Updates from: 02/19/2022 02:15:36
Category Microsoft Docs article Related commit history on GitHub Change details
compliance Classifier Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/classifier-learn-about.md
Microsoft 365 comes with multiple pre-trained classifiers:
> We are deprecating the **Offensive Language** pre-trained classifier because it has been producing a high number of false positives. Don't use it and if you are currently using it, you should move your business processes off of it. We recommend using the **Threat**, **Profanity**, and **Harassment** pre-trained classifiers instead. - **Resumes**: detects docx, .pdf, .rtf, .txt items that are textual accounts of an applicant's personal, educational, professional qualifications, work experience, and other personally identifying information-- **Source Code**: detects items that contain a set of instructions and statements written in the top 25 used computer programming languages on GitHub: ActionScript, C, C#, C++, Clojure, CoffeeScript, Go, Haskell, Java, JavaScript, Lua, MATLAB, Objective-C, Perl, PHP, Python, R, Ruby, Scala, Shell, Swift, TeX, Vim Script.
+- **Source Code**: detects items that contain a set of instructions and statements written in the top 25 used computer programming languages on GitHub: ActionScript, C, C#, C++, Clojure, CoffeeScript, Go, Haskell, Java, JavaScript, Lua, MATLAB, Objective-C, Perl, PHP, Python, R, Ruby, Scala, Shell, Swift, TeX, Vim Script. Detects content in .msg, .as, .h, .c, .cs, .cc, .cpp, .hpp, .cxx, .hh, .c++, .clj, .edn, .cljc, .cljs, .coffee, .litcoffee, .go, .hs, .lhs, .java, .jar, .js, .mjs, .lua, .m, .mm, .pl, .pm, .t, .xs, .pod, .php, .phar, .php4, .pyc, .R, .r, .rda, .RData, .rds, .rb, .scala, .sc, .sh, .swift files.
> [!NOTE] > Source Code is trained to detect when the bulk of the text is source code. It does not detect source code text that is interspersed with plain text.
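Review bot: The extension list added to the **Source Code** bullet has `.pyc` as its only Python entry (no `.py`) and has no entries at all for TeX or Vim Script, although both appear in the language list on the same line. It also includes binary or packaged formats (`.jar`, `.pyc`, `.phar`, `.rda`, `.RData`, `.rds`), which sits oddly next to the note just below saying the classifier detects items where the bulk of the text is source code. Suggest checking the list against what the classifier actually scans, and fixing the count while here: the sentence says "top 25" languages but names 23.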
compliance Collection Statistics Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/collection-statistics-reports.md
This section of the **Summary** tab contains statistics and other information ab
- **Parent items**. The number of items returned by the collection that was used to collect the items that were added to the review set. This number corresponds to (and is equal to) the estimated number of items that is displayed in the **Collection parameters** section. The number of parent items he collection information that was used to collect the items that were added to the review set.
- A parent item might contain multiple child items. For example, an email message is a parent item if it contains an attached file or has a cloud attachment. In this case, the attached file or the target of the cloud attachment are considered child items. When you commit a collection, parent items and any corresponding child items are added to the review set as individual items or files.
+ A parent item might contain multiple child items. For example, an email message is a parent item if it contains an attached file or has a cloud attachment. In this case, the attached file or the target file of the cloud attachment is considered a child item. When you commit a collection, parent items and any corresponding child items (like attached files and cloud attachments) are added to the review set as individual items or files.
-- **Child items**. The number of child items added to the review set. Child items are attachments or other parts of a parent item. Child items include attached files, cloud attachments, images, and email signatures. When you commit a collection to a review set, child items are extracted, indexed, and added to the review set as individual files.
+- **Child items**. The number of child items added to the review set. Only child items that are file attachments and cloud attachments are added to the review set as individual files. Other types of child items, such as email signatures and images. are extracted from a parent item and then processed by Optical Character Recognition (OCR) to extract any text from the child item. Text extracted from these types of child items is then added to its parent item so you can view it in the review set. By not adding child items to the review set as a separate file, Advanced eDiscovery helps streamline the review process by limiting the number of potentially immaterial items in the review set.
- **Unique items**. The number of unique items added to the review set. Unique items are unique to the review set. All items are unique when the first collection is added to a new review set because there were no previous items in the review set. -- **Identified duplicate items**. The number of items from the collection that were not added to the review set because the same item already exists in the review set. Statistics about duplicate items can help explain the differences between the number of estimated items from a draft collection and the actual number of items added to the review set.
+- **Identified duplicate items**. The number of items from the collection that weren't added to the review set because the same item already exists in the review set. Statistics about duplicate items can help explain the differences between the number of estimated items from a draft collection and the actual number of items added to the review set.
### Indexing The **Indexing** section on the **Summary** tab of a committed review set contains indexing information about the items added to the review set.
-**New indexed items**. The number of items that were newly indexed before they were added to the review set. An example of a newly indexed item are child items that are extracted from a parent item then indexed before they're added to the review set. Also, items that aren't located in custodial data sources and non-custodial content locations listed on the **Data sources** tab in the case are indexed before they're added to the review. For example, newly indexed items would include items collected from additional locations.
+**New indexed items**. The number of items that were newly indexed before they were added to the review set. Examples of a newly indexed item are child items extracted from a parent item and then indexed before they're added to the review set. Also, items that aren't located in custodial data sources and non-custodial content locations listed on the **Data sources** tab in the case are indexed before they're added to the review. For example, newly indexed items would include items collected from additional locations.
**Updated indexed items**. The number of partially indexed items that were successfully indexed and added to the review set. This statistic indicates the partially indexed items from custodial and non-custodial content locations **Data sources** tab that were successfully indexed when the collection was committed to the review set.
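Review bot: In the added **Child items** bullet, "such as email signatures and images. are extracted" has a period where a comma belongs, which breaks the sentence in two. The reworded **New indexed items** paragraph also still gives "child items extracted from a parent item and then indexed before they're added to the review set" as its example without the new restriction to file attachments and cloud attachments; suggest qualifying it so the two paragraphs agree.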
The statistics displayed on the **Search statistics** tab are the same statistic
When you run a draft collection, an estimate of the number of items (and their total size) that meet the collection criteria is displayed on the **Summary** tab and in **Collection estimates** section of the **Search statistics** tab. After you commit a draft collection to a review set, the actual number of items (and their total size) added the review set are often different from the estimates. In most cases, more items are added to the review set than were estimated from the draft collection. The following list describes the most common reasons for these differences and tips for identifying them: -- **Child items**. Child items that are extracted from their parent items and added as individual files. The number of child items may significantly increase the number of items that are actually added to the review set. In general, the number of parent items identified in the **Collection contents** section on the **Summary** tab of a committed collection should be equal to the number of estimated items from the draft collection.
+- **Child items**. Child items (such as files attachments and cloud attachments) that are extracted from their parent items and added as individual files. The number of child items may increase the number of items that are actually added to the review set. In general, the number of parent items identified in the **Collection contents** section on the **Summary** tab of a committed collection should be equal to the number of estimated items from the draft collection.
- **Duplicate items**. Items from the draft collection that have already been added to the review set in a previous collection won't be added. As previously explained, the number of duplicate items in the collection is displayed in the **Collection contents** section on the **Summary** tab. -- **Collection configuration options**. When you commit a draft collection to a review set, you have to option to include conversation threads, cloud attachments, and document versions. Any of these items that are added to the review set aren't included in the estimates of the draft collection. They are identified and collected only when you commit the collection. Selecting these options will most likely increase the number of items added to the review set.
+- **Collection configuration options**. When you commit a draft collection to a review set, you have to option to include conversation threads, cloud attachments, and document versions. Any of these items that are added to the review set aren't included in the estimates of the draft collection. They're identified and collected only when you commit the collection. Selecting these options will most likely increase the number of items added to the review set.
- For example, multiple versions of SharePoint documents aren't included in the estimate for the draft collection. But if you select the option to include all document versions when you export the search results, which will increase the actual number (and total size) of items added to the review set.
+ For example, multiple versions of SharePoint documents aren't included in the estimate for the draft collection. But if you select the option to include all document versions when you commit a draft collection, the actual number (and total size) of items added to the review set will increase.
For more information about these options, see [Commit a draft collection to a review set](commit-draft-collection.md#commit-a-draft-collection-to-a-review-set-in-advanced-ediscovery).
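Review bot: The added **Child items** bullet reads "such as files attachments"; it should be "file attachments". The re-added **Collection configuration options** bullet changes only "They are" to "They're" and keeps "you have to option to include", which should be "you have the option to include"; worth fixing in the same pass.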
compliance Collections Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/collections-overview.md
To get started using collections in Advanced eDiscovery, here's a basic workflow
3. **Revise and rerun a draft collection**. Based on the estimates and statistics returned by the collection, you can edit the draft collection by changing the data sources that are searched and the search query to expand or narrow the collection. You can update and rerun the draft collection until you're confident that collection contains the content that's most relevant to your case.
-4. **Commit a draft collection to a review set**. When you're satisfied that the collection returns the type content that is relevant to the case, you can commit the collection to the review set. When you commit a collection, you have the option to add conversation threads, cloud attachments, and document versions to the review set, all of which might be relevant to the case. The following things happen when you commit a collection:
+4. **Commit a draft collection to a review set**. When you're satisfied that the collection returns the type content that is relevant to the case, you can commit the collection to the review set. When you commit a collection, you have the option to add conversation threads, cloud attachments, and document versions to the review set, all of which might be relevant to the case.
- - Child items (such as email attachments, email signatures, and images) are extracted from a parent item (such as an email message, chat message, or document), indexed (in a process called *deep indexing*), and added to the review set as separate files.
-
- - Deep indexing is performed on items collected from additional data sources. These types of data sources are content locations other than the custodial and non-custodial data sources previously added to the case.
+ When you commit a collection, child items such as email signatures and images are extracted from a parent item (such as an email message, chat message, or document) and then processed by Optical Character Recognition (OCR) to extract any text from the child item. Text extracted from child items is then added to its parent item so you can view it in the review set. By not adding child items to the review set as a separate file, Advanced eDiscovery helps limit the number of potentially immaterial items added to the review set. For more information about how child items are handled, see [Collection statistics and reports](collection-statistics-reports.md#collection-contents).
For more information, see [Commit a draft collection to a review set](commit-draft-collection.md).
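Review bot: The replacement paragraph in step 4 names only email signatures and images and then says "By not adding child items to the review set as a separate file", so a reader can conclude that no child items become separate files. The removed bullet listed email attachments among the extracted child items, and the collection-statistics-reports.md change in this same update says "Only child items that are file attachments and cloud attachments are added to the review set as individual files". Suggest stating that here as well rather than relying on the link. The removed bullet about deep indexing of items from additional data sources also has no replacement in this step; confirm that the omission is intended.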
compliance Commit Draft Collection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/commit-draft-collection.md
When you're satisfied with the items you've collected in a draft collection and
3. Configure the additional collection settings:
- - **Teams and Yammer messages**: Select this option to add conversation threads to the collection that include the chat items returned by the search query in the collection. This means that the chat conversation that contains items that match the search criteria is reconstructed. This lets you review chat items in the context of the back and forth conversation. For more information, see [Conversation threading in Advanced eDiscovery](conversation-review-sets.md).
+ ![Configure additional collection settings.](../media/AeDAdditionalCollectionSettings.png).
- - **Cloud attachments**: Select this option to include modern attachments or linked files when the collection results are added to the review set. This means that the target file of a modern attachment or linked file is added to the review set.
+ a. **Teams and Yammer messages**: Select this option to add conversation threads to the collection that include the chat items returned by the search query in the collection. This means that the chat conversation that contains items that match the search criteria is reconstructed. This lets you review chat items in the context of the back and forth conversation. For more information, see [Conversation threading in Advanced eDiscovery](conversation-review-sets.md).
- - **SharePoint versions**: Select this option to enable the collection of all versions of a SharePoint document per the version limits and search parameters of the collection. Selecting this option will significantly increase the size of items that are added to the review set.
+ b. **Cloud attachments**: Select this option to include modern attachments or linked files when the collection results are added to the review set. This means the target file of a modern attachment or linked file is added to the review set.
+
+ > [!NOTE]
+ > The two options to collect contextual Teams and Yammer messages and cloud attachments are selected by default (and grayed out) for cases that were created using the new case format. For more information, see [Use the new case format](advanced-ediscovery-new-case-format.md).
+
+ c. **Partially indexed items**: Select this option to add partially indexed items from additional data sources to the review set. If the collection searched additional data sources (as specified on the **Additional locations** page in the collections wizard), there may be partially indexed items from these locations that you want to add to the review set. Custodial and non-custodial data sources typically don't have partially indexed items. That's because the Advanced indexing process reindexes items when custodial and non-custodial data sources are added to a case. Also, Adding partially indexed items will increase the number of items added to the review set. <p> After partially indexed items are added to the review set, you can apply a filter to specifically view these items. For more information, see [Filter partially indexed items](review-set-search.md#filter-partially-indexed-items)
+
+ d. **SharePoint versions**: Select this option to enable the collection of all versions of a SharePoint document per the version limits and search parameters of the collection. Selecting this option will significantly increase the size of items that are added to the review set. After document versions are added to the review set,
4. Configure the settings to define the scale of the collection to add to the review set:
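Review bot: Option d ends mid-sentence in the added line: "After document versions are added to the review set," has no continuation, so either finish the sentence or drop the fragment. In option c, "Also, Adding partially indexed items" needs a lowercase "adding", the raw `<p>` tag should be a normal paragraph break inside the list item, and the final link sentence is missing its period. The added image line also has a stray "." after the closing parenthesis.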
When you commit a draft collection to a review set, the following things happen:
- All items in the search results are copied from the original data source in the live service, and copied to a secure Azure Storage location in the Microsoft cloud. -- All items (including the content and metadata) that aren't located in custodian or non-custodian data sources are reindexed (in a process called *deep indexing*) so that all data in the review set is fully searchable during the review of the case data. Reindexing the content in a collection results in thorough and fast searches when you search or filter the content in the review set during the case investigation.- - Encrypted SharePoint and OneDrive documents and encrypted files attached email messages that's returned in the search results are decrypted when you commit the collection to a review set. You can review and query the decrypted files in the review set. For more information, see [Decryption in Microsoft 365 eDiscovery tools](ediscovery-decryption.md). - Optical character recognition (OCR) functionality extracts text from images, and includes the image text with the content that's added to a review set. For more information, see the [Optical character recognition](#optical-character-recognition) section in this article.
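Review bot: With the deep indexing bullet removed, this list no longer says what happens at commit to items that aren't located in custodian or non-custodian data sources, while the new **Partially indexed items** option earlier in this file says those locations can hold partially indexed items. Suggest a short bullet here that points to that option so the two sections stay connected. The unchanged decryption bullet also reads "encrypted files attached email messages that's returned"; "attached to email messages that are returned" would fix it while the list is being edited.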
compliance Create A Custom Sensitive Information Type In Scc Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-custom-sensitive-information-type-in-scc-powershell.md
audience: Admin
-ms.article: article
+ ms.localizationpriority: medium
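Review bot: The added `ms.localizationpriority: medium` line is shown with a leading space that the neighbouring `audience: Admin` key doesn't have. In YAML front matter that indentation changes how the key parses, so it should start at column 0 unless the space is only an artifact of this view. The removed `ms.article: article` key has no like-for-like replacement in this hunk; confirm that dropping it is intended.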
Sensitive information types can also use built-in functions to identify corrobor
For example, an employee ID badge has a hire date on it, so this custom entity can use the built-in `Func_us_date` function to identify a date in the format that's commonly used in the US.
-For more information, see [What the DLP functions look for](what-the-dlp-functions-look-for.md).
+For more information, see [Sensitive information type functions](sit-functions.md).
![XML markup showing Match element referencing built-in function.](../media/dac6eae3-9c52-4537-b984-f9f127cc9c33.png)
In addition to confidenceLevel for each Pattern, the Entity has a recommendedCon
## Do you want to support other languages in the UI of the Compliance center? [LocalizedStrings element]
-If your compliance team uses the Microsoft 365 Compliance center to create polices policies in different locales and in different languages, you can provide localized versions of the name and description of your custom sensitive information type. When your compliance team uses Microsoft 365 in a language that you support, they'll see the localized name in the UI.
+If your compliance team uses the Microsoft 365 Compliance center to create policies in different locales and in different languages, you can provide localized versions of the name and description of your custom sensitive information type. When your compliance team uses Microsoft 365 in a language that you support, they'll see the localized name in the UI.
![Instance count and match accuracy configuration.](../media/11d0b51e-7c3f-4cc6-96d8-b29bcdae1aeb.png)
You can copy this markup, save it as an XSD file, and use it to validate your ru
- [Learn about data loss prevention](dlp-learn-about-dlp.md) - [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)-- [What the DLP functions look for](what-the-dlp-functions-look-for.md)
+- [Sensitive information type functions](sit-functions.md)
compliance Create A Custom Sensitive Information Type https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/create-a-custom-sensitive-information-type.md
Title: "Get started with custom sensitive information types"
+ Title: "Create a custom sensitive information types"
f1.keywords: - NOCSH
search.appverid: - MOE150 - MET150
-description: "Learn how to create, modify, remove, and test custom sensitive information types for DLP in the Security & Compliance Center."
+description: "Learn how to create, modify, remove, and test custom sensitive information types in the Compliance Center."
-# Get started with custom sensitive information types
+# Create custom sensitive information types in the Compliance center
If the pre-configured sensitive information types don't meet your needs, you can create your own custom sensitive information types that you fully define or you can copy one of the pre-configured ones and modify it.
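Review bot: The new front-matter title "Create a custom sensitive information types" mixes a singular article with a plural noun and doesn't match the new H1, "Create custom sensitive information types in the Compliance center". Suggest using one wording for both. The description line writes "Compliance Center" while the H1 writes "Compliance center"; pick one capitalization. The added title line is also shown indented by one space, which matters in front matter if it is not just a rendering artifact.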
There are two ways to create a new sensitive information type:
- [regular expressions](https://www.boost.org/doc/libs/1_68_0/libs/regex/doc/html/) - Microsoft 365 sensitive information types uses the Boost.RegEx 5.1.3 engine - keyword lists - you can create your own as you define your sensitive information type or choose from existing keyword lists - [keyword dictionary](create-a-keyword-dictionary.md)
- - [functions](what-the-dlp-functions-look-for.md)
+ - [Sensitive information type functions](sit-functions.md)
- [confidence levels](sensitive-information-type-learn-about.md#more-on-confidence-levels) - You must have Global admin or Compliance admin permissions to create, test, and deploy a custom sensitive information type through the UI. See [About admin roles](/office365/admin/add-users/about-admin-roles) in Office 365.
Use this procedure to create a new sensitive information type that you fully def
4. Choose the default confidence level for the pattern. The values are **Low confidence**, **Medium confidence**, and **High confidence**.
-5. Choose and define **Primary element**. The primary element can be a **Regular expression** with an optional validator, a **Keyword list**, a **Keyword dictionary**, or one of the pre-configured **Functions**. For more information on DLP functions, see [What the DLP functions look for](what-the-dlp-functions-look-for.md). For more information on the date and the checksum validators, see [More information on regular expression validators](#more-information-on-regular-expression-validators).
+5. Choose and define **Primary element**. The primary element can be a **Regular expression** with an optional validator, a **Keyword list**, a **Keyword dictionary**, or one of the pre-configured **Functions**. For more information on DLP functions, see [Sensitive information type functions](sit-functions.md). For more information on the date and the checksum validators, see [Sensitive Information Type regular expression validators](sit-regex-validators-additional-checks.md#sensitive-information-type-regular-expression-validators).
6. Fill in a value for **Character proximity**. 7. (Optional) Add supporting elements if you have any. Supporting elements can be a regular expression with an optional validator, a keyword list, a keyword dictionary or one of the pre-defined functions. Supporting elements can have their own **Character proximity** configuration.
-8. (Optional) Add any [**additional checks**](#more-information-on-additional-checks) from the list of available checks.
+8. (Optional) Add any [**additional checks**](sit-regex-validators-additional-checks.md#sensitive-information-type-additional-checks) from the list of available checks.
9. Choose **Create**.
Use this procedure to create a new sensitive information type that you fully def
Use this procedure to create a new sensitive information type that is based on an existing sensitive information type.
+> [!NOTE]
+> These SITs can't be copied:
+> - Canada driver's license number
+> - EU driver's license number
+> - EU national identification number
+> - EU passport number
+> - EU social security number or equivalent identification
+> - EU tax identification number
+> - International classification of diseases (ICD-10-CM)
+> - International classification of diseases (ICD-9-CM)
+> - U.S. driver's license number
+
+You can also create custom sensitive information types by using PowerShell and Exact Data Match capabilities. To learn more about those methods, see:
+- [Create a custom sensitive information type in Security & Compliance Center PowerShell](create-a-custom-sensitive-information-type-in-scc-powershell.md)
+- [Learn about exact data match based sensitive information types](sit-learn-about-exact-data-match-based-sits.md#learn-about-exact-data-match-based-sensitive-information-types)
+ 1. In the Compliance Center, go to **Data classification** \> **Sensitive info types** and choose the sensitive information type that you want to copy. 2. In the flyout, choose **Copy**.
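Review bot: The paragraph "You can also create custom sensitive information types by using PowerShell and Exact Data Match capabilities" and its two links now sit between the copy procedure's introductory sentence and step 1, so they interrupt the procedure they were moved into. The "These SITs can't be copied" note belongs there, but the PowerShell and Exact Data Match pointers would read better after the last step or near the top-level list of ways to create a sensitive information type.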
Use this procedure to create a new sensitive information type that is based on a
7. You can choose to edit or remove the existing patterns and add new ones. Choose the default confidence level for the new pattern. The values are **Low confidence**, **Medium confidence**, and **High confidence**.
-8. Choose and define **Primary element**. The primary element can be a **Regular expression**, a **Keyword list**, a **Keyword dictionary**, or one of the pre-configured **Functions**. See, [What the DLP functions look for](what-the-dlp-functions-look-for.md).
+8. Choose and define **Primary element**. The primary element can be a **Regular expression**, a **Keyword list**, a **Keyword dictionary**, or one of the pre-configured **Functions**. See, [Sensitive information type functions](sit-functions.md).
9. Fill in a value for **Character proximity**.
-10. (Optional) If you have **Supporting elements** or any [**Additional checks**](#more-information-on-additional-checks) add them. If needed you can group your **Supporting elements**.
+10. (Optional) If you have **Supporting elements** or any [**additional checks**](sit-regex-validators-additional-checks.md#sensitive-information-type-additional-checks) add them. If needed you can group your **Supporting elements**.
11. Choose **Create**.
For a scanned item to satisfy rule criteria, the number of unique instances of a
For example, if you want the rule to trigger a match when at least 500 unique instances of a SIT are found in a single item, set the **min** value to `500` and the **max** value to `Any`.
-## Modify custom sensitive information types in the Compliance Center
-
-1. In the Compliance Center, go to **Data classification** \> **Sensitive info types** and choose the sensitive information type from the list that you want to modify choose **Edit**.
-
-2. You can add other patterns, with unique primary and supporting elements, confidence levels, character proximity, and [**additional checks**](#more-information-on-additional-checks) or edit/remove the existing ones.
-
-## Remove custom sensitive information types in the Compliance Center
-
-> [!NOTE]
-> You can only remove custom sensitive information types; you can't remove built-in sensitive information types.
-
-> [!IMPORTANT]
-> Before your remove a custom sensitive information type, verify that no DLP policies or Exchange mail flow rules (also known as transport rules) still reference the sensitive information type.
-
-1. In the Compliance Center, go to **Data classification** \> **Sensitive info types** and choose the sensitive information type from the list that you want to remove.
-
-2. In the fly-out that opens, choose **Delete**.
-
-> [!NOTE]
-> These SITs can't be copied:
-> - Canada driver's license number
-> - EU driver's license number
-> - EU national identification number
-> - EU passport number
-> - EU social security number or equivalent identification
-> - EU tax identification number
-> - International classification of diseases (ICD-10-CM)
-> - International classification of diseases (ICD-9-CM)
-> - U.S. driver's license number
-
-You can also create custom sensitive information types by using PowerShell and Exact Data Match capabilities. To learn more about those methods, see:
-- [Create a custom sensitive information type in Security & Compliance Center PowerShell](create-a-custom-sensitive-information-type-in-scc-powershell.md)-- [Learn about exact data match based sensitive information types](sit-learn-about-exact-data-match-based-sits.md#learn-about-exact-data-match-based-sensitive-information-types)-
-## More information on regular expression validators
-
-### Checksum validator
-
-If you need to run a checksum on a digit in a regular expression, you can use the *checksum validator*. For example, say you need to create a SIT for an eight digit license number where the last digit is a checksum digit that is validated using a mod 9 calculation. You've set up the checksum algorithm like this:
-
-```console
-Sum = digit 1 * Weight 1 + digit 2 * weight 2 + digit 3 * weight 3 + digit 4 * weight 4 + digit 5 * weight 5 + digit 6 * weight 6 + digit 7 * weight 7 + digit 8 * weight 8
-Mod value = Sum % 9
-If Mod value == digit 8
- Account number is valid
-If Mod value != digit 8
- Account number is invalid
-```
-
-1. Define the primary element with this regular expression:
-
- ```console
- \d{8}
- ```
-
-2. Then add the checksum validator.
-
-3. Add the weight values separated by commas, the position of the check digit and the Mod value. For more information on the Modulo operation, see [Modulo operation](https://en.wikipedia.org/wiki/Modulo_operation).
-
- > [!NOTE]
- > If the check digit is not part of the checksum calculation then use 0 as the weight for the check digit. For example, in the above case weight 8 will be equal to 0 if the check digit is not to be used for calculating the check digit. Modulo_operation).
-
- :::image type="content" alt-text="screenshot of configured checksum validator." source="../media/checksum-validator.png" lightbox="../media/checksum-validator.png":::
-
-### Date validator
-
-If a date value that is embedded in regular expression is part of a new pattern you are creating, you can use the *date validator* to test that it meets your criteria. For example, say you want to create a SIT for a nine digit employee identification number. The first six digits are the date of hire in DDMMYY format and the last three are randomly generated numbers. To validate that the first six digits are in the correct format.
-
-1. Define the primary element with this regular expression:
-
- ```console
- \d{9}
- ```
-
-2. Then add the date validator.
-
-3. Select the date format and the start offset. Since the date string is the first six digits, the offset is `0`.
-
- :::image type="content" alt-text="screenshot of configured date validator." source="../media/date-validator.png" lightbox="../media/date-validator.png":::
-
-### Functional processors as validators
-
-You can use function processors for some of the most commonly used SITs as validators. This allows you to define your own regular expression while ensuring they pass the additional checks required by the SIT. For example, Func_India_Aadhar will ensure that the custom regular expression defined by you passes the validation logic required for Indian Aadhar card. For more information on DLP functions that can be used as validators, see [What the DLP functions look for](what-the-dlp-functions-look-for.md#what-the-dlp-functions-look-for).
-
-### Luhn check validator
-
-You can use the Luhn check validator if you have a custom Sensitive information type that includes a regular expression which should pass the [Luhn algorithm](https://en.wikipedia.org/wiki/Luhn_algorithm).
-
-## More information on additional checks
-
-Here are the definitions and some examples for the available additional checks.
-
-**Exclude specific matches**: This check lets you define keywords to exclude when detecting matches for the pattern you are editing. For example, you might exclude test credit card numbers like '4111111111111111' so that they're not matched as a valid number.
-
-**Starts or doesn't start with characters**: This check lets you define the characters that the matched items must or must not start with. For example, if you want the pattern to detect only credit card numbers that start with 41, 42, or 43, select **Starts with** and add 41, 42, and 43 to the list, separated by commas.
-
-**Ends or doesn't end with characters**: This check lets you define the characters that the matched items must or must not end with. For example, if your Employee ID number cannot end with 0 or 1, select **Doesn't end with** and add 0 and 1 to the list, separated by commas.
-
-**Exclude duplicate characters**: This check lets you ignore matches in which all the digits are the same. For example, if the six digit employee ID number cannot have all the digits be the same, you can select **Exclude duplicate characters** to exclude 111111, 222222, 333333, 444444, 555555, 666666, 777777, 888888, 999999, and 000000 from the list of valid matches for the employee ID.
-
-**Include or exclude prefixes**: This check lets you define the keywords that must or must not be found immediately before the matching entity. Depending on your selection, entities will be matched or not matched if they're preceded by the prefixes you include here. For example, if you **Exclude** the prefix **GUID:**, any entity that's preceded by **GUID:** won't be considered a match.
-
-**Include or exclude suffixes** This check lets you define the keywords that must or must not be found immediately after the matching entity. Depending on your selection, entities will be matched or not matched if they're followed by the suffixes you include here. For example, if you **Exclude** the suffix **:GUID**, any text that's followed by **:GUID** won't be matched.
-- > [!NOTE] > Microsoft 365 Information Protection supports double byte character set languages for: > - Chinese (simplified)
compliance Data Loss Prevention Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-loss-prevention-policies.md
However, DLP reports need pull data from across Microsoft 365, including Exchang
- [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md) -- [What the DLP functions look for](what-the-dlp-functions-look-for.md)
+- [Sensitive information type functions](sit-functions.md)
- [Create a custom sensitive information type](create-a-custom-sensitive-information-type.md)
compliance Dlp Chrome Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-chrome-get-started.md
Now that you've removed Chrome from the disallowed browsers/apps list, you can
### Known Issues and Limitations
-1. Block Override enforcement for cloud egress is not supported.
-2. Incognito mode is not supported and must be disabled.
+1. Incognito mode is not supported and must be disabled.
## Next steps
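Review bot: with the "Block Override enforcement for cloud egress" item removed, "Known Issues and Limitations" is left as an ordered list with a single entry ("1. Incognito mode is not supported and must be disabled."). A one-item numbered list reads oddly; make it a plain sentence or an unordered bullet. Also confirm this removal publishes together with the "audit, block with override, block" change to the "file copied to cloud" row in dlp-chrome-learn-about.md, so the two articles never disagree about override support.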
compliance Dlp Chrome Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/dlp-chrome-learn-about.md
The Microsoft Compliance Extension enables you to audit and manage the following
activity |description | supported policy actions| ||||
-|file copied to cloud | Detects when a user attempts to upload a sensitive item to a restricted service domain through the Chrome browser |audit, block|
+|file copied to cloud | Detects when a user attempts to upload a sensitive item to a restricted service domain through the Chrome browser |audit, block with override, block|
|file printed |Detects when a user attempts to print a sensitive item that is open in the Chrome browser to a local or network printer |audit, block with override, block| |file copied to clipboard |Detects when a user attempts to copy information from a sensitive item that is being viewed in the Chrome browser and then paste it into another app, process, or item. |audit, block with override, block| |file copied to removable storage | Detects when a user attempts to copy a sensitive item or information from a sensitive item that is open in the Chrome browser to removable media or USB device |audit, block with override, block|
compliance Document Metadata Fields In Advanced Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/document-metadata-fields-in-Advanced-eDiscovery.md
The following table lists the metadata fields for documents in a review set in a
|O365 authors||O365_authors|Author from SharePoint.| |O365 created by||O365_created_by|Created by from SharePoint.| |O365 date created||O365_date_created|Created date from SharePoint.|
-|O365 date modified||O365_date_modified|Last modified date from SharePoint.|
-|O365 modified by||O365_modified_by|Modified by from SharePoint.|
+|O365ModifiedDate||O365_date_modified|The date a document (or document version) collected from SharePoint or OneDrive for Business was modified. This is the same modified date as the one displayed in the version history in the SharePoint and OneDrive user experience.|
+|O365 modified by||O365_modified_by|Modified by from SharePoint or OneDrive.|
|Other custodians|DedupedCustodians|Deduped_custodians|List of custodians of documents that are exact duplicates (for email, based on content; for documents, based on hash).| |Other file IDs|DedupedFileIds|Deduped_file_IDs|List of file IDs of documents that are exact duplicates (for email, based on content; for documents, based on hash).| |Other paths|Dedupedcompoundpath|Deduped_compound_path|List of compound paths of documents that are exact duplicates (email: based on content, documents: based on hash).|
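Review bot: in the added modified-date row, the first column changes from "O365 date modified" to "O365ModifiedDate", while the neighbouring rows ("O365 date created", "O365 modified by") keep spaced display names and the second column stays empty. Judging by rows such as "Other custodians|DedupedCustodians", the camel-case name appears to belong in the second column; either move "O365ModifiedDate" there and keep the display name, or keep the first column in the same style as its neighbours. The new text also covers OneDrive, but the unchanged "O365 created by" and "O365 date created" rows still say "from SharePoint" only; check whether they need the same wording.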
The following table lists the metadata fields for documents in a review set in a
|To|To|Email_to|To field for message types. Format is **DisplayName\<SmtpAddress>**| |Unique in email set|UniqueInEmailSet||**False** if there's a duplicate of the attachment in its email set.| |Version Group ID||Version_Group_Id|Groups together the different versions of the same document.|
+|VersionNumber||Version_Number|The version number of a document collected from SharePoint or OneDrive for Business. This is the same version number as the one displayed in the version history in the SharePoint and OneDrive user experience.|
|Was Remediated|WasRemediated|Was_Remediated|**True** if the item was remediated, otherwise **False**.| |Word count|WordCount|Word_count|Number of words in the item.| |||||
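Review bot: the added row puts "VersionNumber" in the first column, but the rows around it ("Version Group ID", "Was Remediated", "Word count") use a spaced display name there and carry the camel-case name, where one exists, in the second column. Suggest "Version number" in column one, with "VersionNumber" in column two if the field is searchable under that name.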
compliance Ediscovery https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/ediscovery.md
Here's a description of each eDiscovery capability.
- **Conversation threading**. When chat messages from Teams and Yammer conversations are added to a review set, you can collect the entire conversation thread. This means that the entire chat conversation that contains items that match the collection criteria is added to the review set. This lets you review chat items in the context of the back-and-forth conversation. -- **Collection statistics and reports**. After you create a draft collection or commit a commit a collection to a review set, you can view a rich set of statistics on the retrieved items, such as the content locations that contain the most items that matched the search criteria and the number of items returned by the search query. You can also preview a subset of the results. Additionally, this includes the number of child items extracted from their parent items and added as separate items to the review set.
+- **Collection statistics and reports**. After you create a draft collection or commit a commit a collection to a review set, you can view a rich set of statistics on the retrieved items, such as the content locations that contain the most items that matched the search criteria and the number of items returned by the search query. You can also preview a subset of the results.
- **Review set filtering**. After content is added to a review set, you can apply filters to display only the set of items that match your filtering criteria. Then you can save the filter sets as a query, which lets you quickly reapply the saved filters. Review set filtering and saved queries help you quickly cull content to the items that are most relevant to your investigation.
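Review bot: the rewritten "Collection statistics and reports" bullet still carries the duplicated words "commit a commit a collection to a review set" from the old line. Since this sentence is being edited anyway, fix it to "commit a collection to a review set" in the same change.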
compliance Partially Indexed Items In Content Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/partially-indexed-items-in-content-search.md
As a workaround for this limitation, we recommend the following procedure.
```text <original query> AND ((IndexingErrorCode>0 OR IndexingErrorCode<0) AND sent:date1..date2) ```+ Adding this clause will return partially indexed items that match your original search query and that fall within a specific date range.<sup>2</sup> 4. Export the results of the search from step 3, and this time include partially indexed items in the export. To do this, you would select the **All items, including ones that have unrecognized format, are encrypted, or weren't indexed for other reasons** export option.
compliance Review Set Search https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/review-set-search.md
There are multiple types of filters:
- **Date**: A date filter is used for date fields such as "Last modified date". -- **Search options**: A search options filter provides a list of possible values (each value is displayed with a checkbox that you can select) for particular fields in the review. This filter is used for fields, such as "Sender", where there is a finite number of possible values in the review set.
+- **Search options**: A search options filter provides a list of possible values (each value is displayed with a checkbox that you can select) for particular fields in the review. This filter is used for fields, such as "Sender", where there's a finite number of possible values in the review set.
-- **Keyword**: A keyword condition is a specific instance of freetext condition that you can use to search for terms. You can also use KQL-like query language in this type of filter. For more information, see the Query language and Advanced query builder sections in this topic.
+- **Keyword**: A keyword condition is a specific instance of freetext condition that you can use to search for terms. You can also use KQL-like query language in this type of filter. For more information, see the Query language and Advanced query builder sections in this article.
## Include and exclude filter relationships
-You have the option to change the include and exclude relationship for a particular filter. For example, in the Tag filter, you can exclude items that are tagged with a particular tag by selecting **Equals none of** in the dropdown filter.
+You can change the include and exclude relationship for a particular filter. For example, in the Tag filter, you can exclude items that are tagged with a particular tag by selecting **Equals none of** in the dropdown filter.
![Exclude tag filter.](../media/TagFilterExclude.png) ## Save filters as queries
-After you are satisfied with your filters, you can save the filter combination as a filter query. This lets you apply the filter in the future review sessions.
+After you're satisfied with your filters, you can save the filter combination as a filter query. This lets you apply the filter in the future review sessions.
To save a filter, select **Save the query** and name it. You or other reviewers can run previously saved filter queries by selecting the **Saved filter queries** dropdown and selecting a filter query to apply to review set documents.
You can also build more advanced queries to search for documents in a review set
In this panel, you can create complex KQL queries by using the query builder. You can add conditions or add condition groups that are made up of multiple conditions that are logically connected by **AND** or **OR** relationships. ![Use query builder to configure complex filter queries.](../media/ComplexQuery.png)+
+## Filter partially indexed items
+
+If you selected the option to add partially indexed items from additional data sources when you committed the draft collection to a review set. You'll probably want to identify and view those items to determine if an item might be relevant to your investigation and whether you need to remediate the error that resulted in the item being partially indexed.
+
+At this time, there isn't a filter option in a review set to display partially indexed items. But we're working on it. Until then, here's a way you can filter and display the partially indexed items that you added to a review set.
+
+1. Create a collection and commit it to a new review set *without* adding partially indexed items from the additional data sources.
+
+2. Create a new collection by copying the collection from step 1.
+
+3. Commit the new collection to the same review set. But this time, add the partially indexed items from the additional data sources. Because items from the collection you created in step 1 have already been added to the review set, only the partially indexed items from the second collection are added to the review set.
+
+4. After both collections are added to the review set, go to the review set, and select **Manage** > **Load sets**.
+
+5. Copy or make note of the **Load Id** for the second collection (the one you created in step 2). The collection name is identified in the **Source info** column.
+
+6. Back in the review set, click **Filter**, expand the **IDs** section, and then select the **Load Id** checkbox.
+
+7. Expand the **Load Id** filter, and then select the checkbox for the load Id that corresponds to the second collection to display the partially indexed items.
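Review bot: the first paragraph under "## Filter partially indexed items" opens with a fragment. "If you selected the option to add partially indexed items ... to a review set." is a conditional clause closed with a period, and its consequence starts a new sentence at "You'll probably want". Join the two with a comma. In the steps, step 6 says "click **Filter**" where steps 4, 6 and 7 otherwise use "select", and step 7 writes "load Id" in lower case right after "**Load Id**"; make the verb and the casing consistent.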
compliance Sensitive Information Type Entity Definitions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitive-information-type-entity-definitions.md
A DLP policy has low confidence that it's detected this type of sensitive inform
## All full names
-This is a bundled named entity which detects full names for people from all supported countries/regions, which include Australia, China, Japan, U.S., and countries in the EU. Use this SIT to detect all possible matches of full names.
+All full names is a bundled named entity. It detects full names for people from all supported countries/regions, which include Australia, China, Japan, U.S., and countries in the EU. Use this SIT to detect all possible matches of full names.
### Format
No.
### Description
-This named entity SIT matches personal names that a human would identify as a name with high confidence. It uses three primary resources:
+This named entity SIT matches personal names that a human would identify as a name with high confidence. For example, if a string is found consisting of a given name and is followed by a family name then a match is made with high confidence. It uses three primary resources:
- A dictionary of given names. - A dictionary of family names. - Patterns of how names are formed.
-The three resources are different for each country. For example, for names in United States dictionary, if a string is found consisting of a given name and is followed by a family name then a match is made with high confidence. The strings *Olivia Wilson* would trigger a match.Common given/family names are given a higher confidence than rarer names. However, the pattern also allows partial matches. For example a given name from the dictionary followed by an family name that is not in the dictionary, like *Tomas Richard* would trigger a partial match. Partial matches are given lower confidence.
+The three resources are different for each country. The strings *Olivia Wilson* would trigger a match. Common given/family names are given a higher confidence than rarer names. However, the pattern also allows partial matches. If a given name from the dictionary is found and it's followed by a family name that isn't in the dictionary, then a partial match is triggered. For example, *Tomas Richard* would trigger a partial match. Partial matches are given lower confidence.
In addition, patterns that a human would see as indicative of names are also matched with appropriate confidence. Like *O. Wilson*, *O.P. Wilson*, *Dr. O. P. Wilson*, *Wilson, O.P.* or *T. Richard, Jr.* would be matches.
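Review bot: moving the "For example, if a string is found consisting of a given name ..." sentence into the first paragraph separates the list lead-in "It uses three primary resources:" from its subject, so "It" now follows an example rather than the SIT it refers to. It also orphans the illustration in the next paragraph: "The three resources are different for each country. The strings *Olivia Wilson* would trigger a match." no longer sits next to the rule it illustrates, and "strings" is plural for a single string. Suggest keeping the rule and the *Olivia Wilson* example together after the list, and changing "The strings" to "The string".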
In addition, patterns that a human would see as indicative of names are also mat
## All medical terms and conditions
-This is a bundled named entity which detects medical terms and medical conditions. It detects English terms only. Use this SIT to detect all possible matches of medical terms and conditions.
+All medical terms and conditions is a bundled named entity that detects medical terms and medical conditions. It detects English terms only. Use this SIT to detect all possible matches of medical terms and conditions.
### Format
No
### Description
-This bundled named entity matches text that mentions medical conditions that are present in curated dictionaries. There is one curated dictionary per supported language. The dictionaries are from a number of international medical resources. The curated dictionaries incorporate as many medical conditions as possible without risking a large number of false positives. .Each entry contains the different forms that a single condition is commonly written in to ensure coverage, for example:
+This bundled named entity matches text that mentions medical conditions that are present in curated dictionaries. There is one curated dictionary per supported language. The dictionaries are from many international medical resources. The dictionaries include as many medical conditions as possible without risking a large number of false positives. Each entry contains the different forms that a single condition is commonly written in to ensure coverage, for example:
- *TB* - *tuberculosis*
This bundled named entity SIT contains these individual SITs.
## All Physical Addresses
-This is a bundled entity SIT which detects patterns related to physical addresses from all supported countries/regions.
+All physical addresses is a bundled entity SIT, which detects patterns related to physical addresses from all supported countries/regions.
### Format
No
### Description
-The matching of street addresses is designed to match strings that a human would identify as a street address. To do this it uses several primary resources:
+The matching of street addresses is designed to match strings that a human would identify as a street address. To do this, it uses several primary resources:
- A dictionary of settlements, counties and regions. - A dictionary of street suffixes, like Road, Street, or Avenue. - Patterns of postal codes. - Patterns of address formats.
-The resources are different for each country. The primary resources are the patterns of address formats that are used in a given country. The different formats are chosen to make sure that as many addresses as possible are matched, without risking a high number of false positives. These formats allow flexibility for example, an address may omit the postal code or omit a town name or have a street with no street suffix. In all cases such matches are used to increase the confidence of the match.
+The resources are different for each country. The primary resources are the patterns of address formats that are used in a given country. Different formats are chosen to make sure that as many addresses as possible are matched. These formats allow flexibility, for example, an address may omit the postal code or omit a town name or have a street with no street suffix. In all cases, such matches are used to increase the confidence of the match.
-Note that the patterns are designed to match individual single addresses, not generic locations. So strings such as *Redmond, WA 98052* or *Main Street, Albuquerque* will not be matched.
+The patterns are designed to match individual single addresses, not generic locations. So strings such as *Redmond, WA 98052* or *Main Street, Albuquerque* will not be matched.
### Contains This bundled named entity SIT contains these individual SITs: -- Australia physical address-- Austria physical address-- Belgium physical address-- Brazil physical address-- Bulgaria physical address-- Canada physical address-- Croatia physical address-- Cyprus physical address-- Czech Republic physical address-- Denmark physical address-- Estonia physical address-- Finland physical address-- France physical address-- Germany physical address-- Greece physical address-- Hungary physical address-- Iceland physical address-- Ireland physical address-- Italy physical address-- Latvia physical address-- Liechtenstein physical address-- Lithuania physical address-- Luxembourg physical address-- Malta physical address-- Netherlands physical address-- New Zealand physical address-- Norway physical address-- Poland physical address-- Portugal physical address-- Romania physical address-- Slovakia physical address-- Slovenia physical address-- Spain physical address-- Sweden physical address-- Switzerland physical address-- Turkey physical address-- United Kingdom physical address-- United States physical address
+- Australia physical addresses
+- Austria physical addresses
+- Belgium physical addresses
+- Brazil physical addresses
+- Bulgaria physical addresses
+- Canada physical addresses
+- Croatia physical addresses
+- Cyprus physical addresses
+- Czech Republic physical addresses
+- Denmark physical addresses
+- Estonia physical addresses
+- Finland physical addresses
+- France physical addresses
+- Germany physical addresses
+- Greece physical addresses
+- Hungary physical addresses
+- Iceland physical addresses
+- Ireland physical addresses
+- Italy physical addresses
+- Latvia physical addresses
+- Liechtenstein physical addresses
+- Lithuania physical addresses
+- Luxembourg physical addresses
+- Malta physical addresses
+- Netherlands physical addresses
+- New Zealand physical addresses
+- Norway physical addresses
+- Poland physical addresses
+- Portugal physical addresses
+- Romania physical addresses
+- Slovakia physical addresses
+- Slovenia physical addresses
+- Spain physical addresses
+- Sweden physical addresses
+- Switzerland physical addresses
+- Turkey physical addresses
+- United Kingdom physical addresses
+- United States physical addresses
### Supported languages
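Review bot: in the rewritten address-formats paragraph, "These formats allow flexibility, for example, an address may omit the postal code ..." is a comma splice; split it as "These formats allow flexibility. For example, an address may omit ...". The same line also drops the clause "without risking a high number of false positives" from the sentence about how formats are chosen, while the equivalent clause is kept in the medical terms description ("without risking a large number of false positives"). If that removal is a wording cleanup rather than a change in how the patterns behave, restore the clause so the trade-off stays documented.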
A DLP policy has medium confidence that it's detected this type of sensitive inf
- First digit is in the range 2-6 - Ninth digit is a check digit - Tenth digit is the issue digit-- Eleventh digit (optional) is the individual number
+- 11th digit (optional) is the individual number
### Checksum
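Review bot: changing "Eleventh digit" to "11th digit" makes this bullet inconsistent with the ones directly before it, which still read "Ninth digit is a check digit" and "Tenth digit is the issue digit". Either keep "Eleventh" or convert all three ordinals in the list in the same change.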
A DLP policy has low confidence that it's detected this type of sensitive inform
## Australia physical addresses
-Unbundled named entity, detects patterns related to physical address from Australia.
+Unbundled named entity, detects patterns related to physical address from Australia. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level medium
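Review bot: the added line keeps the fragment opening "Unbundled named entity, detects patterns related to physical address from Australia.", while every other country entry touched in this change starts "This unbundled named entity detects ...". Since the line is being edited to add the "All Physical Addresses" cross-reference, align the opening with its siblings. The entries also mix "physical address from" (Australia, Austria, Brazil and others) with "physical addresses from" (Belgium); pick one form.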
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Austria physical addresses
-This unbundled named entity detects patterns related to physical address from Austria.
+This unbundled named entity detects patterns related to physical address from Austria. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Belgium physical addresses
-This unbundled named entity detects patterns related to physical addresses from Belgium.
+This unbundled named entity detects patterns related to physical addresses from Belgium. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Blood test terms
-This unbundled named entity detects terms related to blood tests, such as *hCG*. It supports English terms only.
+This unbundled named entity detects terms related to blood tests, such as *hCG*. It supports English terms only. It is also included in the [All medical terms and conditions](#all-medical-terms-and-conditions) bundled named entity SIT.
### Confidence level
High
## Brand medication names
-This unbundled named entity detects names of brand medication, such as *Tylenol*. It supports English terms only.
+This unbundled named entity detects names of brand medication, such as *Tylenol*. It supports English terms only. It is also included in the [All medical terms and conditions](#all-medical-terms-and-conditions) bundled named entity SIT.
### Confidence level
A DLP policy has high confidence that it's detected this type of sensitive infor
## Brazil physical addresses
-This unbundled named entity detects patterns related to physical address from Brazil.
+This unbundled named entity detects patterns related to physical address from Brazil. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Bulgaria physical addresses
-This unbundled named entity detects patterns related to physical address from Bulgaria.
+This unbundled named entity detects patterns related to physical address from Bulgaria. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Canada physical addresses
-This unbundled named entity detects patterns related to physical address from Canada.
+This unbundled named entity detects patterns related to physical address from Canada. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Croatia physical addresses
-This unbundled named entity detects patterns related to physical address from Croatia.
+This unbundled named entity detects patterns related to physical address from Croatia. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Cyprus physical addresses
-This unbundled named entity detects patterns related to physical address from Cyprus.
+This unbundled named entity detects patterns related to physical address from Cyprus. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Czech Republic physical addresses
-This unbundled named entity detects patterns related to physical address from the Czech Republic.
+This unbundled named entity detects patterns related to physical address from the Czech Republic. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has low confidence that it's detected this type of sensitive inform
## Denmark physical addresses
-This unbundled named entity detects patterns related to physical address from Denmark.
+This unbundled named entity detects patterns related to physical address from Denmark. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
Medium
## Diseases
-This unbundled named entity detects text that match disease names, such as *diabetes*. It supports English terms only.
+This unbundled named entity detects text that matches disease names, such as *diabetes*. It supports English terms only. It is also included in the [All medical terms and conditions](#all-medical-terms-and-conditions) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Estonia physical addresses
-This unbundled named entity detects patterns related to physical address from Estonia.
+This unbundled named entity detects patterns related to physical address from Estonia. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Finland physical addresses
-This unbundled named entity detects patterns related to physical address from Finland.
+This unbundled named entity detects patterns related to physical address from Finland. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## France physical addresses
-This unbundled named entity detects patterns related to physical address from France.
+This unbundled named entity detects patterns related to physical address from France. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Generic medication names
-This unbundled named entity detects names of generic medications, such as *acetominophen*. It supports English terms only.
+This unbundled named entity detects names of generic medications, such as *acetaminophen*. It supports English terms only. It is also included in the [All medical terms and conditions](#all-medical-terms-and-conditions) bundled named entity SIT.
### Confidence level
A DLP policy has low confidence that it's detected this type of sensitive inform
## Germany physical addresses
-This unbundled named entity detects patterns related to physical address from Germany.
+This unbundled named entity detects patterns related to physical address from Germany. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Greece physical addresses
-This unbundled named entity detects patterns related to physical address from Greece.
+This unbundled named entity detects patterns related to physical address from Greece. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Hungary physical addresses
-This unbundled named entity detects patterns related to physical address from Hungary.
+This unbundled named entity detects patterns related to physical address from Hungary. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Iceland physical addresses
-This unbundled named entity detects patterns related to physical address from Iceland.
+This unbundled named entity detects patterns related to physical address from Iceland. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
Medium
## Impairments Listed In The U.S. Disability Evaluation Under Social Security
-This unbundled named entity detects names of impairments listed in the U.S. Disability Evaluation Under Social Security, such as *muscular dystrophy*. It supports English terms only.
+This unbundled named entity detects names of impairments listed in the U.S. Disability Evaluation Under Social Security, such as *muscular dystrophy*. It supports English terms only. It is also included in the [All medical terms and conditions](#all-medical-terms-and-conditions) bundled named entity SIT.
### Confidence level
A DLP policy has low confidence that it's detected this type of sensitive inform
### Pattern 12 digits:-- A digit which is not 0 or 1
+- A digit that is not 0 or 1
- Three digits - An optional space or dash - Four digits
A DLP policy has low confidence that it's detected this type of sensitive inform
## Ireland physical addresses
-This unbundled named entity detects patterns related to physical address from Ireland.
+This unbundled named entity detects patterns related to physical address from Ireland. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Italy physical addresses
-This unbundled named entity detects patterns related to physical address from Italy.
+This unbundled named entity detects patterns related to physical address from Italy. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Lab test terms
-This unbundled named entity detects terms related to lab tests, such as *Insulin C-peptide*. It supports English terms only.
+This unbundled named entity detects terms related to lab tests, such as *Insulin C-peptide*. It supports English terms only. It is also included in the [All medical terms and conditions](#all-medical-terms-and-conditions) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Latvia physical addresses
-This unbundled named entity detects patterns related to physical address from Latvia.
+This unbundled named entity detects patterns related to physical address from Latvia. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
Medium
## Liechtenstein physical addresses
-This unbundled named entity detects patterns related to physical address from Liechtenstein .
+This unbundled named entity detects patterns related to physical address from Liechtenstein. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
Medium
## Lifestyles that relate to medical conditions
-This unbundled named entity detects terms related to lifestyles that might result in a medical condition, such as *smoking*. It supports English terms only.
+This unbundled named entity detects terms related to lifestyles that might result in a medical condition, such as *smoking*. It supports English terms only. It is also included in the [All medical terms and conditions](#all-medical-terms-and-conditions) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Lithuania physical addresses
-This unbundled named entity detects patterns related to physical address from Lithuania.
+This unbundled named entity detects patterns related to physical address from Lithuania. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Luxemburg physical addresses
-This unbundled named entity detects patterns related to physical address from Luxemburg.
+This unbundled named entity detects patterns related to physical address from Luxemburg. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Malta physical addresses
-This unbundled named entity detects patterns related to physical address from Malta.
+This unbundled named entity detects patterns related to physical address from Malta. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has low confidence that it's detected this type of sensitive inform
## Medical specialities
-This unbundled named entity detects terms related to medical specialties, such as *dermatology*. It supports English terms only.
+This unbundled named entity detects terms related to medical specialties, such as *dermatology*. It supports English terms only. It is also included in the [All medical terms and conditions](#all-medical-terms-and-conditions) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Netherlands physical addresses
-This unbundled named entity detects patterns related to physical address from the Netherlands.
+This unbundled named entity detects patterns related to physical address from the Netherlands. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## New Zealand physical addresses
-This unbundled named entity detects patterns related to physical address from New Zealand.
+This unbundled named entity detects patterns related to physical address from New Zealand. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Norway physical addresses
-This unbundled named entity detects patterns related to physical address from Norway.
+This unbundled named entity detects patterns related to physical address from Norway. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has low confidence that it's detected this type of sensitive inform
## Poland physical addresses
-This unbundled named entity detects patterns related to physical address from Poland.
+This unbundled named entity detects patterns related to physical address from Poland. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Portugal physical addresses
-This unbundled named entity detects patterns related to physical address from Portugal.
+This unbundled named entity detects patterns related to physical address from Portugal. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Romania physical addresses
-This unbundled named entity detects patterns related to physical address from Romania.
+This unbundled named entity detects patterns related to physical address from Romania. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has low confidence that it's detected this type of sensitive inform
## Slovakia physical addresses
-This unbundled named entity detects patterns related to physical address from Slovakia.
+This unbundled named entity detects patterns related to physical address from Slovakia. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Slovenia physical addresses
-This unbundled named entity detects patterns related to physical address from Slovenia.
+This unbundled named entity detects patterns related to physical address from Slovenia. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Spain physical addresses
-This unbundled named entity detects patterns related to physical address from Spain.
+This unbundled named entity detects patterns related to physical address from Spain. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
This sensitive information type identifies these keywords by using a regular exp
## Surgical procedures
-This unbundled named entity detects terms related to surgical procedures, such as *appendectomy*. It supports English terms only.
+This unbundled named entity detects terms related to surgical procedures, such as *appendectomy*. It supports English terms only. It is also included in the [All medical terms and conditions](#all-medical-terms-and-conditions) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Sweden physical addresses
-This unbundled named entity detects patterns related to physical address from Sweden.
+This unbundled named entity detects patterns related to physical address from Sweden. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Switzerland physical addresses
-This unbundled named entity detects patterns related to physical address from Switzerland.
+This unbundled named entity detects patterns related to physical address from Switzerland. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
A DLP policy has medium confidence that it's detected this type of sensitive inf
## Turkey physical addresses
-This unbundled named entity detects patterns related to physical address from Turkey.
+This unbundled named entity detects patterns related to physical address from Turkey. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
Medium
## Types of medication
-This unbundled named entity detects medication names, such as *insulin*. It supports English terms only.
+This unbundled named entity detects medication names, such as *insulin*. It supports English terms only. It is also included in the [All medical terms and conditions](#all-medical-terms-and-conditions) bundled named entity SIT.
### Confidence level
Combination of 18 letters and digits in the specified format
18 letters and digits: - Five letters (not case-sensitive) or the digit "9" in place of a letter. - One digit.-- Five digits in the date format MMDDY for date of birth. The seventh character is incremented by 50 if driver is female; for exampe, 51 to 62 instead of 01 to 12.
+- Five digits in the date format MMDDY for date of birth. The seventh character is incremented by 50 if driver is female; for example, 51 to 62 instead of 01 to 12.
- Two letters (not case-sensitive) or the digit "9" in place of a letter. - Five digits.
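Review bot: In the added date-of-birth bullet, "The seventh character is incremented by 50" contradicts its own example, because a single character cannot range over 01 to 12 or 51 to 62; the example describes the two-digit month field. Suggest rewording to say that the month value (MM) is incremented by 50 if the driver is female, and "if driver is female" should read "if the driver is female".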
A DLP policy has medium confidence that it's detected this type of sensitive inf
## U.K. physical addresses
-This unbundled named entity detects patterns related to physical address from the U.K..
+This unbundled named entity detects patterns related to physical address from the U.K.. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
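Review bot: The added line still reads "the U.K.." with a doubled period before the new sentence. Since the line is being rewritten anyway, drop the extra period so it reads "from the U.K. It is also included in ...".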
A DLP policy has low confidence that it's detected this type of sensitive inform
## U.S. physical addresses
-This unbundled named entity detects patterns related to physical address from the U.S..
+This unbundled named entity detects patterns related to physical address from the U.S.. It is also included in the [All Physical Addresses](#all-physical-addresses) bundled named entity SIT.
### Confidence level
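Review bot: "the U.S.." on the added line carries over the doubled period from the removed line. It should read "from the U.S. It is also included in ..." so the abbreviation's period also ends the sentence.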
compliance Sensitive Information Type Learn About https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitive-information-type-learn-about.md
Identifying and classifying sensitive items that are under your organizations co
- automated pattern recognition, like sensitive information types - [machine learning](classifier-learn-about.md)
-Sensitive information types are pattern-based classifiers. They detect sensitive information like social security, credit card, or bank account numbers to identify sensitive items, see [Sensitive information types entity definitions](sensitive-information-type-entity-definitions.md)
+Sensitive information types (SIT) are pattern-based classifiers. They detect sensitive information like social security, credit card, or bank account numbers to identify sensitive items, see [Sensitive information types entity definitions](sensitive-information-type-entity-definitions.md) for a complete list of all SITs.
+
+Microsoft provides a large number of pre-configured SITs or you can create your own.
## Sensitive information types are used in
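Review bot: The first added sentence is a comma splice: "... to identify sensitive items, see [Sensitive information types entity definitions] ... for a complete list of all SITs." Suggest ending the sentence after "bank account numbers" and starting a new one with "See ...". The abbreviation is also introduced as "(SIT)" after a plural term and then used as "SITs", so "(SITs)" would be consistent, and the second added sentence needs a comma before "or you can create your own".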
Sensitive information types are pattern-based classifiers. They detect sensitive
- [Auto-labelling policies](apply-sensitivity-label-automatically.md#how-to-configure-auto-labeling-for-office-apps) - [Microsoft Priva](/privacy/priva)
+## Categories of sensitive information types
+
+### Built in sensitive information types
+
+These SITs are created by Microsoft show up in the compliance console by default. These SITs cannot be edited, but they can be used as templates and copied to create custom sensitive information types.
+
+### Named entity sensitive information types
+
+Named entity SITs also show up in the compliance console by default. They detect person names, physical addresses, and medical terms and conditions. They cannot be edited or copied. See, [Learn about named entities (preview)](named-entities-learn.md#learn-about-named-entities-preview) for more information. Named entity SITs come in two types:
+
+**un-bundled**
+
+These named entity SITs have a narrower focus, like a single country, or a single class of terms. Use them when you need a DLP policy with a narrower detection scope. See, [Examples of named entity SITs](named-entities-learn.md#examples-of-named-entity-sits).
+
+**bundled**
+
+Bundled named entity SITs detect all possible matches in a class, like All physical addresses. Use them as broad criteria in your DLP policies for detecting sensitive items. See, [Examples of named entity SITs](named-entities-learn.md#examples-of-named-entity-sits).
+
+### Custom sensitive information types
+
+If the pre-configured sensitive information types don't meet your needs, you can create your own custom sensitive information types that you fully define or you can copy one of the built-in ones and modify it. See, [Create a custom sensitive information type in Compliance center](create-a-custom-sensitive-information-type.md) for more information.
+
+### Exact data match sensitive information types
+
+All EDM-based SITs are created from scratch. You use them to detect items that have exact values which you define in a database of sensitive information. See, [Learn about exact data match based sensitive information types](sit-learn-about-exact-data-match-based-sits.md#learn-about-exact-data-match-based-sensitive-information-types) for more information.
+ ## Fundamental parts of a sensitive information type Every sensitive information type entity is defined by these fields:
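Review bot: Under "Built in sensitive information types", the first sentence is missing a conjunction: "These SITs are created by Microsoft show up in the compliance console by default" should read "are created by Microsoft and show up". In the same hunk, the heading's "Built in" should be hyphenated to match "built-in" in the custom SIT paragraph, "**un-bundled**" should match the "unbundled" spelling used in the entity definition entries, and each "See, [...]" cross-reference should lose the comma after "See".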
Learn more about confidence levels in this video
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4Hx60] ++ ### Example sensitive information type
compliance Sit Custom Sit Filters https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-custom-sit-filters.md
The filters will be applied on **all** the instances classified by any of the pa
- [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md) -- [What the DLP functions look for](what-the-dlp-functions-look-for.md)
+- [Sensitive information type functions](sit-functions.md)
compliance Sit Functions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-functions.md
+
+ Title: "Sensitive information type functions"
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: Admin
++
+ms.localizationpriority: low
+
+- M365-security-compliance
+search.appverid:
+- MOE150
+- MET150
+
+- seo-marvel-apr2020
+recommendations: false
+description: Learn what the sensitive information type functions look for.
++
+# Sensitive information type functions
+
+Sensitive information types (SIT) can use functions as primary elements to identify sensitive items. For example, the Credit Card Number sensitive information type uses the Func_credit_card function to detect credit card number.
+
+This article explains what these functions look for, to help you understand how the predefined sensitive information types work. For more information, see [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)
+
+## Table of functions
+
+|Function name | Function action | Is a validator|
+||-||
+|Func_aba_routing|detects ABA routing number|yes|
+|Func_alabama_drivers_license_number|detects Alabama driverΓÇÖs license number|no|
+|Func_alaska_delaware_oregon_drivers_license_number|detects Alaska, Delaware, Oregon driverΓÇÖs license number|no|
+|Func_alaska_drivers_license_number|detects Alaska driverΓÇÖs license number|no|
+|Func_alberta_drivers_license_number|detects Alberta driverΓÇÖs license number|no|
+|Func_argentina_Unique_Tax_Key|detects and validates Argentina Unique tax key|no|
+|Func_Argentina_Unique_Tax_Key|detects Argentina Unique tax key|no|
+|Func_arizona_drivers_license_number|detects Arizona driverΓÇÖs license number|no|
+|Func_arkansas_drivers_license_number|detects Arkansas driverΓÇÖs license number|no|
+|Func_australian_business_number|detects Australia business number|no|
+|Func_Australian_Company_Number|detects Australia company number|no|
+|Func_australian_medical_account_number|detects Australia medical account number|no|
+|Func_australian_tax_file_number|detects Australia tax file number|yes|
+|Func_austria_eu_ssn_or_equivalent|detects Austria social security number|no|
+|Func_austria_eu_tax_file_number|detects Austria tax file number|no|
+|Func_Austria_Value_Added_Tax|detects Austria Value Added Tax|no|
+|Func_belgium_national_number|detects Belgium national number|no|
+|Func_belgium_value_added_tax_number|detects Belgium value added tax number|no|
+|Func_brazil_cnpj|detects Brazil legal entity number (CNPJ)|yes|
+|Func_brazil_cpf|detects Brazil CPF|yes|
+|Func_brazil_rg|detects Brazil RG|no|
+|Func_british_columbia_drivers_license_number|detects British Columbia driverΓÇÖs license number|no|
+|Func_bulgaria_eu_national_id_card|detects Bulgaria uniform civil number|no|
+|Func_california_drivers_license_number|detects California driverΓÇÖs license number|no|
+|Func_canadian_sin|detects Canada sin|yes|
+|Func_chile_id_card|detects Chile ID card|no|
+|Func_china_resident_id|detects China-resident ID|no|
+|Func_colorado_drivers_license_number|detects Colorado driverΓÇÖs license number|no|
+|Func_connecticut_drivers_license_number|detects Connecticut driverΓÇÖs license number|no|
+|Func_credit_card|detects credit card|yes|
+|Func_croatia_id_card|detects Croatia ID card|no|
+|Func_croatia_oib_number|detects Croatia OIB number|no|
+|Func_cyprus_eu_tax_file_number|detects Cyprus tax file number|no|
+|Func_czech_id_card_new_format|detects Czech ID card in new format|no|
+|Func_czech_id_card|detects Czech ID card|no|
+|Func_dea_number|detects DEA number|yes|
+|Func_denmark_eu_tax_file_number|detects Denmark personal identification number|no|
+|Func_district_of_columbia_drivers_license_number|detects District of Columbia driverΓÇÖs license number|no|
+|Func_estonia_eu_national_id_card|detects Estonia Personal Identification Code|no|
+|Func_eu_debit_card|detects EU debit card|no|
+|Func_finnish_national_id|detects Finnish national ID|no|
+|Func_florida_drivers_license_number|detects Florida driverΓÇÖs license number|no|
+|Func_florida_maryland_michigan_minnesota_drivers_license_number|detects Florida, Maryland, Michigan, Minnesota driverΓÇÖs license number|no|
+|Func_formatted_itin|detects formatted US ITIN|yes|
+|Func_fr_insee|detects France INSEE|no|
+|Func_fr_passport|detects France passport|no|
+|Func_france_eu_tax_file_number|detects France tax file number|no|
+|Func_france_value_added_tax_number|detects France value added tax number|no|
+|Func_french_drivers_license|detects French driverΓÇÖs license|no|
+|Func_french_insee|detects French INSEE|no|
+|Func_georgia_drivers_license_number|detects Georgia driverΓÇÖs license number|no|
+|Func_german_drivers_license|detects Germany driverΓÇÖs license|no|
+|Func_german_passport_data|detects Germany passport|no|
+|Func_german_passport|detects Germany passport|no|
+|Func_germany_eu_tax_file_number|detects Germany tax file number|no|
+|Func_germany_value_added_tax_number|detects Germany value added tax number|no|
+|Func_greece_eu_ssn|detects Greece sin (AMKA)|no|
+|Func_hawaii_drivers_license_number|detects Hawaii driverΓÇÖs license number|no|
+|Func_hong_kong_id_card|detects Hong Kong ID card|no|
+|Func_hungarian_value_added_tax_number|detects Hungary value added tax number|no|
+|Func_hungary_eu_national_id_card|detects Hungary personal identification number|no|
+|Func_hungary_eu_ssn_or_equivalent|detects Hungary social security number|no|
+|Func_hungary_eu_tax_file_number|detects Hungary tax file number|no|
+|Func_iban|detects IBAN|yes|
+|Func_idaho_drivers_license_number|detects Idaho driverΓÇÖs license number|no|
+|Func_illinois_drivers_license_number|detects Illinois driverΓÇÖs license number|no|
+|Func_india_aadhaar|detects India aadhaar|yes|
+|Func_indiana_drivers_license_number|detects Indiana driverΓÇÖs license number|no|
+|Func_iowa_drivers_license_number|detects Iowa driverΓÇÖs license number|no|
+|Func_ireland_pps|detects Ireland PPS|no|
+|Func_israeli_national_id_number|detects Israel national ID number|no|
+|Func_italy_eu_national_id_card|detects Italy fiscal code|no|
+|Func_italy_value_added_tax_number|detects Italy value added tax number|no|
+|Func_japanese_my_number_corporate|detects Japan my number corporate|yes|
+|Func_japanese_my_number_personal|detects Japan my number personal|yes|
+|Func_jp_bank_account_branch_code|detects Japan bank account branch code|no|
+|Func_jp_bank_account|detects Japan bank account|no|
+|Func_jp_drivers_license_number|detects Japan driverΓÇÖs license number|no|
+|Func_jp_passport|detects Japan passport|no|
+|Func_jp_resident_registration_number|detects Japan-resident registration number|no|
+|Func_jp_sin_pre_1997|detects Japan sin pre 1997|no|
+|Func_jp_sin|detects Japan SIN|no|
+|Func_kansas_drivers_license_number|detects Kansas driverΓÇÖs license number|no|
+|Func_kentucky_drivers_license_number|detects Kentucky driverΓÇÖs license number|no|
+|Func_kentucky_massachusetts_virginia_drivers_license_number|detects Kentucky, Massachusetts, Virginia driverΓÇÖs license number|no|
+|Func_latvia_eu_national_id_card|detects Latvia personal code|no|
+|Func_lithuania_eu_tax_file_number|detects Lithuania personal code|no|
+|Func_louisiana_drivers_license_number|detects Louisiana driverΓÇÖs license number|no|
+|Func_luxemburg_eu_tax_file_number_non_natural|detects Luxemburg national identification number (non-natural persons)|no|
+|Func_luxemburg_eu_tax_file_number|detects Luxemburg national identification number (natural persons)|no|
+|Func_maine_drivers_license_number|detects Maine driverΓÇÖs license number|no|
+|Func_manitoba_drivers_license_number|detects Manitoba driverΓÇÖs license number|no|
+|Func_maryland_drivers_license_number|detects Maryland driverΓÇÖs license number|no|
+|Func_massachusetts_drivers_license_number|detects Massachusetts driverΓÇÖs license number|no|
+|Func_mexico_population_registry_code|detects Mexico population registry code|no|
+|Func_michigan_minnesota_drivers_license_number|detects Michigan, Minnesota driverΓÇÖs license number|no|
+|Func_minnesota_drivers_license_number|detects Minnesota driverΓÇÖs license number|no|
+|Func_mississippi_oklahoma_drivers_license_number|detects Mississippi, Oklahoma driverΓÇÖs license number|no|
+|Func_missouri_drivers_license_number|detects Missouri driverΓÇÖs license number|no|
+|Func_montana_drivers_license_number|detects Montana driverΓÇÖs license number|no|
+|Func_nebraska_drivers_license_number|detects Nebraska driverΓÇÖs license number|no|
+|Func_netherlands_bsn|detects Netherlands BSN|no|
+|Func_netherlands_eu_tax_file_number|detects Netherlands tax file number|no|
+|Func_netherlands_value_added_tax_number|detects Netherlands value added tax number|no|
+|Func_nevada_drivers_license_number|detects Nevada driverΓÇÖs license number|no|
+|Func_new_brunswick_drivers_license_number|detects New Brunswick driverΓÇÖs license number|no|
+|Func_new_hampshire_drivers_license_number|detects New Hampshire driverΓÇÖs license number|no|
+|Func_new_jersey_drivers_license_number|detects New Jersey driverΓÇÖs license number|no|
+|Func_new_mexico_drivers_license_number|detects New Mexico driverΓÇÖs license number|no|
+|Func_new_york_drivers_license_number|detects New York driverΓÇÖs license number|no|
+|Func_new_zealand_bank_account_number|detects New Zealand bank account number|no|
+|Func_new_zealand_inland_revenue_number|detects New Zealand inland revenue number|no|
+|Func_new_zealand_ministry_of_health_number|detects New Zealand ministry of health number|no|
+|Func_newfoundland_labrador_drivers_license_number|detects Newfoundland Labrador driverΓÇÖs license number|no|
+|Func_newzealand_driver_license_number|detects New Zealand driver license number|no|
+|Func_newzealand_social_welfare_number|detects New Zealand social welfare number|no|
+|Func_north_carolina_drivers_license_number|detects North Carolina driverΓÇÖs license number|no|
+|Func_north_dakota_drivers_license_number|detects North Dakota driverΓÇÖs license number|no|
+|Func_norway_id_number|detects Norway ID number|no|
+|Func_nova_scotia_drivers_license_number|detects Nova Scotia driverΓÇÖs license number|no|
+|Func_ohio_drivers_license_number|detects Ohio driverΓÇÖs license number|no|
+|Func_ontario_drivers_license_number|detects Ontario driverΓÇÖs license number|no|
+|Func_pennsylvania_drivers_license_number|detects Pennsylvania driverΓÇÖs license number|no|
+|Func_pesel_identification_number|detects Poland National ID (PESEL)|no|
+|Func_poland_eu_tax_file_number|detects Poland tax file number|no|
+|Func_polish_national_id|detects Poland identity card|no|
+|Func_polish_passport_number|detects Polish passport number|no|
+|Func_polish_regon_number|detects Polish REGON number|no|
+|Func_portugal_eu_tax_file_number|detects Portugal Tax Identification Number|no|
+|Func_prince_edward_island_drivers_license_number|detects Prince Edward Island driverΓÇÖs license number|no|
+|Func_quebec_drivers_license_number|detects Quebec driverΓÇÖs license number|no|
+|Func_randomized_formatted_ssn|detects randomized formatted US SSN|yes|
+|Func_randomized_unformatted_ssn|detects randomized unformatted US SSN|yes|
+|Func_rhode_island_drivers_license_number|detects Rhode Island driverΓÇÖs license number|no|
+|Func_romania_eu_national_id_card|detects Romania personal numeric code (CNP)|no|
+|Func_saskatchewan_drivers_license_number|detects Saskatchewan driverΓÇÖs license number|no|
+|Func_slovakia_eu_national_id_card|detects Slovakia personal number|no|
+|Func_slovenia_eu_national_id_card|detects Slovenia Unique Master Citizen Number|no|
+|Func_slovenia_eu_tax_file_number|detects Slovenia tax file number|no|
+|Func_south_africa_identification_number|detects South Africa identification number|yes|
+|Func_south_carolina_drivers_license_number|detects South Carolina driverΓÇÖs license number|no|
+|Func_south_dakota_drivers_license_number|detects South Dakota driverΓÇÖs license number|no|
+|Func_south_korea_resident_number|detects South Korea resident number|no|
+|Func_spain_eu_DL_and_NI_number_citizen|detects Spain DL and NI number citizen|no|
+|Func_spain_eu_DL_and_NI_number_foreigner|detects Spain DL and NI number foreigner|no|
+|Func_spain_eu_driver's_license_number|detects Spain driver's license number|no|
+|Func_spain_eu_tax_file_number|detects Spain tax file number|no|
+|Func_spanish_social_security_number|detects Spanish social security number|no|
+|Func_ssn|Function to detect non-randomized formatted US SSN|yes|
+|Func_sweden_eu_tax_file_number|detects Sweden tax file number|no|
+|Func_swedish_national_identifier|detects Swedish national identifier|yes|
+|Func_swiss_social_security_number_ahv|detects Swiss social security number AHV|no|
+|Func_taiwanese_national_id|detects Taiwanese national ID|no|
+|Func_tennessee_drivers_license_number|detects Tennessee driverΓÇÖs license number|no|
+|Func_texas_drivers_license_number|detects Texas driverΓÇÖs license number|no|
+|Func_Thai_Citizen_Id|detects Thai Citizen ID|no|
+|Func_Turkish_National_Id|detects Turkish National ID|yes|
+|Func_uk_drivers_license|detects UK driverΓÇÖs license|no|
+|Func_uk_eu_tax_file_number|detects UK unique taxpayer number|no|
+|Func_uk_nhs_number|detects UK NHS number|yes|
+|Func_uk_nino|detects UK NINO|no|
+|Func_unformatted_canadian_sin|detects unformatted Canadian SIN|no|
+|Func_unformatted_itin|detects unformatted US ITIN|yes|
+|Func_unformatted_ssn|detects non-randomized unformatted US SSN|yes|
+|Func_usa_uk_passport|detects USA and UK passport|yes|
+|Func_utah_drivers_license_number|detects Utah driverΓÇÖs license number|no|
+|Func_vermont_drivers_license_number|detects Vermont driverΓÇÖs license number|no|
+|Func_virginia_drivers_license_number|detects Virginia driverΓÇÖs license number|no|
+|Func_washington_drivers_license_number|detects Washington driverΓÇÖs license number|no|
+|Func_west_virginia_drivers_license_number|detects West Virginia driverΓÇÖs license number|no|
+|Func_wisconsin_drivers_license_number|detects Wisconsin driverΓÇÖs license number|no|
+|Func_wyoming_drivers_license_number|detects Wyoming driverΓÇÖs license number|no|
+
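Review bot: The table lists Func_argentina_Unique_Tax_Key and Func_Argentina_Unique_Tax_Key as separate rows that differ only in letter case, and the row described as "detects and validates" is marked "no" under "Is a validator". Please confirm whether both names really exist and correct either the description or the validator value. Two formatting problems in the same table: the separator row "||-||" does not define three columns, so the table may not render, and the apostrophe in the "driver's license" rows appears mis-encoded as "ΓÇÖ" (the Spain row uses a plain apostrophe), so the file should be saved as UTF-8 or use a plain apostrophe throughout. Func_us_date and Func_eu_date have their own sections below but no row here, which is worth a sentence of explanation.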
+## Func_us_date
+
+Func_us_date looks for dates in common U.S. formats. The common formats are "month/day/year", "month-day-year", and "month day year ". The names or abbreviations of months aren't case-sensitive.
+
+Examples:
+
+- December 2, 2016
+- Dec 2, 2016
+- dec 02 2016
+- 12/2/2016
+- 12/02/16
+- Dec-2-2016
+- 12-2-16
+
+Accepted month names:
+
+- English
+ - January, February, march, April, may, June, July, August, September, October, November, December
+ - Jan. Feb. Mar. Apr. May June July Aug. Sept. Oct. Nov. Dec.
+
+## Func_eu_date
+
+Fund_eu_dates looks for dates in common E.U. formats (and most places outside the U.S.), such as "day/month/year", "day-month-year", and "day month year". The names or abbreviations of months aren't case-sensitive.
+
+Examples:
+
+- 2 Dec 2016
+- 02 dec 2016
+- 2 Dec 16
+- 2/12/2016
+- 02/12/16
+- 2-Dec-2016
+- 2-12-16
+
+Accepted month names:
+
+- English
+ - January, February, march, April, may, June, July, August, September, October, November, December
+ - Jan. Feb. Mar. Apr. May June July Aug. Sept. Oct. Nov. Dec.
+- Dutch
+ - januari, februari, maart, April, mei, juni, juli, augustus, September, ocktober, October, November, December
+ - jan feb maart apr mei jun jul aug sep sept oct okt nov dec
+- French
+ - janvier, février, mars, avril, mai, juin juillet, août, septembre, octobre, novembre, décembre
+ - janv. févr. mars avril mai juin juil. août sept. oct. nov. déc.
+- German
+ - jänuar, februar, märz, April, mai, juni juli, August, September, oktober, November, dezember
+ - Jan./Jän. Feb. März Apr. Mai Juni Juli Aug. Sept. Okt. Nov. Dez.
+- Italian
+ - gennaio, febbraio, marzo, aprile, maggio, giugno, luglio, agosto, settembre, ottobre, novembre, dicembre
+ - genn. febbr. mar. apr. magg. giugno luglio ag. sett. ott. nov. dic.
+- Portuguese
+ - janeiro, fevereiro, março, marco, abril, maio, junho, julho, agosto, setembro, outubro, novembro, dezembro
+ - jan fev mar abr mai jun jul ago set out nov dez
+- Spanish
+ - enero, febrero, marzo, abril, mayo, junio, julio, agosto, septiembre, octubre, noviembre, diciembre
+ - enero feb. marzo abr. mayo jun. jul. agosto sept./set. oct. nov. dic.
+
+## Func_eu_date1 (deprecated)
+
+> [!NOTE]
+> This function is deprecated because it supports only Portuguese month names, which are now included in the `Func_eu_date` function above.
+
+This function looks for a date in the format commonly used in Portuguese. The format for this function is the same as `Func_eu_date`, differing only in the language used.
+
+Examples:
+
+- 2 Dez 2016
+- 02 dez 2016
+- 2 Dez 16
+- 2/12/2016
+- 02/12/16
+- 2-Dez-2016
+- 2-12-16
+
+Accepted month names:
+
+- Portuguese
+ - janeiro, fevereiro, março, marco, abril, maio, junho, julho, agosto, setembro, outubro, novembro, dezembro
+ - jan fev mar abr mai jun jul ago set out nov dez
+
+## Func_eu_date2 (deprecated)
+
+> [!NOTE]
+> This function is deprecated because it supports only Dutch month names, which are now included in the `Func_eu_date` function above.
+
+This function looks for a date in the format commonly used in Dutch. The format for this function is the same as `Func_eu_date`, differing only in the language used.
+
+Examples:
+
+- 2 Mei 2016
+- 02 mei 2016
+- 2 Mei 16
+- 2/12/2016
+- 02/12/16
+- 2-Mei-2016
+- 2-12-16
+
+Accepted month names:
+
+- Dutch
+ - januari, februari, maart, April, mei, juni, juli, augustus, September, ocktober, October, November, December
+ - jan feb maart apr mei jun jul aug sep sept out okt nov dec
+
+## Func_expiration_date
+
+Func_expiration_date looks for dates that are in formats commonly used by credit and debit cards. This function will match dates in format of "month/year", "month-year", "[month name] year", and "[month abbreviation] year". The names or abbreviations of months aren't case-sensitive.
+
+Examples:
+
+- MM/YY -- for example, 01/11 or 1/11
+- MM/YYYY -- for example, 01/2011 or 1/2011
+- MM-YY -- for example, 01-22 or 1-11
+- MM-YYYY -- for example, 01-2000 or 1-2000
+
+The following formats support YY or YYYY:
+
+- Month-YYYY -- for example Jan-2010 or january-2010 or Jan-10 or january-10
+- Month YYYY -- for example, 'january 2010' or 'Jan 2010' or 'january 10' or 'Jan 10'
+- MonthYYYY -- for example, 'january2010' or 'Jan2010' or 'january10' or 'Jan10'
+- Month/YYYY -- for example, 'january/2010' or 'Jan/2010' or 'january/10' or 'Jan/10'
+
+Accepted month names:
+
+- English
+ - January, February, march, April, may, June, July, August, September, October, November, December
+ - Jan Feb Mar Apr May June July Aug Sept Oct Nov Dec
+
+## Func_us_address
+
+Func_us_address looks for a U.S. state name or postal abbreviation followed by a valid zip code. The zip code must be one of the correct zip codes associated with the U.S. state name or abbreviation. The U.S. state name and zip code canΓÇÖt be separated by punctuation or letters.
+
+Examples:
+
+- Washington 98052
+- Washington 98052-9998
+- WA 98052
+- WA 98052-9998
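Review bot: The Func_eu_date section opens with "Fund_eu_dates looks for dates", which matches neither its heading nor the `Func_eu_date` name used in the two deprecation notes; correct it to Func_eu_date. The Dutch lists also disagree: the abbreviations read "sep sept oct okt" under Func_eu_date but "sep sept out okt" under Func_eu_date2, and both full-name lists give "ocktober, October" without "oktober", so a reader cannot tell which spellings the function accepts. Reconcile the lists with what the function matches. Minor: "month day year " in Func_us_date has a trailing space inside the quotes, and the MM-YY example pairs "01-22" with "1-11".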
compliance Sit Get Started Exact Data Match Create Rule Package https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-get-started-exact-data-match-create-rule-package.md
# Create exact data match sensitive information type/rule package
-You can create the exact data match (EDM) sensitive information type (SIT) by using the [the EDM schema and SIT wizard](#use-the-edm-schema-and-sit-wizard) in the Compliance center or create the rule package XML file [manually](#create-a-rule-package-manually). You can also combine both by using one method to create the schema and later edit it using the other method.
+You can create an exact data match (EDM) sensitive information type (SIT) by using the [the EDM schema and SIT wizard](#use-the-edm-schema-and-sit-wizard) in the Compliance center or create the rule package XML file [manually](#create-a-rule-package-manually). You can also combine both by using one method to create the schema and later edit it using the other method.
If you are not familiar with EDM based SITS or their implementation, you should familiarize yourself with:
Perform the steps in these articles:
- If you selected the Ignored Delimiters option for the primary element column in your schema, make sure the custom SIT you create will match data with and without the selected delimiters. - If you use a built in SIT, make sure it will detect exactly the strings you want to select, and not include any surrounding characters or exclude any valid part of the string as stored in your sensitive information table.
-See [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md#sensitive-information-type-entity-definitions) and [Get started with custom sensitive information types](create-a-custom-sensitive-information-type.md#get-started-with-custom-sensitive-information-types).
+See [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md#sensitive-information-type-entity-definitions) and [Create custom sensitive information types in Compliance center](create-a-custom-sensitive-information-type.md).
### Use the exact data match schema and sensitive information type pattern wizard
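Review bot: The rewritten opening sentence still reads "by using the [the EDM schema and SIT wizard]", with "the" both outside and inside the link text; drop one of them while this line is being touched. That link targets #use-the-edm-schema-and-sit-wizard, while the heading shown here is "Use the exact data match schema and sensitive information type pattern wizard", so check that the anchor still resolves.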
compliance Sit Manage Custom Sits Compliance Center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-manage-custom-sits-compliance-center.md
+
+ Title: "Manage custom sensitive information types in Compliance Center"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++ Last updated :
+ms.localizationpriority: medium
+
+- M365-security-compliance
+search.appverid:
+- MOE150
+- MET150
+description: "Learn how to modify, and remove custom sensitive information types in the Compliance Center."
++
+# Manage custom sensitive information types in the Compliance center
+
+This article walks you through the steps to modify and remove an existing custom sensitive information type in the Compliance center.
+
+## Modify custom sensitive information types in the Compliance Center
+
+1. In the Compliance Center, go to **Data classification** \> **Sensitive info types** and choose the sensitive information type from the list that you want to modify choose **Edit**.
+
+2. You can add other patterns, with unique primary and supporting elements, confidence levels, character proximity, and [**additional checks**](sit-regex-validators-additional-checks.md#sensitive-information-type-additional-checks) or edit/remove the existing ones.
+
+## Remove custom sensitive information types in the Compliance Center
+
+> [!NOTE]
+> You can only remove custom sensitive information types; you can't remove built-in sensitive information types.
+
+> [!IMPORTANT]
+> Before your remove a custom sensitive information type, verify that no DLP policies or Exchange mail flow rules (also known as transport rules) still reference the sensitive information type.
+
+1. In the Compliance Center, go to **Data classification** \> **Sensitive info types** and choose the sensitive information type from the list that you want to remove.
+
+2. In the fly-out that opens, choose **Delete**.
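Review bot: The removal procedure goes straight from selecting the type to **Delete**, while the IMPORTANT note above it asks the admin to verify that no DLP policies or Exchange mail flow rules still reference the type; add a step or a link that says where to check those references, otherwise the warning is not actionable. Wording to fix in the same pass: "Before your remove" should be "Before you remove", step 1 of the modify procedure runs two clauses together ("that you want to modify choose **Edit**"), the description has a stray comma in "modify, and remove", and the page alternates between "Compliance center" and "Compliance Center".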
compliance Sit Modify A Custom Sensitive Information Type In Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-modify-a-custom-sensitive-information-type-in-powershell.md
To connect to Compliance Center PowerShell, see [Connect to Compliance Center Po
[System.IO.File]::WriteAllBytes('XMLFileAndPath', $rulepak.SerializedClassificationRuleCollection) ```
- This example export the rule package to the file named ExportedRulePackage.xml in the C:\My Documents folder.
+ This example exports the rule package to the file named ExportedRulePackage.xml in the C:\My Documents folder.
```powershell [System.IO.File]::WriteAllBytes('C:\My Documents\ExportedRulePackage.xml', $rulepak.SerializedClassificationRuleCollection)
For detailed syntax and parameter information, see [Set-DlpSensitiveInformationT
- [Learn about data loss prevention](dlp-learn-about-dlp.md) - [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md)-- [What the DLP functions look for](what-the-dlp-functions-look-for.md)
+- [Sensitive information type functions](sit-functions.md)
compliance Sit Regex Validators Additional Checks https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-regex-validators-additional-checks.md
+
+ Title: "Sensitive information type REGEX validators and additional checks"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++ Last updated :
+ms.localizationpriority: medium
+
+- M365-security-compliance
+search.appverid:
+- MOE150
+- MET150
+description: "Learn how to use REGEX validators and additional checks in your sentisitve information types."
++
+# Sensitive information type REGEX validators and additional check
+
+> [!IMPORTANT]
+> Microsoft Customer Service & Support can't assist with creating custom classifications or regular expression patterns. Support engineers can provide limited support for the feature, such as, providing sample regular expression patterns for testing purposes, or assisting with troubleshooting an existing regular expression pattern that's not triggering as expected, but can't provide assurances that any custom content-matching development will fulfill your requirements or obligations.
+
+## Sensitive Information Type regular expression validators
+
+### Checksum validator
+
+If you need to run a checksum on a digit in a regular expression, you can use the *checksum validator*. For example, say you need to create a SIT for an eight digit license number where the last digit is a checksum digit that is validated using a mod 9 calculation. You've set up the checksum algorithm like this:
+
+```console
+Sum = digit 1 * Weight 1 + digit 2 * weight 2 + digit 3 * weight 3 + digit 4 * weight 4 + digit 5 * weight 5 + digit 6 * weight 6 + digit 7 * weight 7 + digit 8 * weight 8
+Mod value = Sum % 9
+If Mod value == digit 8
+ Account number is valid
+If Mod value != digit 8
+ Account number is invalid
+```
+
+1. Define the primary element with this regular expression:
+
+ ```console
+ \d{8}
+ ```
+
+2. Then add the checksum validator.
+
+3. Add the weight values separated by commas, the position of the check digit and the Mod value. For more information on the Modulo operation, see [Modulo operation](https://en.wikipedia.org/wiki/Modulo_operation).
+
+ > [!NOTE]
+ > If the check digit is not part of the checksum calculation then use 0 as the weight for the check digit. For example, in the above case weight 8 will be equal to 0 if the check digit is not to be used for calculating the check digit.
+
+ :::image type="content" alt-text="screenshot of configured checksum validator." source="../media/checksum-validator.png" lightbox="../media/checksum-validator.png":::
+
+### Date validator
+
+If a date value that is embedded in regular expression is part of a new pattern you are creating, you can use the *date validator* to test that it meets your criteria. For example, say you want to create a SIT for a nine digit employee identification number. The first six digits are the date of hire in DDMMYY format and the last three are randomly generated numbers. To validate that the first six digits are in the correct format.
+
+1. Define the primary element with this regular expression:
+
+ ```console
+ \d{9}
+ ```
+
+2. Then add the date validator.
+
+3. Select the date format and the start offset. Since the date string is the first six digits, the offset is `0`.
+
+ :::image type="content" alt-text="screenshot of configured date validator." source="../media/date-validator.png" lightbox="../media/date-validator.png":::
+
+### Functional processors as validators
+
+You can use function processors for some of the most commonly used SITs as validators. This allows you to define your own regular expression while ensuring they pass the additional checks required by the SIT. For example, Func_India_Aadhar will ensure that the custom regular expression defined by you passes the validation logic required for Indian Aadhar card. For more information on DLP functions that can be used as validators, see [Sensitive information type functions](sit-functions.md).
+
+### Luhn check validator
+
+You can use the Luhn check validator if you have a custom Sensitive information type that includes a regular expression which should pass the [Luhn algorithm](https://en.wikipedia.org/wiki/Luhn_algorithm).
+
+## Sensitive information type additional checks
+
+Here are the definitions and some examples for the available additional checks.
+
+**Exclude specific matches**: This check lets you define keywords to exclude when detecting matches for the pattern you are editing. For example, you might exclude test credit card numbers like '4111111111111111' so that they're not matched as a valid number.
+
+**Starts or doesn't start with characters**: This check lets you define the characters that the matched items must or must not start with. For example, if you want the pattern to detect only credit card numbers that start with 41, 42, or 43, select **Starts with** and add 41, 42, and 43 to the list, separated by commas.
+
+**Ends or doesn't end with characters**: This check lets you define the characters that the matched items must or must not end with. For example, if your Employee ID number cannot end with 0 or 1, select **Doesn't end with** and add 0 and 1 to the list, separated by commas.
+
+**Exclude duplicate characters**: This check lets you ignore matches in which all the digits are the same. For example, if the six digit employee ID number cannot have all the digits be the same, you can select **Exclude duplicate characters** to exclude 111111, 222222, 333333, 444444, 555555, 666666, 777777, 888888, 999999, and 000000 from the list of valid matches for the employee ID.
+
+**Include or exclude prefixes**: This check lets you define the keywords that must or must not be found immediately before the matching entity. Depending on your selection, entities will be matched or not matched if they're preceded by the prefixes you include here. For example, if you **Exclude** the prefix **GUID:**, any entity that's preceded by **GUID:** won't be considered a match.
+
+**Include or exclude suffixes** This check lets you define the keywords that must or must not be found immediately after the matching entity. Depending on your selection, entities will be matched or not matched if they're followed by the suffixes you include here. For example, if you **Exclude** the suffix **:GUID**, any text that's followed by **:GUID** won't be matched.
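Review bot: The checksum walkthrough is framed around an eight digit license number, but the pseudocode reports "Account number is valid" and "Account number is invalid"; use one term throughout. In the date validator section, "To validate that the first six digits are in the correct format." is a fragment and should lead into the numbered steps that follow it. Smaller points: the description misspells "sentisitve", the H1 says "additional check" while the title says "additional checks", the heading "Functional processors as validators" becomes "function processors" in the body, and **Include or exclude suffixes** is the only additional check missing the colon after its bold label.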
compliance Sit Remove A Custom Sensitive Information Type In Powershell https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-remove-a-custom-sensitive-information-type-in-powershell.md
In Compliance center PowerShell, there are two methods to remove custom sensitiv
- [Sensitive information type entity definitions](sensitive-information-type-entity-definitions.md) -- [What the DLP functions look for](what-the-dlp-functions-look-for.md)
+- [Sensitive information type functions](sit-functions.md)
compliance Sit Use Exact Data Refresh Data https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sit-use-exact-data-refresh-data.md
Title: "Refresh your sensitive information source table file"
+ Title: "Refresh your exact data matchsensitive information source table file"
f1.keywords: - NOCSH
description: Refresh your sensitive information source table file.
-# Refresh your sensitive information source table file
+# Refresh your exact data match sensitive information source table file
-You can refresh your sensitive information database twice in every 24 hour period. You'll have to rehash and upload your sensitive information source table.
+You can refresh your sensitive information database up to 5 times in every 24 hour period. You'll have to rehash and upload your sensitive information source table.
1. Re-export the sensitive data to an app, such as Microsoft Excel, and save the file in .csv, .tsv format or pipe (|) delimited format. Keep the same file name and location you used when you previously hashed and uploaded the file. See, [Export source data for exact data match based sensitive information type](sit-get-started-exact-data-match-export-data.md#export-source-data-for-exact-data-match-based-sensitive-information-type) for details on exporting your sensitive data and getting it into the correct format.
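Review bot: The new title value reads "Refresh your exact data matchsensitive information source table file", with no space between "match" and "sensitive"; the H1 changed in the same commit has it right. The description line is left as "Refresh your sensitive information source table file." and could pick up the same "exact data match" wording so that title, H1 and description agree.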
contentunderstanding Create An Extractor https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/create-an-extractor.md
You need to create an extractor for each entity in the document that you want to
2. On the **New entity extractor** screen, type the name of your extractor in the **New extractor name** field. For example, name it **Service Start Date** if you want to extract the service start date from each Contract Renewal document. You can also choose to reuse a previously created column (for example, a managed metadata column).
+ By default, the column type is **Single line of text**. If you want to change the column type, select **Advanced settings** > **Column type**, and then select the type you want to use.
+
+ ![Screenshot of the Advanced settings portion of the New entity extractor panel showing the Column type option.](../media/content-understanding/advanced-settings-column-type.png)
+ > [!NOTE] > For extractors with the column type **Single line of text**, the maximum character limit is 255. Any characters that you type exceeding the limit get truncated.
contentunderstanding Use Content Center Site https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/use-content-center-site.md
+
+ Title: Use the Content Center site template for Microsoft SharePoint Syntex
+++
+audience: admin
++
+search.appverid:
+
+ - enabler-strategic
+ - m365initiative-syntex
+ms.localizationpriority: medium
+
+description: Learn how to provision and use the Content Center site template in Microsoft SharePoint Syntex.
++
+# Use the Content Center site template for Microsoft SharePoint Syntex
+
+The SharePoint Syntex Content Center site is a ready-to-deploy SharePoint site template designed to help you better understand SharePoint Syntex capabilities.
+
+You'll be introduced to the tools and information youΓÇÖll need to create and train your own models. You'll then be able to use this site as a central content repository or as the control center for managing your own SharePoint Syntex models.
+
+![Screenshot of the Content Center site template home page.](../media/content-understanding/content-center-site-home-page.png)
+
+In this site, models can be trained and evaluated using your own content. However, to apply the models to libraries, a license for SharePoint Syntex is required.
+
+## Provision the site
+
+The Content Center site can be provisioned from the [SharePoint look book service](https://lookbook.microsoft.com/).
+
+![Screenshot of the Content Center site template provisioning page.](../media/content-understanding/content-center-site-provisioning-page.png)
+
+> [!NOTE]
+> You must be a global administrator or SharePoint administrator in Microsoft 365 to provision the site.
+
+1. From the main page of the [SharePoint look book](https://lookbook.microsoft.com/), on the **View the designs** menu, select **SharePoint Syntex** > **SharePoint Syntex Content Center**.
+
+2. On the **Content Center** page, select **Add to your tenant**.
+
+ ![Screenshot of the Add to your tenant button on the Content Center site template provisioning page.](../media/content-understanding/content-center-site-add-to-your-tenant.png)
+
+3. Enter your email address (for a notification of when your site is ready to use), the site URL you want to use, and the title you want to use for your site.
+
+ ![Screenshot of the Add to your tenant button on the Content Center site template provisioning page.](../media/content-understanding/content-center-email-and-url.png)
+
+4. Select **Provision**, and in a short time your site will be ready for you to use. YouΓÇÖll get an email (sent to the email address you provided) indicating that your request to provision the Content Center site template is completed.
+
+5. Select **Open site**, and youΓÇÖll see your Content Center site. From here, you can explore the site and learn more about SharePoint Syntex.
+
+For more information about provisioning from the SharePoint look book service, see [Provision a new learning pathways solution](/office365/customlearning/custom_provision).
+
+## Explore the site
+
+The Content Center site includes pre-populated pages that walk you through the steps to begin using SharePoint Syntex in your organization.
+
+### Get started with SharePoint Syntex
+
+Get an introduction to SharePoint Syntex and learn how you can use it for your organization. Watch a video that gives you an overview of SharePoint Syntex, and find training to help you get started.
+
+### Learn about model types
+
+Learn about three types of models, and see how you can use them to resolve business issues for search, business processes, compliance, and more.
+
+### Take an interactive tour to create a model
+
+See how to build a document understanding model in the models library, and then enable a pretrained sample model.
+
+### SharePoint Syntex in six simple steps
+
+Begin with a content center, and then learn step-by-step how to create models to identify, classify, and extract the information you need.
+
+### Streamline everyday processes and tasks
+
+Learn how to use SharePoint Syntex to take what is manual and turn it into something automated and streamlined for your organization.
+
+### Manage compliance
+
+Implement steps to reduce risks and ensure the data and information your organization captures is used in a secure and thoughtful way.
+
+### View model activity
+
+See how content is used to illustrate model activity and to provide more information about how your models are being used.
+
+### Find additional resources
+
+Discover additional resources and scenarios to help you learn more about SharePoint Syntex.
++
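Review bot: In step 3 of "Provision the site", the image content-center-email-and-url.png reuses the alt text of the step 2 image ("Screenshot of the Add to your tenant button on the Content Center site template provisioning page."); give it alt text that describes the email address and site URL fields it shows.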
contentunderstanding Use Contracts Management Site https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/use-contracts-management-site.md
+
+ Title: Use the Contracts Management site template for Microsoft SharePoint Syntex
+++
+audience: admin
++
+search.appverid:
+
+ - enabler-strategic
+ - m365initiative-syntex
+ms.localizationpriority: medium
+
+description: Learn how to provision, use, and customize the Contracts Management site template in Microsoft SharePoint Syntex.
++
+# Use the Contracts Management site template for Microsoft SharePoint Syntex
+
+The Contracts Management site is a ready-to-deploy and customizable SharePoint site template that helps your organization maximize the value of SharePoint Syntex. The site is designed to let you create a professional site to manage, process, and track the status of contracts in your organization.
+
+## Features of the site
+
+![Screenshot of the Contracts Management site template home page.](../media/content-understanding/contracts-management-site-home-page.png)
+
+The Contract Management site includes pre-populated pages, web parts, and site navigation. The site can be customized to incorporate your organization's own branding, employee information, policy and planning information, workflow, contacts, and resources.
+
+The site uses the power of a SharePoint Syntex model running on document libraries to classify documents and extract metadata. The site provides prebuilt document libraries to get you started quickly, but you can also create your own as needed. The site includes the following featured libraries:
+
+- **Regions** ΓÇô Classify contract documents by geographical area, country, or region.
+
+- **Templates** ΓÇô Select the appropriate contract template for the type of contract, such as non-disclosure agreements, service agreements, and statements of work.
+
+- **Contract requests** ΓÇô Launch a contract request directly to your contracts team.
+
+- **Clients** ΓÇô Find client information in one convenient location.
+
+- **Models** ΓÇô Use this library of models to classify documents and extract metadata. Users can create their own models to fit their needs and add them to this library.
+
+- **Sample contracts library** ΓÇô Find files that were classified and have had metadata extracted using the SharePoint Syntex model.
+
+There is a separate view in the library where you can track other metadata such as status, and that uses document library formatting to show it in a more visual way.
+
+## Provision the site
+
+The Contracts Management site can be provisioned from the [SharePoint look book service](https://lookbook.microsoft.com/).
+
+![Screenshot of the Contracts Management site template provisioning page.](../media/content-understanding/contracts-management-site-provisioning-page.png)
+
+> [!NOTE]
+> You must be a global administrator or SharePoint administrator in Microsoft 365 to provision the site. You also must have a SharePoint Syntex license to add this site template to your organization.
+
+1. From the main page of the [SharePoint look book](https://lookbook.microsoft.com/), on the **View the designs** menu, select **SharePoint Syntex** > **SharePoint Syntex Contracts Management**.
+
+2. On the **Contracts Management** page, select **Add to your tenant**.
+
+ ![Screenshot of the Add to your tenant button on the Contracts Management site template provisioning page.](../media/content-understanding/contracts-management-site-add-to-your-tenant.png)
+
+3. Enter your email address (for a notification of when your site is ready to use), the site URL you want to use, and the title you want to use for your site.
+
+ ![Screenshot of the email and site URL fields on the Contracts Management site template provisioning page.](../media/content-understanding/contracts-management-email-and-site-url.png)
+
+4. Select **Provision**, and in a short time your site will be ready for you to use. YouΓÇÖll get an email (sent to the email address you provided) indicating that your request to provision the Contracts Management site template is completed.
+
+5. Select **Open site**, and youΓÇÖll see your Contracts Management site. From here, you can explore the site and customize the pages and content.
+
+For more information about provisioning from the SharePoint look book service, see [Provision a new learning pathways solution](/office365/customlearning/custom_provision).
+
+## Customize the site
+
+Before you share the Contracts Management site with other users, you'll want to customize the site to meet your requirements.
+
+### Customize the look and feel of your site
+
+Customize the following elements of your site to fit the need of your organization:
+
+- Update the [branding](https://support.microsoft.com/office/customize-your-sharepoint-site-320b43e5-b047-4fda-8381-f61e8ac7f59b) on the Contracts Management site to align with your organization.
+- Customize the [Hero web part](https://support.microsoft.com/office/use-the-hero-web-part-d57f449b-19a0-4b0d-8ce3-be5866430645) to include images of real sites in your organization where possible.
+- Customize the [People web part](https://support.microsoft.com/office/show-people-profiles-on-your-page-with-the-people-web-part-7e52c5f6-2d72-48fa-a9d3-d2750765fa05) to include contact information for the contract managers or others.
+- Customize the [Text web part](https://support.microsoft.com/office/add-text-and-tables-to-your-page-with-the-text-web-part-729c0aa1-bc0d-41e3-9cde-c60533f2c801) to add paragraphs to and formatting options like styles, bullets, indentations, highlighting, and links.
+- Customize the [Image web part](https://support.microsoft.com/office/use-the-image-web-part-a63b335b-ad0a-4954-a65d-33c6af68beb2) to add an image to a page.
+- Customize the [Quick Links web part](https://support.microsoft.com/office/use-the-quick-links-web-part-e1df7561-209d-4362-96d4-469f85ab2a82) to organize and display links to other resources.
+- Add [other web parts](https://support.microsoft.com/office/using-web-parts-on-sharepoint-pages-336e8e92-3e2d-4298-ae01-d404bbe751e0) to your site as needed.
+- Customize the [page layouts](https://support.microsoft.com/office/add-sections-and-columns-on-a-sharepoint-modern-page-fc491eb4-f733-4825-8fe2-e1ed80bd0899) as needed.
+- Add [new pages](https://support.microsoft.com/office/create-and-use-modern-pages-on-a-sharepoint-site-b3d46deb-27a6-4b1e-87b8-df851e503dec) to add additional support or informational resources.
+
+### Customize the site navigation
+
+You have control of the site navigation for the Contracts Management site. Use the following resources to help you make changes that align with your organization:
+
+- Customize the [site navigation](https://support.microsoft.com/office/customize-the-navigation-on-your-sharepoint-site-3cd61ae7-a9ed-4e1e-bf6d-4655f0bf25ca).
+- [Associate this site with a hub](https://support.microsoft.com/office/associate-a-sharepoint-site-with-a-hub-site-ae0009fd-af04-4d3d-917d-88edb43efc05).
+- Use [audience targeting](https://support.microsoft.com/office/target-navigation-news-and-files-to-specific-audiences-33d84cb6-14ed-4e53-a426-74c38ea32293) to target specific navigational links to specific users.
+- [Delete unwanted pages](https://support.microsoft.com/office/delete-a-page-from-a-sharepoint-site-1d4197b8-31b6-460d-906b-3fb492a51db1) if you need to.
+
+## Share the site with others
+
+[Share your site with others](https://support.microsoft.com/office/share-a-site-958771a8-d041-4eb8-b51c-afea2eae3658). Partner with others in your organization to ensure the Contracts Management site is widely known and adopted.
+
+Key success factors to managing the Contracts Management site:
+
+- Celebrate the launch of your Contracts Management site.
+- Create and post news announcing the new resource.
+- Ensure users have an outlet for questions and feedback.
+- Use insights from [site analytics](https://support.microsoft.com/office/view-usage-data-for-your-sharepoint-site-2fa8ddc2-c4b3-4268-8d26-a772dc55779e) to promote content on the home page, update navigation, or rewrite content for clarity.
+- Review the Contracts Management site as needed to ensure content is fresh and still relevant.
+
+## See also
+
+[Manage contracts using a Microsoft 365 solution](solution-manage-contracts-in-microsoft-365.md)
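Review bot: The site is called "Contracts Management" in the title, the intro and the provisioning steps but "Contract Management" in the first sentence under "Features of the site"; use one name. The Text web part bullet is garbled ("to add paragraphs to and formatting options like styles, bullets, ..."), and the sentence beginning "There is a separate view in the library" does not say which of the listed libraries it refers to.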
enterprise Network Planning And Performance https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/network-planning-and-performance.md
Title: "Network planning and performance tuning for Microsoft 365" - Previously updated : 8/19/2020+ Last updated : 2/18/2022 audience: Admin
Before you deploy for the first time or migrate to Microsoft 365, you can use th
Once you have Microsoft 365 deployed, you can optimize your performance by using the topics in this section. If you experience performance degradation you can also use these topics to troubleshoot issues.
- **[Tune Office 365 performance](tune-microsoft-365-performance.md)**: For information about using network address translation with Office 365, see [NAT support with Office 365](nat-support-with-microsoft-365.md). Also, take a look at the [top 10 tips for optimizing and troubleshooting your Office 365 network connectivity](/archive/blogs/onthewire/top-10-tips-for-optimising-troubleshooting-your-office-365-network-connectivity).
+ **[Tune Office 365 performance](tune-microsoft-365-performance.md)**: For information about using network address translation with Office 365, see [NAT support with Office 365](nat-support-with-microsoft-365.md). Also, take a look at the [top 10 tips for optimizing and troubleshooting your Office 365 network connectivity](/archive/blogs/onthewire/top-10-tips-for-optimising-troubleshooting-your-office-365-network-connectivity).
- **[Tune Exchange Online performance](tune-exchange-online-performance.md)**: Use these articles to fine tune Exchange Online performance.
+ **[Tune Exchange Online performance](tune-exchange-online-performance.md)**: Use these articles to fine tune Exchange Online performance.
+
+ **[Prepare your organization's network for Microsoft Teams](/microsoftteams/prepare-network)**: Use these articles to optimize your network for Teams.
- **[Tune Skype for Business Online performance](tune-skype-for-business-online-performance.md)**: Use these articles to fine tune Skype for Business Online performance.
+ **[Tune Skype for Business Online performance](tune-skype-for-business-online-performance.md)**: Use these articles to fine tune Skype for Business Online performance.
- **[Tune SharePoint Online performance](tune-sharepoint-online-performance.md)**: Use these articles to fine tune SharePoint Online performance.
+ **[Tune SharePoint Online performance](tune-sharepoint-online-performance.md)**: Use these articles to fine tune SharePoint Online performance.
- **[Tune Project Online performance](https://support.office.com/article/12ba0ebd-c616-42e5-b9b6-cad570e8409c)**: Use this article to fine tune Project Online performance.
+ **[Tune Project Online performance](https://support.office.com/article/12ba0ebd-c616-42e5-b9b6-cad570e8409c)**: Use this article to fine tune Project Online performance
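Review bot: The added Project Online entry at the end of this list drops the closing period that the removed line had and that every other added entry keeps, so restore it. While these lines are being touched, "fine tune" is used as a verb in each entry and should be hyphenated as "fine-tune".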
managed-desktop Register Devices Self https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/get-started/register-devices-self.md
audience: Admin
Microsoft Managed Desktop can work with brand-new devices, or you can reuse devices you might already have. If you reuse devices, you must reimage them. You're able to register devices with Microsoft Managed Desktop in the Microsoft Endpoint Manager portal. > [!NOTE]
-> Working with a partner to obtain devices? If so, you don't need to worry about getting the hardware hashes; they'll take care of that for you. Make sure your partner establishes a relationship with you at the [Partner Center](https://partner.microsoft.com/dashboard). Your partner can learn more at [Partner Center help](/partner-center/request-a-relationship-with-a-customer). Once this relationship established, your partner will simply register devices on your behalf ΓÇô no further action required from you. If you want to see the details, or your partner has questions, see [Steps for Partners to register devices](register-devices-partner.md). Once the devices are registered, you can proceed with [checking the image](#check-the-image) and [delivering the devices](#deliver-the-device) to your users.
+> Working with a partner to obtain devices? If so, you don't need to worry about getting the hardware hashes; they'll take care of that for you. Make sure your partner establishes a relationship with you at the [Partner Center](https://partner.microsoft.com/dashboard). Your partner can learn more at [Partner Center help](/partner-center/request-a-relationship-with-a-customer). <br><br>Once this relationship established, your partner will simply register devices on your behalf ΓÇô no further action required from you. If you want to see the details, or your partner has questions, see [Steps for Partners to register devices](register-devices-partner.md). Once the devices are registered, you can proceed with [checking the image](#check-the-image) and [delivering the devices](#deliver-the-device) to your users.
## Prepare to register brand-new devices
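Review bot: The added NOTE text still reads "Once this relationship established", which is missing "is"; the `<br><br>` split was inserted directly in front of that sentence without fixing it. The dash before "no further action required" also appears here as "ΓÇô" in both the removed and the added line, so check its encoding in the source file in the same change.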
managed-desktop Security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/security.md
<!--Security, also Onboarding doc: data handling/store, privileged account access -->
-Microsoft Managed Desktop uses several Microsoft technologies to help secure managed devices and data. In addition, the Microsoft Managed Desktop Security Operations Center uses various [processes](security-operations.md) in conjunction with these technologies.
+Microsoft Managed Desktop uses several Microsoft technologies to help secure managed devices and data. In addition, the Microsoft Managed Desktop Security Operations Center uses various [processes](security-operations.md) with these technologies. Specifically:
-Specifically:
--- [Device security](#device-security) ΓÇô security and protection on Microsoft Managed Desktop devices-- [Identity and Access Management](#identity-and-access-management) ΓÇô managing secure use of devices through Azure Active Directory identity services-- [Network security](#network-security) ΓÇô VPN information and Microsoft Managed Desktop recommended solution and settings-- [Information security](#information-security) ΓÇô optional available services to further protect sensitive information
+| Process | Description |
+| | |
+| [Device security](#device-security)| Security and protection on Microsoft Managed Desktop devices. |
+| [Identity and Access Management](#identity-and-access-management) | Managing secure use of devices through Azure Active Directory identity services. |
+| [Network security](#network-security)| VPN information and Microsoft Managed Desktop recommended solution and settings. |
+| [Information security](#information-security)| Optional available services to further protect sensitive information. |
For information about data storage, usage, and security practices used by Microsoft Managed Desktop, see our whitepaper at [https://aka.ms/mmd-data](https://aka.ms/mmd-data). - ## Device security Microsoft Managed Desktop ensures all managed devices are secured and protected, and detects threats as early as possible using the following
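Review bot: The separator row of the new Process/Description table is written as `| | |`, with no dashes, while the other tables added in this file use `| -- | -- |`; a delimiter row without dashes is not recognized as a table separator. Change it to `| -- | -- |`. The "Process" column header is also an odd label for entries that link to page sections such as Device security and Network security; "Area" or "Section" would describe them better.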
-Service | Description
- |
-Antivirus | Microsoft Defender Antivirus is installed and configured<br>Microsoft Defender Antivirus definitions are up to date
-Full Volume Encryption | Windows BitLocker is the volume encryption solution for Microsoft Managed Desktop devices.<br><br>Once an organization is onboarded into the service, devices will be encrypted using Windows BitLocker with built-in Trust Platform Module (TPM) to prevent unauthorized access to local data when the device is in sleep mode, or off.
-Monitoring | Microsoft Defender for Endpoint is used for security threat monitoring across all Microsoft Managed Desktop devices. Defender for Endpoint allows enterprise customers to detect, investigate, and respond to advanced threats in their corporate network. For more information, see [Microsoft Defender for Endpoint.](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection)
-Operating system updates | Microsoft Managed Desktop devices are always secured with the latest security updates.
-Secure Device Configuration | Microsoft Managed Desktop implements the Microsoft Security Baseline. For more information, see [Windows security baselines.](/windows/security/threat-protection/windows-security-baselines)
--
+| Service | Description |
+| -- | -- |
+| Antivirus | Microsoft Defender Antivirus is installed and configured<br>Microsoft Defender Antivirus definitions are up to date. |
+| Full Volume Encryption | Windows BitLocker is the volume encryption solution for Microsoft Managed Desktop devices.<br><br>Once an organization is enrolled into the service, devices will be encrypted using Windows BitLocker with built-in Trust Platform Module (TPM) to prevent unauthorized access to local data when the device is in sleep mode, or off.
+| Monitoring | Microsoft Defender for Endpoint is used for security threat monitoring across all Microsoft Managed Desktop devices. Defender for Endpoint allows enterprise customers to detect, investigate, and respond to advanced threats in their corporate network. For more information, see [Microsoft Defender for Endpoint.](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) |
+| Operating system updates | Microsoft Managed Desktop devices are always secured with the latest security updates. |
+| Secure Device Configuration | Microsoft Managed Desktop implements the Microsoft Security Baseline. For more information, see [Windows security baselines.](/windows/security/threat-protection/windows-security-baselines)|
## Identity and access management
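Review bot: In the reformatted Device security table, the Full Volume Encryption row still says "Trust Platform Module (TPM)"; the term is Trusted Platform Module, and this rewrite is the place to correct it. That row is also the only added row in the table without a closing `|`, so add one to match the rows around it.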
-Identity and access management protects corporate assets and business-critical data. Microsoft Managed Desktop configures devices to ensure secure use with Azure Active Directory (Azure AD) managed identities. It is the customer's responsibility to maintain accurate information in their Azure AD tenant.
-
-Service | Description
- |
-Biometric Authentication | Windows Hello allows users to sign in by using their face or a PIN, making passwords harder to forget or steal. Customers are responsible for implementing the necessary pre-requisites for their on-premises Active Directory for use of this service in a hybrid configuration. For more information, see [Windows Hello.](/windows-hardware/design/device-experiences/windows-hello)
-Standard user permission | To protect the system and make it more secure, the user will be assigned Standard User Permissions. This permission is assigned as part of the Windows Autopilot out-of-box experience.
-
+Identity and access management protects corporate assets and business-critical data. Microsoft Managed Desktop configures devices to ensure secure use with Azure Active Directory (Azure AD) managed identities. It's the customer's responsibility to maintain accurate information in their Azure AD tenant.
+| Service | Description |
+| -- | -- |
+| Biometric Authentication | Windows Hello allows users to sign in by using their face or a PIN, making passwords harder to forget or steal. Customers are responsible for implementing the necessary pre-requisites for their on-premises Active Directory to use this service in a hybrid configuration. For more information, see [Windows Hello.](/windows-hardware/design/device-experiences/windows-hello) |
+| Standard user permission | To protect the system and make it more secure, the user will be assigned Standard User Permissions. This permission is assigned as part of the Windows Autopilot out-of-box experience.
## Network security
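Review bot: The added Identity and access management paragraph is now followed immediately by the table header row; the blank line that came after the paragraph in the removed version is not in the added version. Keep a blank line between the paragraph and the table so the table is parsed as its own block in every Markdown processor.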
-Customers are responsible for network security.
+Customers are responsible for network security.
-Service | Description
- |
-VPN | Customers own their VPN infrastructure, to ensure limited corporate resources can be exposed outside the intranet.<br><br>Minimum requirement: Microsoft Managed Desktop requires a Windows 10 compatible and supported VPN solution. If your organization needs a VPN solution, it needs to support Windows 10 and be packaged and deployable through Intune. Contact your software publisher for more information.<br><br>Recommendation:<br>- Microsoft recommends a modern VPN solution that could be easily deployed through Intune to push VPN profiles. This approach provides an always-on, seamless, reliable, and secure way to access corporate network. For more information, see [[VPN settings in Intune]](/intune/vpn-settings-configure).<br>- Thick VPN clients, or older VPN clients, are not recommended by Microsoft while using Microsoft Managed Desktop as it can impact the user environment.<br>- Microsoft recommends that the outgoing web traffic goes directly to Internet without going through the VPN to avoid any performance issues.<br>- Ideally, Microsoft recommends the use of Azure Active Directory App Proxy instead of a VPN.
+| Service | Description |
+| -- | -- |
+| VPN | Customers own their VPN infrastructure, to ensure limited corporate resources can be exposed outside the intranet.<br><br>Minimum requirement: Microsoft Managed Desktop requires a Windows 10 compatible and supported VPN solution. If your organization needs a VPN solution, it needs to support Windows 10 and be packaged and deployable through Intune. Contact your software publisher for more information.<br><br>Recommendation:<br><ul><li> Microsoft recommends a modern VPN solution that could be easily deployed through Intune to push VPN profiles. This approach provides an always-on, seamless, reliable, and secure way to access corporate network. For more information, see [VPN settings in Intune](/intune/vpn-settings-configure).</li><li>Thick VPN clients, or older VPN clients, aren't recommended by Microsoft while using Microsoft Managed Desktop as it can affect the user environment.</li><li>Microsoft recommends that the outgoing web traffic goes directly to Internet without going through the VPN to avoid any performance issues.</li><li>Ideally, Microsoft recommends the use of Azure Active Directory App Proxy instead of a VPN.</li></ul>
## Information security
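Review bot: The rewritten VPN cell keeps two phrases that are missing an article: "secure way to access corporate network" and "goes directly to Internet" should read "the corporate network" and "the internet". The added row also ends at `</ul>` with no closing `|`, unlike the header and separator rows above it.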
-You can configure these optional services to help protect corporate high-value assets.
+You can configure these optional services to help protect corporate high-value assets.
-Service | Description
- |
-Data recovery | Information stored in key folders on the device is backed up to OneDrive for Business. Microsoft Managed Desktop is not responsible for data that isnΓÇÖt synchronized with OneDrive for Business.
-Windows Information Protection | For companies that require high levels of information security, we recommend [Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip) and [Azure Information Protection.](https://www.microsoft.com/cloud-platform/azure-information-protection)
+| Service | Description |
+| -- | -- |
+| Data recovery | Information stored in key folders on the device is backed up to OneDrive for Business. Microsoft Managed Desktop isn't responsible for data that isn't synchronized with OneDrive for Business.
+| Windows Information Protection | For companies that require high levels of information security, we recommend [Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip) and [Azure Information Protection.](https://www.microsoft.com/cloud-platform/azure-information-protection)
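Review bot: Both added rows of the Information security table end without the closing `|` that the header and separator rows use, so the table is delimited inconsistently. Add the trailing `|` to the Data recovery and Windows Information Protection rows.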
managed-desktop Shared Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/managed-desktop/service-description/shared-devices.md
# Shared devices
-Microsoft Managed Desktop allows you to register devices in "shared device mode," similar to the shared device mode offered by [Microsoft Intune](/mem/intune/configuration/shared-user-device-settings). Devices in this mode are optimized for situations where users aren't tied down to a single desk and are frequently changing devices, typically frontline workers such as bank tellers or nursing staff. You can apply any of the Microsoft Managed Desktop [profiles](profiles.md) to devices in this mode. Devices registered in this mode have some important differences:
+Microsoft Managed Desktop allows you to register devices in "shared device mode," similar to the shared device mode offered by [Microsoft Intune](/mem/intune/configuration/shared-user-device-settings).
+
+Devices in this mode are optimized for situations where users aren't tied down to a single desk and are frequently changing devices. For example, frontline workers such as bank tellers or nursing staff. You can apply any of the Microsoft Managed Desktop [profiles](profiles.md) to devices in this mode. Devices registered in this mode have some important differences:
- [Device storage](#device-storage) is optimized for shared users. - [Inactive accounts](#deletion-of-inactive-accounts) are deleted. - [Guest accounts](#guest-accounts) aren't supported by default. - [Microsoft 365 Applications](#microsoft-365-apps-for-enterprise) for enterprise licensing is optimized for shared devices.
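Review bot: In the added second paragraph, "For example, frontline workers such as bank tellers or nursing staff." is a sentence fragment left over from splitting the original sentence. Give it a subject and verb, for example "Typical users are frontline workers such as bank tellers or nursing staff."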
-Because you make the choice to use shared device mode at the point of registration into Microsoft Managed Desktop, if you want to change it out of this mode later, you'll have to de-register it and register it again.
+Because you make the choice to use shared device mode at the point of registration in Microsoft Managed Desktop, if you want to change out of this mode later, you must de-register it and register it again.
## When to use shared device mode Any situation where users are frequently changing devices.
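Review bot: In the added sentence, "you must de-register it and register it again" has lost its antecedent, because the earlier "change it out of this mode" was shortened to "change out of this mode" and nothing in the sentence names the device any more. Write "you must de-register the device and register it again".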
-For example, bank tellers might be in one location managing deposits, but move to a back office to help customers with a mortgage. In each of those locations, the device runs different applications and is optimized for those tasks, though they are used by multiple people.
+For example, bank tellers might be in one location managing deposits, but move to a back office to help customers with a mortgage. In each of those locations, the device runs different applications and is optimized for those tasks, though they're used by multiple people.
-Nursing staff typically move between rooms and offices as they interact with patients, so they can sign into a workstation in an office, but connect to their remote desktop and take notes, only to repeat this in a different room with a different patient.
+Nursing staff typically move between rooms and offices as they interact with patients. They can sign into a workstation in an office, but connect to their remote desktop and take notes, and repeat this process in a different room with a different patient.
## When not to use shared device mode
If you're enrolling devices yourself, follow the steps in [Register new devices
If you're having a partner enroll devices, follow the steps in [Steps for Partners to register devices](../get-started/register-devices-partner.md), but append **-Shared** to the group tag, as shown in the following table:
-|Device profile |Group tag (standard mode) |Group tag (shared device mode) |
-||||
-|Sensitive date | Microsoft365Managed_SensitiveData | Microsoft365Managed_SensitiveData-Shared |
-| Power user | Microsoft365Managed_PowerUser | Not supported |
-|Standard | Microsoft365Managed_Standard | Microsoft365Managed_Standard-Shared |
+| Device profile | Autopilot group tag (standard mode) | Group tag (shared device mode) |
+| -- | -- | -- |
+| Sensitive data | Microsoft365Managed_SensitiveData | Microsoft365Managed_SensitiveData-Shared |
+| Power user | Microsoft365Managed_PowerUser | Not supported |
+| Standard | Microsoft365Managed_Standard | Microsoft365Managed_Standard-Shared |
## Consequences of shared device mode
In shared device mode, you can have only one [device profile](profiles.md) on a
### Apps and policies assigned to users
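Review bot: The new header row of the group tag table renames only the second column to "Autopilot group tag (standard mode)" and leaves the third as "Group tag (shared device mode)", although both columns hold the same kind of value. Use the same term in both headers, either "Autopilot group tag" or "Group tag".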
-On shared devices, you should assign any apps or policies that you are managing yourself to *device groups*, not user groups. Doing this ensures that each user has a more consistent experience. The exception is [Company Portal](#deploying-apps-with-company-portal).
+On shared devices, you should assign any apps or policies that you're managing yourself to *device groups*, not user groups. Assigning to device groups ensures that each user has a more consistent experience. The exception is [Company Portal](#deploying-apps-with-company-portal).
## Limitations of shared device mode
When Universal print installs a printer for a single user on a shared device tha
### Primary user
-Each Microsoft Intune device has a primary user, which gets assigned when a device is set up by Autopilot. But when devices are shared, Intune requires that the primary user be removed.
+Each Microsoft Intune device has a primary user, which is assigned when a device is set up by Autopilot. But when devices are shared, Intune requires that the primary user is removed.
> [!IMPORTANT] > While shared device mode is in public preview, be sure to remove the primary user by following these steps: sign in to the Microsoft Endpoint Manager admin center, select **Devices**>**All devices**, select a device, then select **Properties**>**Remove primary user**, and delete the user listed there. ### Deploying apps with Company Portal
-Some apps probably don't need to be present on all devices, so you might prefer that users only install those apps when they need them from [Company Portal](/mem/intune/user-help/install-apps-cpapp-windows). Microsoft Managed Desktop disables Company Portal by default for devices in shared device mode. If you want Company Portal enabled, you can file a [change request](../working-with-managed-desktop/admin-support.md), but you should be aware of some limitations in this feature in this public preview:
+Some apps probably don't need to be present on all devices, so you might prefer that users only install those apps when they need them from [Company Portal](/mem/intune/user-help/install-apps-cpapp-windows).
+
+Microsoft Managed Desktop disables Company Portal by default for devices in shared device mode. If you want the Company Portal enabled, you can file a [change request](../working-with-managed-desktop/admin-support.md). However,you should be aware of some limitations in this feature in this public preview:
- To make an app available to users in Company Portal, [assign a user group](/mem/intune/apps/apps-deploy) to that app in Intune and then add each user to that user group.-- Devices cannot have a [primary user](#primary-user).
+- Devices can't have a [primary user](#primary-user).
- To uninstall an app that a user installed through Company Portal, you must uninstall the app from all users on that device. > [!CAUTION]
Some apps probably don't need to be present on all devices, so you might prefer
### Redeployment of Microsoft 365 Apps for enterprise
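Review bot: The added Company Portal paragraph has a missing space in "However,you should be aware". The same sentence repeats "in this" ("limitations in this feature in this public preview"); "limitations of this feature during public preview" reads more cleanly.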
-During public preview, if Microsoft 365 Apps need to be redeployed, users will have to contact their local support staff to request an agent elevate and reinstall Microsoft 365 Apps for enterprise on that device.
+During public preview, if Microsoft 365 Apps must be redeployed, users must contact their local support staff to request an agent elevate and reinstall Microsoft 365 Apps for enterprise on that device.
### Microsoft Teams
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
ms.technology: mde
- Windows Server 2019 and later - Windows Server 2019 core edition - Windows Server 2022-- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
[!include[Prerelease information](../../includes/prerelease.md)]
security Ios Whatsnew https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-whatsnew.md
Microsoft Defender for Endpoint on iOS now has specialized ability on supervised
## Microsoft Defender for Endpoint is now Microsoft Defender in the App store
-Microsoft Defender for Endpoint is now available as **Microsoft Defender** in the app store. With this update, the app will be available as preview for **Consumers in the US region**. Based on how you log into the app with your work or personal account, you will have access to features for Microsoft Defender for Endpoint or to features for Microsoft Defender for individuals. For more information, see [this blog](https://www.microsoft.com/microsoft-365/microsoft-defender-for-individuals).
+Microsoft Defender for Endpoint is now available as **Microsoft Defender** in the app store. With this update, the app will be available as preview for **Consumers in the US region**. Based on how you log into the app with your work or personal account, you will have access to features for Microsoft Defender for Endpoint or to features for Microsoft Defender for individuals. For more information, see [this blog](https://www.microsoft.com/en-us/microsoft-365/microsoft-defender-for-individuals).
## Threat and Vulnerability Management
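Review bot: The only change in this paragraph is that the blog link now hard-codes the `en-us` locale in its path (`/en-us/microsoft-365/microsoft-defender-for-individuals`). A locale-pinned URL points readers in every language at the English page, so unless the locale-neutral URL was failing to resolve, keep the removed form and state the reason in the commit message if it has to change.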
security Eval Defender Investigate Respond Additional https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond-additional.md
Once you have performed an [incident response for a simulated attack](eval-defen
|Capability |Description | |:-|:--|
-| [Prioritize incidents](#prioritize-incidents) | Use filtering and sorting of the incidents queue to determine which incidents to address next. |
-| [Manage incidents](#manage-incidents) | Modify incident properties to ensure correct assignment, add tags and comments, and to resolve an incident. |
-| [Automated investigation and response](#examine-automated-investigation-and-response-with-the-action-center) | Automated investigation and response (AIR) capabilities that can help your security operations team address threats more efficiently and effectively. The Action center is a "single pane of glass" experience for incident and alert tasks such as approving pending remediation actions. |
-| [Advanced hunting](#advanced-hunting) | A query-based threat-hunting tool that lets you proactively inspect events in your network and locate threat indicators and entities. You also use advanced hunting during the investigation and remediation of an incident. |
+| [Prioritizing incidents](#prioritize-incidents) | Use filtering and sorting of the incidents queue to determine which incidents to address next. |
+| [Managing incidents](#manage-incidents) | Modify incident properties to ensure correct assignment, add tags and comments, and to resolve an incident. |
+| [Automated investigation and response](#examine-automated-investigation-and-response-with-the-action-center) | Use automated investigation and response (AIR) capabilities to help your security operations team address threats more efficiently and effectively. The Action center is a "single pane of glass" experience for incident and alert tasks such as approving pending remediation actions. |
+| [Advanced hunting](#use-advanced-hunting) | Use queries to proactively inspect events in your network and locate threat indicators and entities. You also use advanced hunting during the investigation and remediation of an incident. |
## Prioritize incidents
To examine the list of incidents and prioritize their importance for assignment
- Use filtering to focus on a specific scenario or threat. Applying filters on the incident queue can help determine which incidents require immediate attention.
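Review bot: The link text in the first two rows of the capability table is changed to gerunds ("Prioritizing incidents", "Managing incidents"), but the anchors still point at `#prioritize-incidents` and `#manage-incidents` and the heading below is still "## Prioritize incidents", so the table labels no longer match the section titles they link to. Keep the imperative link text, or rename the headings and anchors in the same change.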
-From the default incident queue, select **Filters** to see a **Filters** pane, from which you can specify a specific set of incidents. Here is an example.
+From the default incident queue, select **Filters** to see a **Filters** pane, from which you can specify a specific set of incidents. Here's an example.
:::image type="content" source="../../media/incidents-queue/incidents-ss-incidents-filters.png" alt-text="Example of the filters pane for the incident queue.":::
Here are the ways you can manage your incidents:
Add tags that your security team uses to classify incidents, which can be later filtered. -- Assign the incident to yourself
+- Assign the incident
- Assign it to your user account name, which can be later filtered.
+ Assign it to a user account name, which can be later filtered.
- Resolve an incident
Approve (or reject) pending actions as soon as possible so that your automated i
For more information, see [Automated investigation and response](m365d-autoir.md) and [Action center](m365d-action-center.md).
-## Advanced hunting
+## Use advanced hunting
> [!NOTE] > Before we walk you through the advanced hunting simulation, watch the following video to understand advanced hunting concepts, see where you can find it in the portal, and know how it can help you in your security operations.
There's a single internal mailbox and device required for this simulation. You'l
> [!NOTE] > Advanced hunting displays query results as tabular data. You can also opt to view the data in other format types such as charts.
- 1. Look at the results and see if you can identify the email you opened. It may take up to two hours for the message to show up in advanced hunting. To narrow down the results, you can add the **where** condition to your query to only look for emails that have "yahoo.com" as their SenderMailFromDomain. Here is an example.
+ 1. Look at the results and see if you can identify the email you opened. It may take up to two hours for the message to show up in advanced hunting. To narrow down the results, you can add the **where** condition to your query to only look for emails that have "yahoo.com" as their SenderMailFromDomain. Here's an example.
```console EmailEvents
Custom detections will run the query according to the frequency you set, and the
![Example of the email attachments page where you can see the status of the rule execution, triggered alerts and actions, edit the detection, and so on.](../../media/mtp/fig28.png)
-<!--
-
-### Advanced hunting walk-through exercises
-
-To learn more about advanced hunting, the following webcasts will walk you through the capabilities of advanced hunting within Microsoft 365 Defender to create cross-pillar queries, pivot to entities, and create custom detections and remediation actions.
-
-> [!NOTE]
-> Be prepared with your own GitHub account to run the hunting queries in your pilot test lab environment.
-
-|Title|Description|Download MP4|Watch on YouTube|CSL file to use|
-||||||
-|Episode 1: KQL fundamentals|We'll cover the basics of advanced hunting capabilities in Microsoft 365 Defender. Learn about available advanced hunting data and basic KQL syntax and operators.|[MP4](https://aka.ms/MTP15JUL20_MP4)|[YouTube](https://youtu.be/0D9TkGjeJwM)|[Episode 1: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%201%20-%20KQL%20Fundamentals.csl)|
-|Episode 2: Joins|We'll continue learning about data in advanced hunting and how to join tables together. Learn about inner, outer, unique, and semi joins, and the nuances of the default Kusto innerunique join.|[MP4](https://aka.ms/MTP22JUL20_MP4)|[YouTube](https://youtu.be/LMrO6K5TWOU)|[Episode 2: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%202%20-%20Joins.csl)|
-|Episode 3: Summarizing, pivoting, and visualizing data|Now that we're able to filter, manipulate, and join data, it's time to start summarizing, quantifying, pivoting, and visualizing. In this episode, we'll cover the summarize operator and some of the calculations you can perform while diving into additional tables in the advanced hunting schema. We turn our datasets into charts that can help improve analysis.|[MP4](https://aka.ms/MTP29JUL20_MP4)|[YouTube](https://youtu.be/UKnk9U1NH6Y)|[Episode 3: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%203%20-%20Summarizing%2C%20Pivoting%2C%20and%20Joining.csl)|
-|Episode 4: Let's hunt! Applying KQL to incident tracking|Time to track some attacker activity! In this episode, we'll use our improved understanding of KQL and advanced hunting in Microsoft 365 Defender to track an attack. Learn some of the tips and tricks used in the field to track attacker activity, including the ABCs of cybersecurity and how to apply them to incident response.|[MP4](https://aka.ms/MTP5AUG20_MP4)|[YouTube](https://youtu.be/2EUxOc_LNd8)|[Episode 4: CSL file in Git](https://github.com/microsoft/Microsoft-threat-protection-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%204%20-%20Lets%20Hunt.csl)|
-|
-> ### Expert training on advanced hunting
security Eval Defender Investigate Respond Simulate Attack https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond-simulate-attack.md
Title: Run an attack simulation in a Microsoft 365 Defender pilot environment
-description: Run attack simulations for Microsoft 365 Defender to see how how alerts and incidents are presented, insights are gained, and threats are quickly remediated.
+description: Run attack simulations for Microsoft 365 Defender to see how alerts and incidents are presented, insights are gained, and threats are quickly remediated.
search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: m365-security
Defender for Office 365 with Microsoft 365 E5 or Microsoft Defender for Office 3
1. Create a simulation
- For step by step instructions on how to create and send a new simulation, see [Simulate a phishing attack](/microsoft-365/security/office-365-security/attack-simulation-training).
+ For step by step instructions on how to create and launch a new simulation, see [Simulate a phishing attack](/microsoft-365/security/office-365-security/attack-simulation-training).
2. Create a payload
- For step by step instructions on how to create a payload for use within a simulation, see [Create a custom payload for Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-payloads).
+ For step by step instructions on how to create a payload for use within a simulation, see [Create a custom payload for attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-payloads).
3. Gaining insights
- For step by step instructions on how to gain insights with reporting, see [Gain insights through Attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-insights).
+ For step by step instructions on how to gain insights with reporting, see [Gain insights through attack simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-insights).
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWMhvB]
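Review bot: the three rewritten "For step by step instructions" lines under steps 1 to 3 still use the unhyphenated compound modifier. Since each of those lines is already being touched, change it to "step-by-step instructions". The step titles around them are also not parallel ("Create a simulation", "Create a payload", "Gaining insights"), so "Gain insights" would fit step 3 better.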
Here are the Defender for Endpoint simulations from Microsoft:
- Document drops backdoor - Automated investigation (backdoor)
-There are additional simulations from Attack IQ and SafeBreach. There are also a set of tutorials.
+There are additional simulations from third-party sources. There are also a set of tutorials.
For each simulation or tutorial:
-1. Download and read the corresponding walk through document provided with your selected simulation or scenario.
+1. Download and read the corresponding walk-through document provided.
2. Download the simulation file. You can choose to download the file or script on the test device but it's not mandatory.
-3. Run the simulation file or script on the test device as instructed in the walk through document.
+3. Run the simulation file or script on the test device as instructed in the walk-through document.
For more information, see [Experience Microsoft Defender for Endpoint through simulated attack](/microsoft-365/security/defender-endpoint/attack-simulations).
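Review bot: the added sentence "There are also a set of tutorials" keeps the subject-verb mismatch from the removed line; it should read "There is also a set of tutorials". Replacing the vendor names with "third-party sources" also leaves no pointer to where those simulations are listed, so consider saying where the reader finds them.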
After the investigation is complete and confirmed to be remediated, you resolve
From the **Incident** page, select **Manage incident**. Set the status to **Resolve incident** and select **True alert** for the classification and **Security testing** for the determination.
-![Example of the incidents page with the open Manage incident panel where you can click the switch to resolve incident.](../../media/mtp/fig16.png)
+![Example of the incidents page with the open Manage incident panel where you can resolve the incident.](../../media/mtp/fig16.png)
When the incident is resolved, it resolves all of the associated alerts in the Microsoft 365 Defender portal and the related portals.
-This wraps up the attack simulation for incident analysis, automated investigation, and incident resolution.
+This wraps up attack simulations for incident analysis, automated investigation, and incident resolution.
## Next step
security Eval Defender Investigate Respond https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-investigate-respond.md
Use the following steps.
The following table describes the steps in the illustration.
-| |Step |Description |
-||||
-|1|[Simulate attacks](eval-defender-investigate-respond-simulate-attack.md) | Simulate attacks on your evaluation environment and use the Microsoft 365 Defender portal to perform incident response. |
-|2|[Try incident response capabilities ](eval-defender-investigate-respond-additional.md) | Try features and capabilities in Microsoft 365 Defender. |
-||||
+|Step |Description |
+|||
+| 1. [Simulate attacks](eval-defender-investigate-respond-simulate-attack.md) | Simulate attacks on your evaluation environment and use the Microsoft 365 Defender portal to perform incident response. |
+| 2. [Try incident response capabilities ](eval-defender-investigate-respond-additional.md) | Try additional incident response features and capabilities in Microsoft 365 Defender. |
+|||
### Navigation you may need
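Review bot: the new step 2 row keeps the stray space inside the link text, "[Try incident response capabilities ]", which renders as a trailing space in the link. Remove it while the row is being rewritten.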
security First Incident Analyze https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-analyze.md
Analysts then initiate investigations based on the **Priority** criteria set by
Incident prioritization might vary depending on the organization. NIST recommends also considering the functional and informational impact of the incident, and recoverability.
-The following is just one approach to triage:
+The following is just one approach to triage to consider:
1. Go to the [incidents](incidents-overview.md) page to initiate triage. Here you can see a list of incidents affecting your organization. By default, they are arranged from the most recent to the oldest incident. From here, you can also see different columns for each incident showing their severity, category, number of active alerts, and impacted entities, among others. You can customize the set of columns and sort the incident queue by some of these columns by selecting the column name. You can also filter the incident queue according to your needs. For a full list of available filters, see [Prioritize incidents](incident-queue.md#available-filters).
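Review bot: the added wording "one approach to triage to consider" stacks two infinitive-style phrases and reads awkwardly. Either keep the original sentence or use "The following is one approach to triage that you can consider:".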
The following is just one approach to triage:
## Analyze your first incident
-Understanding the context surrounding alerts is equally important. Often an alert is not a single independent event. There is a chain of processes created, commands, and actions that might not have occurred at the same time. Therefore, an analyst must look for the first and last activities of the suspicious entity in device timelines to understand the context of the alerts.
+Understanding the context surrounding alerts is equally important. Often an alert is not a single independent event. There is a chain of processes created, commands, and actions that might not have occurred at the same time. Therefore, you must look for the first and last activities of the suspicious entity in device timelines to understand the context of the alerts.
There are multiple ways to read and analyze data using Microsoft 365 Defender but the end goal for analysts is to respond to incidents as quickly as possible. While Microsoft 365 Defender can significantly reduce [Mean Time to Remediate (MTTR)](https://www.microsoft.com/security/blog/2020/05/04/lessons-learned-microsoft-soc-part-3c/) through the industry-leading [automated investigation and response](m365d-autoir.md) feature, there are always cases that require manual analysis. Here's an example:
-1. Once triage priority has been determined, an analyst begins an in-depth analysis by selecting the incident name. This page brings up the **Incident Summary** where data is displayed in tabs to assist with the analysis. Under the **Alerts** tab, the type of alerts are displayed. Analysts can click on each alert to drill down into the respective detection source.
+1. Once triage priority has been determined, you can begin an in-depth analysis by selecting the incident name. This page brings up the **Incident Summary** where data is displayed in tabs to assist with the analysis. Under the **Alerts** tab, the type of alerts are displayed. Analysts can click on each alert to drill down into the respective detection source.
:::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-summary-tab.png" alt-text="Example of the Summary tab of an incident."::: For a quick guide about which domain each detection source covers, review the [Detect](#detection-by-microsoft-365-defender) section of this article.
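Review bot: step 1 now opens in second person ("you can begin an in-depth analysis") but the last sentence of the same line still says "Analysts can click on each alert". Change it to "You can select each alert" so the step uses one voice throughout.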
-2. From the **Alerts** tab, an analyst can pivot to the detection source to conduct a more in-depth investigation and analysis. For example, selecting Malware Detection with Microsoft Defender for Cloud Apps as the detection source takes the analyst to its corresponding alert page.
+2. From the **Alerts** tab, you can pivot to the detection source to conduct a more in-depth investigation and analysis. For example, selecting Malware Detection with Microsoft Defender for Cloud Apps as the detection source takes the analyst to its corresponding alert page.
:::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-select-alert.png" alt-text="Example of selecting an alert of an incident.":::
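Review bot: in step 2 the example sentence still ends with "takes the analyst to its corresponding alert page" after the lead sentence was changed to "you can pivot". Use "takes you to its corresponding alert page" to match.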
Here's an example:
:::image type="content" source="../../media/first-incident-analyze/first-incident-analyze-mcas-alert.png" alt-text="Example of alerts details for Microsoft Defender for Cloud Apps .":::
-6. By selecting other alerts, an analyst can get a complete picture of the attack.
+6. By selecting other alerts, you can get a complete picture of the attack.
## Next step
security First Incident Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-overview.md
ms.technology: m365d
An organization's incident response strategy determines its ability to deal with increasingly disruptive security incidents and cybercrime. While taking preventative measures is important, the ability to act quickly to contain, eradicate, and recover from detected incidents can minimize damage and business losses.
-This incident response walkthrough shows how you, as part of a security operations team, can perform most of the key incident response steps within Microsoft 365 Defender. Here are the steps:
+This incident response walkthrough shows how you, as part of a security operations (SecOps) team, can perform most of the key incident response steps within Microsoft 365 Defender. Here are the steps:
- Preparation of your security posture - For each incident:
This incident response walkthrough shows how you, as part of a security operatio
A security incident is defined by National Institute of Standards and Technology (NIST) as "an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system; or the information the system processes, stores, or transmits; or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies."
-Incidents in Microsoft 365 Defender are the logical starting points for analysis and incident response. Analyzing and remediating incidents typically makes up most of a security operations team's tasks.
+Incidents in Microsoft 365 Defender are the logical starting points for analysis and incident response. Analyzing and remediating incidents typically makes up most of a (SecOps) team's tasks and time.
## Next step
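Review bot: the added phrase "most of a (SecOps) team's tasks and time" leaves the abbreviation in parentheses with nothing before it, so the sentence reads as broken. Write "most of a SecOps team's tasks and time", or keep "security operations (SecOps) team's" if the term needs to be introduced in this paragraph.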
security First Incident Post https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-post.md
By mapping alerts to this industry framework, you can:
- Identify skill gaps in attack method awareness. - Create a Power Automate Playbook for faster remediation.
-Post-incident review activity can also result in fine-tuning your security configuration and security team's processes, enhancing your organizationΓÇÖs response capabilities.
+Post-incident review activity can also result in fine-tuning your security configuration and security team's processes to streamline your organizationΓÇÖs response capabilities.
## Next step
security First Incident Prepare https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-prepare.md
Microsoft 365 Defender can help address several aspects of incident prevention:
- Implementing a [Zero Trust](/security/zero-trust/) framework - Determining your security posture by assigning a score with [Microsoft Secure Score](microsoft-secure-score.md) - Preventing threats through vulnerability assessments in [Threat and Vulnerability Management](../defender-endpoint/next-gen-threat-and-vuln-mgt.md)-- Understanding the latest security threats so you can prepare for them
+- Understanding the latest security threats so you can prepare for them with [threat analytics](threat-analytics.md)
## Step 1. Implement Zero Trust
Threat analytics also looks at your configuration and alerts to determine how at
You can implement the recommendations of an emerging threat to strengthen your security posture and minimize your attack surface area.
-Make time in your schedule to regularly check the [Threat Analytics](threat-analytics.md) section of the Microsoft 365 Defender portal.
+Make time in your schedule to regularly check the [Threat Analytics](threat-analytics.md) section of the Microsoft 365 Defender portal. See the [example security operations for Microsoft 365 Defender](incidents-overview.md#example-security-operations-for-microsoft-365-defender) for more information.
## Next step
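Review bot: the link text for threat-analytics.md is capitalized differently in the two added lines of this file, "[threat analytics]" in the bullet list and "[Threat Analytics]" in the closing paragraph. Pick one form; if the capitalized form is meant to name the portal section, say "the **Threat analytics** section" using the UI label.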
security First Incident Remediate https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/first-incident-remediate.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
-Microsoft 365 Defender not only provides detection and analysis capabilities but also provides containment and eradication of malware. Containment includes steps to reduce the impact of the attack while eradication ensures all traces of attacker activity are removed from the network. Microsoft 365 Defender offers several remediation actions which can be configured to [auto-remediate](m365d-autoir.md) depending on your operating system and the attack type.
+Microsoft 365 Defender not only provides detection and analysis capabilities but also provides containment and eradication of malware. Containment includes steps to reduce the impact of the attack while eradication ensures all traces of attacker activity are removed from the network. Microsoft 365 Defender offers several remediation actions that can be configured to [auto-remediate](m365d-autoir.md) depending on the operating system of affected devices and the attack type.
-Microsoft 365 Defender offers several remediation actions that analysts can manually initiate. Actions are separated into two categories, Actions on devices and Actions on files. Some actions can be used to immediately stop the threat while other actions assist in further forensic analysis.
+Microsoft 365 Defender offers several remediation actions that analysts can manually initiate. Actions are separated into two categories, Actions on devices and actions on files. Some actions can be used to immediately stop the threat while other actions assist in further forensic analysis.
## Actions on devices
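Review bot: the second added sentence lowercases only one of the two category names, giving "Actions on devices and actions on files". Make them consistent, either both lowercase in running text or both matching the section headings ("Actions on devices", "Actions on files").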
Here's an example.
:::image type="content" source="../../media/first-incident-remediate/first-incident-power-automate.png" alt-text="Example of a Power Automate custom robotic process automation flow.":::
-Playbooks can also be created during [post-incident review](first-incident-post.md) to create remediation actions from incidents for faster remediation actions.
+Playbooks can also be created during [post-incident review](first-incident-post.md) to create remediation actions from resolved incidents.
## Next step
security Incident Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incident-queue.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
-Microsoft 365 Defender applies correlation analytics and aggregates related alerts and automated investigations from different products into an incident. Microsoft 365 Defender also triggers unique alerts on activities that can only be identified as malicious given the end-to-end visibility that Microsoft 365 Defender has across the entire suite of products. This view gives your security analysts the broader attack story, which help them better understand and deal with complex threats across your organization.
+Microsoft 365 Defender applies correlation analytics and aggregates related alerts and automated investigations from different products into an incident. Microsoft 365 Defender also triggers unique alerts on activities that can only be identified as malicious given the end-to-end visibility that Microsoft 365 Defender has across the entire suite of products. This view gives your security analysts the broader attack story, which helps them better understand and deal with complex threats across your organization.
The **Incident queue** shows a collection of incidents that were created across devices, users, and mailboxes. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision. This is also known as incident triage.
For additional visibility at a glance, automatic incident naming generates incid
For example: *Multi-stage incident on multiple endpoints reported by multiple sources.* > [!NOTE]
-> Incidents that existed prior the rollout of automatic incident naming will not have their name changed.
+> Incidents that existed prior to the rollout of automatic incident naming will not have their name changed.
The incident queue also exposes multiple filtering options, that when applied, enable you to perform a broad sweep of all existing incidents in your environment, or decide to focus on a specific scenario or threat. Applying filters on the incident queue can help determine which incident requires immediate attention.
security Incident Response Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incident-response-overview.md
Here are the primary investigate and respond tasks for Microsoft 365 Defender:
Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. However, attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant. Because piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft 365 Defender automatically aggregates the alerts and their associated information into an incident.
-On an ongoing basis, identify the highest priority incidents for analysis and resolution in the incident queue and get them ready for response. This is a combination of:
+On an ongoing basis, you need to identify the highest priority incidents for analysis and resolution in the incident queue and get them ready for response. This is a combination of:
-- [Triaging](incident-queue.md) to determining the highest priority incidents through filtering and sorting of the incident queue.-- [Managing](manage-incidents.md) incidents by modifying their title, assigning them to an analyst, and adding tags and comments.
+- [Prioritizing](incident-queue.md) to determining the highest priority incidents through filtering and sorting of the incident queue. This is also known as triaging.
+- [Managing](manage-incidents.md) incidents by modifying their title, assigning them to an analyst, adding tags and comments, and when resolved, classifying them.
For each incident, use your incident response workflow to analyze the incident and its alerts and data to contain the attack, eradicate the threat, recover from the attack, and learn from it. See [this example](incidents-overview.md#example-incident-response-workflow-for-microsoft-365-defender) for Microsoft 365 Defender.
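Review bot: the rewritten first bullet keeps the grammar error "to determining the highest priority incidents" from the removed line. Change it to "to determine the highest priority incidents". The lead sentence also ends with "This is a combination of:", which has no clear antecedent now that it follows "you need to identify"; "Doing so is a combination of:" would read more cleanly.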
For each incident, use your incident response workflow to analyze the incident a
If your organization is using Microsoft 365 Defender, your security operations team receives an alert within the Microsoft 365 Defender portal whenever a malicious or suspicious activity or artifact is detected. Given the never-ending flow of threats that can come in, security teams often face the challenge of addressing the high volume of alerts. Fortunately, Microsoft 365 Defender includes automated investigation and response (AIR) capabilities that can help your security operations team address threats more efficiently and effectively.
-When an automated investigation completes, a verdict is reached for every piece of evidence for an incident involved. Depending on the verdict, remediation actions are identified. In some cases, remediation actions are taken automatically; in other cases, remediation actions await approval through the Microsoft 365 Defender Action center.
+When an automated investigation completes, a verdict is reached for every piece of evidence of an incident. Depending on the verdict, remediation actions are identified. In some cases, remediation actions are taken automatically; in other cases, remediation actions await approval through the Microsoft 365 Defender Action center.
See [Automated investigation and response in Microsoft 365 Defender](m365d-autoir.md) for more information.
Threat analytics is a threat intelligence capability in Microsoft 365 Defender d
Threat analytics also includes information on related incidents and impacted assets within your Microsoft 365 tenant for each identified threat.
-Each identified threat includes an analyst report, a comprehensive analysis of the threat written by Microsoft security researchers who are at the forefront of cybersecurity detection and analysis and can provide information on how the attacks appear in Microsoft 365 Defender.
+Each identified threat includes an analyst report, a comprehensive analysis of the threat written by Microsoft security researchers who are at the forefront of cybersecurity detection and analysis. These reports can also provide information on how the attacks appear in Microsoft 365 Defender.
For more information, see [Threat analytics in Microsoft 365 Defender](threat-analytics.md).
security Incidents Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/incidents-overview.md
You manage incidents from **Incidents & alerts > Incidents** on the quick launch
:::image type="content" source="../../media/incidents-queue/incidents-ss-incidents.png" alt-text="The Incidents page in the Microsoft 365 Defender portal." lightbox="../../media/incidents-queue/incidents-ss-incidents.png":::
-Selecting an incident name displays a summary of the incident and provides access to tabs with additional information.
+Selecting an incident name displays a summary of the incident and provides access to tabs with additional information. HereΓÇÖs an example.
:::image type="content" source="../../media/incidents-overview/incidents-ss-incident-summary.png" alt-text="Example of the Summary page for an incident in the Microsoft 365 Defender portal" lightbox="../../media/incidents-overview/incidents-ss-incident-summary.png":::
The additional tabs for an incident are:
- Evidence and Response
- All the supported events and suspicious entities in the alerts in the incident.
+ All the supported events and suspicious entities in the alerts of the incident.
- Graph (Preview)
On an ongoing basis, identify the highest priority incidents for analysis and re
- [Triaging](incident-queue.md) to determining the highest priority incidents through filtering and sorting of the incident queue. - [Managing](manage-incidents.md) incidents by modifying their title, assigning them to an analyst, and adding tags and comments.
+Consider these steps for your own incident response workflow:
+ 1. For each incident, begin an [attack and alert investigation and analysis](investigate-incidents.md):
- 1. View the summary of the incident to understand it's scope and severity and what entities are affected with the **Summary** and **Graph** (Preview) tabs.
+ 1. View the summary of the incident to understand its scope and severity and what entities are affected with the **Summary** and **Graph** (Preview) tabs.
1. Begin analyzing the alerts to understand their origin, scope, and severity with the **Alerts** tab.
The email notification contains important details about the incident like the in
You can add or remove recipients in the email notifications. New recipients get notified about incidents after they're added. >[!NOTE]
->You need the 'Manage security settings' permission to configure email notification settings. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications for you. <br> <br>
+>You need the **Manage security settings** permission to configure email notification settings. If you've chosen to use basic permissions management, users with Security Administrator or Global Administrator roles can configure email notifications. <br> <br>
Likewise, if your organization is using role-based access control (RBAC), you can only create, edit, delete, and receive notifications based on device groups that you are allowed to manage. ### Create a rule for email notifications
security Investigate Alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-alerts.md
From the default alerts queue, you can select **Filter** to see a **Filter** pan
:::image type="content" source="../../media/investigate-alerts/alerts-ss-alerts-filter.png" lightbox="../../media/investigate-alerts/alerts-ss-alerts-filter.png" alt-text="Example of the filters pane for the alerts queue in the Microsoft 365 Defender portal.":::
-<!--
-UPDATE SCREENSHOT
> - You can filter alerts according to these criteria: - Severity
The **Manage alert** pane allows you to view or specify:
- The alert status (New, Resolved, In progress). - The user account that has been assigned the alert.-- The alert's classification (Not set, True alert, False Alert).
+- The alert's classification (Not set, True alert, False Alert).
- For the classification as a true alert, the type of threat for the alert in **Determination** field. - A comment on the alert.
security Investigate Users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/investigate-users.md
ms.technology: m365d
- Microsoft 365 Defender
-Part of your incident investigation can include user accounts. Start with the **Users** tab for an incident from **Incidents & alerts** \> ***incident*** \> **Users**.
+Part of your incident investigation can include user accounts. You can see the details of user accounts identified in the alerts of an incident in the Microsoft 365 Defender portal from **Incidents & alerts** \> ***incident*** \> **Users**. Here's an example.
:::image type="content" source="../../media/investigate-incidents/incident-users.png" alt-text="Example of a Users page for an incident." lightbox="../../media/investigate-incidents/incident-users.png":::
To get a quick summary of a user account for the incident, select the check mark
:::image type="content" source="../../media/investigate-users/incidents-ss-user-pane.png" alt-text="Example of the user account summary pane for an incident." lightbox="../../media/investigate-users/incidents-ss-user-pane.png"::: > [!NOTE]
-> The User page shows Azure Active Directory (Azure AD) organization as well as groups, helping you understand the groups and permissions associated with a user.
+> The user page shows Azure Active Directory (Azure AD) organization as well as groups, helping you understand the groups and permissions associated with a user.
-In this fly-out page, you can review user threat information, including any current incidents, active alerts, and risk level as well as user exposure, accounts, devices, and more.
+In this pane, you can review user threat information, including any current incidents, active alerts, and risk level as well as user exposure, accounts, devices, and more.
-In addition, you can take action directly in the Microsoft 365 Defender portal to address a compromised user, confirming the user is compromised or requiring them to sign in again.
+In addition, you can take action directly in the Microsoft 365 Defender portal to address a compromised user, such as confirming the user account is compromised or requiring a new sign-in.
From here, you can select **Go to user page** to see the details of a user account. Here's an example.
From here, you can select **Go to user page** to see the details of a user accou
You can also see this page by selecting the name of the user account from the list on the **Users** page.
-You can see group membership for the user, by selecting the number under **Groups**.
+You can see group membership for the user by selecting the number under **Groups**.
:::image type="content" source="../../media/investigate-users/user-group-membership.png" alt-text="Example of the group membership for a user." lightbox="../../media/investigate-users/user-group-membership.png":::
By selecting the icon under **Manager**, you can see where the user is in the or
The Microsoft 365 Defender portal user page combines information from Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps (depending on what licenses you have).
-This page shows information specific to the security risk of a user account. This includes a score that helps assess risk and recent events and alerts that contributed to the overall risk of the user.
+This page shows information specific to the security risk of a user account, which includes a score that helps assess risk and recent events and alerts that contributed to the overall risk.
From this page, you can do these additional actions: - Mark the user account as compromised - Require the user to sign in again - Suspend the user account-- See the Azure Active Directory (Azure AD) user account settings
+- See the Azure AD user account settings
- View the files owned by the user account - View files shared with this user.
Here's an example.
:::image type="content" source="../../media/investigate-users/incidents-ss-user-details-actions.png" alt-text="Example of the actions on a user account for an incident." lightbox="../../media/investigate-users/incidents-ss-user-details-actions.png":::
-<!--
-You can access this page from multiple areas in the Microsoft 365 Defender portal. You can access this page from a specific incident in the **Users** tab. Some alerts might include users as a specific affected asset. You can also search for users.
-
-Learn more about how to investigate users and potential risk [in this Cloud App Security tutorial](/cloud-app-security/tutorial-ueba#:~:text=To%20identify%20who%20your%20riskiest,user%20page%20to%20investigate%20them).
->- ## View lateral movement paths By selecting the **Lateral movement paths** tab, you can view a fully dynamic and clickable map that provides you with a visual representation of the lateral movement paths to and from this user that can be used to infiltrate your network.
security Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/manage-incidents.md
ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
-Incident management is critical in ensuring that threats are contained and addressed.
+Incident management is critical to ensuring that incidents are named, assigned, and tagged to optimize time in your incident workflow and more quickly contain and address threats.
You can manage incidents from **Incidents & alerts > Incidents** on the quick launch of the Microsoft 365 Defender portal ([security.microsoft.com](https://security.microsoft.com)). Here's an example.
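Review bot: The new opening sentence on the `+` line chains two purposes ("to optimize time in your incident workflow and more quickly contain and address threats") onto a three-item list, and "optimize time" is vague. Suggest splitting it: first say that naming, assigning, and tagging incidents saves time in the workflow, then that this helps contain and address threats faster.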
You can edit the incident name from the **Incident name** field on the **Manage
You can add custom tags to an incident, for example to flag a group of incidents with a common characteristic. You can later filter the incident queue for all incidents that contain a specific tag.
-When you start typing, you have the option to select from a list of selected tags.
+When you start typing, you have the option to select from a list of previously-used and selected tags.
## Assign an incident
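Review bot: On the `+` line, "previously-used" should not be hyphenated (adverbs ending in -ly take no hyphen), and "previously-used and selected tags" leaves it unclear what "selected" adds next to "select from a list". Suggest "select from a list of previously used tags", or say who selected the other tags.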
security Microsoft 365 Defender Train Security Staff https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender-train-security-staff.md
With the urgency of protecting your organization and its data from attackers, yo
## Microsoft 365 Defender Ninja training
-[Microsoft 365 Defender Ninja training](https://techcommunity.microsoft.com/t5/microsoft-365-defender/become-a-microsoft-365-defender-ninja/ba-p/1789376) is a set of organized sections and modules to step you through the features and functions of Microsoft 365 Defender ΓÇô everything that goes across the workloads, but not the individual workloads themselves.
+[Microsoft 365 Defender Ninja training](https://techcommunity.microsoft.com/t5/microsoft-365-defender/become-a-microsoft-365-defender-ninjash;but does not cover the individual sources themselves.
The content is structured into three different knowledge levels, with multiple modules: Fundamentals, Intermediate, and Expert. Each level includes a knowledge check to test your understanding of the material.
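Review bot: The `+` line as shown leaves the Markdown link unterminated: the URL runs straight into "ninjash;but does not cover" with no closing parenthesis, and the "sh;" fragment looks like the tail of an `&ndash;` entity that replaced the mis-encoded dash on the `-` line. Restore the full URL with its closing `)` and the sentence text between the link and "but does not cover", and prefer a comma or plain dash over an HTML entity. Also confirm that "individual sources" is the intended replacement for "individual workloads", since the rest of the visible sentence is missing.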
Use these Microsoft Learn learning paths and their modules to build an understan
The [Microsoft 365 Defender portal learning hub](https://security.microsoft.com/learning) includes these learning paths: ----
+- Getting started with the Microsoft 365 security center
+- How to Investigate Using Microsoft 365 Defender
+- Microsoft 365 Defender Basic Training
+- Microsoft Defender for Endpoint Basic Training
+- Microsoft Defender for Office 365 Best Practices
+- Setup
## Hands-on with a trial environment
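Review bot: The first added item names the "Microsoft 365 security center" while the sentence introducing the list calls it the Microsoft 365 Defender portal; confirm that is the learning path's actual title or align the name. The last item, "Setup", does not say what is being set up, and the list mixes sentence case ("Getting started with") and title case ("How to Investigate Using"). The stray `----` at the end of the lead-in line should be removed now that a real list follows it.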
security Configure Your Spam Filter Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/configure-your-spam-filter-policies.md
Creating a custom anti-spam policy in the Microsoft 365 Defender portal creates
5. On the **Bulk email threshold & spam properties** page that appears, configure the following settings:
- - **Bulk email threshold**: Specifies the bulk complaint level (BCL) of a message that triggers the specified action for the **Bulk** spam filtering verdict that you configure on the next page (greater than the specified value, not greater than or equal to). A higher value indicates the message is less desirable (more likely to resemble spam). The default value is 7. For more information, see [Bulk complaint level (BCL) in EOP](bulk-complaint-level-values.md) and [What's the difference between junk email and bulk email?](what-s-the-difference-between-junk-email-and-bulk-email.md).
+ - **Bulk email threshold**: Specifies the bulk complaint level (BCL) of a message that triggers the specified action for the **Bulk** spam filtering verdict that you configure on the next page. A higher value indicates the message is less desirable (more likely to resemble spam). The default value is 7. For more information, see [Bulk complaint level (BCL) in EOP](bulk-complaint-level-values.md) and [What's the difference between junk email and bulk email?](what-s-the-difference-between-junk-email-and-bulk-email.md).
By default, the PowerShell only setting _MarkAsSpamBulkMail_ is `On` in anti-spam policies. This setting dramatically affects the results of a **Bulk** filtering verdict:
- - **_MarkAsSpamBulkMail_ is On**: A BCL that's greater than the threshold is converted to an SCL 6 that corresponds to a filtering verdict of **Spam**, and the action for the **Bulk** filtering verdict is taken on the message.
+ - **_MarkAsSpamBulkMail_ is On**: A BCL that's greater than or equal to the threshold is converted to an SCL 6 that corresponds to a filtering verdict of **Spam**, and the action for the **Bulk** filtering verdict is taken on the message.
- **_MarkAsSpamBulkMail_ is Off**: The message is stamped with the BCL, but _no action_ is taken for a **Bulk** filtering verdict. In effect, the BCL threshold and **Bulk** filtering verdict action are irrelevant. - **Increase spam score**, **Mark as spam**<sup>\*</sup> and **Test mode**: Advanced Spam Filter (ASF) settings that are turned off by default.
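Review bot: The comparison is now stated only in the **_MarkAsSpamBulkMail_ is On** bullet, because the `+` line for **Bulk email threshold** deletes the parenthetical "(greater than the specified value, not greater than or equal to)" without replacing it. Since this change flips the documented boundary from "greater than" to "greater than or equal to", say so in the threshold description as well, for example "a BCL greater than or equal to this value triggers the action", so a reader tuning the default of 7 knows a message at exactly BCL 7 is affected. In the unchanged lead-in, "PowerShell only setting" should be hyphenated as "PowerShell-only".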
solutions Cloud Architecture Models https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/solutions/cloud-architecture-models.md
What IT architects need to know about security in Microsoft cloud services and p
| Item | Description | |:--|:--|
-|[![Microsoft cloud security for enterprise architects model thumbnail.](../media/solutions-architecture-center/msft-cloud-security-model-thumb.png)](https://download.microsoft.com/download/6/D/F/6DFD7614-BBCF-4572-A871-E446B8CF5D79/MSFT_cloud_architecture_security.pdf) <br/> [PDF](https://download.microsoft.com/download/6/D/F/6DFD7614-BBCF-4572-A871-E446B8CF5D79/MSFT_cloud_architecture_security.pdf) <br/> Updated December 2021 | This model contains: <ul><li>Microsoft and customer security responsibilities</li><li>Identity and device access</li><li>Threat protection</li><li>Information protection </li><li>Cloud app protection </li></ul><br/>|
+|[![Microsoft cloud security for enterprise architects model thumbnail.](../media/solutions-architecture-center/msft-cloud-security-model-thumb.png)](https://download.microsoft.com/download/6/D/F/6DFD7614-BBCF-4572-A871-E446B8CF5D79/MSFT_cloud_architecture_security.pdf) <br/> [PDF](https://download.microsoft.com/download/6/D/F/6DFD7614-BBCF-4572-A871-E446B8CF5D79/MSFT_cloud_architecture_security.pdf) <br/> Updated February 2022 | This model contains: <ul><li>Microsoft and customer security responsibilities</li><li>Identity and device access</li><li>Threat protection</li><li>Information protection </li><li>Cloud app protection </li></ul><br/>|
<a name="networking"></a> ### Microsoft cloud networking for IT architects
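Review bot: The `+` row changes only "Updated December 2021" to "Updated February 2022"; both download URLs and the thumbnail path are identical to the `-` row. Confirm the PDF served at that URL is the February 2022 revision, and refresh the thumbnail if the model's first page changed.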