling (manage)</br>Security posture \ Posture management \ Application handling (manage)</br>Security posture \ Posture management \ Security baseline assessment (manage)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Email quarantine (manage)</br>Security operations \ Security data \ Email advanced actions (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)|
|Security administrator|Same as Global administrator|Same as Global administrator|
-|Global reader|Security operations \ Security data \ Security data basics (read)|_**Defender for Endpoint only permissions**_ </br>Security posture \ Posture management \ Vulnerability management (read)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Response (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Configuration \ Authorization \ (read) </br></br>_**Defender for Office and Defender for Identity only permissions**_ </br>Configuration \ Security settings \ (read)</br>Configuration \ System settings \ (read)|
-|Security reader|Security operations \ Security data \ Security data basics (read)|_**Defender for Endpoint only permissions**_ </br>Security posture \ Posture management \ Vulnerability management (read)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Response (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read) </br></br>_**Defender for Office and Defender for Identity only permissions**_ </br>Configuration \ Security settings \ (read)</br>Configuration \ System settings \ (read)|
-|Security operator|Security operations \ Security data \ Security data basics (read) </br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage)</br>Configuration \ Security settings \ (All permissions)|_**Defender for Endpoint only permissions**_</br>Security operations \ Security data \ Basic live response (manage)</br>Security operations \ Security data \ Advanced live response (manage)</br>Security posture \ Posture management \ Vulnerability management (read)</br>Security posture \ Posture management \ Exception handling (manage)</br>Security posture \ Posture management \ Remediation handling (manage)</br></br>_**Defender for Office only permissions**_ </br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Configuration \ System settings \ (All permissions)</br></br>_**Defender for Identity only permissions**_ </br>Configuration \ System settings \ (read)|
+|Global reader|Security operations \ Security data \ Security data basics (read)|_**Defender for Endpoint only permissions**_ </br>Security posture \ Posture management \ Vulnerability management (read)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Response (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Authorization and settings \ Authorization \ (read) </br></br>_**Defender for Office and Defender for Identity only permissions**_ </br>Authorization and settings \ Security settings \ (read)</br>Authorization and settings \ System settings \ (read)|
+|Security reader|Security operations \ Security data \ Security data basics (read)|_**Defender for Endpoint only permissions**_ </br>Security posture \ Posture management \ Vulnerability management (read)</br></br> _**Defender for Office only permissions**_ </br> Security operations \ Security data \ Response (manage)</br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read) </br></br>_**Defender for Office and Defender for Identity only permissions**_ </br>Authorization and settings \ Security settings \ (read)</br>Authorization and settings \ System settings \ (read)|
+|Security operator|Security operations \ Security data \ Security data basics (read) </br>Security operations \ Security data \ Alerts (manage) </br>Security operations \ Security data \ Response (manage)</br>Authorization and settings \ Security settings \ (All permissions)|_**Defender for Endpoint only permissions**_</br>Security operations \ Security data \ Basic live response (manage)</br>Security operations \ Security data \ Advanced live response (manage)</br>Security posture \ Posture management \ Vulnerability management (read)</br>Security posture \ Posture management \ Exception handling (manage)</br>Security posture \ Posture management \ Remediation handling (manage)</br></br>_**Defender for Office only permissions**_ </br>Security operations \ Raw data (Email & collaboration) \ Email message headers (read)</br>Authorization and settings \ System settings \ (All permissions)</br></br>_**Defender for Identity only permissions**_ </br>Authorization and settings \ System settings \ (read)|
|Compliance administrator|not applicable|_**Defender for Office only permissions**_ </br> Security operations \ Security data \ Security data basics (read)</br> Security operations \ Security data \ Alerts (manage)| |Compliance data administrator|not applicable|Same as Compliance administrator| |Billing admin|not applicable|not applicable|
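Review bot: the Global administrator, Global reader, Security reader and Security operator rows use a different notation from the rest of the page: "Authorization and settings \ Authorization \ (All permissions)" and the plural "Security settings \ (All permissions)", whereas the earlier tables write "Authorization and settings \ Security setting (All permissions)" with no backslash before the permission level. The Security operator row also writes live response as "Security operations \ Security data \ Basic live response (manage)" while the Global administrator row and the Defender for Endpoint table write "Security operations \ Basic live response (manage)". Since these lines are being rewritten anyway, align the path strings with the portal's node names; readers copy them when building custom roles, and a path that does not exist in the UI sends them to the wrong node.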
security Create Custom Rbac Roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/create-custom-rbac-roles.md
To access and manage roles and permissions, without being a Global Administrator
3. Select **Roles** under Microsoft 365 Defender. 4. Select **Create custom role**. 5. Enter the Role name and description.
-6. Select **Next** and choose the **Configuration** option.
-7. On the Configuration category flyout, choose **Select custom permissions** and under **Authorization** select either:
+6. Select **Next** and choose the **Authorization and settings** option.
+7. On the Authorization and settings category flyout, choose **Select custom permissions** and under **Authorization** select either:
- Select all permissions - users will be able to create and manage roles and permissions. - Read-only - uses will be able to access and view roles and permissions in a read-only mode.
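Review bot: the option text under step 7 still reads "Read-only - uses will be able to access and view roles and permissions"; "uses" should be "users", and it would be clearer as "users can view roles and permissions but cannot change them". The renamed step 6 ("choose the Authorization and settings option") and step 7 ("Authorization and settings category flyout") match the category rename made in compare-rbac-roles.md and custom-permissions-details.md in this same commit, so the procedure stays consistent with the reference tables.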
security Custom Permissions Details https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/custom-permissions-details.md
Permissions for managing the organization's security posture and performing thre
|Application handling|Manage|Manage vulnerable applications and software, including blocking and unblocking them in threat and vulnerability management.| |Security baseline assessment|Manage|Create and manage profiles so you can assess if your devices comply to security industry baselines.|
-### Configuration
+### Authorization and settings
Permissions to manages the security and system settings and to create and assign roles.
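Review bot: the description directly under the renamed heading keeps a grammatical error: "Permissions to manages the security and system settings" should be "Permissions to manage the security and system settings". The preceding Security baseline assessment row also says "comply to security industry baselines", which should be "comply with". Both are one-word fixes that can ride along with the heading rename.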
security Attack Simulation Training Training Campaigns https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-training-campaigns.md
+
+ Title: Training campaigns in Attack simulation training
+++
+audience: ITPro
++
+ms.localizationpriority: medium
+
+ - m365-security
+ - m365initiative-defender-office365
+description: Admins can learn how to create training campaigns in Attack simulation training in Microsoft Defender for Office 365 Plan 2.
+
+search.appverid: met150
++
+# Training campaigns in Attack simulation training
++
+**Applies to**
+ [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
+
+> [!NOTE]
+> This article describes features that are in Public Preview, aren't available in all organizations, and are subject to change.
+
+In Attack simulation training in Microsoft Defender for Office 365 Plan 2, Training campaigns are a faster, more direct way to provide security training to users. Instead of creating and launching [simulated phishing attacks](attack-simulation-training-simulations.md) that eventually lead to training, you can also create and assign Training campaigns directly to users.
+
+A Training campaign contains one or more built-in Training modules that you select. Currently, there are over 70 Training modules to select from. For more information about Training modules, see [Training modules for Training campaigns in Attack simulation training](attack-simulation-training-training-modules.md).
+
+For getting started information about Attack simulation training, see [Get started using Attack simulation training](attack-simulation-training-get-started.md).
+
+To see the existing Training campaigns, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Training** tab. To go directly to the **Training** tab, use <https://security.microsoft.com/attacksimulator?viewid=trainingcampaign>.
+
+The **Training campaigns** tab lists the Training campaigns that you've created. The list includes the following information for each Training campaign:
+
+- **Name**
+- **Description**
+- **Duration (mins)**
+- **Date of completion**
+- **Training completion**: The number of users who were included in the Training campaign and how many of them completed the training. The information is shown as a fraction (for example, **2/5**) and in a corresponding horizontal bar graph.
+- **No. of training modules**: The number of training modules that are included in the Training campaign.
+- **Created by**
+- **Created time**
+- **Status**: One of the following values:
+ - **Completed**<sup>\*</sup>
+ - **In progress**<sup>\*</sup>
+ - **Draft**<sup>\*</sup>
+ - **Cancelled**
+ - **Deleted**
+ - **Failed**<sup>\*</sup>
+ - **Scheduled**<sup>\*</sup>
+- **Γï« Actions**:
+ - ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete**
+ - ![View report icon.](../../media/m365-cc-sc-eye-icon.png) **View report**
+
+To find a Training campaign in the list, use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to find the name of the Training campaign.
+
+Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the information on the page by the **Status** value of the Training campaign.
+
+<sup>\*</sup> The total count of Training campaigns with these **Status** values is also shown at the top of the page. But if you filter the information (for example, exclude on of these **Status** values), the count at the top of the page will be **0** for that excluded **Status** value.
+
+## Create Training campaigns
+
+To create a Training campaign, do the following steps:
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Training** tab. Or, to go directly to the **Training** tab, use <https://security.microsoft.com/attacksimulator?viewid=trainingcampaign>.
+
+2. On the **Training** tab, click ![Create new icon.](../../media/m365-cc-sc-filter-icon.png) **Create new**.
+
+3. The new Training campaign wizard opens. The rest of this sections describes the pages and the settings they contain.
+
+### Name Training campaign
+
+On the **Name Training campaign** page, configure the following settings:
+
+- **Name**: Enter a unique name.
+- **Description**: Enter an optional description.
+
+When you're finished, click **Next**.
+
+### Target users
+
+On the **Target users** page, select one of the following values:
+
+- **Include all users in my organization**
+
+- **Include only specific users and groups**: When this value is selected, use the following options to find and select the users or groups to include in the Training campaign:
+ - ![Add users icon.](../../media/m365-cc-sc-filter-icon.png) **Add users**: In the **Add users** flyout that appears, use the following options to find and select users:
+ - **Search for users or groups**: In the ![Enter user or group name icon.](../../media/m365-cc-sc-search-icon.png) **Search** box, enter three or more letters of the user or group name, and then press Enter. The results (if any) are shown in the **User list** section that appears.
+ - To clear the search results without selecting any users or groups and return to all filters on the **Add users** flyout, click **Add/Edit**.
+ - To clear the text from the search box and the entries from the **User list** section but remain in user/group search mode, click ![Remove selection icon.](../../media/m365-cc-sc-search-icon.png) in the search box.
+ - To clear any *selections* in the **User list** section but preserve the text in the search box and the actual entries in the list, click **Clear all selections**.
+ - When you're done selecting entries from the **User list** section, click **Add n user(s)**. You'll return to the **Target users** page where the selected users are shown in a list. To return to the **Add users** flyout, click ![Add users icon.](../../media/m365-cc-sc-filter-icon.png) **Add users**.
+
+ Repeat this step as many times as required.
+
+ - **Filter users by categories**: Use the following categories to filter and select users and groups. Multiple selections within the same category use the OR operator (for example, **User tags** equals **Priority account** OR **User tags** equals **High risk profile**). Selections from different categories use the AND operator (for example, **City** equals Redmond AND **Department** equals IT):
+
+ - **Suggested user groups**: Select one or both of the following values:
+ - **Users not targeted by a simulation in the last three months**
+ - **Repeat offenders**
+
+ - **User tags**: Select one or more of the following values. You'll need to click **See all user tags** to see all values, and custom [user tags](user-tags-about.md) aren't available:
+ - **Priority accounts**: For more information, see [Priority accounts](../../admin/setup/priority-accounts.md).
+ - **High risk profile**
+ - **Medium risk profile**
+ - **Low risk profile**
+
+ - **City**, **Department**, or **Title** properties: In each section, the following options are available:
+ - ![Search by icon.](../../media/m365-cc-sc-search-icon.png) **Search by**: Type the property value and select it from the list of results.
+ - The first three values for each property are shown. To see all values for the specific property, click the **All \<property>** link. Select one or more values.
+ - Select **All \<property\>** to select all values for the specific property.
+
+ After you select values from one or more categories, click **Apply(n)**. The results (if any) are shown in the **User list** section that appears.
+
+ - To not select any users or groups and return to all filters on the **Add users** flyout, click **Add/Edit**.
+ - To clear any *selections* in the **User list** section but preserve the actual entries in the list, click **Clear all selections**.
+ - When you're done selecting entries from the **User list** section, click **Add n user(s)**. You'll return to the **Target users** page where the selected users are shown in a list. To return to the **Add users** flyout, click ![Add users icon.](../../media/m365-cc-sc-filter-icon.png) **Add users**.
+
+ Repeat this step as many times as required.
+
+ - ![Import icon.](../../media/m365-cc-sc-import-icon.png) **Import**: In the dialog that opens, find and select a .csv file.
+
+After you've selected one or more users or groups, the following information is shown for each entry on the **Target users** page:
+
+- **Name**
+- **Email**
+- **Title**
+- **Type**: **User** or **Group**
+- **Delete**: Use the ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** icon to remove the entry from the list. Click **Confirm** in the confirmation dialog**.
+
+Use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to find users or groups in the list.
+
+When you're finished, click **Next**.
+
+### Exclude users
+
+On the **Exclude users** page, you can exclude some of the previously selected users from the Training campaign by selecting **Exclude some of the target users from this simulation**.
+
+The selection options are identical to the previous step when you select ![Add users to exclude icon.](../../media/m365-cc-sc-filter-icon.png) **Add users to exclude** or ![Import icon.](../../media/m365-cc-sc-import-icon.png) **Import**.
+
+When you're finished, click **Next**.
+
+### Select courses
+
+On the **Select courses** page, click ![Add trainings icon.](../../media/m365-cc-sc-filter-icon.png) **Add trainings**.
+
+In the **Add Training** flyout that appears, select one or more Training modules to include in the Training campaign by clicking the blank area next to the module name, and then clicking **Add**.
+
+What you see and what you can do in the **Add Training** flyout is identical to what's available at **Training modules** on the **Content library** tab at <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>. For more information, see [Training modules for Training campaigns in Attack simulation training](attack-simulation-training-training-modules.md).
+
+After you've selected one or more Training modules, the following information is shown for each entry on the **Select courses** page:
+
+- **Training name**
+- **Source**
+- **Duration (mins)**
+- **Delete**: Use the ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete** icon to remove the entry from the list. Click **Confirm** in the confirmation dialog**.
+
+When you're finished, click **Next**.
+
+### Select end user notification
+
+On the **Select end user notification** page, select from the following notification options:
+
+- **Microsoft default notification (recommended)**: The following additional settings are available on the page:
+
+ - **Select default language**: The available values are: **Chinese (Simplified)**, **Chinese (Traditional)**, **English**, **French**, **German**, **Italian**, **Japanese**, **Korean**, **Portuguese**, **Russian**, **Spanish**, and **Dutch**.
+
+ - By default, the following notifications are included:
+ - **Microsoft default training only campaign-training assignment notification**
+ - **Microsoft default training only campaign-training reminder notification**
+
+ For each notification, the following information is available:
+
+ - **Notifications**: The name of the notification.
+ - **Language**: If the notification contains multiple translations, the first two languages are shown directly. To see the remaining languages, hover over the numeric icon (for example, **+10**).
+ - **Type**: **Training assignment notification** or **Training reminder notification**.
+ - **Delivery preferences**: For **Training reminder notification** types, the values **Twice a week** and **Weekly** are available.
+ - **Γï« Actions**: If you click the ![View icon.](../../media/m365-cc-sc-view-icon.png) **View** icon, the **Review notification** page appears with the following information:
+ - **Preview** tab: View the notification message as users will see it. To view the message in different languages, use the **Select notification language** box.
+ - **Details** tab: View details about the notification:
+ - **Notification description**
+ - **Source**: For built-in notifications, the value is **Global**.
+ - **Notification type**: **Training assignment notification** or **Training reminder notification** based on the notification you originally selected:
+ - **Modified by**
+ - **Last modified**
+
+ When you're finished, click **Close**.
+
+ You're taken to the **[Schedule](#schedule)** page when you click **Next**.
+
+- **Customized end user notifications**: When you click **Next**, you're taken to the **Training assignment notification** page as described in the next sections.
+
+#### Training assignment notification
+
+The **Training assignment notification** page is available only if you selected **Customized end user notifications** on the **[Select end user notification](#select-end-user-notification)** page.
+
+This page shows the following notifications and their configured languages:
+
+- **Microsoft default training assignment notification**
+- **Microsoft default training only campaign-training assignment notification**
+- Any custom training assignment notifications that you previously created where the **Type** value is **Training assignment notification**.
+
+ These notifications are also available in **End user notifications** on the **Content library** tab in Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>. The built-in notifications are available on the **Global notifications** tab. Custom training assignment notifications are available on the **Tenant notifications** tab. For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).
+
+You can select an existing training assignment notification or create a new notification to use:
+
+- To select an existing notification, select the check box next to the notification name. If you click on the notification name, the notification is selected and a preview flyout appears. To deselect the notification, clear the check box next to the notification.
+- To search for an existing notification on the page, use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to search for the name.
+
+ Select the notification that you want to use, and then click **Next**.
+
+- To create and use a new notification, click ![Create new icon.](../../media/m365-cc-sc-create-icon.png) **Create new**.
+
+- To edit an existing custom notification, select it and then click the ![Edit notification icon.](../../media/m365-cc-sc-edit-icon.png) **Edit notification** icon that appears.
+
+##### Training assignment notification wizard
+
+If you click ![Create new icon.](../../media/m365-cc-sc-create-icon.png) **Create new** on the **Training assignment notification** page or select a custom notification and then click ![Edit notification icon.](../../media/m365-cc-sc-edit-icon.png) **Edit notification**, a notification creation wizard opens.
+
+The creation steps are identical as described in [Create end-user notifications](attack-simulation-training-end-user-notifications.md#create-end-user-notifications).
+
+> [!NOTE]
+> On the **Define details** page, be sure to select the value **Training assignment notification** for **Select notification type**.
+
+When you're finished, you're taken back to the **Training assignment notification** page where the notification that you just created now appears in the list.
+
+Select the notification that you want to use, and then click **Next**.
+
+When you're finished, click **Next**.
+
+#### Training reminder notification
+
+The **Training reminder notification** page is available only if you selected **Customized end user notifications** on the **[Select end user notification](#select-end-user-notification)** page.
+
+- **Set frequency for reminder notification**: Select **Weekly** (default) or **Twice a week**.
+ - Reminder notifications will stop at the end of the campaign
+
+- **Select a reminder notification**: This section shows the following notifications and their configured languages:
+
+ - **Microsoft default training reminder notification**
+ - **Microsoft default training only campaign-training reminder notification**
+ - Any custom training reminder notifications that you previously created where the **Type** value is **Training reminder notification**.
+
+ These notifications are also available in **End user notifications** on the **Simulation content library** tab in Attack simulation training at <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>. The build-it notifications available on the **Global notifications** tab. Custom training reminder notifications are available on the **Tenant notifications** tab. For more information, see [End-user notifications for Attack simulation training](attack-simulation-training-end-user-notifications.md).
+
+ You can select an existing training reminder notification or create a new notification to use:
+
+- To select an existing notification, select the check box next to the notification name. If you click on the notification name, the notification is selected and a preview flyout appears. To deselect the notification, clear the check box next to the notification.
+- To search for an existing notification on the page, use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to search for the name.
+
+ Select the notification that you want to use, and then click **Next**.
+
+ - To create and use a new notification, click ![Create new icon.](../../media/m365-cc-sc-create-icon.png) **Create new**.
+
+ - To edit an existing custom notification, select it and then click the ![Edit notification icon.](../../media/m365-cc-sc-edit-icon.png) **Edit notification** icon that appears.
+
+##### Training reminder notification wizard
+
+If you click ![Create new icon.](../../media/m365-cc-sc-create-icon.png) **Create new** on the **Training reminder notification** page or select a custom notification and then click ![Edit notification icon.](../../media/m365-cc-sc-edit-icon.png) **Edit notification**, a notification creation wizard opens.
+
+The creation steps are identical as described in [Create end-user notifications](attack-simulation-training-end-user-notifications.md#create-end-user-notifications).
+
+> [!NOTE]
+> On the **Define details** page, be sure to select the value **Training reminder notification** for **Select notification type**.
+
+When you're finished, you're taken back to the **Training reminder notification** page where the notification that you just created now appears in the list.
+
+Select the notification that you want to use, and then click **Next**.
+
+### Schedule
+
+On the **Schedule** page, select the start date and end date for the Training campaign using one of the following values:
+
+- **launch this Training campaign as soon as I'm done**
+- **Schedule this Training campaign to be launched later**: If this option is selected, **Set the campaign launch date** and **Set launch time** boxes appear for you to configure.
+
+**Send training with an end date** is selected by default, so **Set the campaign end date** and **Set end time** boxes are available for you to configure. If you clear **Send training with an end date**, the boxes disappear.
+
+> [!NOTE]
+> If you clear the **Send training with an end date** box, no reminder notifications will be send to the targeted users outside of the initial assignment notice.
+
+When you're finished, click **Next**.
+
+## Review
+
+On the **Review** page, you can review the details of your Training campaign.
+
+You can select **Edit** in each section to modify the settings within the section. Or you can click **Back** or select the specific page in the wizard.
+
+When you're finished, click **Submit**.
+
+## View details and reports for Training campaigns
+
+To view the details and reports for a Training campaign, do the following steps:
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Training** tab. Or, to go directly to the **Training** tab, use <https://security.microsoft.com/attacksimulator?viewid=trainingcampaign>.
+
+2. On the **Training** tab, do one of the following steps:
+ - Select the Training campaign by selecting the check box next to it, and then click **Γï« (Actions)** \> ![View report icon.](../../media/m365-cc-sc-eye-icon.png) **View report**. You might need to scroll to the right to see **Γï« (Actions)**.
+ - In the list of Training campaigns, click anywhere in the row without selecting the check box (for example, on the **Name** value).
+
+3. A details page for the Training campaign opens with the following tabs:
+ - **Report**
+ - **Users**
+ - **Details**
+
+These tabs are described in the following sections.
+
+### Report tab
+
+The **Report** tab of the Training campaign shows the following information:
+
+- **Training completion** section:
+ - Each Training module that's included in the Training campaign is shown with a bar graph and a fraction that shows how many people have completed the module (number of users / total number of users).
+ - Using the previous data, the top of the section shows:
+ - The percentage of users who completed all modules in the campaign.
+ - The percentage of users who completed some of the modules in the campaign.
+ - The percentage of users who haven't started any of the modules in the campaign.
+
+- **All user activity** section:
+ - **Successfully received training notification**: A bar graph and a fraction that shows how main people received notifications for the modules in the campaign.
+
+### Users tab
+
+The **Users** tab shows the following information about the users who were assigned the Training campaign:
+
+- **Display name**
+- **Training status**: One of the following values:
+ - **Not started**: The user hasn't started any Training modules in the campaign.
+ - **In progress**: The user has completed some Training modules in the campaign.
+ - **Completed**: The user has completed all Training modules in the campaign.
+ - **Overdue**: The user hasn't completed all Training modules by the campaign end date/time.
+- **Training completion date**
+- **Mail**
+
+To add or remove the **Training date status** or **Department** columns, click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns**.
+
+To download the displayed results to a RecordExport.csv file in the local Downloads folder, click ![Export icon.](../../media/m365-cc-sc-download-icon.png) **Export**.
+
+If you select a user from the list, the following information appears in a details flyout:
+
+- **User details** section:
+ - **Company**
+ - **IP address**
+ - **Job title**
+ - **Department**
+ - **Location**
+ - **Manager**
+- Status information for Training modules in the Training campaign for the user:
+ - **Training name**: The training module name.
+ - **Training status**: **Not started**, **In progress**, **Completed**, **Training Already Completed**, **Training Previously Assigned**, **Overdue**, or **Not Completed**.
+ - **Training start date**
+ - **Training completed date**
+
+To see details about other users in the Training campaign without leaving the details flyout, use ![Previous item and Next item icons.](../../media/updownarrows.png) **Previous item** and **Next item**.
+
+### Details tab
+
+The **Details** tab of the Training campaign shows the following information:
+
+- **Description**
+- **Schedule details**: The launch date/time and the end date/time.
+- **Notifications**: Whether training assignment notifications and training reminder notifications are enabled, and their delivery frequency.
+- **Selected modules**: The Training modules in the Training campaign are listed, along with their durations.
+
+## Delete Training campaigns
+
+To delete an existing Training campaign, do the following steps:
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Training** tab. Or, to go directly to the **Training** tab, use <https://security.microsoft.com/attacksimulator?viewid=trainingcampaign>.
+
+2. On the **Training** tab, select the Training campaign by selecting the check box next to it, and then click **Γï« (Actions)** \> ![Delete icon.](../../media/m365-cc-sc-delete-icon.png) **Delete**. You might need to scroll to the right to see **Γï« (Actions)**.
+
+3. Click **Confirm** in the warning dialog that opens.
+
+## Set the training threshold time period
+
+The training threshold time period is the number of days for which a training module will not be re-assigned to a user who meets either of the following criteria:
+
+- They've already completed the same training module during the threshold time period.
+- They're actively assigned the same training module during the threshold time period.
+
+The training threshold starts from the time of user training module assignment.
+
+We recommend the number of days for the training threshold assignment to be greater than the number of days that a user would have to complete a training module assignment.
+
+In the training campaign user report, a user may have the following **Status** values:
+
+- **Completed**: The user has already completed their training module.
+- **In Progress**: The user has started their training module.
+- **Not Started**: The user hasn't started their training module.
+- **Training Already Completed**: The user was previously assigned and completed the training module within the training threshold time period.
+- **Training Previously Assigned**: The user currently has been assigned the training module within the training threshold time period, but hasn't completed the training. The user can still complete the training module to move it to a **Completed** state.
+- **Overdue**: The user hasn't completed the training before the assigned module due date and has not been reassigned the same training module within the training threshold period.
+- **Not Completed**: The user hasn't completed the training module within the assigned module due date and/ or is outside the training threshold period and is eligible for the same training module reassignment.
+
+To set the training threshold, do the following steps:
+
+1. In the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Settings** tab. Or, to go directly to the **Settings** tab, use <https://security.microsoft.com/attacksimulator?viewid=setting>.
+
+2. Set the value in days for the training threshold time period. The default value is 90 days. To remove training threshold and always assign training, set value to 0.
+
+3. When you're finished, click **Save**.
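Review bot: Two list items close a bold span that was never opened: `Click **Confirm** in the confirmation dialog**.` appears under both the **Target users** and the **Select courses** **Delete** column items; drop the trailing `**`. Smaller fixes in the same region: "The build-it notifications available on the **Global notifications** tab" (Training reminder notification) should read "The built-in notifications are available on the **Global notifications** tab"; "no reminder notifications will be send" in the Schedule note should be "sent"; "how main people received notifications" in the Report tab should be "how many people"; the Schedule option "**launch this Training campaign as soon as I'm done**" starts lowercase unlike its sibling option; the Training assignment notification wizard section repeats "When you're finished, click **Next**." right after "Select the notification that you want to use, and then click **Next**.", so one of the two should go; the **Create new** / **Edit notification** bullets under Training reminder notification are indented one level deeper than the identical bullets under Training assignment notification; "and/ or" in the **Not Completed** status should be "and/or". The **Γï« Actions** entries render here as mojibake for the vertical ellipsis glyph (⋮), so confirm the source file is saved as UTF-8.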
security Attack Simulation Training Training Modules https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/attack-simulation-training-training-modules.md
+
+ Title: Training modules for Training campaigns in Attack simulation training
+++
+audience: ITPro
++
+ms.localizationpriority: medium
+
+ - m365-security
+ - m365initiative-defender-office365
+description: Admins can learn about the Training modules that are available to use in Training campaigns in Attack simulation training in Microsoft Defender for Office 365 Plan 2.
+
+search.appverid: met150
++
+# Training modules for Training campaigns in Attack simulation training
++
+**Applies to**
+ [Microsoft Defender for Office 365 plan 2](defender-for-office-365.md)
+
+> [!NOTE]
+> This article describes features that are in Public Preview, aren't available in all organizations, and are subject to change.
+
+In Attack simulation training in Microsoft Defender for Office 365 Plan 2, you select one or more Training modules to include in Training campaigns that you create and assign to users. For more information about Training campaigns, see [Training campaigns in Attack simulation training](attack-simulation-training-training-campaigns.md).
+
+To see the available Training modules, open the Microsoft 365 Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Attack simulation training** \> **Content library** tab \> and then select **Training modules**. To go directly to the **Content library** tab where you can select **Training modules**, use <https://security.microsoft.com/attacksimulator?viewid=simulationcontentlibrary>.
+
+**Training modules** shows the following information for each module:
+
+- **Training name**
+- **Languages**: The available values are: **Arabic**, **Chinese(Simplified)**, **Chinese(Traditional, Hong Kong), **Chinese(Traditional, Taiwan), **Czech**, **Danish**, **Dutch**, **English**, **English**, **Finnish**, **French**, **French**, **German**, **Hebrew**, **Hindi**, **Hungarian**, **Indonesian**, **Italian**, **Japanese**, **Korean**, **Malay**, **NorwegianBokmål**, **Persian**, **Polish**, **Portuguese**, **Portuguese**, **Russian**, **Slovakian**, **Spanish**, **Swedish**, **Thai**, **Turkish**, **Ukrainian**, **Vietnamese**
+
+- **Tags**: Training modules are organized into one or more of the following categories:
+ - **AttachmentMalware**
+ - **Basic**
+ - **Compliance**
+ - **Compromised**
+ - **CredentialHarvesting**
+ - **DriveByURL**
+ - **LinkInAttachment**
+ - **LinkToMalwareFile**
+ - **OAuthConsentGrant**
+ - **Phishing**
+- **Source**: All built-in modules have the value **Global**.
+- **Duration (mins)**
+- **Last assigned date**
+- **# times used**
+- **Completion rate**
+- **Preview**: Click the **Preview** button in this column to watch the training.
+
+To find a Training module in the list, use the ![Search icon.](../../media/m365-cc-sc-search-icon.png) **Search** box to find the name of the module.
+
+Click ![Filter icon.](../../media/m365-cc-sc-filter-icon.png) **Filter** to filter the information on the page. The following filters are available in the flyout that opens:
+
+- **Source**
+- **Language**
+- **Tags**: Filter the results by the previously described **Tags** values.
+
+When you're finished configuring the filters, click **Apply**, **Cancel**, or ![Clear filters icon](../../media/m365-cc-sc-clear-filters-icon.png) **Clear filters**.
+
+To remove one or more columns that are displayed, click ![Customize columns icon.](../../media/m365-cc-sc-customize-icon.png) **Customize columns**.
+
+When you select a Training module from the list, a details flyout appears with the following information:
+
+- **Description**
+- **Source**
+- **Languages**
+- **Duration**
+- **Preview**: Click this button to watch the training.
+
+- **Active Training campaigns and simulations**: This section shows the following information about active Training campaigns that are using the selected module:
+ - **Name**
+ - **Type**
+ - **Status**
+ - **End by**
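Review bot: The **Languages** list is malformed markdown: `**Chinese(Traditional, Hong Kong), **Chinese(Traditional, Taiwan), **Czech**` leaves both Chinese (Traditional) entries without a closing `**`, so the bold span bleeds across the rest of the line. The same list repeats **English**, **French** and **Portuguese** once each with no qualifier, which reads as a copy error (if these are regional variants, name them as the Chinese entries do); **NorwegianBokmål** needs a space; and the line lacks the final period the other items have. Separately, the front matter as rendered here is truncated (bare `+` / `++` lines and an indented `- m365-security` with no key above it), so the YAML header should be checked against the sibling Training campaigns article before merge.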
security Monitor For Leaks Of Personal Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/monitor-for-leaks-of-personal-data.md
- Title: Monitor for leaks of personal data
- - NOCSH
--- Previously updated : 02/07/2018--
- - Strat_O365_Enterprise
- - Ent_O365
- - GDPR
- - m365-security
-
- - MET150
-description: Learn about three tools you can use to monitor for leaks of personal data.
---
-# Monitor for leaks of personal data
-
-There are many tools that can be used to monitor the use and transport of personal data. This topic describes three tools that work well.
--
-In the illustration:
--- Start with Microsoft Purview data loss prevention reports for monitoring personal data in SharePoint Online, OneDrive for Business, and email in transit. These reports provide the greatest level of detail for monitoring personal data. However, these reports don't include all services in Office 365.--- Next, use alert policies and the audit log to monitor activity across services. Set up ongoing monitoring or search the audit log to investigate an incident. The audit log works across servicesΓÇöSway, Power BI, eDiscovery, Dynamics 365, Power Automate, Microsoft Teams, Admin activity, OneDrive for Business, SharePoint Online, mail in transit, and mailboxes at rest. Skype conversations are included in mailboxes at rest.--- Finally, Use Microsoft Defender for Cloud Apps to monitor files with sensitive data in other SaaS providers. Coming soon is the ability to use sensitive information types and unified labels across Azure Information Protection and Office with Defender for Cloud Apps. You can set up policies that apply to all of your SaaS apps or specific apps (like Box). Defender for Cloud Apps doesn't discover files in Exchange Online, including files attached to email.-
-## Data loss prevention reports
-
-After you create your data loss prevention (DLP) policies, you'll want to verify that they're working as you intended and helping you to stay compliant. With the DLP reports in Office 365, you can quickly view the number of DLP policy matches, overrides, or false positives; see whether they're trending up or down over time; filter the report in different ways; and view more details by selecting a point on a line on the graph.
-
-You can use the DLP reports to:
--- Focus on specific time periods and understand the reasons for spikes and trends.-- Discover business processes that violate your organization's DLP policies.-- Understand any business impact of the DLP policies.-- View the justifications submitted by users when they resolve a policy tip by overriding the policy or reporting a false positive.-- Verify compliance with a specific DLP policy by showing any matches for that policy.-- View a list of files with sensitive data that matches your DLP policies in the details pane.-
-In addition, you can use the DLP reports to fine-tune your DLP policies as you run them in test mode.
-
-DLP reports are in the Microsoft Purview compliance portal. Go to **Reports** \> **Organizational data** section to find the **DLP policy matches**, **DLP incidents**, and **DLP false positives and overrides** reports.
-
-For more information, see [View the reports for data loss prevention](../../compliance/view-the-dlp-reports.md).
--
-## Audit log and alert policies
-
-The audit log contains events from Exchange Online, SharePoint Online, OneDrive for Business, Azure Active Directory, Microsoft Teams, Power BI, Sway, and other services.
-
-The Microsoft 365 Defender portal and the Microsoft Purview compliance portal provide two ways to monitor and report against the audit log:
--- Set up alert policies, view alerts, and monitor trendsΓÇöUse the alert policy and alert dashboard tools in either the Microsoft 365 Defender portal or the Microsoft Purview compliance portal.-- Search the audit log directly: Search for all events in a specified date rage. Or you can filter the results based on specific criteria, such as the user who performed the action, the action, or the target object.-
-Information compliance and security teams can use these tools to proactively review activities performed by both end users and administrators across services. Automatic alerts can be configured to send email notifications when certain activities occur on specific site collections - for example when content is shared from sites known to contain GDPR-related information. This allows those teams to follow up with users to ensure that corporate security policies are followed, or to provide additional training.
-
-Information security teams can also search the audit log to investigate suspected data breaches and determine both root cause and the extent of the breach. This built-in capability facilitates compliance with article 33 and 34 of the GDPR, which require notifications be provided to the GDPR supervisory authority and to the data subjects themselves of a data breach within a specific time period. Audit log entries are only retained for 90 days within the service - it is often recommended and many organizations required that these logs be retained for longer periods of time.
-
-Solutions are available that subscribe to the Unified Audit Logs through the Microsoft Management Activity API and can both store log entries as needed, and provide advanced dashboards and alerts. One example is [Microsoft Operations Management Suite (OMS)](/azure/operations-management-suite/oms-solution-office-365).
-
-More information about alert policies and searching the audit log:
--- [Alert policies in Microsoft 365](../../compliance/alert-policies.md)-- [Search the audit log for user and admin activity in Office 365](../../compliance/search-the-audit-log-in-security-and-compliance.md) (introduction)-- [Turn audit log search on or off](../../compliance/turn-audit-log-search-on-or-off.md)-- [Search the audit log](../../compliance/search-the-audit-log-in-security-and-compliance.md)-- [Search-UnifiedAuditLog](/powershell/module/exchange/search-unifiedauditlog) (cmdlet)-- [Detailed properties in the audit log](../../compliance/audit-log-detailed-properties.md)-
-## Microsoft Defender for Cloud Apps
-
-Microsoft Defender for Cloud Apps helps you discover other SaaS apps in use across your networks and sensitive data sent to and from these apps.
-
-Microsoft Defender for Cloud Apps is a comprehensive service providing deep visibility, granular controls, and enhanced threat protection for your cloud apps. It identifies more than 15,000 cloud applications in your network-from all devices-and provides risk scoring and ongoing risk assessment and analytics. No agents required: information is collected from your firewalls and proxies to give you complete visibility and context for cloud usage and shadow IT.
-
-To better understand your cloud environment, the Defender for Cloud Apps investigate feature provides deep visibility into all activities, files, and accounts for sanctioned and managed apps. You can gain detailed information on a file level and discover where data travels in the cloud apps.
-
-For examples, the following illustration demonstrates two Defender for Cloud Apps policies that can help with GDPR.
--
-The first policy alerts when files with a predefined PII attribute or custom expression that you choose is shared outside the organization from the SaaS apps that you choose.
-
-The second policy blocks downloads of files to any unmanaged device. You choose the attributes within the files to look for and the SaaS apps you want the policy to apply to.
-
-These attribute types are coming soon to Defender for Cloud Apps:
--- Sensitive information types-- Unified labels across Microsoft 365 and Azure Information Protection-
-### Defender for Cloud Apps dashboard
-
-If you haven't yet started to use Defender for Cloud Apps, begin by starting it up. To access Defender for Cloud Apps: <https://portal.cloudappsecurity.com>.
-
-> [!NOTE]
-> Be sure to enable 'Automatically scan files for Azure Information Protection classification labels' (in General settings) when getting started with Defender for Cloud Apps or before you assign labels. After setup, Defender for Cloud Apps does not scan existing files again until they are modified.
--
-More information:
--- [Deploy Defender for Cloud Apps](/cloud-app-security/getting-started-with-cloud-app-security)-- [More information about Microsoft Defender for Cloud Apps](https://www.microsoft.com/cloud-platform/cloud-app-security)-- [Block downloads of sensitive information using the Microsoft Defender for Cloud Apps proxy](/cloud-app-security/use-case-proxy-block-session-aad)-
-## Example file and activity policies to detect sharing of personal data
-
-### Detect sharing of files containing PII ΓÇö Credit card number
-
-Alert when a file containing a credit card number is shared from an approved cloud app.
-
-|Control|Settings|
-|||
-|Policy type|File policy|
-|Policy template|No template|
-|Policy severity|High|
-|Category|DLP|
-|Filter settings|Access level = Public (Internet), Public, External <p> App = \<select apps\> (use this setting if you want to limit monitoring to specific SaaS apps)|
-|Apply to|All files, all owners|
-|Content inspection|Includes files that match a present expression: All countries: Finance: Credit card number <p> Don't require relevant context: unchecked (this setting will match keywords as well as regex) <p> Includes files with at least 1 match <p> Unmask the last 4 characters of the violation: checked|
-|Alerts|Create an alert for each matching file: checked <p> Daily alert limit: 1000 <p> Select an alert as email: checked <p> To: infosec@contoso.com|
-|Governance|Microsoft OneDrive for Business <p> Make private: check Remove External Users <p> All other settings: unchecked <p> Microsoft SharePoint Online <p> Make private: check Remove External Users <p> All other settings: unchecked|
-
-Similar policies:
--- Detect sharing of Files containing PII - Email Address-- Detect sharing of Files containing PII - Passport Number-
-### Detect Customer or HR Data in Box or OneDrive for Business
-
-Alert when a file labeled as Customer Data or HR Data is uploaded to OneDrive for Business or Box.
-
-Notes:
--- Box monitoring requires a connector be configured using the API Connector SDK.-- This policy requires capabilities that are currently in private preview.-
-|Control|Settings|
-|||
-|Policy type|Activity policy|
-|Policy template|No template|
-|Policy severity|High|
-|Category|Sharing Control|
-|Act on|Single activity|
-|Filter settings|Activity type = Upload File <p> App = Microsoft OneDrive for Business and Box <p> Classification Label (currently in private preview): Azure Information Protection = Customer Data, Human ResourcesΓÇöSalary Data, Human ResourcesΓÇöEmployee Data|
-|Alerts|Create an alert: checked <p> Daily alert limit: 1000 <p> Select an alert as email: checked <p> To: infosec@contoso.com|
-|Governance|All apps <p> Put user in quarantine: check <p> All other settings: unchecked <p> Office 365 <p> Put user in quarantine: check <p> All other settings: unchecked|
-
-Similar policies:
--- Detect large downloads of Customer data or HR DataΓÇöAlert when a large number of files containing customer data or HR data have been detected being downloaded by a single user within a short period of time.-- Detect Sharing of Customer and HR DataΓÇöAlert when files containing Customer or HR Data are shared.
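Review bot: No replacement or redirect for this article is visible in the change, yet the removed page is the only place that documents the two worked Defender for Cloud Apps policies (Detect sharing of files containing PII, and Detect Customer or HR Data in Box or OneDrive for Business, with their filter, alert and governance settings); confirm a redirect is registered and that those example policies survive elsewhere. The removal itself looks justified on the page's own evidence: it was last updated 02/07/2018 and still points readers to Operations Management Suite and the old portal.cloudappsecurity.com URL, and it lists "coming soon" features (sensitive information types, unified labels) as if not yet available.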