Updates from: 02/09/2021 04:24:03
Category Microsoft Docs article Related commit history on GitHub Change details
business-video https://docs.microsoft.com/en-us/microsoft-365/business-video/moveto-microsoft-365/mover-migrate-files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/business-video/moveto-microsoft-365/mover-migrate-files.md
@@ -27,22 +27,22 @@ description: "Learn how to Migrate Google files to Microsoft 365 for business by
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4MhaD?autoplay=false]
-When you move to Microsoft 365 for business, youΓÇÖll want to migrate your files from Google Drive. You can use the Mover app to move files from personal and shared Drives. For more information, see [Mover Cloud Migration](https://docs.microsoft.com/sharepointmigration/mover-plan-migration)
+When you move to Microsoft 365 for business, you'll want to migrate your files from Google Drive. You can use the Mover app to move files from personal and shared Drives. For more information, see [Mover Cloud Migration](https://docs.microsoft.com/sharepointmigration/mover-plan-migration).
> [!NOTE] > Mover will make a copy of the files and move the copies to Microsoft 365 for business. The original files will stay in Google Drives also. ## Before you start
-All the users should have signed in to Microsoft 365 for business and set up their OneDrive for Business. To do this, go to [office.com](https://office.com), sign in with you Microsft 365 for business credentials, and then choose OneDrive.
+All the users should have signed in to Microsoft 365 for business and set up their OneDrive for Business. To do this, go to [office.com](https://office.com), sign in with your Microsoft 365 for business credentials, and then choose OneDrive.
## Try it! ### Install Mover
-1. Sign into your Google Workspace admin console at [admin.google.com](https://admin.google.com).
+1. Sign in to your Google Workspace admin console at [admin.google.com](https://admin.google.com).
-1. Choose **Apps**, **Google Workspace Marketplace apps**, Then **Add app to Domain Install list**.
+1. Choose **Apps** > **Google Workspace Marketplace apps** > **Add app to Domain Install list**.
1. Search for Mover and select it.
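Review bot: the install steps tell the admin to add Mover to the Domain Install list without saying what that consent covers; a domain-wide install applies to every user's Drive, so add a sentence telling the reader to review the permissions the app asks for at install time and which Drive access it is being granted before accepting. The wording fixes themselves ("Sign in to", the `>` separators for the menu path) are fine.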
@@ -73,14 +73,14 @@ All the users should have signed in to Microsoft 365 for business and set up the
The Mover app will attempt to map drives from the Source Path in Google, to the Destination Path in Microsoft 365.
- If a drive doesnΓÇÖt map automatically, add its destination path to a CSV file, which weΓÇÖll use later to migrate the shared drive to a SharePoint document library.
+ If a drive doesn't map automatically, add its destination path to a CSV file, which we'll use later to migrate the shared drive to a SharePoint document library.
1. In this case, we have added a SharePoint site called Migrated files, and taken note of the URL for the documents page. 1. We then created a CSV file using the format of Source Path, Destination Path, and Tags. For details see [aka.ms/movercsv](https://docs.microsoft.com/sharepointmigration/mover-create-migration-csv).
- When adding the Destination Path URL, remove everything after Shared Documents for example For example, this full URL won't work:
+ When adding the Destination Path URL, remove everything after Shared Documents. For example, this full URL won't work:
`https://TENANT01.sharepoint.com/sites/SiteName/Shared Documents/Forms/AllItems.aspx` Change it to:
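Review bot: the CSV sentence in the unchanged context line links the text "aka.ms/movercsv" to a docs.microsoft.com URL, so the visible text and the target do not match; use descriptive link text such as "Create a migration CSV" and keep the docs URL. Also, the two numbered items in that line ("1. In this case, we have added ..." and "1. We then created a CSV file ...") are run together on one line and need a line break to render as separate steps.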
@@ -91,4 +91,4 @@ All the users should have signed in to Microsoft 365 for business and set up the
1. Select the user drives whose files you want to migrate, then choose **Start Migrating Users**. 1. Review the migration information, choose when to start the migration, agree to the **Terms and Conditions**, then select **Continue**.
-The Mover app will inform you when the migration process is complete.
+The Mover app will inform you when the migration process is complete.
commerce https://docs.microsoft.com/en-us/microsoft-365/commerce/billing-and-payments/e-invoice-of-your-subscription-in-taiwan https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/e-invoice-of-your-subscription-in-taiwan.md
@@ -1,68 +0,0 @@
- Title: "Understand your e-Invoice for Microsoft 365 for business (Taiwan)"-- NOCSH-----
-localization_priority: Normal
--- M365-subscription-management -- Adm_O365-- commerce-- Adm_NonTOC--- MET150-- MOE150-
-description: "Learn about the Microsoft 365 for business e-Invoice for Taiwan."
--
-# Understand your e-Invoice for Microsoft 365 for business (Taiwan)
-
-e-Invoice is electronic invoice issued by seller after buyer purchases in accordance with Taiwan Tax Authority's e-Invoice requirements. Information is transmitted to Taiwan Tax Authority's Electronic Invoice Cloud for record keeping. For Taiwan e-Invoice related information, please refer here: <a href="https://www.einvoice.nat.gov.tw/" target="_blank">財政部電子發票整合服務平台</a>
-
-A sample copy of e-Invoice is included here:
-
-![The Taiwan e-Invoice.](../../media/01a275ad-54a9-4b76-ac03-4b288508b161.png)
-
-## What is my tax rate?
-
-For commercial purchases, we apply taxes in addition to the quoted price of our subscriptions at a rate prescribed by Taiwan Tax Authority. For any tax related questions or planning, please work with your tax advisor.
-
-## When will e-Invoice start for my Microsoft 365 services?
-
-Microsoft will replace current computerized invoice with e-Invoice on **September 15th**. For billing prior to September 15th, paper copy tax invoices are mailed directly to customers. After September 15th, e-Invoice will be offered in your Microsoft 365 admin center for view, download, and print, and will no longer be mailed directly to you.
-
-## Where can I find my e-Invoice?
-
-You can view, download, and print your e-Invoice the day after your bill is ready, through your admin center, together with your monthly bill. [View your bill](view-your-bill-or-invoice.md).
-
-## How do I update my VAT ID?
-
-You can update your VAT ID at the time of onboarding, or through your admin center after you onboard.
-
-At the time of account creation, in **Step 1**, Welcome, Let's get to know you, **page 2**, Where will you be using this?, below **Service Recipient Address** information, you can add your 8 digit **VAT ID**. If you do not have a VAT ID, please enter "00000000".
-
-After you have created your account, you may update your VAT ID through your admin center by following these steps:
-
-1. In the admin center, go to the **Billing** \> <a href="https://go.microsoft.com/fwlink/p/?linkid=842054" target="_blank">Your products</a> page.
-
-2. Select a subscription, then select **More Actions**.
-
-3. Select **Update Service Recipient Address**, and update **TAX ID** information.
-
-## How do I request an e-Invoice paper copy?
-
-If your receipt won Lucky Draw (only available to customers without VAT ID), we will send a hard copy directly to the addresses on file by registered mail.
-
-Otherwise, if you need the official paper copy of your e-Invoice, please [contact support](../../admin/contact-support-for-business-products.md). After we receive your request, we will mail the paper copy of the e-Invoice to the address on file.
-
-## More questions?
-
-[連絡客戶支援](../../admin/contact-support-for-business-products.md)
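Review bot: the whole Taiwan e-Invoice page is deleted with no sign of a redirect; pages like "View your bill or invoice" and support flows may still link to it, so add a redirect entry for `e-invoice-of-your-subscription-in-taiwan` (or say in the commit where the content moved) rather than letting the URL 404. If the content is being dropped on purpose, the dated statement "Microsoft will replace current computerized invoice with e-Invoice on September 15th" (no year) was already stale, which supports removal, but the redirect is still needed.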
commerce https://docs.microsoft.com/en-us/microsoft-365/commerce/billing-and-payments/pay-for-subscription-billing-profile https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/pay-for-subscription-billing-profile.md
@@ -0,0 +1,237 @@
+
+ Title: "Paying for your subscription with a billing profile"
+f1.keywords:
+- NOCSH
+++
+audience: Admin
++
+localization_priority: Normal
+
+- M365-subscription-management
+- Adm_O365
+search.appverid:
+- MET150
+description: "Learn what payment options are available to pay for your subscription with a billing profile."
+
+- okr_SMB
+- AdminSurgePortfolio
+- commerce
++
+# How to pay for your subscription with a billing profile
++
+> [!NOTE]
+> The admin center is changing. If your experience doesn't match the details presented here, see
+[About the new Microsoft 365 admin center](https://docs.microsoft.com/microsoft-365/admin/microsoft-365-admin-center-preview?view=o365-21vianet&preserve-view=true).
++
+When you buy a subscription, you pay for it with a billing profile. The billing profile is linked to a specific payment method and can be a credit or debit card, or an invoice, but not a bank account.
+
+If youΓÇÖre not sure if your account has a billing profile, see [Understand billing profiles](manage-billing-profiles.md). If you donΓÇÖt have a billing profile, see [How to pay for your subscription](pay-for-your-subscription.md).
+
+## Paying with recurring billing turned on or off
+
+By default, recurring billing is automatically turned on for all paid subscriptions that use recurring billing. Every billing period, we automatically charge the payment method associated with the billing profile to pay for any subscriptions that use that billing profile. If your payment method is declined, you can use the **Pay now** button on your invoice to make a one-time payment for your subscription.
+
+If recurring billing is turned off for a billing profile, you can use the **Pay now** button on your invoice to pay for it every billing period, regardless of what payment method is linked with the billing profile. You can also pay by check or electronic funds transfer (EFT). Instructions for how to do that are included on the PDF copy of your invoice.
+
+## Paying by invoice
+
+If you have a billing profile that is set up to be paid by invoice, you can pay for your subscription with a check or EFT. You can also use a credit card to make an online payment by using the **Pay now** button on your invoice.
+
+To be eligible to pay by invoice, you must:
+
+- Be an established customer
+- Have a subscription cost that exceeds a certain amount (this amount varies by service location)
+- Pass a credit check
+
+If a credit check is required, youΓÇÖre notified when you buy your subscription. If you agree to be contacted, you get an email that includes more information about applying for credit approval. Credit checks are usually completed within two business days.
+
+If your billing profile is backed by an invoice, you get an email when your billing statement is ready to view. This email doesnΓÇÖt contain a copy of your billing statement. However, you can choose to [receive a copy of your billing statement in email](view-your-bill-or-invoice.md#receive-a-copy-of-your-billing-statement-in-email). Your billing statement includes details about your options for making a payment, and where to send it. If you enter a purchase order (PO) number in your billing profile, the number appears on your billing statement. For information about accessing billing statements, see [View your bill or invoice](view-your-bill-or-invoice.md).
+
+## Where do I send my check or EFT payment?
+
+[Check your invoice](view-your-bill-or-invoice.md) for payment instructions. You can also use the drop-down below to find payment instructions for your country. If you're not sure how much you owe, you can check your bill and billing history online on the **Invoices** tab of the <a href="https://go.microsoft.com/fwlink/p/?linkid=2102895" target="_blank">Bills & payments</a> page.
+
+> [!NOTE]
+> Paying by check is only available in a few countries.
+
+ **Choose your "bill-to" country or region from the drop-down menu below.**
+
+> [!div class="op_single_selector"]
+> - **Choose your country or region**
+> - [Afghanistan](../pay/afghanistan.md)
+> - [Albania](../pay/albania.md)
+> - [Algeria](../pay/algeria.md)
+> - [Angola](../pay/angola.md)
+> - [Argentina](../pay/argentina.md)
+> - [Armenia](../pay/armenia.md)
+> - [Australia](../pay/australia.md)
+> - [Austria](../pay/austria.md)
+> - [Azerbaijan](../pay/azerbaijan.md)
+> - [Bahamas](../pay/bahamas.md)
+> - [Bahrain](../pay/bahrain.md)
+> - [Bangladesh](../pay/bangladesh.md)
+> - [Barbados](../pay/barbados.md)
+> - [Belarus](../pay/belarus.md)
+> - [Belgium](../pay/belgium.md)
+> - [Belize](../pay/belize.md)
+> - [Bermuda](../pay/bermuda.md)
+> - [Bolivia](../pay/bolivia.md)
+> - [Bosnia and Herzegovina](../pay/bosnia-and-herzegovina.md)
+> - [Botswana](../pay/botswana.md)
+> - [Brazil](../pay/brazil.md)
+> - [Brunei](../pay/brunei.md)
+> - [Bulgaria](../pay/bulgaria.md)
+> - [Cameroon](../pay/cameroon.md)
+> - [Canada](../pay/canada.md)
+> - [Cape Verde](../pay/cape-verde.md)
+> - [Cayman Islands](../pay/cayman-islands.md)
+> - [Chile](../pay/chile.md)
+> - [China (PRC)](../pay/china-prc.md)
+> - [Colombia](../pay/colombia.md)
+> - [Costa Rica](../pay/costa-rica.md)
+> - [C├┤te d'Ivoire](../pay/cote-divoire.md)
+> - [Croatia](../pay/croatia.md)
+> - [Curacao](../pay/curacao.md)
+> - [Cyprus](../pay/cyprus.md)
+> - [Czech Republic](../pay/czech-republic.md)
+> - [Democratic Republic of Congo](../pay/democratic-republic-of-congo.md)
+> - [Denmark](../pay/denmark.md)
+> - [Dominican Republic](../pay/dominican-republic.md)
+> - [Ecuador](../pay/ecuador.md)
+> - [Egypt](../pay/egypt.md)
+> - [El Salvador](../pay/el-salvador.md)
+> - [Estonia](../pay/estonia.md)
+> - [Ethiopia](../pay/ethiopia.md)
+> - [Faroe Islands](../pay/faroe-islands.md)
+> - [Fiji](../pay/fiji.md)
+> - [Finland](../pay/finland.md)
+> - [France](../pay/france.md)
+> - [French Guiana](../pay/french-guiana.md)
+> - [Georgia](../pay/georgia.md)
+> - [Germany](../pay/germany.md)
+> - [Ghana](../pay/ghana.md)
+> - [Greece](../pay/greece.md)
+> - [Grenada](../pay/grenada.md)
+> - [Guadeloupe](../pay/guadeloupe.md)
+> - [Guam](../pay/guam.md)
+> - [Guatemala](../pay/guatemala.md)
+> - [Guyana](../pay/guyana.md)
+> - [Haiti](../pay/haiti.md)
+> - [Honduras](../pay/honduras.md)
+> - [Hong Kong](../pay/hong-kong.md)
+> - [Hungary](../pay/hungary.md)
+> - [Iceland](../pay/iceland.md)
+> - [India](../pay/india.md)
+> - [Indonesia](../pay/indonesia.md)
+> - [Iraq](../pay/iraq.md)
+> - [Ireland](../pay/ireland.md)
+> - [Israel](../pay/israel.md)
+> - [Italy](../pay/italy.md)
+> - [Jamaica](../pay/jamaica.md)
+> - [Japan](../pay/japan.md)
+> - [Jordan](../pay/jordan.md)
+> - [Kazakhstan](../pay/kazakhstan.md)
+> - [Kenya](../pay/kenya.md)
+> - [Korea](../pay/korea.md)
+> - [Kuwait](../pay/kuwait.md)
+> - [Kyrgyzstan](../pay/kyrgyzstan.md)
+> - [Latvia](../pay/latvia.md)
+> - [Lebanon](../pay/lebanon.md)
+> - [Libya](../pay/libya.md)
+> - [Liechtenstein](../pay/liechtenstein.md)
+> - [Lithuania](../pay/lithuania.md)
+> - [Luxembourg](../pay/luxembourg.md)
+> - [Macao](../pay/macao.md)
+> - [Macedonia, Former Yugoslav Republic of](../pay/macedonia.md)
+> - [Malaysia](../pay/malaysia.md)
+> - [Malta](../pay/malta.md)
+> - [Mauritius](../pay/mauritius.md)
+> - [Mexico](../pay/mexico.md)
+> - [Moldova](../pay/moldova.md)
+> - [Monaco](../pay/monaco.md)
+> - [Mongolia](../pay/mongolia.md)
+> - [Montenegro](../pay/montenegro.md)
+> - [Morocco](../pay/morocco.md)
+> - [Namibia](../pay/namibia.md)
+> - [Nepal](../pay/nepal.md)
+> - [Netherlands](../pay/netherlands.md)
+> - [New Zealand](../pay/new-zealand.md)
+> - [Nicaragua](../pay/nicaragua.md)
+> - [Nigeria](../pay/nigeria.md)
+> - [Norway](../pay/norway.md)
+> - [Oman](../pay/oman.md)
+> - [Pakistan](../pay/pakistan.md)
+> - [Palestinian Authority](../pay/palestinian-authority.md)
+> - [Panama](../pay/panama.md)
+> - [Paraguay](../pay/paraguay.md)
+> - [Peru](../pay/peru.md)
+> - [Philippines](../pay/philippines.md)
+> - [Poland](../pay/poland.md)
+> - [Portugal](../pay/portugal.md)
+> - [Puerto Rico](../pay/puerto-rico.md)
+> - [Qatar](../pay/qatar.md)
+> - [Romania](../pay/romania.md)
+> - [Russia](../pay/russia.md)
+> - [Rwanda](../pay/rwanda.md)
+> - [Saint Kitts and Nevis](../pay/saint-kitts-and-nevis.md)
+> - [Saint Lucia](../pay/saint-lucia.md)
+> - [Saint Vincent and the Grenadines](../pay/saint-vincent-and-the-grenadines.md)
+> - [Saudi Arabia](../pay/saudi-arabia.md)
+> - [Senegal](../pay/senegal.md)
+> - [Serbia](../pay/serbia.md)
+> - [Singapore](../pay/singapore.md)
+> - [Slovakia](../pay/slovakia.md)
+> - [Slovenia](../pay/slovenia.md)
+> - [South Africa](../pay/south-africa.md)
+> - [Spain](../pay/spain.md)
+> - [Sri Lanka](../pay/sri-lanka.md)
+> - [Suriname](../pay/suriname.md)
+> - [Sweden](../pay/sweden.md)
+> - [Switzerland](../pay/switzerland.md)
+> - [Taiwan](../pay/taiwan.md)
+> - [Tajikistan](../pay/tajikistan.md)
+> - [Tanzania](../pay/tanzania.md)
+> - [Thailand](../pay/thailand.md)
+> - [Trinidad and Tobago](../pay/trinidad-and-tobago.md)
+> - [Turkmenistan](../pay/turkmenistan.md)
+> - [Tunisia](../pay/tunisia.md)
+> - [Turkey](../pay/turkey.md)
+> - [Uganda](../pay/uganda.md)
+> - [Ukraine](../pay/ukraine.md)
+> - [United Arab Emirates](../pay/united-arab-emirates.md)
+> - [United Kingdom](../pay/united-kingdom.md)
+> - [United States](../pay/united-states.md)
+> - [Uruguay](../pay/uruguay.md)
+> - [Uzbekistan](../pay/uzbekistan.md)
+> - [Venezuela](../pay/venezuela.md)
+> - [Vietnam](../pay/vietnam.md)
+> - [Virgin Islands, US](../pay/virgin-islands.md)
+> - [Yemen](../pay/yemen.md)
+> - [Zambia](../pay/zambia.md)
+> - [Zimbabwe](../pay/zimbabwe.md)
+
+## Can I pay my invoice online?
+
+If recurring billing is turned off for your billing profile, you can use a credit card to pay your invoice online. To make a payment, use the **Pay now** button on your invoice in the Microsoft 365 admin center. To find your invoice, see [View your bill or invoice](view-your-bill-or-invoice.md).
+
+## Can I change from my current payment method to paying by invoice?
+
+If your billing profile is backed by credit or debit card, you can only change the payment method to another credit or debit card. You canΓÇÖt change to paying by invoice.
+
+## Can I change from paying by invoice to using a different payment method?
+
+If your billing profile is backed by invoice payments, you canΓÇÖt change the payment method. You can use the **Pay now** button on your invoice to pay with a credit or debit card, or by check or EFT.
+
+## Related content
+
+[Manage payment methods](manage-payment-methods.md) (article)\
+[View your bill or invoice](view-your-bill-or-invoice.md) (article)\
+[Understand your bill or invoice](understand-your-invoice.md) (article)
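Review bot: the added text contains mojibake in several new lines ("If youΓÇÖre not sure", "youΓÇÖre notified", "This email doesnΓÇÖt", "You canΓÇÖt change", and "C├┤te d'Ivoire" in the country list), which means the file was saved or pasted with the wrong encoding; save it as UTF-8 with plain apostrophes so the rendered page does not show garbage. Separately, the sentence "By default, recurring billing is automatically turned on for all paid subscriptions that use recurring billing" is circular; say "recurring billing is turned on by default for all paid subscriptions" and drop the trailing clause.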
commerce https://docs.microsoft.com/en-us/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription.md
@@ -33,7 +33,7 @@
::: moniker-end
-You can use a credit or debit card, or bank account to pay for your subscription. In some cases, you can pay by invoice, using check or electronic funds transfer (EFT). If you have a billing profile, your options are slightly different. If youΓÇÖre not sure if your account has a billing profile, see [Understand billing profiles](manage-billing-profiles.md).
+You can use a credit or debit card, or bank account to pay for your subscription. In some cases, you can pay by invoice, using check or electronic funds transfer (EFT). If you have a billing profile, your options are slightly different. For more information, see [How to pay for your subscription with a billing profile](pay-for-subscription-billing-profile.md). If youΓÇÖre not sure if your account has a billing profile, see [Understand billing profiles](manage-billing-profiles.md).
**Just want to find out where to send your invoice payment?** If you pay your invoice by check or electronic funds transfer (EFT), see [Where do I send my check or EFT payment?](#where-do-i-send-my-check-or-eft-payment)
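Review bot: the rewritten sentence keeps the pre-existing mojibake "If youΓÇÖre not sure" from the old line; since the line is being touched anyway, replace the curly apostrophe with a plain one (or fix the file encoding) so the new cross-link sentence does not ship next to garbled text.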
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/get-started-with-sensitivity-labels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/get-started-with-sensitivity-labels.md
@@ -93,7 +93,9 @@ All scenarios require you to [Create and configure sensitivity labels and their
## End-user documentation for sensitivity labels
-The most effective end-user documentation will be customized guidance and instructions you provide for the label names and configurations you choose. See the following blog post for a download package that you can use to train users and drive adoption: [End User Training for Sensitivity Labels in M365 ΓÇô How to Accelerate Your Adoption](https://techcommunity.microsoft.com/t5/microsoft-security-and/end-user-training-for-sensitivity-labels-in-m365-how-to/ba-p/1750880).
+The most effective end-user documentation will be customized guidance and instructions you provide for the label names and configurations you choose. For built-in labeling, you can use the label policy setting **Provide users with a link to a custom help page** to specify an internal link for this documentation. Users can then easily access it by selecting **Learn More** from the **Sensitivity** button on the Office ribbon for Word, PowerPoint, Excel, and Outlook.
+
+To help you write your customized documentation, see the following blog post for a download package that you can use to train users and drive adoption: [End User Training for Sensitivity Labels in M365 ΓÇô How to Accelerate Your Adoption](https://techcommunity.microsoft.com/t5/microsoft-security-and/end-user-training-for-sensitivity-labels-in-m365-how-to/ba-p/1750880).
You can also use the following resources for basic instructions:
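Review bot: the re-added blog link keeps the "M365 ΓÇô How to Accelerate" mojibake in its link text from the old line; use a plain hyphen or correct the file encoding while this paragraph is being rewritten. The new guidance about the **Provide users with a link to a custom help page** policy setting is a useful addition; consider also saying that the page behind the link should be reachable without extra sign-in from every platform where the **Sensitivity** button is offered, since the setting is described as an internal link.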
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management-configure https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-management-configure.md
@@ -37,8 +37,8 @@ Before you get started with insider risk management, you should confirm your [Mi
- Microsoft 365 A3 subscription + the Microsoft 365 A5 Compliance add-on - Microsoft 365 A3 subscription + the Microsoft 365 A5 Insider Risk Management add-on - Microsoft 365 G5 subscription (paid or trial version)-- Microsoft 365 G5 subscription + the Microsoft 365 G5 Compliance add-on-- Microsoft 365 G5 subscription + the Microsoft 365 G5 Insider Risk Management add-on
+- Microsoft 365 G3 subscription + the Microsoft 365 G5 Compliance add-on
+- Microsoft 365 G3 subscription + the Microsoft 365 G5 Insider Risk Management add-on
Users included in insider risk management policies must be assigned one of the licenses above.
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/insider-risk-solution-overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/insider-risk-solution-overview.md
@@ -74,8 +74,8 @@ Insider risk management is available in the following subscriptions:
- Microsoft 365 A3 subscription + the Microsoft 365 A5 Compliance add-on - Microsoft 365 A3 subscription + the Microsoft 365 A5 Insider Risk Management add-on - Microsoft 365 G5 subscription (paid or trial version)-- Microsoft 365 G5 subscription + the Microsoft 365 G5 Compliance add-on-- Microsoft 365 G5 subscription + the Microsoft 365 G5 Insider Risk Management add-on
+- Microsoft 365 G3 subscription + the Microsoft 365 G5 Compliance add-on
+- Microsoft 365 G3 subscription + the Microsoft 365 G5 Insider Risk Management add-on
### Information barriers
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/retention-policies-teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/retention-policies-teams.md
@@ -103,7 +103,7 @@ However, if conversation history is turned on for Skype for Business and from th
Channel meeting messages are stored the same way as channel messages, so for this data, select the **Teams channel messages** location when you configure your retention policy.
-Impromptu meeting messages are stored in the same way as group chat messages, so for this data, select the **Teams chats** location when you configure your retention policy.
+Impromptu and scheduled meeting messages are stored in the same way as group chat messages, so for this data, select the **Teams chats** location when you configure your retention policy.
When external users are included in a meeting that your organization hosts:
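Review bot: "Impromptu and scheduled meeting messages are stored in the same way as group chat messages" now sits directly under "Channel meeting messages are stored the same way as channel messages", so a reader can take "scheduled" to include scheduled channel meetings and pick the wrong location. Qualify it, for example "Impromptu and scheduled meetings that are not channel meetings", so the two sentences do not appear to contradict each other about where retention applies.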
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/sensitivity-labels-sharepoint-onedrive-files.md
@@ -99,6 +99,8 @@ Use the OneDrive sync app version 19.002.0121.0008 or later on Windows, and vers
- Labels configured for [other languages](create-sensitivity-labels.md#additional-label-settings-with-security--compliance-center-powershell) are not supported and display the original language only.
+- Screen captures can't be prevented for encrypted documents. For more information, see [Can Rights Management prevent screen captures?](/azure/information-protection/faqs-rms#can-rights-management-prevent-screen-captures)
+ - If you delete a label that's been applied to a document in SharePoint or OneDrive, rather than remove the label from the applicable label policy, the document when downloaded won't be labeled or encrypted. In comparison, if the labeled document is stored outside SharePoint or OneDrive, the document remains encrypted if the label is deleted. Note that although you might delete labels during a testing phase, it's very rare to delete a label in a production environment. ## How to enable sensitivity labels for SharePoint and OneDrive (opt-in)
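Review bot: the new screen-capture bullet is an important security caveat, but as written it reads as a SharePoint/OneDrive-specific limitation; the linked FAQ ("Can Rights Management prevent screen captures?") makes clear it applies to any Rights Management-encrypted content, so say so, otherwise readers may assume desktop apps are different. The neighbouring bullet about deleting a label (downloaded copies come back unlabeled and unencrypted) is a loss-of-protection scenario and would be better called out as a warning block than as a plain list item.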
compliance https://docs.microsoft.com/en-us/microsoft-365/compliance/tls-1-2-in-office-365-gcc https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/tls-1-2-in-office-365-gcc.md
@@ -1,6 +1,6 @@
Title: Deprecating TLS 1.0 and 1.1 in Office 365 GCC High and DoD
-description: Discusses how Microsoft is moving the date forward to discontinue support for TLS 1.1 and 1.0 in GCC High and DoD environments in Office 365 and preparing to use TLS 1.2.
+ Title: Disabling TLS 1.0 and 1.1 in Office 365 GCC High and DoD
+description: Discusses how Microsoft is disabling support for TLS 1.1 and 1.0 in GCC High and DoD environments in Microsoft 365.
localization_priority: Normal
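Review bot: the new title says "Office 365 GCC High and DoD" while the new description in the same front matter says "Microsoft 365"; pick one product name for the page metadata so the title, description and H1 agree. The added title line also carries a leading space that the description line does not, which should be removed so the front matter stays consistently formatted.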
@@ -16,19 +16,21 @@ appliesto:
- Office 365 Business
-# Deprecating TLS 1.0 and 1.1 in Office 365 GCC High and DoD
+# Disabling TLS 1.0 and 1.1 in Office 365 GCC High and DoD
## Summary
-In order to comply with the latest compliance standards for the Federal Risk and Authorization Management Program (FedRAMP), we are deprecating Transport Layer Security (TLS) versions 1.1 and 1.0 in Microsoft Office 365 for GCC High and DoD environments. This change was previously announced through Microsoft Support in [Preparing for the mandatory use of TLS 1.2 in Office 365](https://support.microsoft.com/help/4057306/preparing-for-tls-1-2-in-office-365).
+In order to comply with the latest compliance standards for the Federal Risk and Authorization Management Program (FedRAMP), we are disabling Transport Layer Security (TLS) versions 1.1 and 1.0 in Microsoft 365 for GCC High and DoD environments. This change was previously announced through Microsoft Support in [Preparing for the mandatory use of TLS 1.2 in Office 365](https://support.microsoft.com/help/4057306/preparing-for-tls-1-2-in-office-365).
The security of your data is important, and we are committed to transparency about changes that could affect your use of the service.
-Although the [Microsoft TLS 1.0 implementation](https://support.microsoft.com/help/3117336) has no known security vulnerabilities, we remain committed to the FedRAMP compliance standards. Therefore, we will deprecate TLS 1.1 and 1.0 in Office 365 in GCC High and DoD environments starting on January 15, 2020. For information about how to remove TLS 1.1 and 1.0 dependencies, see the following white paper:
+Although the [Microsoft TLS 1.0 implementation](https://support.microsoft.com/help/3117336) has no known security vulnerabilities, we remain committed to the FedRAMP compliance standards. Therefore, we disabled TLS 1.1 and 1.0 in Office 365 in GCC High and DoD environments on January 15, 2020. For information about how to remove TLS 1.1 and 1.0 dependencies, see the following white paper:
[Solving the TLS 1.0 problem](https://www.microsoft.com/download/details.aspx?id=55266)
-In preparing for this change for TLS 1.1 and 1.0, we recommend that you use TLS version 1.2 instead. For more information, see [Preparing for the mandatory use of TLS 1.2 in Office 365](https://support.microsoft.com/help/4057306/preparing-for-tls-1-2-in-office-365).
+You must use TLS version 1.2 instead. For more information, see [Preparing for the mandatory use of TLS 1.2 in Office 365](https://support.microsoft.com/help/4057306/preparing-for-tls-1-2-in-office-365).
+
+For SharePoint and OneDrive, you'll need to update and configure .NET to support TLS 1.2. For information, see [How to enable TLS 1.2 on clients](https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client).
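Review bot: "You must use TLS version 1.2 instead" should read "TLS 1.2 or later" so the page does not read as if TLS 1.3 is prohibited when the goal is only to retire 1.0 and 1.1. The new SharePoint/OneDrive sentence sends the reader to a Configuration Manager page with a locale-specific `/en-us/` URL (the other links on the page omit the locale); drop the locale segment and, since the sentence is about .NET clients, say which .NET Framework versions need the registry change versus which default to TLS 1.2 rather than leaving that to the Configuration Manager article.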
## More information
contentunderstanding https://docs.microsoft.com/en-us/microsoft-365/contentunderstanding/import-term-set-skos https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/import-term-set-skos.md
@@ -15,7 +15,7 @@ localization_priority: Priority
# Import a term set using a SKOS-based format
-You can import a term set using a SKOS-based format. For details about the format, see [SharePoint taxonomy SKOS format reference](skos-format-reference.md).
+You can import a term set using a SKOS-based format. For details about the format, see [SharePoint taxonomy SKOS format reference](skos-format-reference.md). This feature requires a [SharePoint Syntex](index.md) license.
We recommend keeping your import files to less than 20,000 terms. Larger files can increase the time taken for validation and import.
contentunderstanding https://docs.microsoft.com/en-us/microsoft-365/contentunderstanding/push-content-type-to-hub https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/push-content-type-to-hub.md
@@ -23,7 +23,7 @@ localization_priority: Priority
</br>
-To make important content types more consistently available to SharePoint libraries and lists, you can push them to the hubs that you choose. Pushing the content types automatically adds them to any new lists and libraries created on the sites associated with the hub, and to any new sites added to the hub.
+To make important content types more consistently available to SharePoint libraries and lists, you can push them to the hubs that you choose. Pushing the content types automatically adds them to any new lists and libraries created on the sites associated with the hub, and to any new sites added to the hub. This feature requires a [SharePoint Syntex](index.md) license.
For this feature to work, the content types being pushed must already be published.
contentunderstanding https://docs.microsoft.com/en-us/microsoft-365/contentunderstanding/set-up-content-understanding https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/set-up-content-understanding.md
@@ -87,11 +87,11 @@ To assign licenses:
1. In the Microsoft 365 admin center, under **Users**, click **Active users**.
-2. Select the users that you want to license, and click **Manage product licenses**.
+2. Select the users that you want to license, and choose **Manage product licenses**.
-3. Select **Assign more**.
+3. Choose **Apps** from the drop-down menu.
-4. Select **SharePoint Syntex**. Under **Apps**, make sure **Common Data Service for SharePoint Syntex**, **SharePoint Syntex**, and **SharePoint Syntex - SPO type** are all selected.
+4. Select **Show apps for SharePoint Syntex**. Under **Apps**, make sure **Common Data Service for SharePoint Syntex**, **SharePoint Syntex**, and **SharePoint Syntex - SPO type** are all selected.
> [!div class="mx-imgBorder"] > ![SharePoint Syntex licenses in the Microsoft 365 admin center](../media/content-understanding/sharepoint-syntex-licenses.png)
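Review bot: the verbs in the renumbered steps are now inconsistent: step 2 was changed from "click" to "choose" and step 3 reads "Choose **Apps** from the drop-down menu", but step 4 still says "Select **Show apps for SharePoint Syntex**"; pick one verb for the list. The screenshot on the unchanged context line (`../media/content-understanding/sharepoint-syntex-licenses.png`) was not touched even though the "Assign more" step was replaced by the "Apps" drop-down flow; confirm it still matches the new steps or update it in the same change.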
contentunderstanding https://docs.microsoft.com/en-us/microsoft-365/contentunderstanding/term-store-analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/term-store-analytics.md
@@ -17,7 +17,9 @@ localization_priority: Priority
# Term store reports
-You can access reports for the term store in the SharePoint admin center. Expand **Reports**, and then click **Content services**.
+You can access reports for the term store in the SharePoint admin center. This feature requires a [SharePoint Syntex](index.md) license.
+
+Expand **Reports**, and then click **Content services**.
The following reports are available:
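Review bot: the split line keeps "click **Content services**" while the set-up-content-understanding hunk in this same update replaces "click" with "choose"; use the same verb across the SharePoint Syntex pages so the license sentence and the instruction read consistently. Moving the license requirement into its own sentence is good and is the pattern the push-content-type-to-hub hunk should follow.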
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/ms-cloud-germany-transition https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/ms-cloud-germany-transition.md
@@ -278,6 +278,52 @@ If you have questions, you can contact us or your partner:
- For Office 365, you may submit questions using the &quot;Need Help?&quot; link of the [Microsoft 365 admin center](https://portal.office.de/). - If you are Dynamics 365 Customer Engagement and Power BI customer and also have Office 365, you may submit questions using the &quot;Need Help?&quot; link of the [Microsoft 365 admin center](https://portal.office.de/). Dynamics 365 Customer Engagement support options are located [here](https://docs.microsoft.com/dynamics365/get-started/support/). Power BI support options are located [here](https://powerbi.microsoft.com/support/).
+### My customer already has a M365 tenant in the global Microsoft cloud in addition to a Microsoft Cloud Deutschland tenant. Can these two tenants be merged into one as part of the migration?
+
+No, there is no tenant merge capability. Tenants will remain separate and unique as every tenant has its own namespace and unique ID. Microsoft will migrate a Microsoft Cloud Deutschland tenant to the global cloud if desired or else the customer can cancel and abandon it.
++
+### What actions are required to be done by most end users as part of the migration?
+The migration is designed to have minimal impact to end users/customers.
+- Ensure that Office applications are running latest available versions.
+- Customers using Skype for Business will transition to Teams as part of the migration and may need to [download and install Teams](https://docs.microsoft.com/deployoffice/teams-install) on devices.
+- End users may need to log out of the Office applications and log back in once the migration is complete.
+- Customers running the OneDrive Sync client need to log out of their workstation and log in again to allow OneDrive Sync client to log in to the global Azure Active Directory service.
+- Be aware of new global URLs once migration is complete, notably Outlook Web Access (example: use outlook.office365.com). SharePoint Online clients will continue to successfully connect to the MCD namespace using the existing URL (example: contoso.sharepoint.de).
++
+### Which customers are affected by the Azure Active Directory migration?
+
+All customers of Office365 depend on Azure Active Directory to authenticate and store critical service components needed for operation of Microsoft hosted services.
++
+### What are the impacts of the Azure Active Directory Migration?
+
+The initial migration of Azure Active Directory in the early phase has no impact to the customer experience. After the final migration stage all services for the customer tenant are fully in the global service. After this final stage the Azure Active Directory service in Microsoft Cloud Deutschland may no longer accept authorization requests or provide access tokens to Office services.
++
+### What does it mean to ensure network connectivity to [Office 365 services URLs and IP addresses](https://aka.ms/o365urls)?
+
+This article describes the necessary URLs and IP addresses required for proper function of the global service to ensure a good customer experience. In relatively rare cases, some customers attempt to configure network perimeter security in such a way to minimize traffic flows and have restricted access to services to those only as part of the Microsoft Cloud Deutschland service IP ranges.
++
+### How do I manage the DNS changes for Exchange Online so mail will continue to flow?
+
+Microsoft-managed IP ranges and DNS zones are transitioned during and as part of the migration to the global service.
+
+Customer-managed DNS zones such as custom domain MX records are the responsibility of the customer, however, to simplify this migration the customer managed MX record points to an Office 365 service endpoint in the office.de zone and Microsoft manages the migration of this service endpoint automatically.
++
+### How do I manage the DNS changes for Skype for Business?
+
+All Skype For Business customers in will transition to Microsoft Teams. The transition of customer Skype DNS zones is not required in the migration to Teams. Customers will be able to sign-into Teams immediately with all functionality after migration.
+
+
+### Will Outlook for iOS and Android work after the migration?
+
+Yes. MicrosoftΓÇÖs recommendation is all customers run the latest available versions of Office clients including Outlook for iOS and Android clients. Upon completion of the migration to the Office 365 global service, all Office clients will need to log out and log back in to obtain a new Azure Active Directory access token from the global service.
++ ## Next step
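Review bot: several of the added lines contain only a stray `+` (the `++` lines before "What actions are required", "Which customers are affected", "What are the impacts", "What does it mean", both "How do I manage the DNS changes" headings, and the one before "## Next step"); in Markdown a lone `+` is an empty list item, so replace each with a blank line. Also fix in the added prose: "All Skype For Business customers in will transition" has a stray "in"; "sign-into Teams" should be "sign in to Teams"; "Office365" should be "Office 365"; "a M365 tenant" should be "an M365 tenant"; and "MicrosoftΓÇÖs" is a mis-encoded curly apostrophe, use a straight one ("Microsoft's") as the rest of this update does.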
enterprise https://docs.microsoft.com/en-us/microsoft-365/enterprise/office-365-network-mac-perf-overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-overview.md
@@ -40,7 +40,7 @@ On navigating to the network connectivity page, you will see an overview pane co
## Pre-requisites for network connectivity assessments to appear
-Whilst network connectivity can be evaluated across the organization, any network design improvements will need to be done for specific office locations. Network connectivity information is provided for each office location once those locations can be determined. There are three options for getting network assessments from your office locations:
+To get started, turn on your location opt-in setting to automatically collect data from devices using Windows Location Services, go to your Locations list to add or upload location data, or run the Microsoft 365 network connectivity test from your office locations. Whilst network connectivity can be evaluated across the organization, any network design improvements will need to be done for specific office locations. Network connectivity information is provided for each office location once those locations can be determined. There are three options for getting network assessments from your office locations:
### 1. Enable Windows Location Services
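Review bot: the new opening sentence ("To get started, turn on your location opt-in setting ... or run the Microsoft 365 network connectivity test from your office locations") enumerates the same three options that the unchanged sentence "There are three options for getting network assessments from your office locations:" introduces and that the "### 1. Enable Windows Location Services" subsections then describe, so the paragraph now lists the options twice. Either move the new sentence after "There are three options ..." or trim it to a pointer such as "To get started, use one of the three options below." While you are there, "Whilst" reads better as "While".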
includes https://docs.microsoft.com/en-us/microsoft-365/includes/microsoft-365-content-updates https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-content-updates.md
@@ -2,6 +2,290 @@
+## Week of February 01, 2021
++
+| Published On |Topic title | Change |
+|||--|
+| 2/1/2021 | [Communication compliance feature reference](/microsoft-365/compliance/communication-compliance-feature-reference?view=o365-21vianet) | modified |
+| 2/1/2021 | [Double Key Encryption (DKE)](/microsoft-365/compliance/double-key-encryption?view=o365-21vianet) | modified |
+| 2/1/2021 | [How Exchange Online uses TLS to secure email connections](/microsoft-365/compliance/exchange-online-uses-tls-to-secure-email-connections?view=o365-21vianet) | modified |
+| 2/1/2021 | [Message Encryption FAQ](/microsoft-365/compliance/ome-faq?view=o365-21vianet) | modified |
+| 2/1/2021 | [What's new in Microsoft 365 compliance](/microsoft-365/compliance/whats-new?view=o365-21vianet) | modified |
+| 2/1/2021 | [Naming changes in the Microsoft 365 Defender advanced hunting schema](/microsoft-365/security/mtp/advanced-hunting-schema-changes?view=o365-21vianet) | modified |
+| 2/1/2021 | [Microsoft 365 encryption chains](/microsoft-365/compliance/encryption-office-365-certificate-chains?view=o365-21vianet) | modified |
+| 2/1/2021 | [Microsoft 365 for enterprise overview](/microsoft-365/enterprise/microsoft-365-overview?view=o365-21vianet) | modified |
+| 2/1/2021 | [Access the Admin portal](/microsoft-365/managed-desktop/get-started/access-admin-portal?view=o365-21vianet) | modified |
+| 2/1/2021 | [Buy or remove licenses](/microsoft-365/commerce/licenses/buy-licenses?view=o365-21vianet) | modified |
+| 2/1/2021 | [Create and publish sensitivity labels](/microsoft-365/compliance/create-sensitivity-labels?view=o365-21vianet) | modified |
+| 2/1/2021 | [Get started with sensitivity labels](/microsoft-365/compliance/get-started-with-sensitivity-labels?view=o365-21vianet) | modified |
+| 2/1/2021 | View label usage with label analytics | removed |
+| 2/1/2021 | [Learn about retention policies & labels to automatically retain or delete content](/microsoft-365/compliance/retention?view=o365-21vianet) | modified |
+| 2/1/2021 | [Use sensitivity labels in Office apps](/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-21vianet) | modified |
+| 2/1/2021 | [Manage information barrier policies](/microsoft-365/compliance/information-barriers-edit-segments-policies?view=o365-21vianet) | modified |
+| 2/1/2021 | [Define information barrier policies](/microsoft-365/compliance/information-barriers-policies?view=o365-21vianet) | modified |
+| 2/1/2021 | [Learn about information barriers in Microsoft 365](/microsoft-365/compliance/information-barriers?view=o365-21vianet) | modified |
+| 2/2/2021 | [SharePoint Syntex accessibility mode ](/microsoft-365/contentunderstanding/accessibility-mode) | added |
+| 2/2/2021 | [Upgrade distribution lists to Microsoft 365 Groups in Outlook](/microsoft-365/admin/manage/upgrade-distribution-lists?view=o365-21vianet) | modified |
+| 2/2/2021 | [Create distribution groups](/microsoft-365/admin/setup/create-distribution-lists?view=o365-21vianet) | modified |
+| 2/2/2021 | [Create a custom sensitive information type using PowerShell](/microsoft-365/compliance/create-a-custom-sensitive-information-type-in-scc-powershell?view=o365-21vianet) | modified |
+| 2/2/2021 | [Create custom sensitive information types with Exact Data Match](/microsoft-365/compliance/create-custom-sensitive-information-types-with-exact-data-match-based-classification?view=o365-21vianet) | modified |
+| 2/2/2021 | [Get started with content explorer](/microsoft-365/compliance/data-classification-content-explorer?view=o365-21vianet) | modified |
+| 2/2/2021 | [Get started with Microsoft 365 Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-getting-started?view=o365-21vianet) | modified |
+| 2/2/2021 | [Apply a document understanding model to a document library](/microsoft-365/contentunderstanding/apply-a-model) | modified |
+| 2/2/2021 | [Create an extractor](/microsoft-365/contentunderstanding/create-an-extractor) | modified |
+| 2/2/2021 | [Explanation types](/microsoft-365/contentunderstanding/explanation-types-overview) | modified |
+| 2/2/2021 | [Document understanding model usage analytics](/microsoft-365/contentunderstanding/model-usage-analytics) | modified |
+| 2/2/2021 | [Migrate advanced hunting queries from Microsoft Defender for Endpoint](/microsoft-365/security/mtp/advanced-hunting-migrate-from-mdatp?view=o365-21vianet) | modified |
+| 2/2/2021 | [Create and manage custom detection rules in Microsoft 365 Defender](/microsoft-365/security/mtp/custom-detection-rules?view=o365-21vianet) | modified |
+| 2/2/2021 | [Overview of custom detections in Microsoft 365 Defender](/microsoft-365/security/mtp/custom-detections-overview?view=o365-21vianet) | modified |
+| 2/2/2021 | [Evaluate Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/office-365-evaluation?view=o365-21vianet) | modified |
+| 2/2/2021 | [Use a PowerShell script to search the audit log](/microsoft-365/compliance/audit-log-search-script?view=o365-21vianet) | added |
+| 2/2/2021 | [Automatically apply a sensitivity label to content in Microsoft 365](/microsoft-365/compliance/apply-sensitivity-label-automatically?view=o365-21vianet) | modified |
+| 2/2/2021 | [Create and publish sensitivity labels](/microsoft-365/compliance/create-sensitivity-labels?view=o365-21vianet) | modified |
+| 2/2/2021 | [Keyword queries and search conditions for Content Search](/microsoft-365/compliance/keyword-queries-and-search-conditions?view=o365-21vianet) | modified |
+| 2/2/2021 | [Learn about retention policies & labels to automatically retain or delete content](/microsoft-365/compliance/retention?view=o365-21vianet) | modified |
+| 2/2/2021 | [Use sensitivity labels in Office apps](/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-21vianet) | modified |
+| 2/2/2021 | [Learn about sensitivity labels](/microsoft-365/compliance/sensitivity-labels?view=o365-21vianet) | modified |
+| 2/2/2021 | [Connect to all Microsoft 365 services in a single PowerShell window](/microsoft-365/enterprise/connect-to-all-microsoft-365-services-in-a-single-windows-powershell-window?view=o365-21vianet) | modified |
+| 2/2/2021 | [Top scoring in industry tests - Microsoft 365 Defender](/microsoft-365/security/mtp/top-scoring-industry-tests?view=o365-21vianet) | modified |
+| 2/2/2021 | [Set up Safe Attachments policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/set-up-atp-safe-attachments-policies?view=o365-21vianet) | modified |
+| 2/3/2021 | [Overview of Microsoft 365 Groups for administrators](/microsoft-365/admin/create-groups/office-365-groups?view=o365-21vianet) | modified |
+| 2/3/2021 | [About shared mailboxes](/microsoft-365/admin/email/about-shared-mailboxes?view=o365-21vianet) | modified |
+| 2/3/2021 | [Use a PowerShell script to search the audit log](/microsoft-365/compliance/audit-log-search-script?view=o365-21vianet) | modified |
+| 2/3/2021 | [Using Endpoint data loss prevention](/microsoft-365/compliance/endpoint-dlp-using?view=o365-21vianet) | modified |
+| 2/3/2021 | [Get started with insider risk management](/microsoft-365/compliance/insider-risk-management-configure?view=o365-21vianet) | modified |
+| 2/3/2021 | [Insider risk management policies](/microsoft-365/compliance/insider-risk-management-policies?view=o365-21vianet) | modified |
+| 2/3/2021 | [Insider risk management settings](/microsoft-365/compliance/insider-risk-management-settings?view=o365-21vianet) | modified |
+| 2/3/2021 | [Learn about insider risk management](/microsoft-365/compliance/insider-risk-management?view=o365-21vianet) | modified |
+| 2/3/2021 | [Learn about retention for Teams](/microsoft-365/compliance/retention-policies-teams?view=o365-21vianet) | modified |
+| 2/3/2021 | [Sensitive information type entity definitions](/microsoft-365/compliance/sensitive-information-type-entity-definitions?view=o365-21vianet) | modified |
+| 2/3/2021 | [Set up SharePoint Syntex](/microsoft-365/contentunderstanding/set-up-content-understanding) | modified |
+| 2/3/2021 | [Data move general FAQ](/microsoft-365/enterprise/data-move-faq?view=o365-21vianet) | modified |
+| 2/3/2021 | [Topic Experiences topic discovery and curation (Preview) ](/microsoft-365/knowledge/topic-experiences-discovery-curation) | modified |
+| 2/3/2021 | [Topic Experiences overview (Preview)](/microsoft-365/knowledge/topic-experiences-overview) | modified |
+| 2/3/2021 | [Microsoft Managed Desktop technologies](/microsoft-365/managed-desktop/intro/technologies?view=o365-21vianet) | modified |
+| 2/3/2021 | [Migrate advanced hunting queries from Microsoft Defender for Endpoint](/microsoft-365/security/mtp/advanced-hunting-migrate-from-mdatp?view=o365-21vianet) | modified |
+| 2/3/2021 | [Enable the Report Message add-in](/microsoft-365/security/office-365-security/enable-the-report-message-add-in?view=o365-21vianet) | modified |
+| 2/3/2021 | [Enable the Report Phish add-in](/microsoft-365/security/office-365-security/enable-the-report-phish-add-in?view=o365-21vianet) | modified |
+| 2/3/2021 | [Application Guard for Office 365 for admins](/microsoft-365/security/office-365-security/install-app-guard?view=o365-21vianet) | modified |
+| 2/3/2021 | [Microsoft 365 client and services app support](/microsoft-365/enterprise/microsoft-365-client-services-app-support?view=o365-21vianet) | added |
+| 2/3/2021 | [Microsoft 365 Client App Support: Multi-factor authentication](/microsoft-365/enterprise/microsoft-365-client-support-multi-factor-authentication?view=o365-21vianet) | renamed |
+| 2/3/2021 | [Hybrid Modern Authentication overview and prerequisites for use with on-premises Skype for Business and Exchange servers](/microsoft-365/enterprise/hybrid-modern-auth-overview?view=o365-21vianet) | modified |
+| 2/3/2021 | [Microsoft 365 Client App Support: Certificate-based Authentication](/microsoft-365/enterprise/microsoft-365-client-support-certificate-based-authentication?view=o365-21vianet) | modified |
+| 2/3/2021 | [Microsoft 365 Client App Support: Conditional Access](/microsoft-365/enterprise/microsoft-365-client-support-conditional-access?view=o365-21vianet) | modified |
+| 2/3/2021 | [Microsoft 365 Client App Support: Single Sign-On](/microsoft-365/enterprise/microsoft-365-client-support-single-sign-on?view=o365-21vianet) | modified |
+| 2/3/2021 | [Common identity and device access policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/identity-access-policies?view=o365-21vianet) | modified |
+| 2/3/2021 | [Prerequisite work for implementing identity and device access policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/identity-access-prerequisites?view=o365-21vianet) | modified |
+| 2/3/2021 | [Secure email recommended policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/secure-email-recommended-policies?view=o365-21vianet) | modified |
+| 2/3/2021 | [Recommended secure document policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/sharepoint-file-access-policies?view=o365-21vianet) | modified |
+| 2/3/2021 | [Recommended Teams policies - Microsoft 365 for enterprise \| Microsoft Docs](/microsoft-365/security/office-365-security/teams-access-policies?view=o365-21vianet) | modified |
+| 2/3/2021 | [Top 12 tasks for security teams to support working from home](/microsoft-365/security/top-security-tasks-for-remote-work?view=o365-21vianet) | modified |
+| 2/3/2021 | [Step 1. Increase sign-in security for remote workers with MFA](/microsoft-365/solutions/empower-people-to-work-remotely-secure-sign-in?view=o365-21vianet) | modified |
+| 2/3/2021 | [Troubleshoot eDiscovery hold distribution errors](/microsoft-365/compliance/hold-distribution-errors?view=o365-21vianet) | added |
+| 2/3/2021 | [Azure Information Protection support for Office 365 operated by 21Vianet](/microsoft-365/admin/services-in-china/parity-between-azure-information-protection?view=o365-21vianet) | modified |
+| 2/3/2021 | [Use the step-by-step guide to add Autopilot devices and profile](/microsoft-365/business/add-autopilot-devices-and-profile?view=o365-21vianet) | modified |
+| 2/3/2021 | [Microsoft Information Protection in Microsoft 365](/microsoft-365/compliance/information-protection?view=o365-21vianet) | modified |
+| 2/3/2021 | [Set up compliance boundaries for eDiscovery investigations](/microsoft-365/compliance/set-up-compliance-boundaries?view=o365-21vianet) | modified |
+| 2/3/2021 | [Microsoft 365 documentation # < 60 chars](/microsoft-365/index?view=o365-21vianet) | modified |
+| 2/3/2021 | [Report spam, non-spam, and phishing messages to Microsoft](/microsoft-365/security/office-365-security/report-junk-email-messages-to-microsoft?view=o365-21vianet) | modified |
+| 2/3/2021 | [About the Microsoft Defender for Office 365 trial](/microsoft-365/security/office-365-security/about-defender-for-office-365-trial?view=o365-21vianet) | added |
+| 2/4/2021 | [Multi-factor authentication for Microsoft 365](/microsoft-365/admin/security-and-compliance/multi-factor-authentication-microsoft-365?view=o365-21vianet) | modified |
+| 2/4/2021 | [Set up multi-factor authentication for users](/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide) | modified |
+| 2/4/2021 | [Set up Microsoft 365 for business](/microsoft-365/admin/setup/setup?view=o365-21vianet) | modified |
+| 2/4/2021 | [Get started with insider risk management](/microsoft-365/compliance/insider-risk-management-configure?view=o365-21vianet) | modified |
+| 2/4/2021 | [Insider risk solution](/microsoft-365/compliance/insider-risk-solution-overview?view=o365-21vianet) | modified |
+| 2/4/2021 | [Revoke email encrypted by Advanced Message Encryption](/microsoft-365/compliance/revoke-ome-encrypted-mail?view=o365-21vianet) | modified |
+| 2/4/2021 | [Use Microsoft Search to find topics in Microsoft Viva Topics](/microsoft-365/knowledge/search) | added |
+| 2/4/2021 | [Create a new topic in Microsoft Viva Topics](/microsoft-365/knowledge/create-a-topic) | modified |
+| 2/4/2021 | [Edit an existing topic in Microsoft Viva Topics ](/microsoft-365/knowledge/edit-a-topic) | modified |
+| 2/4/2021 | [Introduction to Microsoft Viva Topics](/microsoft-365/knowledge/index) | modified |
+| 2/4/2021 | [Manage topics in the Topic center in Microsoft Viva Topics](/microsoft-365/knowledge/manage-topics) | modified |
+| 2/4/2021 | [Plan for Microsoft Viva Topics](/microsoft-365/knowledge/plan-topic-experiences) | modified |
+| 2/4/2021 | [Restrict access to topics in Microsoft Viva Topics](/microsoft-365/knowledge/restrict-access-to-topics) | modified |
+| 2/4/2021 | [Set up Microsoft Viva Topics](/microsoft-365/knowledge/set-up-topic-experiences) | modified |
+| 2/4/2021 | [Topic center overview ](/microsoft-365/knowledge/topic-center-overview) | modified |
+| 2/4/2021 | [Change the name of the topic center in Microsoft Viva Topics](/microsoft-365/knowledge/topic-experiences-administration) | modified |
+| 2/4/2021 | [Microsoft Viva Topics topic discovery and curation ](/microsoft-365/knowledge/topic-experiences-discovery-curation) | modified |
+| 2/4/2021 | [Manage topic discovery in Microsoft Viva Topics](/microsoft-365/knowledge/topic-experiences-discovery) | modified |
+| 2/4/2021 | [Get your environment ready for Microsoft Viva Topics](/microsoft-365/knowledge/topic-experiences-get-ready) | modified |
+| 2/4/2021 | [Manage topic visibility in Microsoft Viva Topics](/microsoft-365/knowledge/topic-experiences-knowledge-rules) | modified |
+| 2/4/2021 | [Microsoft Viva Topics overview](/microsoft-365/knowledge/topic-experiences-overview) | modified |
+| 2/4/2021 | [Microsoft Viva Topics roles](/microsoft-365/knowledge/topic-experiences-roles) | modified |
+| 2/4/2021 | [Microsoft Viva Topics security and privacy](/microsoft-365/knowledge/topic-experiences-security-privacy) | modified |
+| 2/4/2021 | [Microsoft Viva Topics security trimming](/microsoft-365/knowledge/topic-experiences-security-trimming) | modified |
+| 2/4/2021 | [Manage topic permissions in Microsoft Viva Topics](/microsoft-365/knowledge/topic-experiences-user-permissions) | modified |
+| 2/4/2021 | [Get started driving adoption of Microsoft Viva Topics](/microsoft-365/knowledge/topics-adoption-getstarted) | modified |
+| 2/4/2021 | [Case study - Contoso quickly configures an offensive language policy for Microsoft Teams, Exchange, and Yammer communications](/microsoft-365/compliance/communication-compliance-case-study?view=o365-21vianet) | modified |
+| 2/4/2021 | [Get started with communication compliance](/microsoft-365/compliance/communication-compliance-configure?view=o365-21vianet) | modified |
+| 2/4/2021 | [Communication compliance feature reference](/microsoft-365/compliance/communication-compliance-feature-reference?view=o365-21vianet) | modified |
+| 2/4/2021 | [Investigate and remediate communication compliance alerts](/microsoft-365/compliance/communication-compliance-investigate-remediate?view=o365-21vianet) | modified |
+| 2/4/2021 | [Learn about communication compliance](/microsoft-365/compliance/communication-compliance?view=o365-21vianet) | modified |
+| 2/4/2021 | [Resources to help you meet regulatory requirements for information governance and records management](/microsoft-365/compliance/retention-regulatory-requirements?view=o365-21vianet) | modified |
+| 2/4/2021 | [Use sensitivity labels in Office apps](/microsoft-365/compliance/sensitivity-labels-office-apps?view=o365-21vianet) | modified |
+| 2/4/2021 | [Migration phases actions and impacts for the migration from Microsoft Cloud Deutschland (general)](/microsoft-365/enterprise/ms-cloud-germany-transition-phases?view=o365-21vianet) | modified |
+| 2/4/2021 | [Access the Admin portal](/microsoft-365/managed-desktop/get-started/access-admin-portal?view=o365-21vianet) | modified |
+| 2/4/2021 | [Device requirements](/microsoft-365/managed-desktop/service-description/device-requirements?view=o365-21vianet) | modified |
+| 2/4/2021 | [Microsoft 365 solution and architecture center # < 60 chars](/microsoft-365/solutions/index?view=o365-21vianet) | modified |
+| 2/4/2021 | [Terms of use for the Microsoft Defender for Office 365 trial](/microsoft-365/security/office-365-security/terms-of-use-defender-for-office-365-trial?view=o365-21vianet) | added |
+| 2/4/2021 | Change your payment method | removed |
+| 2/4/2021 | [Change your billing addresses](/microsoft-365/commerce/billing-and-payments/change-your-billing-addresses?view=o365-21vianet) | modified |
+| 2/4/2021 | [Manage payment methods](/microsoft-365/commerce/billing-and-payments/manage-payment-methods?view=o365-21vianet) | modified |
+| 2/4/2021 | [Paying for your subscription](/microsoft-365/commerce/billing-and-payments/pay-for-your-subscription?view=o365-21vianet) | modified |
+| 2/4/2021 | Top billing questions for Microsoft 365 for business | removed |
+| 2/4/2021 | [Fix issues found by the readiness assessment tool](/microsoft-365/managed-desktop/get-ready/readiness-assessment-fix?view=o365-21vianet) | modified |
+| 2/4/2021 | [Add users and assign licenses](/microsoft-365/admin/add-users/add-users?view=o365-21vianet) | modified |
+| 2/4/2021 | [Remove a former employee](/microsoft-365/admin/add-users/remove-former-employee?view=o365-21vianet) | modified |
+| 2/4/2021 | [Restore a user](/microsoft-365/admin/add-users/restore-user?view=o365-21vianet) | modified |
+| 2/4/2021 | [Add another email alias for a user](/microsoft-365/admin/email/add-another-email-alias-for-a-user?view=o365-21vianet) | modified |
+| 2/4/2021 | [Change your email address to use your custom domain](/microsoft-365/admin/email/change-email-address?view=o365-21vianet) | modified |
+| 2/4/2021 | [Create, edit, or delete a security group in the Microsoft 365 admin center](/microsoft-365/admin/email/create-edit-or-delete-a-security-group?view=o365-21vianet) | modified |
+| 2/4/2021 | [Buy a domain name](/microsoft-365/admin/get-help-with-domains/buy-a-domain-name?view=o365-21vianet) | modified |
+| 2/4/2021 | [Remove a domain](/microsoft-365/admin/get-help-with-domains/remove-a-domain?view=o365-21vianet) | modified |
+| 2/4/2021 | [Assign licenses to users](/microsoft-365/admin/manage/assign-licenses-to-users?view=o365-21vianet) | modified |
+| 2/4/2021 | [Change your organization's address, technical contact, and more](/microsoft-365/admin/manage/change-address-contact-and-more?view=o365-21vianet) | modified |
+| 2/4/2021 | [Add custom tiles to the app launcher](/microsoft-365/admin/manage/customize-the-app-launcher?view=o365-21vianet) | modified |
+| 2/4/2021 | [Manage add-ins in the admin center](/microsoft-365/admin/manage/manage-addins-in-the-admin-center?view=o365-21vianet) | modified |
+| 2/4/2021 | [Deploy add-ins in the admin center](/microsoft-365/admin/manage/manage-deployment-of-add-ins?view=o365-21vianet) | modified |
+| 2/4/2021 | [Set up the Standard or Targeted release options](/microsoft-365/admin/manage/release-options-in-office-365?view=o365-21vianet) | modified |
+| 2/4/2021 | [Unassign licenses from users](/microsoft-365/admin/manage/remove-licenses-from-users?view=o365-21vianet) | modified |
+| 2/4/2021 | [Resolve license conflicts](/microsoft-365/admin/manage/resolve-license-conflicts?view=o365-21vianet) | modified |
+| 2/4/2021 | [Share sites and files with guest users](/microsoft-365/admin/manage/share-sites-with-external-users?view=o365-21vianet) | modified |
+| 2/4/2021 | [Update your admin phone number and email address](/microsoft-365/admin/manage/update-phone-number-and-email-address?view=o365-21vianet) | modified |
+| 2/4/2021 | [Top 10 ways to secure Microsoft 365 for business plans](/microsoft-365/admin/security-and-compliance/secure-your-business-data?view=o365-21vianet) | modified |
+| 2/4/2021 | [Apply for a Fapiao for Office 365 operated by 21Vianet](/microsoft-365/admin/services-in-china/apply-for-a-fapiao?view=o365-21vianet) | modified |
+| 2/4/2021 | [View your bill or get a Fapiao in Office 365 operated by 21Vianet](/microsoft-365/admin/services-in-china/view-your-bill-or-get-a-fapiao?view=o365-21vianet) | modified |
+| 2/4/2021 | [Add a domain to Microsoft 365](/microsoft-365/admin/setup/add-domain?view=o365-21vianet) | modified |
+| 2/4/2021 | [Customize the reports in Microsoft 365 usage analytics](/microsoft-365/admin/usage-analytics/customize-reports?view=o365-21vianet) | modified |
+| 2/4/2021 | [Enable Microsoft 365 usage analytics](/microsoft-365/admin/usage-analytics/enable-usage-analytics?view=o365-21vianet) | modified |
+| 2/4/2021 | [Navigate and utilize the reports in Microsoft 365 usage analytics](/microsoft-365/admin/usage-analytics/navigate-and-utilize-reports?view=o365-21vianet) | modified |
+| 2/4/2021 | [Add storage space for your subscription](/microsoft-365/commerce/add-storage-space?view=o365-21vianet) | modified |
+| 2/4/2021 | [Change your billing frequency](/microsoft-365/commerce/billing-and-payments/change-payment-frequency?view=o365-21vianet) | modified |
+| 2/4/2021 | [Understand your bill or invoice](/microsoft-365/commerce/billing-and-payments/understand-your-invoice?view=o365-21vianet) | modified |
+| 2/4/2021 | [Extend your trial](/microsoft-365/commerce/extend-your-trial?view=o365-21vianet) | modified |
+| 2/4/2021 | [Manage partner relationships](/microsoft-365/commerce/manage-partners?view=o365-21vianet) | modified |
+| 2/4/2021 | [Manage software-as-a-service apps for your organization](/microsoft-365/commerce/manage-saas-apps?view=o365-21vianet) | modified |
+| 2/4/2021 | [Cancel your subscription](/microsoft-365/commerce/subscriptions/cancel-your-subscription?view=o365-21vianet) | modified |
+| 2/4/2021 | [Manage self-service purchases (Admins)](/microsoft-365/commerce/subscriptions/manage-self-service-purchases-admins?view=o365-21vianet) | modified |
+| 2/4/2021 | [Manage self-service purchases (Users)](/microsoft-365/commerce/subscriptions/manage-self-service-purchases-users?view=o365-21vianet) | modified |
+| 2/4/2021 | [Move users to a different subscription](/microsoft-365/commerce/subscriptions/move-users-different-subscription?view=o365-21vianet) | modified |
+| 2/4/2021 | [Reactivate your subscription](/microsoft-365/commerce/subscriptions/reactivate-your-subscription?view=o365-21vianet) | modified |
+| 2/4/2021 | [Renew Microsoft 365 for business](/microsoft-365/commerce/subscriptions/renew-your-subscription?view=o365-21vianet) | modified |
+| 2/4/2021 | [Upgrade to a different business plan](/microsoft-365/commerce/subscriptions/upgrade-to-different-plan?view=o365-21vianet) | modified |
+| 2/4/2021 | [Manage audit log retention policies](/microsoft-365/compliance/audit-log-retention-policies?view=o365-21vianet) | modified |
+| 2/4/2021 | [What's new in Microsoft 365 compliance](/microsoft-365/compliance/whats-new?view=o365-21vianet) | modified |
+| 2/4/2021 | [About the Microsoft Defender for Office 365 trial](/microsoft-365/security/office-365-security/about-defender-for-office-365-trial?view=o365-21vianet) | modified |
+| 2/4/2021 | [Manage which ΓÇÄOfficeΓÇÄ features appear in What's New](/microsoft-365/admin/manage/show-hide-new-features?view=o365-21vianet) | modified |
+| 2/5/2021 | [Manage which ΓÇÄOfficeΓÇÄ features appear in What's New](/microsoft-365/admin/manage/show-hide-new-features?view=o365-21vianet) | modified |
+| 2/5/2021 | [Use a QR code to sign-in to the Outlook mobile apps](/microsoft-365/admin/manage/use-qr-code-download-outlook?view=o365-21vianet) | modified |
+| 2/5/2021 | [Microsoft Compliance Configuration Analyzer for Compliance Manager](/microsoft-365/compliance/compliance-manager-mcca?view=o365-21vianet) | modified |
+| 2/5/2021 | [Fix issues found by the readiness assessment tool](/microsoft-365/managed-desktop/get-ready/readiness-assessment-fix?view=o365-21vianet) | modified |
+| 2/5/2021 | [Manage who can create Microsoft 365 Groups](/microsoft-365/solutions/manage-creation-of-groups?view=o365-21vianet) | modified |
+| 2/5/2021 | [Retirement of Relevance module in Advanced eDiscovery](/microsoft-365/compliance/relevance-module-retirement?view=o365-21vianet) | added |
+| 2/5/2021 | [Create DNS records at GoDaddy for Microsoft](/microsoft-365/admin/dns/create-dns-records-at-godaddy?view=o365-21vianet) | modified |
+| 2/5/2021 | [Get help or support](/microsoft-365/business-video/get-help-support?view=o365-worldwide) | modified |
+| 2/5/2021 | [Install Microsoft Office apps](/microsoft-365/business-video/install-office?view=o365-21vianet) | modified |
+| 2/5/2021 | [Add another email alias for a user](/microsoft-365/admin/email/add-another-email-alias-for-a-user?view=o365-21vianet) | modified |
+| 2/5/2021 | [Configure shared mailbox settings](/microsoft-365/admin/email/configure-a-shared-mailbox?view=o365-21vianet) | modified |
+| 2/5/2021 | [Buy a domain name](/microsoft-365/admin/get-help-with-domains/buy-a-domain-name?view=o365-21vianet) | modified |
+| 2/5/2021 | [Gather the information you need to create DNS records](/microsoft-365/admin/get-help-with-domains/information-for-dns-records?view=o365-21vianet) | modified |
+| 2/5/2021 | [Set up your domain (host-specific instructions)](/microsoft-365/admin/get-help-with-domains/set-up-your-domain-host-specific-instructions?view=o365-21vianet) | modified |
+| 2/5/2021 | [Transfer a domain from Microsoft to another host](/microsoft-365/admin/get-help-with-domains/transfer-a-domain-from-microsoft-to-another-host?view=o365-21vianet) | modified |
+| 2/5/2021 | [Connect your domain to Microsoft 365](/microsoft-365/admin/misc/set-up-dns-records-vsb?view=o365-21vianet) | modified |
+| 2/5/2021 | [Quick help Types of users](/microsoft-365/admin/misc/types-of-users?view=o365-21vianet) | modified |
+| 2/5/2021 | [Set up Microsoft 365 Apps for business](/microsoft-365/admin/setup/setup-apps-for-business?view=o365-21vianet) | modified |
+| 2/5/2021 | [Set up Microsoft 365 Business Basic](/microsoft-365/admin/setup/setup-business-basic?view=o365-21vianet) | modified |
+| 2/5/2021 | [Set up Microsoft 365 Business Standard](/microsoft-365/admin/setup/setup-business-standard?view=o365-21vianet) | modified |
+| 2/5/2021 | [Set up Microsoft 365 for business](/microsoft-365/admin/setup/setup?view=o365-21vianet) | modified |
+| 2/5/2021 | [Review usage reports](/microsoft-365/business-video/act-on-report?view=o365-worldwide) | modified |
+| 2/5/2021 | [Add an admin](/microsoft-365/business-video/add-admin?view=o365-worldwide) | modified |
+| 2/5/2021 | [Add a domain](/microsoft-365/business-video/add-domain?view=o365-worldwide) | modified |
+| 2/5/2021 | [Add a user to Microsoft 365 for business](/microsoft-365/business-video/add-user?view=o365-worldwide) | modified |
+| 2/5/2021 | [Microsoft 365 admin center - Overview](/microsoft-365/business-video/admin-center-overview?view=o365-worldwide) | modified |
+| 2/5/2021 | [Get the Admin mobile app](/microsoft-365/business-video/admin-mobile?view=o365-21vianet) | modified |
+| 2/5/2021 | [Turn on malware protection](/microsoft-365/business-video/anti-malware?view=o365-worldwide) | modified |
+| 2/5/2021 | [Overview of Microsoft 365 Business Voice](/microsoft-365/business-video/business-voice?view=o365-21vianet) | modified |
+| 2/5/2021 | [Buy Microsoft 365 Business Voice](/microsoft-365/business-video/buy-business-voice?view=o365-worldwide) | modified |
+| 2/5/2021 | [Buy new licenses](/microsoft-365/business-video/buy-licenses?view=o365-worldwide) | modified |
+| 2/5/2021 | [Move users to different subscriptions](/microsoft-365/business-video/change-subscription?view=o365-worldwide) | modified |
+| 2/5/2021 | [Change a user's name or email address](/microsoft-365/business-video/change-user-name-email?view=o365-worldwide) | modified |
+| 2/5/2021 | [Choose a Microsoft 365 subscription](/microsoft-365/business-video/choose-subscription?view=o365-21vianet) | modified |
+| 2/5/2021 | [Collaborate by using Outlook and Teams](/microsoft-365/business-video/collab-outlook-teams?view=o365-21vianet) | modified |
+| 2/5/2021 | [Create a company-wide signature](/microsoft-365/business-video/company-wide-signature?view=o365-worldwide) | modified |
+| 2/5/2021 | [Connect PCs to Microsoft 365 Business Premium](/microsoft-365/business-video/connect?view=o365-21vianet) | modified |
+| 2/5/2021 | [Create sensitivity labels](/microsoft-365/business-video/create-sensitivity-labels?view=o365-worldwide) | modified |
+| 2/5/2021 | [Create a website for your business](/microsoft-365/business-video/create-web-site?view=o365-21vianet) | modified |
+| 2/5/2021 | [Delete a user from Microsoft 365 for business](/microsoft-365/business-video/delete-user?view=o365-worldwide) | modified |
+| 2/5/2021 | [Employee quick setup-guide](/microsoft-365/business-video/employee-quick-setup?view=o365-worldwide) | modified |
+| 2/5/2021 | [Move your files to OneDrive](/microsoft-365/business-video/files-to-onedrive?view=o365-21vianet) | modified |
+| 2/5/2021 | [Move company files to SharePoint](/microsoft-365/business-video/files-to-sharepoint?view=o365-21vianet) | modified |
+| 2/5/2021 | [Find answers and help](/microsoft-365/business-video/find-help-answers?view=o365-worldwide) | modified |
+| 2/5/2021 | [Create a group email address](/microsoft-365/business-video/group-email?view=o365-21vianet) | modified |
+| 2/5/2021 | [Import and redirect email](/microsoft-365/business-video/import-email?view=o365-21vianet) | modified |
+| 2/5/2021 | [Install Office apps on Android](/microsoft-365/business-video/install-apps-android?view=o365-21vianet) | modified |
+| 2/5/2021 | [Install Office apps on iOS](/microsoft-365/business-video/install-apps-ios?view=o365-21vianet) | modified |
+| 2/5/2021 | [Join a Microsoft Teams meeting with guests](/microsoft-365/business-video/join-guest-meeting?view=o365-21vianet) | modified |
+| 2/5/2021 | [Join a team as s guest](/microsoft-365/business-video/join-team-guest?view=o365-21vianet) | modified |
+| 2/5/2021 | [Add your Google Workspace domain](/microsoft-365/business-video/moveto-microsoft-365/add-google-domain?view=o365-worldwide) | modified |
+| 2/5/2021 | [Cancel Google Workspace (and keep your domain)](/microsoft-365/business-video/moveto-microsoft-365/cancel-google?view=o365-worldwide) | modified |
+| 2/5/2021 | [Connect your domain to Microsoft 365](/microsoft-365/business-video/moveto-microsoft-365/connect-domain-tom365?view=o365-worldwide) | modified |
+| 2/5/2021 | [Migrate business email and calendar from Google Workspace](/microsoft-365/business-video/moveto-microsoft-365/migrate-email?view=o365-worldwide) | modified |
+| 2/5/2021 | [Switch from Google Workspace to Microsoft 365 for business](/microsoft-365/business-video/moveto-microsoft-365/move-from-google-workspace-overview?view=o365-worldwide) | modified |
+| 2/5/2021 | [Migrate Google files to Microsoft 365 for business ](/microsoft-365/business-video/moveto-microsoft-365/mover-migrate-files?view=o365-worldwide) | modified |
+| 2/5/2021 | [Set up Microsoft 365 for Google Workspace migration](/microsoft-365/business-video/moveto-microsoft-365/set-up-microsoft-365-forgoogle?view=o365-worldwide) | modified |
+| 2/5/2021 | [Create an org-wide team](/microsoft-365/business-video/org-wide-team?view=o365-21vianet) | modified |
+| 2/5/2021 | [Microsoft Bookings - overview](/microsoft-365/business-video/overview-bookings?view=o365-21vianet) | modified |
+| 2/5/2021 | [Share your business files - overview](/microsoft-365/business-video/overview-file-sharing?view=o365-21vianet) | modified |
+| 2/5/2021 | [Overview of Microsoft 365 Business Premium Security](/microsoft-365/business-video/overview-m365-security?view=o365-worldwide) | modified |
+| 2/5/2021 | [Online meetings overview](/microsoft-365/business-video/overview-online-meetings?view=o365-21vianet) | modified |
+| 2/5/2021 | [Plan an event with Microsoft Planner](/microsoft-365/business-video/plan-event?view=o365-21vianet) | modified |
+| 2/5/2021 | [Create email rules for ransomware](/microsoft-365/business-video/prevent-ransom-in-email?view=o365-worldwide) | modified |
+| 2/5/2021 | [Reset user passwords](/microsoft-365/business-video/reset-user-passwords?view=o365-worldwide) | modified |
+| 2/5/2021 | [Manage safe attachments](/microsoft-365/business-video/safe-attachments?view=o365-worldwide) | modified |
+| 2/5/2021 | [Manage Safe Links](/microsoft-365/business-video/safe-links?view=o365-worldwide) | modified |
+| 2/5/2021 | [Schedule a Teams meeting with guests](/microsoft-365/business-video/schedule-guest-meeting?view=o365-21vianet) | modified |
+| 2/5/2021 | [Secure Office apps on iOS](/microsoft-365/business-video/secure-office-on-ios?view=o365-worldwide) | modified |
+| 2/5/2021 | [Manage Windows 10 Pro device policies with Microsoft 365 Business Premium](/microsoft-365/business-video/secure-win-10-pro-devices?view=o365-worldwide) | modified |
+| 2/5/2021 | [Secure your Windows 10 PCs](/microsoft-365/business-video/secure-win10-pcs?view=o365-21vianet) | modified |
+| 2/5/2021 | [Securely share files outside your business](/microsoft-365/business-video/securely-share-files-externally?view=o365-21vianet) | modified |
+| 2/5/2021 | [Prevent data loss](/microsoft-365/business-video/set-up-dlp?view=o365-worldwide) | modified |
+| 2/5/2021 | [Set up multi-factor sign-in on your phone](/microsoft-365/business-video/set-up-mfa?view=o365-worldwide) | modified |
+| 2/5/2021 | [Let users reset their passwords](/microsoft-365/business-video/set-up-self-serve-password-reset?view=o365-worldwide) | modified |
+| 2/5/2021 | [Set up Microsoft 365 Business Premium subscription](/microsoft-365/business-video/set-up?view=o365-21vianet) | modified |
+| 2/5/2021 | [Set up anti-phishing protection](/microsoft-365/business-video/setup-anti-phishing?view=o365-worldwide) | modified |
+| 2/5/2021 | [Set up Outlook for email](/microsoft-365/business-video/setup-outlook?view=o365-21vianet) | modified |
+| 2/5/2021 | [Overview of Microsoft 365 Business Premium setup](/microsoft-365/business-video/setup-overview?view=o365-21vianet) | modified |
+| 2/5/2021 | [Easily share files outside your business](/microsoft-365/business-video/share-files-externally?view=o365-21vianet) | modified |
+| 2/5/2021 | [Create a shared calendar](/microsoft-365/business-video/shared-calendar?view=o365-21vianet) | modified |
+| 2/5/2021 | [Sign up for Microsoft 365 Business Premium subscription](/microsoft-365/business-video/sign-up?view=o365-21vianet) | modified |
+| 2/5/2021 | [Start and pin chats in Microsoft Teams](/microsoft-365/business-video/start-and-pin-chats?view=o365-21vianet) | modified |
+| 2/5/2021 | [Stop auto-forwarding emails](/microsoft-365/business-video/stop-email-auto-forward?view=o365-worldwide) | modified |
+| 2/5/2021 | [Where to store files in Microsoft 365 for business](/microsoft-365/business-video/store-files?view=o365-21vianet) | modified |
+| 2/5/2021 | [Create a team with guests](/microsoft-365/business-video/team-with-guests?view=o365-21vianet) | modified |
+| 2/5/2021 | [Turn on multi-factor authentication](/microsoft-365/business-video/turn-on-mfa?view=o365-worldwide) | modified |
+| 2/5/2021 | [Update your payment method](/microsoft-365/business-video/update-payment?view=o365-worldwide) | modified |
+| 2/5/2021 | [Upgrade Windows 10 Home to Windows 10 Pro](/microsoft-365/business-video/upgrade?view=o365-21vianet) | modified |
+| 2/5/2021 | [View, download, or print your bill](/microsoft-365/business-video/view-bill?view=o365-worldwide) | modified |
+| 2/5/2021 | [What is an admin in Microsoft 365 for business](/microsoft-365/business-video/what-is-admin?view=o365-21vianet) | modified |
+| 2/5/2021 | [What is Microsoft 365 Business Premium](/microsoft-365/business-video/what-is-microsoft-365?view=o365-21vianet) | modified |
+| 2/5/2021 | [Work from anywhere - overview](/microsoft-365/business-video/work-from-anywhere?view=o365-21vianet) | modified |
+| 2/5/2021 | [Migrate from Microsoft 365 Business to Microsoft 365 E3](/microsoft-365/business/migrate-from-microsoft-365-business-to-microsoft-365-enterprise?view=o365-21vianet) | modified |
+| 2/5/2021 | [Understand your bill or invoice](/microsoft-365/commerce/billing-and-payments/understand-your-invoice?view=o365-21vianet) | modified |
+| 2/5/2021 | [Case study - Contoso quickly configures an offensive language policy for Microsoft Teams, Exchange, and Yammer communications](/microsoft-365/compliance/communication-compliance-case-study?view=o365-21vianet) | modified |
+| 2/5/2021 | [Attributes for information barrier policies](/microsoft-365/compliance/information-barriers-attributes?view=o365-21vianet) | modified |
+| 2/5/2021 | [Manage information barrier policies](/microsoft-365/compliance/information-barriers-edit-segments-policies?view=o365-21vianet) | modified |
+| 2/5/2021 | [Define information barrier policies](/microsoft-365/compliance/information-barriers-policies?view=o365-21vianet) | modified |
+| 2/5/2021 | [Troubleshooting information barriers](/microsoft-365/compliance/information-barriers-troubleshooting?view=o365-21vianet) | modified |
+| 2/5/2021 | [Learn about information barriers in Microsoft 365](/microsoft-365/compliance/information-barriers?view=o365-21vianet) | modified |
+| 2/5/2021 | [Plan for insider risk management](/microsoft-365/compliance/insider-risk-management-plan?view=o365-21vianet) | modified |
+| 2/5/2021 | [Insider risk management policies](/microsoft-365/compliance/insider-risk-management-policies?view=o365-21vianet) | modified |
+| 2/5/2021 | [Insider risk management settings](/microsoft-365/compliance/insider-risk-management-settings?view=o365-21vianet) | modified |
+| 2/5/2021 | [Get started with privileged access management](/microsoft-365/compliance/privileged-access-management-configuration?view=o365-21vianet) | modified |
+| 2/5/2021 | [Learn about privileged access management](/microsoft-365/compliance/privileged-access-management-overview?view=o365-21vianet) | modified |
+| 2/5/2021 | [Use a script to add users to a hold in a Core eDiscovery case](/microsoft-365/compliance/use-a-script-to-add-users-to-a-hold-in-ediscovery?view=o365-21vianet) | modified |
+| 2/5/2021 | [Privileged access management for your Microsoft 365 for enterprise test environment](/microsoft-365/enterprise/privileged-access-microsoft-365-enterprise-dev-test-environment?view=o365-21vianet) | modified |
++ ## Week of January 25, 2021
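Review bot: Two of the added rows carry mis-decoded characters and one carries a typo that will render as-is. The two `Manage which ΓÇÄOfficeΓÇÄ features appear in What's New` rows (2/4/2021 and 2/5/2021) contain the byte sequence `ΓÇÄ`, which is a UTF-8 left-to-right mark (U+200E) read as Windows-1252; strip the marks or re-encode the row so it reads `Manage which Office features appear in What's New`. The `Join a team as s guest` row should read `as a guest` (fix the title in the source article so the generated table picks it up), and the `Migrate Google files to Microsoft 365 for business ` link text has a trailing space inside the brackets. The closing `++ ## Week of January 25, 2021` line also looks like a heading joined onto a leading `+`; confirm the heading sits on its own line in the rendered file.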
knowledge https://docs.microsoft.com/en-us/microsoft-365/knowledge/plan-topic-experiences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/plan-topic-experiences.md
@@ -29,7 +29,7 @@ Security and privacy of your data is respected, and topic experiences does not g
## Requirements
-You must be a global administrator or SharePoint administrator to access the Microsoft 365 admin center and set up Topics.
+You must be [subscribed to Viva Topics](https://www.microsoft.com/microsoft-viva/topics) and be a global administrator or SharePoint administrator to access the Microsoft 365 admin center and set up Topics.
All users who are going to use Topics require a **Topic Experiences** license. Assigning licenses is covered in [Set up Microsoft Viva Topics](set-up-topic-experiences.md).
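Review bot: The added sentence introduces a second product name: it says you must be "subscribed to Viva Topics", while the very next line says users need a **Topic Experiences** license, and nothing tells the reader how the two relate. If these are the subscription and the service plan it contains, say so in one clause, for example `All users who are going to use Topics require a **Topic Experiences** license (the service plan included in a Viva Topics subscription)`; otherwise use a single name in both paragraphs.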
knowledge https://docs.microsoft.com/en-us/microsoft-365/knowledge/set-up-topic-experiences https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/knowledge/set-up-topic-experiences.md
@@ -18,7 +18,7 @@ You can use the Microsoft 365 admin center to set up and configure [Topics](topi
It is important to plan the best way to set up and configure topics in your environment. Be sure to read [Plan for Microsoft Viva Topics](plan-topic-experiences.md) before you begin the procedures in this article.
-You must be a global administrator or SharePoint administrator to access the Microsoft 365 admin center and set up Topics.
+You must be [subscribed to Viva Topics](https://www.microsoft.com/microsoft-viva/topics) and be a global administrator or SharePoint administrator to access the Microsoft 365 admin center and set up Topics.
## Video demonstration
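Review bot: This is the same sentence added verbatim to plan-topic-experiences.md in the hunk above, and the requirement is likely to change again (the licensing wording in the next hunk already moves in a different direction); consider moving the requirement line into a shared include so the two articles cannot drift apart.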
@@ -126,7 +126,7 @@ To assign licenses:
2. Select the users that you want to license, and click **Licenses and apps**.
-3. Under **Apps**, make sure **Graph Connectors Search with Index** and **Viva Topics** are both selected.
+3. Under **Apps**, make sure **Graph Connectors Search with Index** and **Topic Experiences** are both selected.
4. Click **Save changes**.
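Review bot: This hunk renames the admin-center checkbox from **Viva Topics** to **Topic Experiences**, the opposite direction from the hunk above that adds "subscribed to Viva Topics". Confirm the label against the current **Licenses and apps** pane, and if the subscription is sold as Viva Topics while the service plan under **Apps** is labelled Topic Experiences, say that in one sentence here so readers do not look for a checkbox with the other name.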
security https://docs.microsoft.com/en-us/microsoft-365/security/includes/microsoft-defender-for-office https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/includes/microsoft-defender-for-office.md
@@ -6,3 +6,6 @@ ms.prod: m365-security
+> [!IMPORTANT]
+> The improved [Microsoft 365 security center](https://security.microsoft.com) is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office, 365 Microsoft 365 Defender, and more into the Microsoft 365 security center. [Learn what's new](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center). This topic might apply to both Microsoft Defender for Office 365 and Microsoft 365 Defender. Refer to the **Applies To** section and look for specific call outs in this article where there might be differences.
+
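Review bot: The comma in "Defender for Office, 365 Microsoft 365 Defender" is misplaced and breaks the product name; it should read "Defender for Office 365, Microsoft 365 Defender" as in the sibling include below. Also "call outs" is normally written "callouts", and "Refer to the **Applies To** section" assumes every article that pulls in this include has such a section; verify that or soften it to "where present".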
security https://docs.microsoft.com/en-us/microsoft-365/security/includes/microsoft-defender https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/includes/microsoft-defender.md
@@ -6,3 +6,6 @@ ms.prod: m365-security
+> [!IMPORTANT]
+> The improved [Microsoft 365 security center](https://security.microsoft.com) is now available in public preview. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 security center. Security teams can now manage all endpoint, email and cross product investigations, configuration and remediation without the need to navigate to separate product portals. [Learn more about what's changed](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center).
+
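Review bot: Minor style: "cross product" should be hyphenated as "cross-product", and "endpoint, email and cross-product investigations" wants the serial comma the sibling include above uses ("endpoint, email, and cross-product investigations"). The two includes also describe the same preview with different sentences; if they are meant to stay in sync, share the common first sentence through a single include.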
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-aadsignineventsbeta-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-aadsignineventsbeta-table.md
@@ -85,7 +85,7 @@ reference](https://docs.microsoft.com/windows/security/threat-protection/microso
| `ConditionalAccessPolicies` | string | Details of the conditional access policies applied to the sign-in event | | `ConditionalAccessStatus` | int | Status of the conditional access policies applied to the sign-in. Possible values are 0 (policies applied), 1 (attempt to apply policies failed), or 2 (policies not applied). | | `IPAddress` | string | IP address assigned to the endpoint and used during related network communications |
-| `CountryCode` | string | Two-letter code indicating the country where the client IP address is geolocated |
+| `Country` | string | Two-letter code indicating the country where the client IP address is geolocated |
| `State` | string | State where the sign-in occurred, if available | | `City` | string | City where the account user is located | | `Latitude` | string | The north to south coordinates of the sign-in location |
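Review bot: Renaming the column from `CountryCode` to `Country` silently breaks any saved hunting query or custom detection rule that filters on `CountryCode`, and the unchanged description still says "Two-letter code", so a reader cannot tell whether the column changed or only its name. Confirm the name against the live schema and, if it is a rename, add a line such as `Previously named CountryCode` to the description or a note under the table so existing queries can be updated. Also visible here: `City` is described as "where the account user is located" while `State` is "where the sign-in occurred"; the two should use the same reference point.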
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-aadspnsignineventsbeta-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-aadspnsignineventsbeta-table.md
@@ -63,7 +63,7 @@ reference](https://docs.microsoft.com/windows/security/threat-protection/microso
| `ResourceId` | string | Unique identifier of the resource accessed | | `ResourceTenantId` | string | Unique identifier of the tenant of the resource accessed | | `IPAddress` | string | IP address assigned to the endpoint and used during related network communications |
-| `CountryCode` | string | Two-letter code indicating the country where the client IP address is geolocated |
+| `Country` | string | Two-letter code indicating the country where the client IP address is geolocated |
| `State` | string | State where the sign-in occurred, if available | | `City` | string | City where the account user is located | | `Latitude` | string | The north to south coordinates of the sign-in location |
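Review bot: Same rename as in AADSignInEventsBeta and the same concern applies: queries and custom detections that reference `CountryCode` will stop matching after this change, and the unchanged "Two-letter code" description does not say whether this is a rename or a new column. Add a one-line note about the former name, and keep the wording of the two tables identical since they are edited in lockstep.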
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-alertevidence-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-alertevidence-table.md
@@ -54,6 +54,7 @@ For information on other tables in the advanced hunting schema, [see the advance
| `AccountDomain` | string | Domain of the account | | `AccountSid` | string | Security Identifier (SID) of the account | | `AccountObjectId` | string | Unique identifier for the account in Azure Active Directory |
+| `AccountUpn` | string | User principal name (UPN) of the account |
| `DeviceId` | string | Unique identifier for the device in the service | | `DeviceName` | string | Fully qualified domain name (FQDN) of the machine | | `LocalIP` | string | IP address assigned to the local device used during communication |
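Review bot: `AccountUpn` is inserted after `AccountObjectId` here, whereas the AppFileEvents table below lists `AccountUpn` before `AccountObjectId`; pick one order for the account columns across the schema pages so readers comparing tables see the same sequence.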
@@ -63,6 +64,9 @@ For information on other tables in the advanced hunting schema, [see the advance
| `Application` | string | Application that performed the recorded action | | `ProcessCommandLine` | string | Command line used to create the new process | | `AdditionalFields` | string | Additional information about the event in JSON array format |
+| `RegistryKey` |string | Registry key that the recorded action was applied to |
+| `RegistryValueName` |string | Name of the registry value that the recorded action was applied to |
+| `RegistryValueData` |string | Data of the registry value that the recorded action was applied to |
## Related topics - [Advanced hunting overview](advanced-hunting-overview.md)
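Review bot: The three new registry rows use `|string |` where every other row on this page uses `| string |`; add the space after the leading pipe so the type column renders consistently and the source stays aligned. The descriptions themselves are fine; if `RegistryValueData` can carry binary or very large values, say how it is encoded, since that determines how string matching on it behaves in queries.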
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-appfileevents-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-appfileevents-table.md
@@ -49,6 +49,7 @@ For information on other tables in the advanced hunting schema, [see the advance
| `Protocol` | string | Network protocol used | | `AccountName` | string | User name of the account | | `AccountDomain` | string | Domain of the account |
+| `AccountSid` | string | Security Identifier (SID) of the account |
| `AccountUpn` | string | User principal name (UPN) of the account | | `AccountObjectId` | string | Unique identifier for the account in Azure AD | | `AccountDisplayName` | string | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname. |
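Review bot: The context line for `AccountDisplayName` says "a middle initiation", which should be "a middle initial"; since this hunk touches the adjacent row, fix the typo in the same change. The added `AccountSid` row itself matches the wording used in the other tables.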
@@ -56,8 +57,10 @@ For information on other tables in the advanced hunting schema, [see the advance
| `DeviceType` | string | Type of device | | `OSPlatform` | string | Platform of the operating system running on the device. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | | `IPAddress` | string | IP address assigned to the endpoint and used during related network communications |
+| `Port` | string | TCP port used during communication |
| `DestinationDeviceName` | string | Name of the device running the server application that processed the recorded action | | `DestinationIPAddress` | string | IP address of the device running the server application that processed the recorded action |
+| `DestinationPort` | string | Destination port of related network communications |
| `Location` | string | City, country, or other geographic location associated with the event | | `Isp` | string | Internet service provider (ISP) associated with the endpoint IP address | | `ReportId` | long | Unique identifier for the event |
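Review bot: `Port` is described as "TCP port used during communication" without saying which side, while `DestinationPort` names the destination; reword it to "Source port used during communication" or whatever it actually holds, so the pair is unambiguous. Both are typed `string` although ports are numeric and the other numeric columns on this page (`ReportId` long, `ConditionalAccessStatus` int) use numeric types; confirm the type against the schema, because a string port forces `toint()` conversions in comparisons and range filters.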
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-deviceevents-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-deviceevents-table.md
@@ -71,6 +71,8 @@ For information on other tables in the advanced hunting schema, [see the advance
| `FileOriginUrl` | string | URL where the file was downloaded from | | `FileOriginIP` | string | IP address where the file was downloaded from | | `AdditionalFields` | string | Additional information about the event in JSON array format |
+| `InitiatingProcessFileSize` | long | Size of the file that ran the process responsible for the event |
+| `FileSize` | long | Size of the file in bytes |
| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event | | `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated ΓÇö use the SHA1 column when available. | | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
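Review bot: `InitiatingProcessFileSize` is described without a unit while the row directly below it says "Size of the file in bytes"; give both rows the same unit wording. The unchanged context line for `InitiatingProcessSHA256` contains `ΓÇö`, a UTF-8 em dash read as Windows-1252; since the file is being edited anyway, replace it with a plain dash so it renders correctly.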
@@ -85,6 +87,8 @@ For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountUpn` | string | User principal name (UPN) of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountObjectId` | string | Azure AD object ID of the user account that ran the process responsible for the event |
| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-devicefileevents-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-devicefileevents-table.md
@@ -51,9 +51,13 @@ For information on other tables in the advanced hunting schema, [see the advance
| `FileOriginUrl` | string | URL where the file was downloaded from | | `FileOriginReferrerUrl` | string | URL of the web page that links to the downloaded file | | `FileOriginIP` | string | IP address where the file was downloaded from |
+| `PreviousFolderPath` | string | Original folder containing the file before the recorded action was applied |
+| `PreviousFileName` | string | Original name of the file that was renamed as a result of the action |
+| `FileSize` | long | Size of the file in bytes |
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountUpn` | string | User principal name (UPN) of the account that ran the process responsible for the event |
| `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event | | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event | | `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated ΓÇö use the SHA1 column when available. |
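Review bot: Same unit and encoding issues as in DeviceEvents: `FileSize` says "in bytes" while `InitiatingProcessFileSize` (added in the next hunk of this file) does not, and the `InitiatingProcessSHA256` context line here carries the same mis-decoded `ΓÇö`. Also `PreviousFileName` says "renamed as a result of the action" while `PreviousFolderPath` says "before the recorded action was applied"; align the two since they describe the same move or rename case.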
@@ -74,8 +78,10 @@ For information on other tables in the advanced hunting schema, [see the advance
| `RequestAccountName` | string | User name of account used to remotely initiate the activity | | `RequestAccountDomain` | string | Domain of the account used to remotely initiate the activity | | `RequestAccountSid` | string | Security Identifier (SID) of the account used to remotely initiate the activity |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
| `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+| `AdditionalFields` | string | Additional information about the entity or event |
+| `InitiatingProcessFileSize` | long | Size of the file that ran the process responsible for the event |
| `SensitivityLabel` | string | Label applied to an email, file, or other content to classify it for information protection | | `SensitivitySubLabel` | string | Sublabel applied to an email, file, or other content to classify it for information protection; sensitivity sublabels are grouped under sensitivity labels but are treated independently | | `IsAzureInfoProtectionApplied` | boolean | Indicates whether the file is encrypted by Azure Information Protection |
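Review bot: The only change to the `ReportId` row is a trailing period, which makes it the one description on this page that ends with a full stop; either drop it or apply periods across the whole table. `AdditionalFields` is described here as "Additional information about the entity or event", but the same column in AlertEvidence and DeviceEvents above says "in JSON array format"; use the same wording unless the format genuinely differs. `InitiatingProcessFileSize` again lacks the "in bytes" unit that `FileSize` carries.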
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-deviceimageloadevents-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-deviceimageloadevents-table.md
@@ -53,6 +53,8 @@ For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountUpn` | string | User principal name (UPN) of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountObjectId` | string | Azure AD object ID of the user account that ran the process responsible for the event |
| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
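Review bot: `InitiatingProcessAccountObjectId` is described as "Azure AD object ID of the user account", while `AccountObjectId` in the DeviceProcessEvents hunk of the same commit says "Unique identifier for the account in Azure AD"; pick one phrasing for all tables. Consider also stating whether `InitiatingProcessAccountUpn` and `InitiatingProcessAccountObjectId` are empty for accounts that are not in Azure AD (local accounts), since readers will filter on them.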
@@ -68,6 +70,8 @@ For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+| `InitiatingProcessFileSize` | long | Size of the file that ran the process responsible for the event |
+| `FileSize` | long | Size of the file in bytes |
## Related topics - [Advanced hunting overview](advanced-hunting-overview.md)
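Review bot: `InitiatingProcessFileSize` has no unit while `FileSize` on the next row says "in bytes"; add "in bytes" to both. Placing the two size rows after `AppGuardContainerId` separates them from the file name and hash rows they describe; consider moving `FileSize` next to `FileName` and `InitiatingProcessFileSize` next to `InitiatingProcessFileName`, as the DeviceNetworkEvents and DeviceProcessEvents hunks do.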
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-deviceinfo-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-deviceinfo-table.md
@@ -47,9 +47,11 @@ For information on other tables in the advanced hunting schema, [see the advance
| `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7 | | `OSBuild` | string | Build version of the operating system running on the machine | | `IsAzureADJoined` | boolean | Boolean indicator of whether machine is joined to the Azure Active Directory |
+| `DeviceObjectId` | string | Unique identifier for the device in Azure AD |
| `LoggedOnUsers` | string | List of all users that are logged on the machine at the time of the event in JSON array format | | `RegistryDeviceTag` | string | Machine tag added through the registry | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
+|`AdditionalFields` | string | Additional information about the event in JSON array format |
| `OSVersion` | string | Version of the operating system running on the machine | | `MachineGroup` | string | Machine group of the machine. This group is used by role-based access control to determine access to the machine |
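Review bot: the `AdditionalFields` row is missing the space after the leading `|` that every other row in the table uses (`|\`AdditionalFields\``); normalize it so the rendered table stays aligned in the source. The new `DeviceObjectId` row says "Azure AD" while the adjacent `IsAzureADJoined` row spells out "Azure Active Directory"; be consistent within the table.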
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-devicelogonevents-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-devicelogonevents-table.md
@@ -48,6 +48,8 @@ For information on other tables in the advanced hunting schema, [see the advance
| `AccountDomain` | string | Domain of the account | | `AccountName` | string | User name of the account | | `AccountSid` | string | Security Identifier (SID) of the account |
+| `Protocol` | string | Protocol used during the communication |
+| `FailureReason` | string | Information explaining why the recorded action failed |
| `LogonType` | string | Type of logon session, specifically:<br><br> - **Interactive** - User physically interacts with the machine using the local keyboard and screen<br><br> - **Remote interactive (RDP) logons** - User interacts with the machine remotely using Remote Desktop, Terminal Services, Remote Assistance, or other RDP clients<br><br> - **Network** - Session initiated when the machine is accessed using PsExec or when shared resources on the machine, such as printers and shared folders, are accessed<br><br> - **Batch** - Session initiated by scheduled tasks<br><br> - **Service** - Session initiated by services as they start<br> | | `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | | `RemoteDeviceName` | string | Name of the machine that performed a remote operation on the affected machine. Depending on the event being reported, this name could be a fully-qualified domain name (FQDN), a NetBIOS name or a host name without domain information |
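Review bot: "Protocol used during the communication" for the new `Protocol` column gives the reader no idea which values to expect; the `LogonType` row in this same table enumerates its values, so list the possible protocol values (or at least examples) here as well. For `FailureReason`, say whether the column is empty for successful logons, if that is the case, because hunting queries will typically filter on it being non-empty.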
@@ -55,9 +57,12 @@ For information on other tables in the advanced hunting schema, [see the advance
| `RemoteIPType` | string | Type of IP address, for example Public, Private, Reserved, Loopback, Teredo, FourToSixMapping, and Broadcast | | `RemotePort` | int | TCP port on the remote device that was being connected to | | `AdditionalFields` | string | Additional information about the event in JSON array format |
+| `InitiatingProcessFileSize` | long | Size of the file that ran the process responsible for the event |
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountUpn` | string | User principal name (UPN) of the account that ran the process responsible for the event |
+| ` InitiatingProcessAccountObjectId` | string | Azure AD object ID of the user account that ran the process responsible for the event |
| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | | `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event |
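Review bot: the column name on the new `InitiatingProcessAccountObjectId` row has a leading space inside the backticks (`` ` InitiatingProcessAccountObjectId` ``), which renders as a wrong name and breaks copy-paste into a query; remove the space. The same row in the DeviceImageLoadEvents hunk of this commit is written correctly.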
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-devicenetworkevents-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-devicenetworkevents-table.md
@@ -57,6 +57,7 @@ For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated ΓÇö use the SHA1 column when available. | | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event | | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
+| `InitiatingProcessFileSize` | long | Size of the file that ran the process responsible for the event |
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event | | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event | | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
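Review bot: state the unit (bytes) for `InitiatingProcessFileSize`, as the `FileSize` rows added elsewhere in this commit do; the placement next to `InitiatingProcessFileName` is right.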
@@ -67,10 +68,12 @@ For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountUpn` | string | User principal name (UPN) of the account that ran the process responsible for the event |
| `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+| `AdditionalFields` | string | Additional information about the event in JSON array format |
## Related topics - [Advanced hunting overview](advanced-hunting-overview.md)
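Review bot: this table gets `InitiatingProcessAccountUpn` but not `InitiatingProcessAccountObjectId`, unlike DeviceImageLoadEvents, DeviceLogonEvents, DeviceProcessEvents and DeviceRegistryEvents in the same commit; confirm whether the omission is intentional, since queries that join on the object ID across tables will otherwise fail for network events.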
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-deviceprocessevents-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-deviceprocessevents-table.md
@@ -53,15 +53,19 @@ For information on other tables in the advanced hunting schema, [see the advance
| `ProcessId` | int | Process ID (PID) of the newly created process | | `ProcessCommandLine` | string | Command line used to create the new process | | `ProcessIntegrityLevel` | string | Integrity level of the newly created process. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet downloaded. These integrity levels influence permissions to resources |
-| `ProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the newly created process |
+| `ProcessTokenElevation` | string | Indicates the type of token elevation applied to the newly created process. Possible values: TokenElevationTypeLimited (restricted), TokenElevationTypeDefault (standard), and TokenElevationTypeFull (elevated) |
| `ProcessCreationTime` | datetime | Date and time the process was created | | `AccountDomain` | string | Domain of the account | | `AccountName` | string | User name of the account | | `AccountSid` | string | Security Identifier (SID) of the account |
+| `AccountUpn` | string | User principal name (UPN) of the account |
+| `AccountObjectId` | string | Unique identifier for the account in Azure AD |
| `LogonId` | string | Identifier for a logon session. This identifier is unique on the same machine only between restarts | | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountUpn` | string | User principal name (UPN) of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountObjectId` | string | Azure AD object ID of the user account that ran the process responsible for the event |
| `InitiatingProcessLogonId` | string | Identifier for a logon session of the process that initiated the event. This identifier is unique on the same machine only between restarts. | | `InitiatingProcessIntegrityLevel` | string | Integrity level of the process that initiated the event. Windows assigns integrity levels to processes based on certain characteristics, such as if they were launched from an internet download. These integrity levels influence permissions to resources | | `InitiatingProcessTokenElevation` | string | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event |
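Review bot: `ProcessTokenElevation` now lists its values (TokenElevationTypeLimited, TokenElevationTypeDefault, TokenElevationTypeFull), but `InitiatingProcessTokenElevation` at the end of this hunk keeps the old "Token type indicating the presence or absence of User Access Control (UAC) privilege elevation" wording; give both rows the same value list so a reader knows the values are comparable. The `ProcessIntegrityLevel` context row also carries a pre-existing typo, "launched from an internet downloaded", worth fixing while this table is being edited.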
@@ -69,6 +73,7 @@ For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated ΓÇö use the SHA1 column when available. | | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event | | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
+| `InitiatingProcessFileSize` | long | Size of the file that ran the process responsible for the event |
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event | | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event | | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
@@ -78,6 +83,8 @@ For information on other tables in the advanced hunting schema, [see the advance
| `InitiatingProcessParentCreationTime` | datetime | Date and time when the parent of the process responsible for the event was started | | `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns | | `AppGuardContainerId` | string | Identifier for the virtualized container used by Application Guard to isolate browser activity |
+| `AdditionalFields` | string | Additional information about the event in JSON array format |
+| `FileSize` | long | Size of the file in bytes |
## Related topics - [Advanced hunting overview](advanced-hunting-overview.md)
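Review bot: "Size of the file in bytes" for `FileSize` does not say which file, and this table now also has `InitiatingProcessFileSize`; state that `FileSize` refers to the image of the newly created process (the file named by `FileName`), and consider placing it next to `FileName` rather than after `AppGuardContainerId`.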
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-deviceregistryevents-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-deviceregistryevents-table.md
@@ -47,15 +47,19 @@ For information on other tables in the advanced hunting schema, [see the advance
| `RegistryValueType` | string | Data type, such as binary or string, of the registry value that the recorded action was applied to | | `RegistryValueName` | string | Name of the registry value that the recorded action was applied to | | `RegistryValueData` | string | Data of the registry value that the recorded action was applied to |
+| `PreviousRegistryKey` | string | Original registry key of the registry value before it was modified |
| `PreviousRegistryValueName` | string | Original name of the registry value before it was modified | | `PreviousRegistryValueData` | string | Original data of the registry value before it was modified | | `InitiatingProcessAccountDomain` | string | Domain of the account that ran the process responsible for the event | | `InitiatingProcessAccountName` | string | User name of the account that ran the process responsible for the event | | `InitiatingProcessAccountSid` | string | Security Identifier (SID) of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountUpn` | string | User principal name (UPN) of the account that ran the process responsible for the event |
+| `InitiatingProcessAccountObjectId` | string | Azure AD object ID of the user account that ran the process responsible for the event |
| `InitiatingProcessSHA1` | string | SHA-1 of the process (image file) that initiated the event | | `InitiatingProcessSHA256` | string | SHA-256 of the process (image file) that initiated the event. This field is usually not populated ΓÇö use the SHA1 column when available. | | `InitiatingProcessMD5` | string | MD5 hash of the process (image file) that initiated the event | | `InitiatingProcessFileName` | string | Name of the process that initiated the event |
+| `InitiatingProcessFileSize` | long | Size of the file that ran the process responsible for the event |
| `InitiatingProcessId` | int | Process ID (PID) of the process that initiated the event | | `InitiatingProcessCommandLine` | string | Command line used to run the process that initiated the event | | `InitiatingProcessCreationTime` | datetime | Date and time when the process that initiated the event was started |
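Review bot: `PreviousRegistryKey` ("Original registry key of the registry value before it was modified") should say which action types populate it, for example key renames, since the existing `PreviousRegistryValueName` and `PreviousRegistryValueData` rows have the same gap and readers cannot tell when the column is expected to be empty. The unit (bytes) is also missing from `InitiatingProcessFileSize`.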
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md
@@ -46,8 +46,8 @@ For information on other tables in the advanced hunting schema, see [the advance
| `ConfigurationCategory` | string | Category or grouping to which the configuration belongs: Application, OS, Network, Accounts, Security controls| | `ConfigurationSubcategory` | string |Subcategory or subgrouping to which the configuration belongs. In many cases, this describes specific capabilities or features. | | `ConfigurationBenchmarks` | string | List of industry benchmarks recommending the same or similar configuration |
-| `RelatedMitreTechniques` | string | List of Mitre ATT&CK framework techniques related to the configuration |
-| `RelatedMitreTactics ` | string | List of Mitre ATT&CK framework tactics related to the configuration |
+| `Tags` | string | Labels representing various attributes used to identify or categorize a security configuration |
+| `RemediationOptions` | string | Recommended actions to reduce or address any associated risks |
## Related topics
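Review bot: removing `RelatedMitreTechniques` and `RelatedMitreTactics` from the reference without a word about it will break existing queries and custom detections that project those columns; if the columns are retired from the schema, or folded into the new `Tags` column, say so in the text (or in the table description) so readers can migrate. The removal does incidentally fix the trailing space inside the backticks of `` `RelatedMitreTactics ` ``. `RemediationOptions` should also say whether the value is free text or a fixed list, as `ConfigurationCategory` does.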
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-emailattachmentinfo-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-emailattachmentinfo-table.md
@@ -41,6 +41,8 @@ For information on other tables in the advanced hunting schema, [see the advance
| `Timestamp` | datetime | Date and time when the event was recorded | | `NetworkMessageId` | string | Unique identifier for the email, generated by Microsoft 365 | | `SenderFromAddress` | string | Sender email address in the FROM header, which is visible to email recipients on their email clients |
+| `SenderDisplayName` | string | Name of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname |
+| `SenderObjectId` | string | Unique identifier for the senderΓÇÖs account in Azure AD |
| `RecipientEmailAddress` | string | Email address of the recipient, or email address of the recipient after distribution list expansion | | `RecipientObjectId` | string | Unique identifier for the email recipient in Azure AD | | `FileName` | string | Name of the file that the recorded action was applied to |
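Review bot: moving `SenderDisplayName` and `SenderObjectId` next to `SenderFromAddress` is the right grouping; the `SenderObjectId` description uses a typographic apostrophe in "sender's" (it shows as mojibake in this view) while the rest of the table uses ASCII, so use a plain apostrophe to avoid encoding problems in localized builds.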
@@ -48,12 +50,10 @@ For information on other tables in the advanced hunting schema, [see the advance
| `SHA256` | string | SHA-256 of the file that the recorded action was applied to. This field is usually not populated ΓÇö use the SHA1 column when available. | | `MalwareFilterVerdict` | string | Verdict of the email filtering stack on whether the email contains malware: Malware, Not malware | | `MalwareDetectionMethod` | string | Method used to detect malware in the email: Antimalware engine, File reputation, Safe Attachments |
-| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
-| `SenderDisplayName` | string | Name of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname |
-| `SenderObjectId` | string | Unique identifier for the senderΓÇÖs account in Azure AD |
| `ThreatTypes` | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats | | `ThreatNames` | string | Detection name for malware or other threats found | | `DetectionMethods` | string | Methods used to detect malware, phishing, or other threats found in the email |
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
## Related topics - [Advanced hunting overview](advanced-hunting-overview.md)
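Review bot: the relocated `ReportId` row keeps the device-table wording "must be used in conjunction with the DeviceName and Timestamp columns", but no `DeviceName` column appears in this table's visible rows; for email tables the uniqueness guidance should name columns the table actually has (`NetworkMessageId` and `Timestamp`, if that is the intended key). The same wording is reused for the `ReportId` rows added to EmailEvents, EmailPostDeliveryEvents and EmailUrlInfo in this commit.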
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-emailevents-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-emailevents-table.md
@@ -26,11 +26,9 @@ ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] - **Applies to:**-- Microsoft 365 Defender-
+- Microsoft 365 Defender
The `EmailEvents` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about events involving the processing of emails on Microsoft Defender for Office 365. Use this reference to construct queries that return information from this table.
@@ -42,16 +40,18 @@ For information on other tables in the advanced hunting schema, [see the advance
| Column name | Data type | Description | |-|--|-| | `Timestamp` | datetime | Date and time when the event was recorded |
-| `EmailId` | string | Unique email and recipient identifier |
| `NetworkMessageId` | string | Unique identifier for the email, generated by Microsoft 365 | | `InternetMessageId` | string | Public-facing identifier for the email that is set by the sending email system | | `SenderMailFromAddress` | string | Sender email address in the MAIL FROM header, also known as the envelope sender or the Return-Path address | | `SenderFromAddress` | string | Sender email address in the FROM header, which is visible to email recipients on their email clients |
+| `SenderDisplayName` | string | Name of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname |
+| `SenderObjectId` | string |Unique identifier for the senderΓÇÖs account in Azure AD |
| `SenderMailFromDomain` | string | Sender domain in the MAIL FROM header, also known as the envelope sender or the Return-Path address | | `SenderFromDomain` | string | Sender domain in the FROM header, which is visible to email recipients on their email clients | | `SenderIPv4` | string | IPv4 address of the last detected mail server that relayed the message | | `SenderIPv6` | string | IPv6 address of the last detected mail server that relayed the message | | `RecipientEmailAddress` | string | Email address of the recipient, or email address of the recipient after distribution list expansion |
+| `RecipientObjectId` | string | Unique identifier for the email recipient in Azure AD |
| `Subject` | string | Subject of the email | | `EmailClusterId` | string | Identifier for the group of similar emails clustered based on heuristic analysis of their contents | | `EmailDirection` | string | Direction of the email relative to your network: Inbound, Outbound, Intra-org |
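Review bot: `EmailId` is removed from the reference without any note; since this column was documented as the unique email-and-recipient identifier, queries keyed on it will break, so the text should state whether it has been retired and which column replaces it (`NetworkMessageId` plus `RecipientEmailAddress`, if that is the intent). The new `SenderObjectId` row is also missing the space after `|` before "Unique identifier", unlike the other rows.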
@@ -61,25 +61,25 @@ For information on other tables in the advanced hunting schema, [see the advance
| `PhishDetectionMethod` | string | Method used to detect the email as a phish: Malicious URL reputation, Safe Links URL Detonation, Advanced phish filter, General phish filter, Anti-Spoof: Intra-org, Anti-spoof: external domain, Domain impersonation, User impersonation, Brand impersonation | | `MalwareFilterVerdict` | string | Verdict of the email filtering stack on whether the email contains malware: Malware, Not malware | | `MalwareDetectionMethod` | string | Method used to detect malware in the email: Antimalware engine, File reputation, Safe Attachments |
+| `ThreatTypes` | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
+| `ThreatNames` | string |Detection name for malware or other threats found |
+| `DetectionMethods` | string | Methods used to detect malware, phishing, or other threats found in the email |
+| `ConfidenceLevel` | string | List of confidence levels of any spam or phishing verdicts. For spam, this column shows the spam confidence level (SCL), indicating if the email was skipped (-1), found to be not spam (0,1), found to be spam with moderate confidence (5,6), or found to be spam with high confidence (9). For phishing, this column displays whether the confidence level is "High" or "Low". |
| `EmailAction` | string | Final action taken on the email based on filter verdict, policies, and user actions: Move message to junk mail folder, Add X-header, Modify subject, Redirect message, Delete message, send to quarantine, No action taken, Bcc message | | `EmailActionPolicy` | string | Action policy that took effect: Antispam high-confidence, Antispam, Antispam bulk mail, Antispam phishing, Anti-phishing domain impersonation, Anti-phishing user impersonation, Anti-phishing spoof, Anti-phishing graph impersonation, Antimalware, Safe Attachments, Enterprise Transport Rules (ETR) | | `EmailActionPolicyGuid` | string | Unique identifier for the policy that determined the final mail action | | `AttachmentCount` | int | Number of attachments in the email | | `UrlCount` | int | Number of embedded URLs in the email | | `EmailLanguage` | string | Detected language of the email content |
+| `Connectors` | string | Custom instructions that define organizational mail flow and how the email was routed |
| `OrgLevelAction` | string | Action taken on the email in response to matches to a policy defined at the organizational level | | `OrgLevelPolicy` | string | Organizational policy that triggered the action taken on the email | | `UserLevelAction` | string | Action taken on the email in response to matches to a mailbox policy defined by the recipient | | `UserLevelPolicy` | string | End-user mailbox policy that triggered the action taken on the email |
-| `Connectors` | string | Custom instructions that define organizational mail flow and how the email was routed |
-| `SenderDisplayName` | string | Name of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname |
-| `SenderObjectId` | string |Unique identifier for the senderΓÇÖs account in Azure AD |
-| `ThreatTypes` | string | Verdict from the email filtering stack on whether the email contains malware, phishing, or other threats |
-| `ThreatNames` | string |Detection name for malware or other threats found |
-| `DetectionMethods` | string | Methods used to detect malware, phishing, or other threats found in the email |
-
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
## Related topics+ - [Advanced hunting overview](advanced-hunting-overview.md) - [Learn the query language](advanced-hunting-query-language.md) - [Use shared queries](advanced-hunting-shared-queries.md)
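Review bot: the new `ReportId` row tells readers to combine it with "the DeviceName and Timestamp columns", but `EmailEvents` has no `DeviceName` column among the rows shown; name the columns this table actually uses for uniqueness. The moved `ThreatNames` row is missing the space after `|` before "Detection name", and the relocated `SenderObjectId` row still has the same missing space before "Unique identifier". Reordering the Threat*/Connectors rows next to the verdict and policy rows they belong to is otherwise a good change.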
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-emailpostdeliveryevents-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-emailpostdeliveryevents-table.md
@@ -40,7 +40,6 @@ To get more information about individual email messages, you can also use the [`
| Column name | Data type | Description | |-|--|-| | `Timestamp` | datetime | Date and time when the event was recorded |
-| `EventId` | string | Unique identifier for the event |
| `NetworkMessageId` | string | Unique identifier for the email, generated by Microsoft 365 | | `InternetMessageId` | string | Public-facing identifier for the email that is set by the sending email system | | `Action` | string | Action taken on the entity |
@@ -49,6 +48,7 @@ To get more information about individual email messages, you can also use the [`
| `ActionResult` | string | Result of the action | | `RecipientEmailAddress` | string | Email address of the recipient, or email address of the recipient after distribution list expansion | | `DeliveryLocation` | string | Location where the email was delivered: Inbox/Folder, On-premises/External, Junk, Quarantine, Failed, Dropped, Deleted items |
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns. |
## Supported event types This table captures events with the following `ActionType` values:
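Review bot: `EventId` is dropped in the previous hunk and `ReportId` is added here without saying that one replaces the other; readers with saved queries or detections on `EventId` need a sentence on the change and on how to obtain a unique key now. The `ReportId` description also refers to `DeviceName`, which is not a column of this table as far as the visible rows show; point to `NetworkMessageId`/`RecipientEmailAddress` and `Timestamp` instead, if those are the intended key.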
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-emailurlinfo-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-emailurlinfo-table.md
@@ -30,16 +30,17 @@ ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
-The `EmailUrlInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about URLs on emails and attachments processed by Microsoft Defender for Office 365. Use this reference to construct queries that return information from this table.
+The `EmailUrlInfo` table in the [advanced hunting](advanced-hunting-overview.md) schema contains information about URLs on emails and attachments processed by Microsoft Defender for Office 365. Use this reference to construct queries that return information from this table.
For information on other tables in the advanced hunting schema, [see the advanced hunting reference](advanced-hunting-schema-tables.md). | Column name | Data type | Description | |-|--|-| | `Timestamp` | datetime | Date and time when the event was recorded |
-| `UrlId` | string | Unique identifier for the URL in the email subject, body, or attachment |
| `NetworkMessageId` | string | Unique identifier for the email, generated by Microsoft 365 | | `Url` | string | Full URL in the email subject, body, or attachment |
+| `UrlDomain` | string | Domain name or host name of the URL |
+| `ReportId` | long | Event identifier based on a repeating counter. To identify unique events, this column must be used in conjunction with the DeviceName and Timestamp columns |
## Related topics - [Advanced hunting overview](advanced-hunting-overview.md)
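Review bot: `UrlId` is removed without explanation while `UrlDomain` and `ReportId` are added; if `ReportId` is meant to replace `UrlId` as the per-URL identifier, say so, because existing queries that deduplicate on `UrlId` will break. The new `ReportId` row lacks the trailing period that the same row carries in the other email tables, and its "DeviceName and Timestamp" guidance names a column this table does not have. The first `-`/`+` pair of the hunk appears to be a whitespace-only change to the intro sentence; fine, but worth confirming it was intentional.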
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-identitylogonevents-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-identitylogonevents-table.md
@@ -58,8 +58,10 @@ For information on other tables in the advanced hunting schema, [see the advance
| `DeviceType` | string | Type of device | | `OSPlatform` | string | Platform of the operating system running on the machine. This indicates specific operating systems, including variations within the same family, such as Windows 10 and Windows 7. | | `IPAddress` | string | IP address assigned to the endpoint and used during related network communications |
+| `Port` | string | TCP port used during communication |
| `DestinationDeviceName` | string | Name of the device running the server application that processed the recorded action | | `DestinationIPAddress` | string | IP address of the device running the server application that processed the recorded action |
+| `DestinationPort` | string | Destination port of related network communications |
| `TargetDeviceName` | string | Fully qualified domain name (FQDN) of the device that the recorded action was applied to | | `TargetAccountDisplayName` | string | Display name of the account that the recorded action was applied to | | `Location` | string | City, country, or other geographic location associated with the event |
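Review bot: `Port` and `DestinationPort` are typed `string` here, while `RemotePort` in the DeviceLogonEvents table is `int`; confirm the type, since string ports cannot be compared numerically in a query. "TCP port used during communication" also does not say whose port `Port` is; state that it is the source port on the endpoint identified by `IPAddress` (if so), so it is not confused with `DestinationPort`.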
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-identityqueryevents-table https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-identityqueryevents-table.md
@@ -54,8 +54,10 @@ For information on other tables in the advanced hunting schema, [see the advance
| `AccountDisplayName` | string | Name of the account user displayed in the address book. Typically a combination of a given or first name, a middle initiation, and a last name or surname. | | `DeviceName` | string | Fully qualified domain name (FQDN) of the endpoint | | `IPAddress` | string | IP address assigned to the endpoint and used during related network communications |
+| `Port` | string | TCP port used during communication |
| `DestinationDeviceName` | string | Name of the device running the server application that processed the recorded action | | `DestinationIPAddress` | string | IP address of the device running the server application that processed the recorded action |
+| `DestinationPort` | string | Destination port of related network communications |
| `TargetDeviceName` | string | Fully qualified domain name (FQDN) of the device that the recorded action was applied to | | `TargetAccountUpn` | string | User principal name (UPN) of the account that the recorded action was applied to | | `TargetAccountDisplayName` | string | Display name of the account that the recorded action was applied to |
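Review bot: the `Port` and `DestinationPort` rows added here should carry exactly the same descriptions as the rows of the same name added to the IdentityLogonEvents table in this change set, and both should say which endpoint the bare `Port` belongs to (the source side, the device in `IPAddress`); as written, `TCP port used during communication` leaves that open. Since the columns are `string`, either note that numeric comparisons need `toint(Port)` or a quoted literal, or type them as `int` the way the port columns in the device network tables are.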
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-migrate-from-mdatp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-migrate-from-mdatp.md
@@ -109,7 +109,66 @@ AlertInfo
| where FileName == "powershell.exe" ```
+## Migrate custom detection rules
+When Microsoft Defender for Endpoint rules are edited on Microsoft 365 Defender, they continue to function as before if the resulting query looks at device tables only.
+
+For example, alerts generated by custom detection rules that query only device tables will continue to be delivered to your SIEM and generate email notifications, depending on how youΓÇÖve configured these in Microsoft Defender for Endpoint. Any existing suppression rules in Defender for Endpoint will also continue to apply.
+
+Once you edit a Defender for Endpoint rule so that it queries identity and email tables, which are only available in Microsoft 365 Defender, the rule is automatically moved to Microsoft 365 Defender.
+
+Alerts generated by the migrated rule:
+
+- Are no longer visible in the Defender for Endpoint portal (Microsoft Defender Security Center)
+- Stop being delivered to your SIEM or generate email notifications. To work around this change, configure notifications through Microsoft 365 Defender to get the alerts. You can use the [Microsoft 365 Defender API](api-incident.md) to receive notifications for customer detection alerts or related incidents.
+- Won't be suppressed by Microsoft Defender for Endpoint suppression rules. To prevent alerts from being generated for certain users, devices, or mailboxes, modify the corresponding queries to exclude those entities explicitly.
+
+If you edit a rule this way, you will be prompted for confirmation before such changes are applied.
+
+New alerts generated by custom detection rules in Microsoft 365 Defender portal are displayed in an alert page that provides the following information:
+
+- Alert title and description
+- Impacted assets
+- Actions taken in response to the alert
+- Query results that triggered the alert
+- Information on the custom detection rule
+
+![Image of new alert page](../../media/new-alert-page.png)
+
+## Write queries without DeviceAlertEvents
+
+In the Microsoft 365 Defender schema, the `AlertInfo` and `AlertEvidence` tables are provided to accommodate the diverse set of information that accompany alerts from various sources.
+
+To get the same alert information that you used to get from the `DeviceAlertEvents` table in the Microsoft Defender for Endpoint schema, filter the `AlertInfo` table by `ServiceSource` and then join each unique ID with the `AlertEvidence` table, which provides detailed event and entity information.
+
+See the sample query below:
+
+```kusto
+AlertInfo
+| where Timestamp > ago(7d)
+| where ServiceSource == "Microsoft Defender for Endpoint"
+| join AlertEvidence on AlertId
+```
+
+This query yields many more columns than `DeviceAlertEvents` in the Microsoft Defender for Endpoint schema. To keep results manageable, use `project` to get only the columns you are interested in. The example below projects columns you might be interested in when the investigation detected PowerShell activity:
+
+```kusto
+AlertInfo
+| where Timestamp > ago(7d)
+| where ServiceSource == "Microsoft Defender for Endpoint"
+ and AttackTechniques has "powershell"
+| join AlertEvidence on AlertId
+| project Timestamp, Title, AlertId, DeviceName, FileName, ProcessCommandLine
+```
+
+If you'd like to filter for specific entities involved in the alerts, you can do so by specifying the entity type in `EntityType` and the value you would like to filter for. The following example looks for a specific IP address:
+
+```kusto
+AlertInfo
+| where Title == "Insert_your_alert_title"
+| join AlertEvidence on AlertId
+| where EntityType == "Ip" and RemoteIP == "192.88.99.01"
+```
## See also - [Turn on Microsoft 365 Defender](advanced-hunting-query-language.md)
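Review bot: the last sample query filters on `| where EntityType == "Ip" and RemoteIP == "192.88.99.01"`; this is a string comparison, so an address written with a leading zero in the last octet will not match an evidence row that stores the address as `192.88.99.1`. Drop the leading zero, or use `ipv4_is_match(RemoteIP, "192.88.99.1")` so the comparison is done on the address rather than the text. All three queries use the bare `| join AlertEvidence on AlertId`, whose default kind is `innerunique` and keeps only one left-side row per key; that is harmless here because `AlertInfo` has one row per `AlertId`, but either say so or write `join kind=inner` explicitly so readers who copy the pattern onto tables with repeated keys do not silently lose rows. Minor text fixes in the same hunk: `customer detection alerts` should read `custom detection alerts`, `youΓÇÖve` is mojibake for `you've`, and the unchanged `See also` line links the text "Turn on Microsoft 365 Defender" to advanced-hunting-query-language.md, which is a different topic.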
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/config-mtpeval https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/config-mtpeval.md
@@ -158,14 +158,14 @@ There's a PowerShell Module called the *Office 365 Advanced Threat Protection Re
![Image of_the Microsoft Defender for Identity settings page where you should turn the Microsoft Defender for Endpoint toggle on](../../media/mtp-eval-52.png)
->[!NOTE]
->Windows Defender ATP has been rebranded as Microsoft Defender for Endpoint. Rebranding changes across all of our portals are being rolled out the for consistency.
+> [!NOTE]
+> Windows Defender ATP has been rebranded as Microsoft Defender for Endpoint. Rebranding changes across all of our portals are being rolled out the for consistency.
## Configure Microsoft Cloud App Security
->[!NOTE]
->Skip this step if you've already enabled Microsoft Cloud App Security.
+> [!NOTE]
+> Skip this step if you've already enabled Microsoft Cloud App Security.
1. Navigate to [Microsoft 365 Security Center](https://security.microsoft.com/info) > **More Resources** > **Microsoft Cloud App Security**.
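Review bot: the rewritten NOTE line `> Windows Defender ATP has been rebranded as Microsoft Defender for Endpoint. Rebranding changes across all of our portals are being rolled out the for consistency.` fixes the `>` spacing but keeps the word-order error from the removed line; it should read "are being rolled out for consistency". Since the hunk already touches this line, fix the sentence in the same change.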
@@ -286,5 +286,6 @@ Congratulations! You've just created your Microsoft 365 Defender trial lab or pi
Next, you can simulate an attack and see how the cross product capabilities detect, create alerts, and automatically respond to a fileless attack on an endpoint. ## Next step
-|[Attack simulation phase](mtp-pilot-simulate.md) | Run the attack simulation for your Microsoft 365 Defender pilot environment.
-|:-|:--|
+
+- [Generate a test alert](generate-test-alert.md) - Run an attack simulation in your Microsoft 365 Defender trial lab.
+
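Review bot: the next-step link changes target from mtp-pilot-simulate.md to generate-test-alert.md, but nothing in this change set shows the old page being removed or redirected, and the sentence above the heading still promises that the reader will "simulate an attack and see how the cross product capabilities detect, create alerts, and automatically respond to a fileless attack on an endpoint"; confirm that generate-test-alert.md exists in this branch and covers that scenario, or keep the original target. The added trailing `+` blank line is whitespace at end of file and can be dropped.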
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/custom-roles https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/custom-roles.md
@@ -0,0 +1,98 @@
+
+ Title: Custom roles for role-based access control
+description: Learn how to manage custom roles in Microsoft 365 security center
+keywords: access, permissions, MTP, Microsoft Threat Protection, M365, security, MCAS, MDATP, Cloud App Security, Microsoft Defender Advanced Threat Protection, scope, scoping, RBAC, roles-based access, custom roles-based access, roles-based auth, RBAC in MDO, roles, rolegroups, permissions inheritance, fine-grained permissions
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
++
+search.appverid:
+ - MOE150
+ - MET150
+ms.technology: m365d
+
+# Custom roles in role-based access control for Microsoft 365 Defender
+++
+**Applies to:**
+
+- Microsoft 365 Defender
+
+There are two types of roles that can be used to access to Microsoft 365 Defender:
+- **Global Azure Active Directory (AD) roles**
+- **Custom roles**
+
+Access to Microsoft 365 Defender can be managed collectively by using [Global roles in Azure Active Directory (AAD)](mtp-permissions.md)
+
+If you need greater flexibility and control over access to specific product data, Microsoft 365 Defender access can also be managed with the creation of Custom roles through each respective security portal.
+
+For example, a Custom role created through Microsoft Defender for Endpoint would allow access to the relevant product data, including Endpoint data within the Microsoft 365 security center. Similarly, a Custom role created through Microsoft Defender for Office 365 would allow access to the relevant product data, including Email & collaboration data within the Microsoft 365 security center.
+
+Users with existing Custom roles may access data in the Microsoft 365 security center according to their existing workload permissions with no additional configuration required.
+
+## Create and manage custom roles
+Custom roles and permissions can be created and individually managed through each of the following security portals:
+
+- Microsoft Defender for Endpoint ΓÇô [Edit roles in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles)
+- Microsoft Defender for Office 365 ΓÇô [Permissions in the Security & Compliance Center](https://docs.microsoft.com/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center?view=o365-worldwide&preserve-view=true )
+- Microsoft Cloud App Security ΓÇô [Manage admin access](https://docs.microsoft.com/cloud-app-security/manage-admins)
+
+Each custom role created through an individual portal allows access to the data of the relevant product portal. For example, a custom role created through Microsoft Defender for Endpoint will only allow access to Defender for Endpoint data.
+
+> [!TIP]
+> Permissions and roles can also be accessed through the Microsoft 365 security center by selecting Permissions & roles from the navigation pane. Access to Microsoft Cloud App Security (MCAS) is managed through the MCAS portal and controls access to Microsoft Defender for Identity as well. See [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/manage-admins)
+
+> [!NOTE]
+> Custom roles created in Microsoft Cloud App Security have access to Microsoft Defender for Identity data as well. Users with User group admin, or App/instance admin Microsoft Cloud App Security roles are not able to access Microsoft Cloud App Security data through the Microsoft 365 security center.
+
+## Manage permissions and roles in the Microsoft 365 security center
+Permissions and roles can also be managed in the Microsoft 365 security center:
+
+1. Sign in to the Microsoft 365 security center at security.microsoft.com.
+2. In the navigation pane, select **Permissions & roles**.
+3. Under the **Permissions** header, select **Roles**.
+
+> [!NOTE]
+> This only applies to Defender for Office 365 and Defender for Endpoint. Access for other workloads must be done in their relevant portals.
++
+## Required roles and permissions
+The following table outlines the roles and permissions required to access each unified experience in each workload. Roles defined in the table below refer to custom roles in individual portals and are not connected to global roles in Azure AD, even if similarly named.
+
+> [!NOTE]
+> Incident management requires management permissions for all products that are part of the incident.
+
+| **One of the following roles are required for Microsoft 365 Defender** | **One of the following roles are required for Defender for Endpoint** | **One of the following roles are required for Defender for Office 365** | **One of the following roles are required for Cloud App Security** |
+|||||
+| Viewing investigation data: <ul><li>Alert page</li> <li>Alerts queue</li> <li>Incidents</li> <li>Incident queue</li> <li>Action center</li></ul>| View data- security operations | <ul><li>View-only Manage alerts </li> <li>Organization configuration</li><li>Audit logs</li> <li>View-only audit logs</li> <li>Security reader</li> <li>Security admin</li><li>View-only recipients</li></ul> | <ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li> <li>Global reader</li></ul> |
+| Viewing hunting data | View data- security operations | <ul><li>Security reader</li> <li>Security admin</li> <li>View-only recipients</li> | <ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li> <li>Global reader</li></ul> |
+| Managing alerts and incidents | Alerts investigation | <ul><li>Manage alerts</li> <li>Security admin</li> | <ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li></ul> |
+| Action center remediation | Active remediation actions ΓÇô security operations | Search and purge | |
+| Setting custom detections | Manage security settings |<ul><li>Manage alerts</li> <li>Security admin</li></ul> | <ul><li>Global admin</li> <li>Security admin</li> <li>Compliance admin</li> <li>Security operator</li> <li>Security reader</li> <li>Global reader</li></ul> |
+| Threat Analytics | Alerts and incidents data: <ul><li>View data- security operations</li></ul>TVM mitigations:<ul><li>View data - Threat and vulnerability management</li></ul> | Alerts and incidents data:<ul> <li>View-only Manage alerts</li> <li>Manage alerts</li> <li>Organization configuration</li><li>Audit logs</li> <li>View-only audit logs</li><li>Security reader</li> <li>Security admin</li><li>View-only recipients</li> </ul> Prevented email attempts: <ul><li>Security reader</li> <li>Security admin</li><li>View-only recipients</li> | Not available for MCAS or MDI users |
+
+For example, to view hunting data from Microsoft Defender for Endpoint, View data security operations permissions are required.
+
+Similarly, to view hunting data from Microsoft Defender for Office 365, users would require one of the following roles:
+
+- View data security operations
+- Security reader
+- Security admin
+- View-only recipients
+
+## Related topics
+- [Manage access to Microsoft 365 Defender](mtp-permissions.md)
+- [Manage admin access for MCAS](https://docs.microsoft.com/cloud-app-security/manage-admins)
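Review bot: the worked example under the table contradicts the table. For Defender for Office 365 hunting data it lists `- View data security operations`, which is a Defender for Endpoint permission that appears only in the Defender for Endpoint column, while the Defender for Office 365 cell of the `Viewing hunting data` row lists Security reader, Security admin and View-only recipients; drop that first bullet. In the table header, `**One of the following roles are required for Microsoft 365 Defender**` labels a column that actually holds the capability being accessed (Viewing investigation data, Viewing hunting data, Managing alerts and incidents, ...), so name that column "Capability" and change "roles are required" to "roles is required" in the remaining headers. The Defender for Office 365 cells of the `Viewing hunting data` and `Managing alerts and incidents` rows also open `<ul>` without a closing `</ul>`, and the `Threat Analytics` row has the same problem in its "Prevented email attempts" list.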
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/get-started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/get-started.md
@@ -0,0 +1,64 @@
+
+ Title: Get started with Microsoft 365 Defender
+
+description: Learn what steps you need to take to get started with Microsoft 365 Defender
+keywords: get started, microsoft 365 defender, turn on, onboard, deploy
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365initiative-m365-defender
+
+ms.technology: m365d
++
+# Get started with Microsoft 365 for Defender
++
+**Applies to:**
+- Microsoft 365 Defender
++
+Microsoft 365 Defender is a unified experience where you can monitor and manage security across your enterprise. With the integrated alerts across identities, endpoints, data, apps, email, and collaboration tools - investigating and responding to threats now happen in a central location.
+
+Whether you're new to the Microsoft suite of security products or familiar with individual workflows, this topic will guide you in the simple steps you need to take to get started with Microsoft 365 Defender.
+
+![Image of getting started with Microsoft 365 Defender steps](../../media/mtp/get-started-m365d.png)
+
+In general, you'll need to take the following steps to get started:
+
+- **[Step 1: Turn on Microsoft 365 Defender](mtp-enable.md)** <br>
+ You'll first need to turn on the service by making sure you have the right license in place and roles are assigned so that you can access the portal.
+
+ You'll then go through some simple settings and then you can confirm that the service is on.
+
+- **[Step 2: Deploy supported services](deploy-supported-services.md)** <br>
+ After completing the initial steps, you'll need to deploy the supported services that come with Microsoft 365 Defender. Deploying services effectively increases your visibility in the signals from assets across your network.
++
+## Key capabilities
+Turning on Microsoft 365 Defender and deploying services will give you access to the following key capabilities:
++
+| Capability | Description |
+| | |
+| Microsoft Defender for Endpoint | Endpoint protection suite built around powerful behavioral sensors, cloud analytics, and threat intelligence |
+|Microsoft Defender for Office 365 | Advanced protection for your apps and data in Office 365, including email and other collaboration tools |
+| Microsoft Defender for Identity | Defend against advanced threats, compromised identities, and malicious insiders using correlated Active Directory signals |
+| Microsoft Cloud App Security | Identify and combat cyberthreats across your Microsoft and third-party cloud services |
+++++
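Review bot: the H1 `# Get started with Microsoft 365 for Defender` misnames the product; the metadata `Title: Get started with Microsoft 365 Defender` and the rest of the body use "Microsoft 365 Defender", so the heading should match. Two wording fixes in the same file: `investigating and responding to threats now happen in a central location` should be "now happens", and `increases your visibility in the signals from assets across your network` should be "visibility into the signals".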
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/investigate-alerts https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/investigate-alerts.md
@@ -0,0 +1,110 @@
+
+ Title: Investigate alerts in Microsoft 365 Defender
+description: Investigate alerts seen across devices, users, and mailboxes.
+keywords: incidents, alerts, investigate, correlation, attack, machines, devices, users, identities, identity, mailbox, email, 365, microsoft, m365
+search.product: eADQiWindows 10XVcnh
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365initiative-m365-defender
+
+search.appverid:
+ - MOE150
+ - MET150
+ms.technology: m365d
+
+# Investigate alerts in Microsoft 365 Defender
++
+**Applies to:**
+- Microsoft 365 Defender
++
+Alerts are the basis of all incidents and indicate the occurrence of malicious or suspicious events in your environment. Alerts are typically part of a broader attack and provide pieces of clues about an incident.
+
+In Microsoft 365 Defender, related alerts are aggregated together to form incidents. Incidents will always provide the broader context of an attack, however, investigating alerts can be valuable when deeper analysis is required.
+++
+## Using alert pages in investigations
+
+From the Alerts tab of any incident page, selecting an alert brings you to the individual alert pages. An alert page is composed of three sections: affected assets, alert story, and the details pane.
+
+![Image of example alert page](../../media/new-alert-page2.png)
+
+Throughout an alert page, you can select the three-dot icon (**...**) beside any entity so you can see available actions like opening the specific asset page or doing specific remediation steps.
+
+### Analyze affected assets
+The affected assets section lists mailboxes, devices, and users affected by this alert. Selecting any of the asset cards populates the details side pane with information, including other alerts that occurred involving the assets, if any.
++
+### Trace an alert's role in the alert story
+The alert story displays all assets or entities related to the alert in a process tree view. The alert in the title is the one in focus when you first land on your selected alert's page. Assets in the alert story are expandable and clickable. They provide additional information and expedite response by allowing you to take actions right in the context of the alert page.
+
+> [!NOTE]
+> The alert story section may contain more than one alert, with additional alerts related to the same execution tree appearing before or after the alert you've selected.
+
+### View more alert information in the details pane
+
+The details pane shows the details of the selected alert at first, with details and actions related to it. If you select any of the affected assets or entities in the alert story, the details pane changes to provide contextual information and actions for the selected object.
+
+Once you've selected an entity of interest, the details pane changes to display information about the selected entity type, historic information when it's available, and options to take action on this entity directly from the alert page.
+
+### Manage alerts
+
+Once you're done investigating the alerts, you can go back to the alert you started with, mark the alert's status as Resolved and classify it as either a False alert or True alert. Classifying alerts helps tune your product to provide more true alerts and less false alerts.
+
+> [!NOTE]
+> One way of managing alerts it through the use of tags. The tagging capability for Microsoft Defender for Office 365 in incrementally being rolled out and is currently in preview. <br>
+> Currently, modified tag names are only applied to alerts created *after* the update. Alerts that were generated prior to the modification will not reflect the updated tag name.
++
+## Manage the unified alert queue
+
+Selecting Alerts under Incidents & Alerts in the Microsoft 365 security center navigation pane brings you to the unified alert queue. Alerts from different Microsoft security solutions like Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft 365 Defender appear in this section.
+
+![Image of sample alert page](../../media/unified-alert-queue.png)
+
+The Alerts queue shows a list of alerts that were flagged in your network. By default, the queue displays alerts seen in the last 30 days. The most recent alerts are shown at the top of the list helping you see the most recent alerts first.
+
+> [!NOTE]
+> At the time of launch, the unified alerts queue will only have 7 daysΓÇÖ worth of Microsoft Defender for Office 365 alerts available.
+The queue will continue to build over time. If you need to triage alerts prior to the launch of the unified alerts queue, use the alerts queue in the [Security and Compliance Center](https://protection.office.com/viewalerts).
++
+On the top navigation, you can:
+
+- Apply filters
+- Customize columns to add or remove columns
+- Export data
+
+You can also filter alerts according to different criteria:
+
+- Severity
+- Status
+- Category
+- Detection source
+- Policy
+- Impacted assets
+- First activity
+- Last activity
++
+To start an investigation on an incident, read [Investigate incidents in Microsoft 365 Defender](investigate-incidents.md)
+## See also
+
+- [Incidents overview](incidents-overview.md)
+- [Investigate incidents](investigate-incidents.md)
+- [Manage incidents](manage-incidents.md)
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/investigate-incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/investigate-incidents.md
@@ -69,7 +69,7 @@ You can view all the alerts related to the incident and other information about
![Image of the incident alerts page](../../media/incident-alerts.png)
-By default, the alerts are ordered chronologically, to allow you to first view how the attack played out over time. Clicking on each alert will lead you to the relevant alert page where you can conduct an in-depth investigation of that alert.
+By default, the alerts are ordered chronologically, to allow you to first view how the attack played out over time. Clicking on each alert will lead you to the relevant alert page where you can conduct an in-depth investigation of that alert. Learn how to use alert pages and the unified alert queue in [Investigate alerts](investigate-alerts.md)
## Devices
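Review bot: the added sentence `Learn how to use alert pages and the unified alert queue in [Investigate alerts](investigate-alerts.md)` has no terminal period, while the sentence it is appended to does; add the period so the paragraph is consistent.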
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/investigate-users https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/investigate-users.md
@@ -0,0 +1,48 @@
+
+ Title: Investigate users in Microsoft 365 security center
+description: investigate users in the Microsoft 365 security center
+keywords: security, malware, Microsoft 365, M365, security center, monitor, report, identities, data, devices, apps
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+f1.keywords:
+- NOCSH
+++ Last updated :
+audience: ITPro
+
+ - M365-security-compliance
+ - m365initiative-m365-defender
+
+search.appverid: met150
+
+ms.technology: m365d
+
+# Investigate users in Microsoft 365 security center
+++
+**Applies to:**
+
+- Microsoft 365 Defender
+
+As part of your investigation, you might find that a user has been compromised.
+
+The Microsoft 365 security center user page combines information from Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Cloud App Security (depending on what licenses you have). This page is the ideal starting place for investigating users and potential incidents.
+![User page](../../media/m3d-userpage.png)
+
+This page shows information specific to the security risk of a user. This includes a score that helps assess risk, recent events and alerts that contributed to the overall risk of the user, and more.
+
+You can access this page from multiple areas in the Microsoft 365 security center. You can access this page from a specific incident in the **Users** tab. Some alerts might include users as a specific affected asset. You can also search for users.
+
+Learn more about how to investigate users and potential risk [in this Cloud App Security tutorial](https://docs.microsoft.com/cloud-app-security/tutorial-ueba#:~:text=To%20identify%20who%20your%20riskiest,user%20page%20to%20investigate%20them).
+
+## Related topics
+
+- [Incidents overview](incidents-overview.md)
+- [Prioritize incidents](incident-queue.md)
+- [Manage incidents](manage-incidents.md)
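Review bot: the link `[in this Cloud App Security tutorial](https://docs.microsoft.com/cloud-app-security/tutorial-ueba#:~:text=To%20identify%20who%20your%20riskiest,user%20page%20to%20investigate%20them)` relies on a `#:~:text=` scroll-to-text fragment, which only some browsers honor and which stops working as soon as the quoted sentence on the target page is edited; link to the tutorial's section heading anchor instead, or to the page without a fragment. Also, the image line `![User page](../../media/m3d-userpage.png)` directly follows the paragraph above it with no blank line, so Markdown renderers fold it into that paragraph; insert a blank line before it.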
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-365-security-center-mde https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/microsoft-365-security-center-mde.md
@@ -0,0 +1,146 @@
+
+ Title: Microsoft Defender for Endpoint in the Microsoft 365 security center
+description: Learn about changes from the Microsoft Defender Security Center to the Microsoft 365 security center
+keywords: Getting started with the Microsoft 365 security center, OATP, MDATP, MDO, MDE, single pane of glass, converged portal, security portal, defender security portal
+ms.mktglfcycl: deploy
+ms.localizationpriority: medium
+f1.keywords:
+- NOCSH
+++
+audience: ITPro
+
+search.appverid:
+- MOE150
+- MET150
+
+- M365-security-compliance
+- m365initiative-m365-defender
++
+# Microsoft Defender for Endpoint in the Microsoft 365 security center
+++
+**Applies to:**
+
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Office 365](https://go.microsoft.com/fwlink/?linkid=2148715)
+
+The improved [Microsoft 365 security center](overview-security-center.md) at [https://security.microsoft.com](https://security.microsoft.com) combines security capabilities that protect, detect, investigate, and respond to email, collaboration, identity, and device threats. This security center brings together functionality from existing Microsoft security portals, including Microsoft Defender Security Center and the Office 365 Security & Compliance center.
+
+If you're familiar with the Microsoft Defender Security Center, this article helps describe some of the changes and improvements in the improved Microsoft 365 security center. However there are some new and updated elements to be aware of.
+
+Historically, the [Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/portal-overview) has been the home for Microsoft Defender for Endpoint. Enterprise security teams have used it to monitor and help responding to alerts of potential advanced persistent threat activity or data breaches. To help reduce the number of portals, the Microsoft 365 security center will be the home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure.
+
+> [!IMPORTANT]
+> What you see in the Microsoft 365 security center depends on your current subscriptions. For example, if you don't have a license for Microsoft Defender for Office 365, then the Email & Collaboration section will not be shown.
+
+Take a look at the improved Microsoft 365 security center: [https://security.microsoft.com](https://security.microsoft.com).
+
+Learn more about the benefits: [Overview of the Microsoft 365 security center](overview-security-center.md)
+
+## What's changed
+
+This table is a quick reference of the changes between the Microsoft Defender Security Center and the Microsoft 365 security center.
+
+### Alerts and actions
+
+|**Area** |**Description of change** |
+|||
+| [Incidents & alerts](incidents-overview.md) | In the Microsoft 365 security center, you can manage incidents and alerts across all of your endpoints, email, and identities. We've converged the experience to help you find related events more easily. For more information, see [Incidents Overview](incidents-overview.md). |
+| [Hunting](advanced-hunting-overview.md) | Modifying custom detection rules created in Microsoft Defender for Endpoint to include identity and email tables automatically moves them to Microsoft 365 Defender. Their corresponding alerts will also appear in Microsoft 365 Defender. For more details about these changes, read [Migrate custom detection rules](advanced-hunting-migrate-from-mdatp.md#migrate-custom-detection-rules). The `DeviceAlertEvents` table for advanced hunting isn't available in Microsoft 365 Defender. To query device-specific alert information in Microsoft 365 Defender, you can use the `AlertInfo` and `AlertEvidence` tables to accommodate even more information from a diverse set of sources. Craft your next device-related query by following [Write queries without DeviceAlertEvents](advanced-hunting-migrate-from-mdatp.md#write-queries-without-devicealertevents).|
+|[Action center](mtp-action-center.md) | Lists pending and completed actions that were taken following automated investigations and remediation actions. Formerly, the Action center in the Microsoft Defender Security Center listed pending and completed actions for remediation actions taken on devices only, while Automated investigations listed alerts and status. In the improved Microsoft 365 security center, the Action center brings together remediation actions and investigations across email, devices, and usersΓÇöall in one location. |
+| [Threat analytics](threat-analytics.md) | Moved to the top of the navigation bar for easier discovery and use. Now includes threat information for both endpoints and email and collaboration. |
+
+### Endpoints
+
+|**Area** |**Description of change** |
+|||
+|Search | Instead of being in the heading, Microsoft Defender for Endpoint search bar is moving under the Endpoints section. You can continue to search for devices, files, users, URLs, IPs, vulnerabilities, software, and recommendations. |
+|[Dashboard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard) | This is your security operations dashboard. See an overview of how many active alerts were triggered, which devices are at risk, which users are at risk, and severity level for alerts, devices, and users. You can also see if any devices have sensor issues, your overall service health, and how any unresolved alerts were detected. |
+|Device inventory | No changes. |
+|[Vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt) | Name was shortened to fit in the navigation pane. It's the same as the threat and vulnerability management section, with all the pages underneath. |
+| Partners and APIs | No changes. |
+| Evaluations & tutorials | New testing and learning capabilities. |
+| Configuration management | No changes. |
+
+> [!NOTE]
+> **Automatic investigation and remediation** is now a part of incidents. You can see Automated investigation and remediation events in the **Incident > Investigation** tab.
+
+### Access and reporting
+
+|**Area** |**Description of change** |
+|||
+| Reports | See reports for endpoints and email & collaboration, including Threat protection, Device health and compliance, and Vulnerable devices. |
+| Health | Currently links out to the "Service health" page in the [Microsoft 365 admin center](https://admin.microsoft.com/). |
+| Settings | Manage your settings for the Microsoft 365 security center, Microsoft 365 Defender, Endpoints, Email & collaboration, Identities, and Device discovery. |
+
+## Microsoft 365 security navigation and capabilities
+
+The left navigation, or quick launch bar, will look familiar. However, there are some new and updated elements in this security center.
+
+### Incidents and alerts
+
+Brings together incident and alert management across your email, devices, and identities. The alert page provides full context to the alert by combining attack signals to construct a detailed story. A new, unified experience now brings together a consistent view of alerts across workloads. You can quickly triage, investigate, and take effective action.
+
+- [Learn more about incidents](incidents-overview.md)
+- [Learn more about managing alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts)
+
+![The Alerts and Actions quick launch bar](../../media/converge-1-alerts-and-actions.png)
+
+### Hunting
+
+Proactively search for threats, malware, and malicious activity across your endpoints, Office 365 mailboxes, and more by using [advanced hunting queries](advanced-hunting-overview.md). These powerful queries can be used to locate and review threat indicators and entities for both known and potential threats.
+
+[Custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules) can be built from advanced hunting queries to help you proactively watch for events that might be indicative of breach activity and misconfigured devices.
++
+### Action center
+
+Action center shows you the investigations created by automated investigation and response capabilities. This automated, self-healing in Microsoft 365 Defender can help security teams by automatically responding to specific events.
+
+[Learn more about the Action center](mtp-action-center.md)
+
+### Threat Analytics
+
+Get threat intelligence from expert Microsoft security researchers. Threat Analytics helps security teams be more efficient when facing emerging threats. Threat Analytics includes:
+
+- Email-related detections and mitigations from Microsoft Defender for Office 365. This is in addition to the endpoint data already available from Microsoft Defender for Endpoint.
+- Incidents view related to the threats.
+- Enhanced experience for quickly identifying and using actionable information in the reports.
+
+You can access threat analytics either from the upper left navigation bar in the Microsoft 365 security center, or from a dedicated dashboard card that shows the top threats for your organization.
+
+Learn more about how to [track and respond to emerging threats with threat analytics](https://docs.microsoft.com/microsoft-365/security/mtp/threat-analytics)
+
+### Endpoints section
+
+View and manage the security of endpoints in your organization. If you've used the Microsoft Defender Security Center, it will look familiar.
+
+![The Endpoints quick launch bar](../../media/converge-2-endpoints.png)
+
+### Access and reports
+
+View reports, change your settings, and modify user roles.
+
+![The Access and Reporting quicklaunch bar](../../media/converge-4-access-and-reporting-new.png)
+
+### SIEM API connections
+
+If you use the [Defender for Endpoint SIEM API](/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md), you can continue to do so. WeΓÇÖve added new links on the API payload that point to the alert page or the incident page in the Microsoft 365 security portal. New API fields include LinkToMTP and IncidentLinkToMTP. For more information, see [Redirecting accounts from Microsoft Defender for Endpoint to the Microsoft 365 security center](/microsoft-365/security/mtp/microsoft-365-security-mde-redirection.md).
+
+### Email alerts
+
+You can continue to use email alerts for Defender for Endpoint. We've added new links in the emails that point to the alert page or the incident page in the Microsoft 365 security center. For more information, see [Redirecting accounts from Microsoft Defender for Endpoint to the Microsoft 365 security center](/microsoft-365/security/mtp/microsoft-365-security-mde-redirection.md).
+
+## Related information
+
+- [Microsoft 365 security center](overview-security-center.md)
+- [Microsoft Defender for Endpoint in the Microsoft 365 security center](microsoft-365-security-center-mde.md)
+- [Redirecting accounts from Microsoft Defender for Endpoint to the Microsoft 365 security center](microsoft-365-security-mde-redirection.md)
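Review bot: The SIEM API connections paragraph (`+If you use the [Defender for Endpoint SIEM API](...)` ... `New API fields include LinkToMTP and IncidentLinkToMTP.`) should say whether the existing LinkToWDATP and IncidentLinkToWDATP fields remain in the payload and what happens to them; the redirection page added in this same commit lists all four fields in its "SIEM API routing" table and shows the WDATP ones changing destination once redirection is on, which is exactly what a SIEM integrator needs to know before enabling the toggle, so state it here or link to that table directly. The same paragraph and the Email alerts paragraph link `/windows/security/threat-protection/microsoft-defender-atp/enable-siem-integration.md` and `/microsoft-365/security/mtp/microsoft-365-security-mde-redirection.md` with a `.md` suffix on absolute site paths, while the Related information list at the bottom links the redirection page as the relative `microsoft-365-security-mde-redirection.md` and the rest of the page uses full https URLs; use one form so the link checker can validate them. Wording fixes: `+Action center shows you the investigations created by automated investigation and response capabilities. This automated, self-healing in Microsoft 365 Defender can help ...` is missing a noun after "self-healing" (the same sentence is repeated on the Defender for Office 365 page in this commit); the Endpoints table row `+|Search | Instead of being in the heading, Microsoft Defender for Endpoint search bar is moving under the Endpoints section.` needs "the" before the product name; and the note under that table says "**Automatic investigation and remediation**" in one sentence and "Automated investigation and remediation events" in the next, so pick one name.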
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-365-security-center-mdo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/microsoft-365-security-center-mdo.md
@@ -0,0 +1,181 @@
+
+ Title: Microsoft Defender for Office 365 in the Microsoft 365 security center
+description: Learn about changes from the Office 365 Security and Compliance center to the Microsoft 365 security center.
+keywords: Microsoft 365 security, Getting started with the Microsoft 365 security center, OATP, MDATP, MDO, MDE, single pane of glass, new security portal, new defender security portal
Last updated : 02/02/2021+++
+audience: Admin
+
+localization_priority: Normal
+search.appverid:
+- MET150
+- MOE150
+
+- M365-security-compliance
+- m365initiative-m365-defender
+ms.technology: m365d
++
+# Microsoft Defender for Office 365 in the Microsoft 365 security center
+++
+**Applies to:**
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Office 365](https://go.microsoft.com/fwlink/?linkid=2148715)
+
+The improved [Microsoft 365 security center](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center) at [https://security.microsoft.com](https://security.microsoft.com) combines security capabilities from existing Microsoft security portals, including Microsoft Defender Security Center and the Office 365 Security & Compliance Center. This improved center helps security teams protect their organization from threats more effectively and efficiently.
+
+If you are familiar with the Office 365 Security and Compliance portal (protection.office.com), this article describes some of the changes and improvements in the Microsoft 365 security center.
+
+Learn more about the benefits: [Overview of the Microsoft 365 security center](overview-security-center.md)
+
+If you are looking for compliance-related items, visit the [Microsoft 365 compliance center](https://compliance.microsoft.com/homepage).
+
+## What's changed
+
+This table is a quick reference of Email & Collaboration areas where change has occurred between the **Security & Compliance center** and the **Microsoft 365 Security** portal. Click the links to read more about these areas.
+
+|**Area** |**Description of change** |
+|||
+| [Email entity page](/microsoft-365/security/office-365-security/mdo-email-entity-page) | This page **unifies** email information that had been scattered across different pages or views in the past. Investigating email for threats and trends is *centralized*. Header information and email preview are accessible through the same email page, along with other useful email-related information. Likewise, the detonation status for malicious file attachments or URLs can be found on a tab of the same page. The Email entity page empowers admins and security operations teams to understand an email threat and its status, fast, and then act quickly determine handling. |
+| [Investigation](/microsoft-365/security/office-365-security/office-365-air#changes-are-coming-soon-in-your-security-center) | Brings together AIR capabilities in [Defender for Office 365](/microsoft-365/security/office-365-security/office-365-atp) and [Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place. |
+| [Alert view](/microsoft-365/compliance/alert-policies) | The **View alerts** flyout pane in the Office Security and Compliance center now includes links to the Microsoft 365 security center. Click on the **Open Alert Page** link and the Microsoft 365 security center opens. You can access the **View alerts** page by clicking on any Office 365 alert in the Alerts queue. |
+| [Attack Simulation training](/microsoft-365/security/office-365-security/attack-simulation-training-insights) | Use Attack Simulation training to run realistic attack scenarios in your organization. These simulated attacks can help train your workforce before a real attack impacts your organization. Attack simulation training includes, more options, enhanced reports, and improved training flows help make your attack simulation and training scenarios easier to deliver and manage. |
+
+No changes to these areas:
+- [Explorer](/microsoft-365/security/office-365-security/threat-explorer)
+- [Policies & Rules](/microsoft-365/compliance/alert-policies)
+- [Campaign](/microsoft-365/security/office-365-security/campaigns)
+- [Submissions](/microsoft-365/security/office-365-security/admin-submission)
+- [Review](/microsoft-365/security/mtp/mtp-action-center)
+- [Threat Tracker](/microsoft-365/security/office-365-security/threat-trackers)
+
+Also, check the **Related Information** section at the bottom of this article.
+
+> [!IMPORTANT]
+> The Microsoft 365 Security portal (https://security.microsoft.com) combines security features in https://securitycenter.windows.com, and https://protection.office.com. However, what you see will depend on your subscription. If you only have Microsoft Defender for Office 365 Plan 1 or 2, as standalone subscriptions, for example, you won't see capabilities around Security for Endpoints and Defender for Office Plan 1 customers won't see items such as Threat Analytics.
+
+## Microsoft 365 security center Home page
+
+The Home page of the portal surfaces:
+
+- Secure Score ratings
+- the number of users and devices at risk
+- active incident lists
+- lists of privileged OAuth apps
+- device health data
+- tweets from MicrosoftΓÇÖs security intelligence twitter feed
+- and more summary information
+
+Using the **Guided tour** you can take a quick tour of Endpoint or Email & collaboration pages. Note that what you see here will depend on if you have license for Defender for Office 365 and/or Defender for Endpoint.
+
+Also included is a link to the **Office 365 Security and Compliance center** for comparison. The last link is to the **What's New** page that describes recent updates.
+
+## Improved capabilities
+
+The left navigation, or quick launch bar, will look familiar. However, there are some new and updated elements in this security center.
+
+### Incidents and alerts
+Brings together incident and alert management across your email, devices, and identities. Alerts are now available under the Investigation node, and help provide a broader view of an attack. The alert page provides full context to the alert, by combining attack signals to construct a detailed story. Previously, alerts were specific to different workloads. A new, unified experience now brings together a consistent view of alerts across workloads. You can quickly triage, investigate, and take effective action.
+
+- [Learn more about Investigations](incidents-overview.md)
+- [Learn more about managing alerts](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/review-alerts)
+
+![The Alerts and Actions quick launch bar](../../media/converge-1-alerts-and-actions.png)
++
+### Hunting
+Proactively search for threats, malware, and malicious activity across your endpoints, Office 365 mailboxes, and more by using [advanced hunting queries](advanced-hunting-overview.md). These powerful queries can be used to locate and review threat indicators and entities for both known and potential threats.
+
+[Custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules) can be built from advanced hunting queries to help you proactively watch for events that might be indicative of breach activity and misconfigured devices.
+
+### Action center
+
+Action center shows you the investigations created by automated investigation and response capabilities. This automated, self-healing in Microsoft 365 Defender can help security teams by automatically responding to specific events.
+
+[Learn more about Action Center](mtp-action-center.md)
+
+#### Threat Analytics
+Get threat intelligence from expert Microsoft security researchers. Threat Analytics helps security teams be more efficient when facing emerging threats. Threat Analytics includes:
+
+- Email-related detections and mitigations from Microsoft Defender for Office 365. This is in addition to the endpoint data already available from Microsoft Defender for Endpoint.
+- Incidents view related to the threats.
+- Enhanced experience for quickly identifying and using actionable information in the reports.
+You can access Threat analytics either from the upper left navigation bar in the Microsoft 365 security center, or from a dedicated dashboard card that shows the top threats for your organization.
+
+Learn more about how to [track and respond to emerging threats with threat analytics](https://docs.microsoft.com/microsoft-365/security/mtp/threat-analytics)
+
+### Email & collaboration
+
+Track and investigate threats to your users' email, track campaigns, and more. If you've used the Office 365 Security and Compliance center, this will be familiar.
++
+### Access and Reports
+
+View reports, change your settings, and modify user roles.
+++
+> [!NOTE]
+> For Defender for Office 365 users, you can now *manage and rotate* DomainKeys Identified Mail (DKIM) keys through the Microsoft 365 security center: https://security.microsoft.com/threatpolicy, or navigate to **Policy & rules > Threat policies > DKIM**.
+
+## Advanced Hunting example for Microsoft Defender for Office 365
+Want to get started searching for email threats using advanced hunting? Try this:
+
+The [Getting Started](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp#getting-started) section of the [Microsoft Defender for Office 365 article](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) has logical early configuration chunks that look like this:
+
+1. Configure everything with 'anti' in the name.
+- anti-malware
+- anti-phishing
+- anti-spam
+2. Set up everything with 'safe' in the name.
+- safe links
+- safe attachments
+3. Defend the workloads (ex. SharePoint Online, OneDrive, and Teams)
+4. Protect with Zero-Hour auto purge
+
+Along with a [link](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats) to jump right in and get configuration going on Day 1.
+
+The last step in **Getting Started** is protecting users with **Zero-Hour auto purge**, also known as ZAP. Knowing if your efforts to ZAP a suspicious or malicious mail, post-delivery, were successful can be very important.
+
+Quickly navigating to Kusto query language to hunt for issues is an advantage of converging these two security centers. Security teams can monitor ZAP misses by taking their next steps [here](https://security.microsoft.com/advanced-hunting), under **Hunting** > **Advanced Hunting**.
+
+1. On the Advanced Hunting page, click Query.
+1. Copy the query below into the query window.
+1. Select Run query.
++
+```kusto
+EmailPostDeliveryEvents
+| where Timestamp > ago(7d)
+//List malicious emails that were not zapped successfullyconverge-2-endpoints-new.png
+| where ActionType has "ZAP" and ActionResult == "Error"
+| project ZapTime = Timestamp, ActionType, NetworkMessageId , RecipientEmailAddress
+//Get logon activity of recipients using RecipientEmailAddress and AccountUpn
+| join kind=inner IdentityLogonEvents on $left.RecipientEmailAddress == $right.AccountUpn
+| where Timestamp between ((ZapTime-24h) .. (ZapTime+24h))
+//Show only pertinent info, such as account name, the app or service, protocol, the target device, and type of logon
+| project ZapTime, ActionType, NetworkMessageId , RecipientEmailAddress, AccountUpn,
+LogonTime = Timestamp, AccountDisplayName, Application, Protocol, DeviceName, LogonType
+```
++
+The data from this query will appear in the results panel below the query itself. Results include information like 'DeviceName', 'AccountDisplayName', and 'ZapTime' in a customizable result set. Results can also be exported for your records. If the query is one you'll need again, select **Save** > **Save As** and add the query to your list of queries, shared, or community queries.
+
+## Related information
+- [Microsoft Defender for Office 365 in the Microsoft 365 security center](microsoft-365-security-center-mdo.md)
+- [The Action center](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-action-center)
+- [Email & collaboration alerts](https://docs.microsoft.com/microsoft-365/compliance/alert-policies#default-alert-policies)
+- [Hunt for threats across devices, emails, apps, and identities](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-query-emails-devices)
+- [Custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules)
+- [Create a phishing attack simulation](https://docs.microsoft.com/microsoft-365/security/office-365-security/attack-simulation-training) and [create a payload for training your people](https://docs.microsoft.com/microsoft-365/security/office-365-security/attack-simulation-training-payloads)
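Review bot: The KQL comment in the advanced hunting example, `+//List malicious emails that were not zapped successfullyconverge-2-endpoints-new.png`, has an image filename pasted onto its end and should stop at "successfully". In the same query, `| join kind=inner IdentityLogonEvents on $left.RecipientEmailAddress == $right.AccountUpn` is a case-sensitive equality, so a recipient address recorded in a different case from the logon UPN silently drops out of the results, and the inner join also discards every failed ZAP for which no logon event lands in the window, which is the opposite of what a reader "monitoring ZAP misses" wants; consider normalising both sides with `tolower()` before the join and either stating that trade-off in the text or listing the failed ZAP rows on their own before joining to logons. The first entry under Related information, `+- [Microsoft Defender for Office 365 in the Microsoft 365 security center](microsoft-365-security-center-mdo.md)`, links this article to itself; the Defender for Endpoint page from this commit is probably what was intended. Smaller fixes: the Email entity page row ends "then act quickly determine handling" (missing "to"); the Attack Simulation training row reads "includes, more options, enhanced reports, and improved training flows help make" and needs rewording; `#### Threat Analytics` is one heading level deeper than its sibling sections and than the same section on the Defender for Endpoint page; and the sub-bullets under "1. Configure everything with 'anti' in the name." are not indented, so they will not render as nested under the numbered steps.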
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-365-security-mde-redirection https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/microsoft-365-security-mde-redirection.md
@@ -0,0 +1,111 @@
+
+ Title: Redirecting accounts from Microsoft Defender for Endpoint to the Microsoft 365 security center
+description: How to redirect accounts and sessions from the Defender for Endpoint to the Microsoft 365 security center.
+keywords: Microsoft 365 security center, Getting started with the Microsoft 365 security center, security center redirection
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+ - NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+ - M365-security-compliance
+ - m365initiative-m365-defender
+
+ms.technology: m365d
+
+# Redirecting accounts from Microsoft Defender for Endpoint to the Microsoft 365 security center
+++
+**Applies to:**
+- Microsoft 365 Defender
+- Defender for Endpoint
+
+In alignment with MicrosoftΓÇÖs cross-domain approach to threat protection with SIEM and Extended detection and response (XDR), weΓÇÖve rebranded Microsoft Defender Advanced Threat Protection as Microsoft Defender for Endpoint and unified it into a single integrated portal - the Microsoft 365 security center.
+
+This guide explains how to route accounts to the Microsoft 365 security center by enabling automatic redirection from the former Microsoft Defender for Endpoint portal (securitycenter.windows.com or securitycenter.microsoft.com), to the Microsoft 365 security center portal (security.microsoft.com).
+
+## What to expect
+Once automatic redirection is enabled, accounts accessing the former Microsoft Defender for Endpoint portal at securitycenter.windows.com or securitycenter.microsoft.com, will be automatically routed to the Microsoft 365 security center portal at security.microsoft.com.
+
+Learn more about whatΓÇÖs changed: [Microsoft Defender for Endpoint in the Microsoft 365 security center](microsoft-365-security-center-mde.md).
+
+This includes redirection for direct access to the former portal via browser, including links pointing towards the former securitycenter.windows.com portal - such as links in email notifications, and links returned by SIEM API calls.
+
+ External links from email notifications or SIEM APIs currently contain links to both portals. Once redirection is enabled, both links will point to the Microsoft 365 security center until the old link is eventually removed. We encourage you to adopt the new link pointing to the Microsoft 365 security center.
+
+Refer to the table below for more on links and routing.
+## SIEM API routing
+
+|**Property** |**Destination when redirection is OFF** |**Destination when redirection is ON** |
+||||
+| LinkToWDATP | Alert page in securitycenter.windows.com | Alert page in security.microsoft.comΓÇ» |
+| IncidentLinkToWDATP | Incident page in securitycenter.windows.com  | Incident page in security.microsoft.com  |
+| LinkToMTP | Alert page in security.microsoft.com | Alert page in security.microsoft.com  |
+| IncidentLinkToMTP | Incident page in security.microsoft.com  | Incident page in security.microsoft.com 
+
+## Email alert notifications
+
+|**Property** |**Destination when redirection is OFF** |**Destination when redirection is ON** |
+||||
+| Alert pageΓÇ» | Alert page in securitycenter.windows.comΓÇ» | Alert page in security.microsoft.comΓÇ» |
+| Incident page  |Incident page in securitycenter.windows.com  | Incident page in security.microsoft.com 
+| Alert page in security center portal | Alert page in security.microsoft.com | Alert page in security.microsoft.com |
+| Incident page in security center portal | Incident page in security.microsoft.com  | Incident page in security.microsoft.com  |
+
+## When does this take effect?
+Once enabled, this update might take effect almost immediately for some accounts. But the redirection might take longer to propagate to every account in your organization. Accounts in active sessions while this setting is applied will not be ejected from their session and will only be routed to the Microsoft 365 security center after ending their current session and signing back in again.
+
+### Set up portal redirection
+To start routing accounts to the Microsoft 365 security center:
+1. Make sure youΓÇÖre a global administrator or have security administrator permissions in Azure Active directory
+
+2. [Sign in](https://security.microsoft.com/) to the Microsoft 365 security center.
+
+3. Navigate to **Settings** > **Endpoints** > **General** > **Portal redirection** or [click here](https://security.microsoft.com/preferences2/portal_redirection).
+
+4. Toggle the Automatic redirection setting to **On**.
+
+5. Click **Enable** to apply automatic redirection to the Microsoft 365 security center portal.
+
+>[!IMPORTANT]
+>Enabling this setting will not terminate active user sessions. Accounts who are in an active session while this setting is applied will only be directed to the Microsoft 365 security center after ending their current session and signing in again.
+
+>[!NOTE]
+>You must be a global administrator or have security administrator permissions in Azure Active Directory to enable or disable this setting.
+
+## Can I go back to using the former portal?
+If something isnΓÇÖt working for you or if thereΓÇÖs anything youΓÇÖre unable to complete through the Microsoft 365 security center portal, we want to hear about it. If youΓÇÖve encountered any issues with redirection, we encourage you to let us know by using the Give feedback submission form.
+
+To revert to the former Microsoft Defender for Endpoint portal:
+
+1. [Sign in](https://security.microsoft.com/) to the Microsoft 365 security center as a global administrator or using and account with security administrator permissions in Azure Active directory.
+
+2. Navigate to **Settings** > **Endpoints** > **General** > **Portal redirection** or [open the page here](https://security.microsoft.com/preferences2/portal_redirection).
+
+3. Toggle the Automatic redirection setting to **Off**.
+
+4. Click **Disable** & share feedback when prompted.
+
+This setting can be enabled again at any time.
+
+Once disabled, accounts will no longer be routed to security.microsoft.com, and you will once again have access to the former portal - securitycenter.windows.com or securitycenter.microsoft.com.
+
+## Related information
+- [Microsoft 365 security center overview](overview-security-center.md)
+- [Microsoft Defender for Endpoint in the Microsoft 365 security center](microsoft-365-security-center-mde.md)
+- [Microsoft delivers unified SIEM and XDR to modernize security operations](https://www.microsoft.com/security/blog/?p=91813)
+- [XDR versus SIEM infographic](https://afrait.com/blog/xdr-versus-siem/)
+- [The New Defender](https://afrait.com/blog/the-new-defender/)
+- [About Microsoft 365 Defender](https://www.microsoft.com/microsoft-365/security/microsoft-365-defender)
+- [Microsoft security portals and admin centers](portals.md)
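Review bot: The two callouts in the setup procedure repeat text already on the page: the `>[!IMPORTANT]` "Enabling this setting will not terminate active user sessions..." restates the "When does this take effect?" paragraph almost word for word, and the `>[!NOTE]` "You must be a global administrator or have security administrator permissions..." restates step 1 of the same procedure; keep one copy of each. Step 1 of the revert procedure has a typo, "or using and account with security administrator permissions", which should read "an account". Two Related information entries, `+- [XDR versus SIEM infographic](https://afrait.com/blog/xdr-versus-siem/)` and `+- [The New Defender](https://afrait.com/blog/the-new-defender/)`, point to a non-Microsoft domain; confirm those are intended for an official docs page alongside the microsoft.com blog post listed just above them. Minor: the paragraph beginning " External links from email notifications or SIEM APIs..." starts with a stray leading space; the SIEM API routing and Email alert notifications tables contain stray non-ASCII space characters (rendered here as `ΓÇ»`) and two rows lack the trailing `|`; and "Azure Active directory" should be "Azure Active Directory" in both procedures.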
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-action-center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/mtp-action-center.md
@@ -8,20 +8,19 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.pagetype: security f1.keywords:
- - NOCSH
+- NOCSH
ms.localizationpriority: medium audience: ITPro
- - M365-security-compliance
- - m365initiative-m365-defender
-
+- M365-security-compliance
+- m365initiative-m365-defender
+ Previously updated : 12/09/2020 Last updated : 02/01/2021 # The Action center
@@ -32,10 +31,6 @@ ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
-Use the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) to see the results of current and past investigations across your organization's devices and mailboxes. Depending on the type of threat and resulting verdict, [remediation actions](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-remediation-actions) can occur automatically or upon approval by your organization's security operations team. All remediation actions, whether they are pending approval or were already approved, are consolidated in the Action center.
-
-![Action Center](../../media/air-actioncenter.png)
- ## A "single pane of glass" experience The Action center provides a "single pane of glass" experience for tasks, such as:
@@ -45,32 +40,54 @@ The Action center provides a "single pane of glass" experience for tasks, such a
Your security operations team can operate more effectively and efficiently, because the Action center provides a comprehensive view of Microsoft 365 Defender at work.
-## Go to the Action center
+## A new, unified Action center
-1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in.
+We are pleased to announce a new, unified Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center))!
-2. In the navigation pane, choose **Action center**.
-3. In the Action center, you'll see two tabs: **Pending** and **History**.
+The improved Action center lists pending and completed remediation actions for your devices, email & collaboration content, and identities in one location.
+- If you were previously using the Office 365 Security & Compliance Center ([https://protection.office.com](https://protection.office.com)), try the new, unified Action center in the Microsoft 365 security center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)).
+- If you were using the Action Center in the Microsoft Defender Security Center ([https://securitycenter.windows.com/action-center](https://securitycenter.windows.com/action-center)), try the new, unified Action center in the Microsoft 365 security center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)).
+- If you were already using the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), you'll see several improvements in the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)).
- - The **Pending** tab lists investigations that require review and approval by someone in your security operations team to continue. Make sure to review and take action on pending items you see here.
+The unified Action center brings together remediation actions across Defender for Endpoint and Defender for Office 365. It defines a common language for all remediation actions, and provides a unified investigation experience. The Action center provides your security operations team with a "single pane of glass" experience to view and manage remediation actions.
- - The **History** tab lists past investigations and remediation actions that were taken automatically. You can view data for the past day, week, month, or six months.
+You can use the unified Action center if you have appropriate permissions and one or more of the following subscriptions:
-4. To show only the columns you want to see, select **Customize columns**.<br/>![Action Center in Microsoft 365 Defender](../../media/mtp-action-center.png)
+- [Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)
+- [Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp)
+- [Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
-5. Select an item in the list to view more details about an investigation. The investigation details view opens.<br/>![Investigation details](../../media/mtp-air-investdetails.png)
+> [!TIP]
+> To learn more, see [Requirements](https://docs.microsoft.com/microsoft-365/security/mtp/prerequisites).
- - If the investigation pertains to email content (such as, the entity is a mailbox), investigation details open in the Security & Compliance Center ([https://protection.office.com/threatinvestigation](https://protection.office.com/threatinvestigation)).
+## Using the Action center
- - If the investigation involves a device, investigation details open in the security center ([https://security.microsoft.com](https://security.microsoft.com)).
+1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in.
+2. In the navigation pane, choose **Action center**.
-> [!TIP]
-> If you think something was missed or wrongly detected by automated investigation and response features in Microsoft 365 Defender, let us know! See [How to report false positives/negatives in automated investigation and response (AIR) capabilities in Microsoft 365 Defender](mtp-autoir-report-false-positives-negatives.md).
+When you visit the Action center, you see two tabs: Pending actions and History. The following table summarizes what you'll see on each tab:
-## Available actions
+|Tab |Description |
+|||
+|**Pending** | Displays a list of actions that require attention. You can approve or reject actions one at a time, or select multiple actions if they have the same type of action (such as Quarantine file). <p>**TIP**: Make sure to review and approve (or reject) pending actions as soon as possible so that your automated investigations can complete in a timely manner. |
+|**History** | Serves as an audit log for actions that were taken, such as: <br/>- Remediation actions that were taken as a result of automated investigations <br/>- Remediation actions that were taken on suspicious or malicious email messages, files, or URLs<br/>- Remediation actions that were approved by your security operations team <br/>- Commands that were run and remediation actions that were applied during Live Response sessions<br/>- Remediation actions that were taken by your antivirus protection <p>Provides a way to undo certain actions (see [Undo completed actions](mtp-autoir-actions.md#undo-completed-actions)). |
-As remediation actions are taken, they're listed on the **History** tab in the Action center. Such actions include the following:
+You can customize, sort, filter, and export data in the Action center.
++
+- Select a column heading to sort items in ascending or descending order.
+- Use the time period filter to view data for the past day, week, 30 days, or 6 months.
+- Choose the columns that you want to view.
+- Specify how many items to include on each page of data.
+- Use filters to view just the items you want to see.
+- Select **Export** to export results to a .csv file.
+
+## Actions tracked in the Action center
+
+All actions, whether they're pending approval or were already taken, are tracked in the Action center. Available actions include the following:
- Collect investigation package - Isolate device (this action can be undone)
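Review bot: the only pointer to false-positive reporting on this page is removed in this hunk (the TIP linking mtp-autoir-report-false-positives-negatives.md) and nothing in the new text replaces it; since the History tab row now tells operators they can undo actions, keep a one-line cross-reference next to that sentence so that "undo" and "report to Microsoft" are presented together, because undoing an action without reporting the misclassification leaves the same detection to fire again. Also, the added line consisting of a lone `+` between the "You can customize, sort, filter, and export data" paragraph and its bullet list renders as a stray plus sign; if a blank line was intended, drop the extra character.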
@@ -82,14 +99,11 @@ As remediation actions are taken, they're listed on the **History** tab in the A
- Run antivirus scan - Stop and quarantine
-> [!NOTE]
-> In addition to remediation actions that are taken automatically, your security operations team can take manual actions to address detected threats. For more information about automatic and manual remediation actions, see [Remediation actions](mtp-remediation-actions.md).
+In addition to remediation actions that are taken automatically as a result of [automated investigations](mtp-autoir.md), the Action center also tracks actions your security team has taken to address detected threats, and actions that were taken as a result of threat protection features in Microsoft 365 Defender. For more information about automatic and manual remediation actions, see [Remediation actions](mtp-remediation-actions.md).
-## Action source
+## Viewing action source details
-(**NEW!**) As you know, Microsoft 365 Defender brings together automated investigation and response capabilities across multiple services, such as [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and [Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp). The new and improved Action center now includes an **Action source** column that tells you where each remediation action came from.
-
-The following table describes possible **Action source** values:
+(**NEW!**) The improved Action center now includes an **Action source** column that tells you where each action came from. The following table describes possible **Action source** values:
| Action source value | Description | |:--|:|
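Review bot: the "(**NEW!**)" marker kept in the rewritten Action source paragraph will go stale and the page already carries a Last updated date; drop it or replace it with a dated phrase such as "Added in January 2021". Also check the committed table separator row: it appears here as `|:--|:|`, and a second column with no dashes does not render as a table in every markdown engine.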
@@ -104,18 +118,16 @@ The following table describes possible **Action source** values:
## Required permissions for Action center tasks
-To approve or reject pending actions in the Action center, you must have permissions assigned as listed in the following table:
+To perform tasks, such as approving or rejecting pending actions in the Action center, you must have permissions assigned as listed in the following table:
|Remediation action |Required roles and permissions | |--|-|
-|Microsoft Defender for Endpoint remediation (devices) |Security Administrator role assigned in either Azure Active Directory ([https://portal.azure.com](https://portal.azure.com)) or the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))<br/> or <br/>Active remediation actions role assigned in Microsoft Defender for Endpoint <br/> <br/> To learn more, see the following resources: <br/>- [Administrator role permissions in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles)<br/>- [Create and manage roles for role-based access control (Microsoft Defender for Endpoint)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles) |
-|Microsoft Defender for Office 365 remediation (Office content and email) |Security Administrator role assigned in either Azure Active Directory ([https://portal.azure.com](https://portal.azure.com)) or the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))<br/> and <br/>Search and Purge role assigned the Security & Compliance Center ([https://protection.office.com](https://protection.office.com)) <br/><br/>**IMPORTANT**: If you have the Security Administrator role assigned only in the Security & Compliance Center, you will not be able to access the Action center or Microsoft 365 Defender capabilities. You must have the Security Administrator role assigned in Azure Active Directory or the Microsoft 365 admin center. <br/><br/>To learn more, see the following resources: <br/>- [Administrator role permissions in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles)<br/>- [Permissions in the Security & Compliance Center](https://docs.microsoft.com/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center) |
-
-> [!NOTE]
-> Users who have the Global Administrator role assigned in Azure Active Directory can approve or reject any pending action in the Action center. However, as a best practice, your organization should limit the number of people who have the Global Administrator role assigned. We recommend using the Security Administrator, Active remediation actions, and Search and Purge roles listed above for Action center permissions.
+|Microsoft Defender for Endpoint remediation (devices) |**Security Administrator** role assigned in either Azure Active Directory ([https://portal.azure.com](https://portal.azure.com)) or the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))<br/> or <br/>**Active remediation actions** role assigned in Microsoft Defender for Endpoint <br/> <br/> To learn more, see the following resources: <br/>- [Administrator role permissions in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles)<br/>- [Create and manage roles for role-based access control (Microsoft Defender for Endpoint)](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/user-roles) |
+|Microsoft Defender for Office 365 remediation (Office content and email) |**Security Administrator** role assigned in either Azure Active Directory ([https://portal.azure.com](https://portal.azure.com)) or the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com))<br/> and <br/>**Search and Purge** role assigned the Security & Compliance Center ([https://protection.office.com](https://protection.office.com)) <br/><br/>**IMPORTANT**: If you have the **Security Administrator** role assigned only in the Office 365 Security & Compliance Center ([https://protection.office.com](https://protection.office.com)), you will not be able to access the Action center or Microsoft 365 Defender capabilities. You must have the **Security Administrator** role assigned in Azure Active Directory or the Microsoft 365 admin center. <br/><br/>To learn more, see the following resources: <br/>- [Administrator role permissions in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles)<br/>- [Permissions in the Security & Compliance Center](https://docs.microsoft.com/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center) |
-## Next steps
+> [!TIP]
+> Users who have the **Global Administrator** role assigned in Azure Active Directory can approve or reject any pending action in the Action center. However, as a best practice, your organization should limit the number of people who have the **Global Administrator** role assigned. We recommend using the **Security Administrator**, **Active remediation actions**, and **Search and Purge** roles listed in the preceding table for Action center permissions.
-- [Approve or reject pending actions following an automated investigation](mtp-autoir-actions.md)-- [View the results of an automated investigation](mtp-autoir-results.md)
+## Next step
+- [Review and manage remediation actions](mtp-autoir-actions.md)
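Review bot: in the Defender for Office 365 row, "**Search and Purge** role assigned the Security & Compliance Center" is missing "in" (the Endpoint row has the same phrase correctly). Demoting the Global Administrator paragraph from a NOTE to a TIP weakens what is really a least-privilege warning, and the text still does not say which of the listed grants is narrowest: of the two options in the device remediation row, the Active remediation actions role lives in Defender for Endpoint's own RBAC and is the narrower grant, whereas Security Administrator is a directory-wide admin role assigned in Azure AD or the Microsoft 365 admin center; saying so explicitly would help readers choose the least-privilege assignment rather than the broadest one that happens to work.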
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-autoir-actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/mtp-autoir-actions.md
@@ -1,6 +1,6 @@
Title: Approve or reject pending actions following an automated investigation
-description: Use the Action Center to manage actions related to automated investigation and response
+ Title: View and manage actions in the Action center
+description: Use the Action Center to view and manage remediation actions
keywords: action, center, autoair, automated, investigation, response, remediation search.appverid: met150 ms.prod: m365-security
@@ -8,23 +8,23 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.pagetype: security f1.keywords:
- - NOCSH
+- NOCSH
ms.localizationpriority: medium audience: ITPro
- - M365-security-compliance
- - m365initiative-m365-defender
-
+- M365-security-compliance
+- m365initiative-m365-defender
+ Previously updated : 12/09/2020 Last updated : 01/29/2021 ms.technology: m365d
-# Approve or reject pending actions following an automated investigation
+# View and manage actions in the Action center
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
@@ -32,35 +32,28 @@ ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
-When an automated investigation runs, it can result in one or more [remediation actions](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-remediation-actions) that require approval to proceed. For example, a cluster of email messages might need to be deleted, or a quarantined file might need to be removed. It's important to approve (or reject) pending actions as soon as possible so that your automated investigations can proceed and complete in a timely manner.
-
-> [!TIP]
-> If you think something was missed or wrongly detected by automated investigation and response features in Microsoft 365 Defender, let us know! See [How to report false positives/negatives in automated investigation and response (AIR) capabilities in Microsoft 365 Defender](mtp-autoir-report-false-positives-negatives.md).
-
-Pending actions can be reviewed and approved by using the [Action center](#review-a-pending-action-in-the-action-center) or the [investigation details view](#review-a-pending-action-in-the-investigation-details-view).
+Threat protection features in Microsoft 365 Defender can result in certain remediation actions. Here are some examples:
+- [Automated investigations](mtp-autoir.md) can result in remediation actions that are taken automatically or await approval.
+- Antivirus, antimalware, and other threat protection features can result in remediation actions, such as blocking a file, URL, or process, or sending an artifact to quarantine.
+- Your security operations team can take remediation actions manually, such as during [advanced hunting](advanced-hunting-overview.md) or while investigating [alerts](investigate-alerts.md) or [incidents](investigate-incidents.md).
> [!NOTE] > You must have [appropriate permissions](mtp-action-center.md#required-permissions-for-action-center-tasks) to approve or reject remediation actions. For more information, see [Prerequisites for automated investigation and response in Microsoft 365 Defender](mtp-configure-auto-investigation-response.md#prerequisites-for-automated-investigation-and-response-in-microsoft-365-defender).
-## Review a pending action in the Action center
-
-1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in.
-
-2. In the navigation pane, choose **Action center**.
-
-3. In the Action Center, on the **Pending** tab, select an item in the list.
-
- - If you select an item in the **Investigation number** column, the investigation details page opens. There, you can view the results of the investigation, and then either approve or reject the recommended action.
-
- - If you select a row in the list, a flyout opens, where you can view information about that item. <br/>![Approve or reject an action](../../media/air-actioncenter-itemselected.png)<br/>Use the links to view an associated alert or an investigation, and approve or reject the action.
-
-## Review a pending action in the investigation details view
+## Review pending actions in the Action center
-![Investigation details](../../media/mtp-air-investdetails.png)
+It's important to approve (or reject) pending actions as soon as possible so that your automated investigations can proceed and complete in a timely manner.
-1. On an [investigation details](mtp-autoir-results.md) page, select the **Pending actions** (or **Actions**) tab. Items that are pending approval are listed here.
+![Approve or reject an action](../../media/air-actioncenter-itemselected.png)
-2. Select an item in the list, and then choose **Approve** or **Reject**.
+1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in.
+2. In the navigation pane, choose **Action center**.
+3. In the Action Center, on the **Pending** tab, select an item in the list. Its flyout pane opens.
+4. Review the information in the flyout pane, and then take one of the following steps:
+ - Select **Open investigation page** to view more details about the investigation.
+ - Select **Approve** to initiate a pending action.
+ - Select **Reject** to prevent a pending action from being taken.
+ - Select **Go hunt** to go into [Advanced hunting](advanced-hunting-overview.md).
## Undo completed actions
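Review bot: step 3 of the new procedure ("select an item in the list. Its flyout pane opens.") drops the distinction the removed text made, namely that selecting the Investigation number column opens the investigation page rather than the flyout; if that behaviour still exists, say "select the row" or restore the caveat, otherwise readers land on a different page than the steps describe. The bullet "Select **Approve** to initiate a pending action" would also benefit from a short caveat that approval applies the action to every entity shown in the flyout, since the Undo section of this same file offers "Apply to X more instances of this file", so the scope of one approval is not always a single device or file.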
@@ -70,23 +63,25 @@ If youΓÇÖve determined that a device or a file is not a threat, you can undo rem
|:|:| | - Automated investigation <br/>- Microsoft Defender Antivirus <br/>- Manual response actions | - Isolate device <br/>- Restrict code execution <br/>- Quarantine a file <br/>- Remove a registry key <br/>- Stop a service <br/>- Disable a driver <br/>- Remove a scheduled task |
-### To undo a remediation action
+### Undo one remediation action
1. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) and sign in.- 2. On the **History** tab, select an action that you want to undo.- 3. In the pane on the right side of the screen, select **Undo**.
+### Undo multiple remediation actions
+
+1. Go to the Action center (https://security.microsoft.com/action-center) and sign in.
+2. On the **History** tab, select the actions that you want to undo. Make sure to select items that have the same Action type. A flyout pane opens.
+3. In the flyout pane, select **Undo**.
+ ### To remove a file from quarantine across multiple devices 1. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) and sign in.- 2. On the **History** tab, select a file that has the Action type **Quarantine file**.- 3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**. ## Next steps - [View the details and results of an automated investigation](mtp-autoir-results.md)-- [Handle false positives/negatives in automated investigation and response capabilities](mtp-autoir-report-false-positives-negatives.md)
+- [Learn how to handle false positives/negatives (if you get one)](mtp-autoir-report-false-positives-negatives.md)
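Review bot: in "Undo multiple remediation actions", step 1 uses a bare URL (https://security.microsoft.com/action-center) while the single-action and quarantine procedures around it use the `[url](url)` link form; make them consistent. Step 2 warns that the selected items must have the same Action type but does not say what happens if they do not, which is exactly the case the warning is about; state whether Undo is unavailable or the selection is rejected. Since the undoable actions table includes Isolate device and Restrict code execution, a sentence reminding operators that a bulk Undo restores network access or code execution on every selected device at once, so the verdict should be confirmed per device before using it, is a caveat worth adding here.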
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-autoir-report-false-positives-negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/mtp-autoir-report-false-positives-negatives.md
@@ -1,24 +1,24 @@
Title: Handle false positives or false negatives in AIR in Microsoft 365 Defender description: Was something missed or wrongly detected by AIR in Microsoft 365 Defender? Learn how to submit false positives or false negatives to Microsoft for analysis.
-keywords: automated, investigation, alert, trigger, action, remediation, false positive, false negative
+keywords: automated, investigation, alert, remediation, false positive, false negative
search.appverid: met150 ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security f1.keywords:
- - NOCSH
+- NOCSH
Previously updated : 09/16/2020 Last updated : 01/29/2021 ms.localizationpriority: medium audience: ITPro
- - M365-security-compliance
- - m365initiative-m365-defender
-
+- M365-security-compliance
+- m365initiative-m365-defender
+ ms.technology: m365d
@@ -28,19 +28,16 @@ ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] - **Applies to:** - Microsoft 365 Defender
-Did [automated investigation and response capabilities](mtp-autoir.md) in Microsoft 365 Defender miss or wrongly detect something? There are steps you can take to fix it. You can:
+False positives/negatives can occasionally occur with any threat protection solution. If [automated investigation and response capabilities](mtp-autoir.md) in Microsoft 365 Defender missed or wrongly detected something, there are steps your security operations team can take:
- [Report a false positive/negative to Microsoft](#report-a-false-positivenegative-to-microsoft-for-analysis);- - [Adjust your alerts](#adjust-an-alert-to-prevent-false-positives-from-recurring) (if needed); and - - [Undo remediation actions that were taken on devices](#undo-a-remediation-action-that-was-taken-on-a-device).
-Use this article as a guide.
+The following sections describe how to perform these tasks.
## Report a false positive/negative to Microsoft for analysis
@@ -56,31 +53,20 @@ Use this article as a guide.
|- An alert is triggered by legitimate use <br/>- An alert is inaccurate |[Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security)<br/> or <br/>[Azure Advanced Threat Detection](https://docs.microsoft.com/azure/security/fundamentals/threat-detection) |[Manage alerts in the Cloud App Security portal](https://docs.microsoft.com/cloud-app-security/managing-alerts) | |A file, IP address, URL, or domain is treated as malware on a device, even though it's safe|[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection) |[Create a custom indicator with an "Allow" action](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators) | - ## Undo a remediation action that was taken on a device
-If a remediation action was taken on a device (such as a Windows 10 device) and the item is actually not a threat, your security operations team can undo the remediation action in the [Action center](mtp-action-center.md).
-
-> [!IMPORTANT]
-> Make sure you have the [necessary permissions](mtp-action-center.md#required-permissions-for-action-center-tasks) before attempting to perform the following task.
+If a remediation action was taken on an entity (such as a device or an email message) and the affected entity is not actually a threat, your security operations team can undo the remediation action in the [Action center](mtp-action-center.md).
1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in. - 2. In the navigation pane, choose **Action center**.
+3. On the **History** tab, select an action that you want to undo. Its flyout pane opens.
+4. In the flyout pane, select **Undo**.
-3. On the **History** tab, select an action that you want to undo. This opens a flyout.<br/>
- > [!TIP]
- > Use filters to narrow down the list of results.
-
-4. In the flyout for the selected item, select **Open investigation page**.
-
-5. In the investigation details view, select the **Actions** tab.
-
-6. Select an item that has status of **Completed**, and look for a link, such as **Approved**, in the **Decisions** column. This opens a flyout with more details about the action.
-
-7. To undo the action, select **Delete remediation**.
+> [!TIP]
+> See [Undo completed actions](mtp-autoir-actions.md#undo-completed-actions).
## See also - [View the details and results of an automated investigation](mtp-autoir-results.md) - [Proactively hunt for threats with advanced hunting in Microsoft 365 Defender](advanced-hunting-overview.md)
+- [Address false positives/negatives in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/defender-endpoint-false-positives-negatives)
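Review bot: the rewritten sentence broadens the section to "an entity (such as a device or an email message)", but the section heading, unchanged context here, still reads "Undo a remediation action that was taken on a device", and the undoable actions table in mtp-autoir-actions.md in this same changeset lists only device actions (Isolate device, Restrict code execution, Quarantine a file, Remove a registry key, Stop a service, Disable a driver, Remove a scheduled task); either keep this section scoped to devices or add the email actions to that table so the two pages agree. The IMPORTANT callout pointing at the required permissions was removed without a replacement; undoing a containment action is itself a privileged operation, so keep at least the link.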
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-autoir-results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/mtp-autoir-results.md
@@ -4,38 +4,44 @@ description: During and after an automated investigation, you can view the resul
keywords: automated, investigation, results, analyze, details, remediation, autoair search.appverid: met150 ms.prod: m365-security
+ms.technology: m365d
ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security f1.keywords:
- - NOCSH
+- NOCSH
ms.localizationpriority: medium audience: ITPro
- - M365-security-compliance
- - m365initiative-m365-defender
+- M365-security-compliance
+- m365initiative-m365-defender
Previously updated : 09/16/2020 Last updated : 02/08/2021 # Details and results of an automated investigation [!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] - **Applies to:** - Microsoft 365 Defender
-When an automated investigation occurs in Microsoft 365 Defender, details about that investigation are available during and after the automated investigation process. If you have the [necessary permissions](mtp-action-center.md#required-permissions-for-action-center-tasks), you can view those details in an investigation details view. The investigation details view provides you with up-to-date status and the ability to approve any pending actions.
+With Microsoft 365 Defender, when an [automated investigation](mtp-autoir.md) runs, details about that investigation are available both during and after the automated investigation process. If you have the [necessary permissions](mtp-action-center.md#required-permissions-for-action-center-tasks), you can view those details in an investigation details view. The investigation details view provides you with up-to-date status and the ability to approve any pending actions.
![Investigation details](../../media/mtp-air-investdetails.png)
+## (NEW!) Unified investigation page
+
+The investigation page has recently been updated to include information across your devices, email, and collaboration content. The new, unified investigation page defines a common language and provides a unified experience for automatic investigations across [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) and [Microsoft Defender for Office 365](../office-365-security/office-365-atp.md). To access the unified investigation page, select the link in the yellow banner you'll see on:
+- Any investigation page in the Office 365 Security & Compliance Center ([https://protection.office.com](https://protection.office.com))
+- Any investigation page in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com))
+- Any incident or Action center experience in the improved Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com))
+ ## Open the investigation details view You can open the investigation details view by using one of the following methods:
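Review bot: the updated intro still says the investigation details view gives "the ability to approve any pending actions", but the new Pending actions tab row later in this same file says "Go to the Action center ... to approve pending actions", and the actions page in this changeset removes the "Review a pending action in the investigation details view" procedure entirely; pick one statement. The "(NEW!)" heading and the instruction to "select the link in the yellow banner" describe a transitional UI that will age badly; consider a dated phrase and a direct URL (the Action center URL already used elsewhere on this page) as a fallback for readers who do not see the banner.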
@@ -44,25 +50,31 @@ You can open the investigation details view by using one of the following method
### Select an item in the Action center
-Use the Action center to view actions that are either pending approval (on the **Pending** tab) or were already approved (on the **History** tab).
+The improved [Action center](mtp-action-center.md) ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) brings together [remediation actions](mtp-remediation-actions.md) across your devices, email & collaboration content, and identities. Listed actions include remediation actions that were taken automatically or manually. In the Action center, you can view actions that are awaiting approval and actions that were already approved or completed. You can also navigate to more details, such as an investigation page.
-1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in.
+> [!TIP]
+> You must have [certain permissions](mtp-action-center.md#required-permissions-for-action-center-tasks) to approve, reject, or undo actions.
+1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in.
2. In the navigation pane, choose **Action center**. -
-3. On either the **Pending** or **History** tab, select an item. If you have the [necessary permissions](mtp-action-center.md#required-permissions-for-action-center-tasks), you can approve (or reject) pending actions.
+3. On either the **Pending** or **History** tab, select an item. Its flyout pane opens.
+4. Review the information in the flyout pane, and then take one of the following steps:
+ - Select **Open investigation page** to view more details about the investigation.
+ - Select **Approve** to initiate a pending action.
+ - Select **Reject** to prevent a pending action from being taken.
+ - Select **Go hunt** to go into [Advanced hunting](advanced-hunting-overview.md).
### Open an investigation from an incident details page Use an incident details page to view detailed information about an incident, including alerts that were triggered information about any affected devices, user accounts, or mailboxes.
-1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in.
-
-2. In the navigation pane, choose **Incidents**.
+![Incident details](../../media/mtp-incidentdetails-tabs.png)
-3. Select an item in the list to open the incident details view.<br/>![Incident details](../../media/mtp-incidentdetails-tabs.png)
-
-4. On the **Investigations** tab, select an investigation in the list.
+1. Go to [https://security.microsoft.com](https://security.microsoft.com) and sign in.
+2. In the navigation pane, choose **Incidents & alerts** > **Incidents**.
+3. Select an item in the list, and then choose **Open incident page**.
+4. Select the **Investigations** tab, and then select an investigation in the list. Its flyout pane opens.
+5. Select **Open investigation page**.
## Investigation details
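Review bot: steps 3 and 4 of "Select an item in the Action center" (flyout opens; Open investigation page / Approve / Reject / Go hunt) are a verbatim copy of the procedure added to mtp-autoir-actions.md in this same changeset; two copies will drift, so move the procedure into an include or link to the actions page from here. The new paragraph also says the Action center covers "devices, email & collaboration content, and identities", but no identity action appears in the tracked actions list or the permissions table of mtp-action-center.md in this changeset; drop "identities" or say what is tracked for them.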
@@ -72,17 +84,22 @@ Use the investigation details view to see past, current, and pending activity pe
In the Investigation details view, you can see information on the **Investigation graph**, **Alerts**, **Devices**, **Identities**, **Key findings**, **Entities**, **Log**, and **Pending actions** tabs, described in the following table.
+> [!NOTE]
+> The specific tabs you see in an investigation details page depends on what your subscription includes. For example, if your subscription does not include Microsoft Defender for Office 365 Plan 2, you won't see a **Mailboxes** tab.
+ | Tab | Description |
-|--|--|
-| **Investigation graph** | Provides a visual representation of the investigation. Depicts entities and lists threats found, along with alerts and whether any actions are awaiting approval.<br/>You can click an item on the graph to view more details. For example, clicking the **Threats found** icon takes you to the **Key findings** tab. |
-| **Alerts** | Lists alerts associated with the investigation. Alerts can come from threat protection features on a user's machine, in Office apps, Cloud App Security, and other Microsoft 365 Defender features.|
-| **Devices** | Lists machines included in the investigation along with remediation level.|
-| **Key findings** | Lists results from the investigation along with status and actions taken or pending. You can approve pending actions for devices and identities in on this tab.|
-| **Entities** | Lists user activities, files, processes, services, drivers, IP addresses, and persistence methods associated with the investigation, along with status and actions taken.|
-|**Log** | Provides a detailed view of all steps taken during the investigation, along with status.|
-| **Pending actions** | Lists items that require approval to proceed.|
+|:--|:--|
+| **Investigation graph** | Provides a visual representation of the investigation. Depicts entities and lists threats found, along with alerts and whether any actions are awaiting approval.<br/>You can select an item on the graph to view more details. For example, selecting the **Evidence** icon takes you to the **Evidence** tab, where you can see detected entities and their verdicts. |
+| **Alerts** | Lists alerts associated with the investigation. Alerts can come from threat protection features on a user's device, in Office apps, Cloud App Security, and other Microsoft 365 Defender features.|
+| **Devices** | Lists devices included in the investigation along with their remediation level. (Remediation levels correspond to [the automation level for device groups](mtp-configure-auto-investigation-response.md#review-or-change-the-automation-level-for-device-groups).) |
+| **Mailboxes** |Lists mailboxes that are impacted by detected threats. |
+| **Users** | Lists user accounts that are impacted by detected threats. |
+| **Evidence** | Lists pieces of evidence raised by alerts/investigations. Includes verdicts (*Malicious*, *Suspicious*, or *No threats found*) and remediation status. |
+| **Entities** | Provides details about each analyzed entity, including a verdict for each entity type (*Malicious*, *Suspicious*, or *No threats found*).|
+|**Log** | Provides a chronological, detailed view of all the investigation actions taken after an alert was triggered.|
+| **Pending actions** | Lists items that require approval to proceed. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) to approve pending actions. |
## Next steps -- [Approve or reject actions related to automated investigation and response](mtp-autoir-actions.md)-- [Review remediation actions](mtp-remediation-actions.md)
+- [Approve or reject remediation actions following an automated investigation](mtp-autoir-actions.md)
+- [Learn more about remediation actions](mtp-remediation-actions.md)
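Review bot: the lead-in sentence above the table, unchanged context here, still lists the tabs as "Investigation graph, Alerts, Devices, Identities, Key findings, Entities, Log, and Pending actions", while the rewritten table has Mailboxes, Users and Evidence and no Identities or Key findings tab; update the sentence to match the table. In the NOTE, "The specific tabs you see ... depends on what your subscription includes" should read "depend". In Next steps, the link text "Approve or reject remediation actions following an automated investigation" no longer matches its target, which this changeset retitles "View and manage actions in the Action center".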
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-autoir https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/mtp-autoir.md
@@ -8,18 +8,18 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.pagetype: security f1.keywords:
- - NOCSH
+- NOCSH
ms.localizationpriority: medium audience: ITPro
- - M365-security-compliance
- - m365initiative-m365-defender
+- M365-security-compliance
+- m365initiative-m365-defender
Previously updated : 12/09/2020 Last updated : 01/29/2021 ms.technology: m365d
@@ -28,18 +28,21 @@ ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] - **Applies to:** - Microsoft 365 Defender
+If your organization is using [Microsoft 365 Defender](microsoft-threat-protection.md), your security operations team receives an alert whenever a malicious or suspicious artifact is detected. Given the seemingly never-ending flow of threats that come in, security teams often face challenges in addressing the high volume of alerts. Fortunately, Microsoft 365 Defender includes automated investigation and remediation (AIR) capabilities that can help your security operations team address threats more efficiently and effectively.
+
+This article provides an overview of AIR and includes links to next steps and additional resources.
+
+> [!TIP]
> Want to experience Microsoft 365 Defender? You can [evaluate it in a lab environment](https://aka.ms/mtp-trial-lab) or [run your pilot project in production](https://aka.ms/m365d-pilotplaybook).
->
## How automated investigation and self-healing works As security alerts are triggered, it's up to your security operations team to look into those alerts and take steps to protect your organization. Prioritizing and investigating alerts can be very time consuming, especially when new alerts keep coming in while an investigation is going on. Security operations teams can feel overwhelmed by the sheer volume of threats they must monitor and protect against. Automated investigation and response capabilities, with self-healing, in Microsoft 365 Defender can help.
-Watch the following video to see how self-healing works:
+Watch the following video to see how self-healing works: <p>
> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4BzwB]
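Review bot: The trailing `<p>` appended on the "Watch the following video to see how self-healing works:" line is an unclosed raw HTML tag inside markdown and serves no purpose; a blank line before the `> [!VIDEO ...]` block already separates the two. Drop the `<p>` and keep the line as `Watch the following video to see how self-healing works:`.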
@@ -50,33 +53,42 @@ In Microsoft 365 Defender, automated investigation and response with self-healin
## Your own virtual analyst
-Imagine having a virtual analyst in your Tier 1 / Tier 2 security operations team. The virtual analyst mimics the ideal steps that security operations would take to investigate and remediate threats. The virtual assistant could work 24x7, with unlimited capacity, and take on a significant load of investigations and threat remediation. Such a virtual assistant could significantly reduce the time to respond, freeing up your security operations team for other important strategic projects. If this scenario sounds like science fiction, it's not! Such a virtual analyst is part of your Microsoft 365 Defender suite, and its name is *automated investigation and response*.
+Imagine having a virtual analyst in your Tier 1 or Tier 2 security operations team. The virtual analyst mimics the ideal steps that security operations would take to investigate and remediate threats. The virtual assistant could work 24x7, with unlimited capacity, and take on a significant load of investigations and threat remediation. Such a virtual assistant could significantly reduce the time to respond, freeing up your security operations team for other important strategic projects. If this scenario sounds like science fiction, it's not! Such a virtual analyst is part of your Microsoft 365 Defender suite, and its name is *automated investigation and response*.
-Automated investigation and response enables your security operations team to dramatically increase your organization's capacity to deal with security alerts and incidents. With automated investigation and response, you can reduce the cost of dealing with investigation and remediation activities and get the most out of your threat protection suite. automated investigation and response helps your security operations team by:
+Automated investigation and response capabilities enable your security operations team to dramatically increase your organization's capacity to deal with security alerts and incidents. With automated investigation and response, you can reduce the cost of dealing with investigation and remediation activities and get the most out of your threat protection suite. Automated investigation and response capabilities help your security operations team by:
1. Determining whether a threat requires action;
-2. Performing (or recommending) any necessary remediation actions;
-3. Determining what additional investigations should occur; and
+2. Taking (or recommending) any necessary remediation actions;
+3. Determining whether and what other investigations should occur; and
4. Repeating the process as necessary for other alerts. ## The automated investigation process
-**Alert** > **incident** > **automated investigation** > **verdict** > **remediation action**
+An alert creates an incident, which can start an automated investigation. The automated investigation results in a verdict for each piece of evidence. Verdicts can be:
+- *Malicious*;
+- *Suspicious*; or
+- *No threats found*.
-A triggered alert creates an incident, which can start an automated investigation. That investigation can result in one or more remediation actions. In Microsoft 365 Defender, each automated investigation correlates signals across Microsoft Defender for Identity, Microsoft Defender for Endpoint, and Defender for Office 365, as summarized in the following table:
+Remediation actions for malicious or suspicious entities are identified. Examples of remediation actions include:
+- Sending a file to quarantine;
+- Stopping a process;
+- Isolating a device;
+- Blocking a URL; and
+- other actions. (See [Remediation actions in Microsoft 365 Defender](mtp-remediation-actions.md).)
-|Entities |Threat protection services |
-|||
-|Devices (also referred to as endpoints) |[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations)<br/>[Microsoft Defender for Identity](https://docs.microsoft.com/azure-advanced-threat-protection/what-is-atp) |
-|Email content (files and messages in mailboxes) |[Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) |
+Depending on [how automated investigation and response capabilities are configured](mtp-configure-auto-investigation-response.md) for your organization, remediation actions are taken automatically or only upon approval by your security operations team. All actions, whether pending or completed, are listed in the [Action center](mtp-action-center.md).
-Each investigation generates verdicts (*Malicious*, *Suspicious*, or *No threats found*) for each piece of evidence investigated. Depending on the type of threat and resulting verdict, remediation actions occur automatically or upon approval by your organization's security operations team. Pending and completed actions are listed in the [Action center](mtp-action-center.md).
+While an investigation is running, any other related alerts that arise are added to the investigation until it completes. If an incriminated entity is seen elsewhere, the automated investigation expands its scope to include that entity, and the investigation process repeats.
-While an investigation is running, any other related alerts that arise are added to the investigation until it completes. If an incriminated entity is seen elsewhere, the automated investigation will expand its scope to include that entity, and a general security playbook will run.
+In Microsoft 365 Defender, each automated investigation correlates signals across Microsoft Defender for Identity, Microsoft Defender for Endpoint, and Defender for Office 365, as summarized in the following table:
-> [!NOTE]
-> Not every alert triggers an automated investigation, and not every investigation results in automated remediation actions; this all depends on how automated investigation and response is configured for your organization. See [Configure automated investigation and response capabilities in Microsoft 365 Defender](mtp-configure-auto-investigation-response.md).
+|Entities |Threat protection services |
+|:|:|
+|Devices (also referred to as endpoints, and sometimes referred to as machines) |[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations)<br/>[Microsoft Defender for Identity](https://docs.microsoft.com/azure-advanced-threat-protection/what-is-atp) |
+|Email content (email messages that can contain files and URLs) |[Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) |
+> [!NOTE]
+> Not every alert triggers an automated investigation, and not every investigation results in automated remediation actions; it depends on how automated investigation and response is configured for your organization. See [Configure automated investigation and response capabilities in Microsoft 365 Defender](mtp-configure-auto-investigation-response.md).
## Next steps
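Review bot: The new table's separator row `|:|:|` contains no hyphens, so several markdown parsers will not recognize the table and will render the header and rows as plain pipe-delimited text; use `|:--|:--|` (the prerequisites table in the sibling article uses `|:-|:-|`). Also, the "Remediation actions for malicious or suspicious entities are identified." list ends with the lowercase item "other actions. (See ...)", which reads as a fragment; consider folding that parenthetical into the lead sentence and ending the list at "Blocking a URL."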
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-configure-auto-investigation-response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/mtp-configure-auto-investigation-response.md
@@ -6,12 +6,13 @@
audience: ITPro-+ ms.prod: m365-security localization_priority: Normal
- - M365-security-compliance
- - m365initiative-m365-defender
+- M365-security-compliance
+- m365initiative-m365-defender
Last updated : 02/08/2021 f1.keywords: CSH
@@ -22,8 +23,7 @@ ms.technology: m365d
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] -
-Microsoft 365 Defender includes powerful [automated investigation and response capabilities](mtp-autoir.md) that can save your security operations team much time and effort. With self-healing, these capabilities mimic the steps a security analyst would take to investigate and respond to threats, only faster, and with more ability to scale. This article describes how to configure automated investigation and response in Microsoft 365 Defender.
+Microsoft 365 Defender includes powerful [automated investigation and response capabilities](mtp-autoir.md) that can save your security operations team much time and effort. With [self-healing](mtp-autoir.md#how-automated-investigation-and-self-healing-works), these capabilities mimic the steps a security analyst would take to investigate and respond to threats, only faster, and with more ability to scale. This article describes how to configure automated investigation and response in Microsoft 365 Defender.
To configure automated investigation and response capabilities, follow these steps:
@@ -32,28 +32,25 @@ To configure automated investigation and response capabilities, follow these ste
3. [Review your security and alert policies in Office 365](#review-your-security-and-alert-policies-in-office-365). 4. [Make sure Microsoft 365 Defender is turned on](#make-sure-microsoft-365-defender-is-turned-on).
-Then, after you're all set up, [review pending and completed actions in the Action center](#review-pending-and-completed-actions-in-the-action-center).
+Then, after you're all set up, [View and manage actions in the Action center](mtp-autoir-actions.md).
## Prerequisites for automated investigation and response in Microsoft 365 Defender |Requirement |Details |
-|--|--|
-|Subscription requirements |One of the subscriptions: <ul><li>Microsoft 365 E5</li><li>Microsoft 365 A5</li><li>Microsoft 365 E5 Security</li><li>Microsoft 365 A5 Security</li><li>Office 365 E5 plus Enterprise Mobility + Security E5 plus Windows E5</li></ul><p> See [Microsoft 365 Defender licensing requirements](https://docs.microsoft.com/microsoft-365/security/mtp/prerequisites?#licensing-requirements).|
-|Network requirements |<ul><li>[Microsoft Defender for Identity](https://docs.microsoft.com/azure-advanced-threat-protection/what-is-atp) enabled</li><li>[Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) configured</li><li>[Microsoft Defender for Identity integration](https://docs.microsoft.com/cloud-app-security/mdi-integration)</li></ul>|
-|Windows machine requirements |Windows 10, version 1709 or later installed (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/)) with the following threat protection services configured:<ul><li>[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints)</li><li>[Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features)</li></ul>|
+|:-|:-|
+|Subscription requirements |One of these subscriptions: <br/>- Microsoft 365 E5<br/>- Microsoft 365 A5<br/>- Microsoft 365 E5 Security<br/>- Microsoft 365 A5 Security<br/>- Office 365 E5 plus Enterprise Mobility + Security E5 plus Windows E5<p> See [Microsoft 365 Defender licensing requirements](https://docs.microsoft.com/microsoft-365/security/mtp/prerequisites?#licensing-requirements).|
+|Network requirements |- [Microsoft Defender for Identity](https://docs.microsoft.com/azure-advanced-threat-protection/what-is-atp) enabled<br/>- [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) configured<br/>- [Microsoft Defender for Identity integration](https://docs.microsoft.com/cloud-app-security/mdi-integration) |
+|Windows machine requirements |- Windows 10, version 1709 or later installed (See [Windows 10 release information](https://docs.microsoft.com/windows/release-information/)) <br/>- The following threat protection services configured:<br/>- [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints)<br/>- [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) |
|Protection for email content and Office files |[Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp#configure-atp-policies) configured |
-|Permissions |<ul><li>To configure automated investigation and response capabilities, you must have the Global Administrator or Security Administrator role assigned in either Azure Active Directory ([https://portal.azure.com](https://portal.azure.com)) or in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)).</li><p><li>To get the permissions needed to work with automated investigation and response capabilities, such as reviewing, approving, or rejecting pending actions, see [Required permissions for Action center tasks](mtp-action-center.md#required-permissions-for-action-center-tasks).</li></ul>|
+|Permissions | To configure automated investigation and response capabilities, you must have the Global Administrator or Security Administrator role assigned in either Azure Active Directory ([https://portal.azure.com](https://portal.azure.com)) or in the Microsoft 365 admin center ([https://admin.microsoft.com](https://admin.microsoft.com)).<p>To get the permissions needed to work with automated investigation and response capabilities, such as reviewing, approving, or rejecting pending actions, see [Required permissions for Action center tasks](mtp-action-center.md#required-permissions-for-action-center-tasks). |
## Review or change the automation level for device groups Whether automated investigations run, and whether remediation actions are taken automatically or only upon approval for your devices depend on certain settings, such as your organization's device group policies. Review the automation level set for your device group policies. 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.- 2. Go to **Settings** > **Permissions** > **Device groups**.- 3. Review your device group policies. In particular, look at the **Remediation level** column. We recommend using **Full - remediate threats automatically**. You might need to create or edit your device groups to get the level of automation you want. To get help with this task, see the following articles:- - [How threats are remediated](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations#how-threats-are-remediated) - [Create and manage device groups](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups)
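Review bot: Replacing the `<ul>`/`<li>` markup in the "Windows machine requirements" cell with `<br/>-` items flattens the list: "Microsoft Defender for Endpoint" and "Microsoft Defender Antivirus" were sub-items of "The following threat protection services configured:" and now appear as siblings of the Windows 10 version requirement, so the cell no longer says which items are the services. Either reintroduce the nesting (for example, indent the two service items with `&nbsp;&nbsp;-`) or reword to "Windows 10, version 1709 or later, with both Microsoft Defender for Endpoint and Microsoft Defender Antivirus configured". Separately, the sentence "Then, after you're all set up, [View and manage actions in the Action center](mtp-autoir-actions.md)." capitalizes the link text mid-sentence; lowercase "view".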
@@ -65,40 +62,31 @@ Although certain alerts and security policies can trigger automated investigatio
Security settings in Office 365 help protect email and content. To view or change these settings, follow the guidance in [Protect against threats](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats).
-1. In the Microsoft 365 security center ([https://security.microsoft.com/](https://security.microsoft.com/)), go to **Policies** > **Threat protection**.
-
+1. In the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)), go to **Policies** > **Threat protection**.
2. Make sure all of the following policies are configured. To get help and recommendations, see [Protect against threats](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats).- - [Anti-malware (Office 365)](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#part-1anti-malware-protection) - [Anti-phishing in Defender for Office 365)](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#part-2anti-phishing-protection) - [Safe Attachments (Office 365)](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#atp-safe-attachments-policies) - [Safe Links (Office 365)](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#atp-safe-links-policies) - [Anti-spam (Office 365)](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#part-3anti-spam-protection)- 3. Make sure [Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#part-5turn-on-atp-for-sharepoint-onedrive-and-microsoft-teams-workloads) is turned on.- 4. Make sure [zero-hour auto purge for email](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats#zero-hour-auto-purge-for-email-in-eop) protection is in effect.-
-5. (This is optional.) Review your [Office 365 alert policies](https://docs.microsoft.com/microsoft-365/compliance/alert-policies) in the Microsoft 365 compliance center ([https://compliance.microsoft.com/compliancepolicies](https://compliance.microsoft.com/compliancepolicies)). Several default alert policies are in the Threat management category. Some of these alerts can trigger automated investigation and response. To learn more, see [Default alert policies](https://docs.microsoft.com/microsoft-365/compliance/alert-policies?#default-alert-policies).
+5. (This step is optional.) Review your [Office 365 alert policies](https://docs.microsoft.com/microsoft-365/compliance/alert-policies) in the Microsoft 365 compliance center ([https://compliance.microsoft.com/compliancepolicies](https://compliance.microsoft.com/compliancepolicies)). Several default alert policies are in the Threat management category. Some of these alerts can trigger automated investigation and response. To learn more, see [Default alert policies](https://docs.microsoft.com/microsoft-365/compliance/alert-policies?#default-alert-policies).
## Make sure Microsoft 365 Defender is turned on
-1. Go to the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
-
-2. In the navigation pane, look for **Incidents**, **Action center**, and **Hunting**, as shown in the following image:
-
- :::image type="content" source="../../media/mtp-enable/mtp-on.png" alt-text="MTP on":::
+1. Go to the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
+2. In the navigation pane, look for **Incidents**, **Action center**, and **Hunting**, as shown in the preceding image.
- If you see **Incidents**, **Action center**, and **Hunting**, Microsoft 365 Defender is turned on. See the procedure, [Review or change the automation level for device groups](#review-or-change-the-automation-level-for-device-groups) (in this article).
+ - If you do *not* see **Incidents**, **Action center**, or **Hunting**, then Microsoft 365 Defender might not be turned on. In this case, proceed to [Visit the Action center](mtp-action-center.md)).
+3. In the navigation pane, choose **Settings** > **Microsoft 365 Defender**. Confirm that Microsoft 365 Defender is turned on.
- - If you do *not* see **Incidents**, **Action center**, or **Hunting**, then Microsoft 365 Defender might not be turned on. In this case, proceed to the next step ([Review pending and completed actions](#review-pending-and-completed-actions-in-the-action-center), in this article).
-
-3. In the navigation pane, choose **Settings** > **Microsoft 365 Defender**. Confirm that Microsoft 365 Defender is turned on.
-
- Need help? See [Turn on Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable).
-
-## Review pending and completed actions in the Action center
+> [!TIP]
+> Need help? See [Turn on Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-enable).
-After you have configured automated investigation and response in Microsoft 365 Defender, your next step is to visit the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)). There, you can review and approve pending actions, and see remediation actions that were taken automatically or manually.
+## Next steps
-[Visit the Action center](mtp-action-center.md).
+- [Remediation actions in Microsoft 365 Defender](mtp-remediation-actions.md)
+- [Visit the Action center](mtp-action-center.md)
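Review bot: Step 2 now says "as shown in the preceding image", but this same hunk removes the only image in the section (`:::image type="content" source="../../media/mtp-enable/mtp-on.png" ...:::`), so the reference points at nothing; either restore the image or drop the clause. In the second sub-bullet, "proceed to [Visit the Action center](mtp-action-center.md))." has a doubled closing parenthesis, and the instruction itself is inverted: if **Incidents**, **Action center**, and **Hunting** are absent, the reader cannot visit the Action center; the sensible next step is step 3 (**Settings** > **Microsoft 365 Defender**, confirm it is turned on), which is what the removed text pointed to. The sub-bullet is also indented with a leading space while the preceding sub-bullet is not, so the two will not render as siblings.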
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-enable https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/mtp-enable.md
@@ -50,19 +50,8 @@ Microsoft 365 Defender aggregates data from the various supported services that
To get the best protection and optimize Microsoft 365 Defender, we recommend deploying all applicable supported services on your network. For more information, [read about deploying supported services](deploy-supported-services.md).
-## Before starting the service
-
-Before you turn on the service, the Microsoft 365 security center ([security.microsoft.com](https://security.microsoft.com)) shows the Microsoft 365 Defender settings page when you select **Incidents**, **Action center**, or **Hunting** from the navigation pane. These navigation items are not shown if you are not eligible to use Microsoft 365 Defender.
-
-![Image of the Microsoft 365 Defender settings page shown if Microsoft 365 Defender has not been turned on](../../media/mtp-enable/mtp-settings.png)
-*Microsoft 365 Defender settings in Microsoft 365 security center*
-
-## Starting the service
-
-To turn on Microsoft 365 Defender, simply select **Turn on Microsoft 365 Defender** and apply the change. You can also access this option by selecting **Settings** ([security.microsoft.com/settings](https://security.microsoft.com/settings)) in the navigation pane and then selecting **Microsoft 365 Defender**.
-
-> [!NOTE]
-> If you don't see **Settings** in the navigation pane or couldn't access the page, check your permissions and licenses.
+## Onboard to the service
+Onboarding to Microsoft 365 Defender is simple. From the navigation menu, select any item under the Endpoints section, such as Incidents, Hunting, Action center, or Threat analytics to initiate the onboarding process.
### Data center location
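Review bot: The removed "Starting the service" block included the note "If you don't see **Settings** in the navigation pane or couldn't access the page, check your permissions and licenses", and the new "Onboard to the service" paragraph keeps no equivalent, so a reader who does not see Incidents, Hunting, Action center, or Threat analytics is left with no troubleshooting hint; carry that note over (the removed "Before starting the service" text also stated that these items are hidden for ineligible tenants). The new paragraph also lists the items inline without the bold formatting the rest of the article uses for UI labels.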
@@ -78,15 +67,16 @@ Select **Need help?** in the Microsoft 365 security center to contact Microsoft
Once the service is provisioned, it adds: - [Incidents management](incidents-overview.md)
+- [Alerts queue](investigate-alerts.md)
- An action center for managing [automated investigation and response](mtp-autoir.md) - [Advanced hunting](advanced-hunting-overview.md) capabilities
+- Threat analytics
![Image of Microsoft 365 security center navigation pane with Microsoft 365 Defender features](../../media/mtp-enable/mtp-on.png) *Microsoft 365 security center with incidents management and other Microsoft 365 Defender capabilities*
-### Getting Microsoft Defender for Identity data
-
-To share Microsoft Defender for Identity data with Microsoft 365 Defender, ensure that Microsoft Cloud App Security and Microsoft Defender for Identity integration is turned on. [Learn more about this integration](https://docs.microsoft.com/cloud-app-security/mdi-integration).
+### Getting Microsoft Defender for Identity data
+To enable the integration with Microsoft Cloud App Security, you'll need to login to the Microsoft Cloud App Security at least once.
## Get assistance
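Review bot: "you'll need to login to the Microsoft Cloud App Security at least once" should read "you'll need to log in to the Microsoft Cloud App Security portal at least once" (verb "log in", and "the Microsoft Cloud App Security" needs a noun). The replaced text also carried the only pointer to the integration setting, "[Learn more about this integration](https://docs.microsoft.com/cloud-app-security/mdi-integration)"; since signing in once is a prerequisite rather than the integration itself, keep that sentence and link after the new one.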
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/mtp-permissions.md
@@ -22,7 +22,7 @@ search.appverid:
ms.technology: m365d
-# Manage access to Microsoft 365 Defender
+# Manage access to Microsoft 365 Defender with Azure Active Directory global roles
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
@@ -30,7 +30,11 @@ ms.technology: m365d
**Applies to:** - Microsoft 365 Defender
-Accounts assigned the following Azure Active Directory (AD) roles can access Microsoft 365 Defender functionality and data:
+There are two ways to manage access to Microsoft 365 Defender
+- **Global Azure Active Directory (AD) roles**
+- **Custom role access**
+
+Accounts assigned the following **Global Azure Active Directory (AD) roles** can access Microsoft 365 Defender functionality and data:
- Global administrator - Security administrator - Security Operator
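Review bot: "There are two ways to manage access to Microsoft 365 Defender" introduces a list but has no terminal punctuation; add a colon. The two list items are bolded but the first is later referred to as "global Azure AD roles" and the second as "Custom role access", so consider using the same wording in the list as in the headings that follow.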
@@ -39,6 +43,11 @@ Accounts assigned the following Azure Active Directory (AD) roles can access Mic
To review accounts with these roles, [view Permissions in the Microsoft 365 security center](https://security.microsoft.com/permissions).
+**Custom role** access is a new capability in Microsoft 365 Defender and allows you to manage access to specific data, tasks, and capabilities in Microsoft Defender 365. Custom roles offer more control than global Azure AD roles, providing users only the access they need with the least-permissive roles necessary. Custom roles can be created in addition to global Azure AD roles. [Learn more about custom roles](custom-roles.md).
+
+> ![NOTE]
+> This article applies only to managing global Azure Active Directory roles. For more information about using custom role-based access control, see [Custom roles for role-based access control](custom-roles.md)
+ ## Access to functionality Access to specific functionality is determined by your [Azure AD role](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles). Contact a global administrator if you need access to specific functionality that requires you or your user group be assigned a new role.
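Review bot: `> ![NOTE]` is an image reference, not an admonition; the docs syntax is `> [!NOTE]` (as used elsewhere in this changeset). The note text "see [Custom roles for role-based access control](custom-roles.md)" is also missing its closing period. In the new paragraph, "specific data, tasks, and capabilities in Microsoft Defender 365" should be "Microsoft 365 Defender" to match the product name used in the rest of the sentence.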
@@ -54,7 +63,7 @@ For example, if you belong to only one user group with a Microsoft Defender for
During the preview, Microsoft 365 Defender does not enforce access controls based on Cloud App Security settings. Access to Microsoft 365 Defender data is not affected by these settings. ## Related topics--- [Azure AD roles](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles)
+- [Custom roles in role-based access control for Microsoft 365 Defender](custom-roles.md)
+- [Azure AD roles](/azure/active-directory/users-groups-roles/directory-assign-admin-roles)
- [Microsoft Defender for Endpoint RBAC](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/rbac) - [Cloud App Security roles](https://docs.microsoft.com/cloud-app-security/manage-admins)
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/mtp-remediation-actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/mtp-remediation-actions.md
@@ -19,7 +19,7 @@
- m365initiative-m365-defender Previously updated : 12/09/2020 Last updated : 01/29/2021 ms.technology: m365d
@@ -45,7 +45,7 @@ During and after an automated investigation in Microsoft 365 Defender, remediati
The following table summarizes remediation actions that are currently supported in Microsoft 365 Defender: |Device (endpoint) remediation actions |Email remediation actions |
-|||
+|:|:|
|- Collect investigation package <br/>- Isolate device (this action can be undone)<br/>- Offboard machine <br/>- Release code execution <br/>- Release from quarantine <br/>- Request sample <br/>- Restrict code execution (this action can be undone) <br/>- Run antivirus scan <br/>- Stop and quarantine |- Block URL (time-of-click)<br/>- Soft delete email messages or clusters<br/>- Quarantine email<br/>- Quarantine an email attachment<br/>- Turn off external mail forwarding | Remediation actions, whether pending approval or already complete, can be viewed in the [Action Center](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-action-center).
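Review bot: The separator row `|:|:|` has no hyphens and will not be parsed as a table delimiter by many markdown renderers, leaving the two-column remediation actions list as raw text; use `|:--|:--|`, matching the `|:-|:-|` form used in the configuration article's prerequisites table.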
@@ -78,5 +78,5 @@ In addition to remediation actions that follow automated investigations, your se
## Next steps - [Visit the Action center](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-action-center)-- [Approve or reject pending actions](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir-actions)
+- [View and manage remediation actions](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir-actions)
- [Handle false positives/negatives in automated investigation and response capabilities](mtp-autoir-report-false-positives-negatives.md)
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/overview-security-center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/overview-security-center.md
@@ -1,14 +1,15 @@
Title: Overview - Microsoft 365 security center
-description: Describes monitoring and managing security across your Microsoft identities, data, devices, and apps with Microsoft 365 security.
+ Title: Microsoft 365 security center overview
+description: Advantages in the Microsoft 365 security center, combining Microsoft Defender for Office 365 (MDO) and Microsoft Defender for Endpoint (MDE), with Microsoft Defender for Identity (MDI) and Microsoft Cloud App Security (MCAS). This article outlines Microsoft 365 security center advances for administrators.
keywords: security, malware, Microsoft 365, M365, security center, monitor, report, identities, data, devices, apps ms.prod: m365-security ms.mktglfcycl: deploy ms.localizationpriority: medium
- - NOCSH
--
+f1.keywords:
+- NOCSH
Last updated : 02/02/2021++ audience: ITPro
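Review bot: The added front-matter line ` Title: Microsoft 365 security center overview` begins with a space, which makes it an invalid YAML key at that indentation, and the existing `Title: Overview - Microsoft 365 security center` line above it is shown as unchanged context, so the front matter would carry two title entries; remove the leading space and confirm the old title line is actually deleted in this change. The new `description:` is also two sentences long and far beyond the usual meta-description length; keep the first sentence and move the second into the article body.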
@@ -20,65 +21,152 @@
ms.technology: m365d
-# Overview of the Microsoft 365 security center
+# The unified Microsoft 365 security center overview
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] +
+**Applies to:**
+
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Office 365](https://go.microsoft.com/fwlink/?linkid=2148715)
+ > Want to experience Microsoft 365 Defender? You can [evaluate it in a lab environment](https://aka.ms/mtp-trial-lab) or [run your pilot project in production](https://aka.ms/m365d-pilotplaybook).
->
-Managing the security of your business to protect against an ever-evolving threat landscape brings many challenges. You might have too many security solutions with various places to configure lots of controls. You may struggle with knowing which controls are the most effective and which will introduce new challenges for your workforce. It can be difficult for security teams to find the right balance of security and productivity.
-Enter Microsoft 365 security center - the new home for monitoring and managing security across your Microsoft identities, data, devices, apps, and infrastructure. Here you can easily view the security health of your organization, act to configure devices, users, and apps, and get alerts for suspicious activity. The Microsoft 365 security center is intended to help security admins and security operations teams manage and protect their organization.
+The improved **Microsoft 365 security center** ([https://security.microsoft.com](https://security.microsoft.com)) combines protection, detection, investigation, and response to *email*, *collaboration*, *identity*, and *device* threats, in a central portal.
-The new Microsoft 365 security center and [Microsoft 365 compliance center](https://docs.microsoft.com/microsoft-365/compliance/microsoft-365-compliance-center) are specialized workspaces designed to meet the needs of security and compliance teams. These solutions are integrated across Microsoft 365 services and provide actionable insights to help reduce risks and safeguard your digital estate.
+Microsoft 365 security center brings together functionality from existing Microsoft security portals, like Microsoft Defender Security Center and the Office 365 Security & Compliance center. The security center emphasizes quick access to information, simpler layouts, and bringing related information together for easier use. This center includes:
->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4BmvV]
+- **[Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp)** Microsoft Defender for Office 365 helps organizations secure their enterprise with a set of prevention, detection, investigation and hunting features to protect email, and Office 365 resources.
+- **[Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection)** delivers preventative protection, post-breach detection, automated investigation, and response for devices in your organization.
+- **[Microsoft 365 Defender](microsoft-threat-protection.md)**
+is part of MicrosoftΓÇÖs *Extended Detection and Response* (XDR) solution that leverages the Microsoft 365 security portfolio to automatically analyze threat data across domains, and build a picture of an attack on a single dashboard.
-Visit the Microsoft 365 security center at [https://security.microsoft.com](https://security.microsoft.com).
+If you need information about what's changed from the Office 365 Security & Compliance center or the Microsoft Defender Security Center, see:
-> [!NOTE]
-> You must be assigned an appropriate role, such as Global Administrator, Security Administrator, Security Operator, or Security Reader in Azure Active Directory to access the Microsoft 365 security center.
+- [Defender for Office 365 in the Microsoft 365 security center](microsoft-365-security-center-mdo.md)
+- [Defender for Endpoint in the Microsoft 365 security center](microsoft-365-security-center-mde.md)
+
+## What to expect
+
+All the security content that you use in the Office 365 Security and Compliance Center (protection.office.com) and the Microsoft Defender security center (securitycenter.microsoft.com) can now be found in the *Microsoft 365 security center*.
+
+Microsoft 365 security center helps security teams investigate and respond to attacks by brining in signals from different workloads into a single, unified experiences:
+
+- Incidents & alerts
+- Hunting
+- Action Center
+- Threat analytics
+
+The Microsoft 365 security center emphasizes *unity, clarity, and common goals* as it merges Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. The merge was based on the priorities listed below, and made without sacrificing the capabilities that each security suite brought to the combination:
+
+- common building blocks
+- common terminology
+- common entities
+- feature parity with other workloads
+
+## Unified investigations
+
+Streamlining security centers creates a single pane for investigating any incidents across a Microsoft 365 organization. A primary example is the **Incidents** node on the quick launch of the Microsoft 365 security center.
++
+As an example, double-clicking on an incident name with **High** severity brings you to a page that demonstrates the advantage of converging centers.
+
+![Multi-stage incident involving privilege escalation on multiple endpoints, showing see 16 impacted devices and 9 impacted users.](../../media/converged-incident-info-3.png)
+
+> [!TIP]
+> The converged **Users** tab is a good place to begin your inquiries. This single page surfaces information for users from converged workloads (Microsoft Defender for Endpoint, Microsoft Defender for Identity, and MCAS, if you leverage it) and a range of sources such as on-premises Active Directory, Azure Active Directory, synced, local, and third-party users. Learn more about [the new Users experience](investigate-users.md).
+
+Incident information shows user/identity specifics and at-risk devices, beside affected mailboxes. It also relates any **Investigation information** and gathered **Evidence**. This makes it easier for admins and security operation teams to pivot from one high-risk alert to the affected users and mailboxes. Looking at the **Incident** tabs at the top of this page, there are other key security pivots available from this single location.
+
+> [!IMPORTANT]
+> Along the top of any page for a specific Incident, you'll see the **Summary**, **Alerts**, **Devices**, **Users**, **Mailboxes**, **Investigations**, and **Evidence** tabs.
+
+Selecting **Investigations** opens a page that features a graphic of the analysis taking place and lists a status (such as **pending approval**) for remediation. Take time to select specific incidents in your environment, drill down into these tabs, and practice building a profile for different kinds of threats. Familiarity will benefit any later pressing investigations.
-## At-a-glance view of your Microsoft 365 environment
+## Improved processes
+
+Common controls and content either appear in the same place, or are condensed into one feed of data making it easier to find. For example, unified settings.
+
+### Unified settings
+
+![clicked 'Roles' and opened the Settings page, which includes General settings, Permissions, APIs and Rules. Open Permissions and then Roles. Shows all roles](../../media/converged-add-role-9.png)
+
+### Permissions & roles
+
+![Permissions & Roles page showing Endpoints roles & groups, Roles, and Device groups.](../../media/converged-roles-5.png)
+
+ Access the Microsoft 365 security center is configured with Azure Active Directory global roles or by using custom roles. For Defender for Endpoint, see [Assign user access to Microsoft Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/assign-portal-access). For Defender for Office 365, see [Permissions in the Microsoft 365 compliance center and Microsoft 365 security center](../office-365-security/permissions-microsoft-365-compliance-security.md).
+
+- Learn more about how to [manage access to Microsoft 365 Defender](mtp-permissions.md)
+- Learn more about how to [create custom roles](custom-roles.md) in Microsoft 365 security center
+
+### Integrated reports
+
+Reports are also unified in the Microsoft 365 security center. Admins can start with a general security report, and branch into specific reports about endpoints, email & collaboration. The links here are dynamically generated based upon workload configuration.
+
+### Quickly view your Microsoft 365 environment
The **Home** page shows many of the common cards that security teams need. The composition of cards and data is dependent on the user role. Because the Microsoft 365 security center uses role-based access control, different roles will see cards that are more meaningful to their day to day jobs. This at-a-glance information helps you keep up with the latest activities in your organization. The Microsoft 365 security center brings together signals from different sources to present a holistic view of your Microsoft 365 environment.
-Loosely, the cards fall into these categories:
+The cards fall into these categories:
-- **Identities**- Monitor the identities in your organization and keep track of suspicious or risky behaviors. [Learn more about identity protection](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection)
+- **Identities**- Monitor the identities in your organization and keep track of suspicious or risky behaviors. [Learn more about identity protection](https://docs.microsoft.com/azure/active-directory/identity-protection/overview-identity-protection).
- **Data** - Help track user activity that could lead to unauthorized data disclosure. - **Devices** - Get up-to-date information on alerts, breach activity, and other threats on your devices.-- **Apps** - Gain insight into how cloud apps are being used in your organization. [Learn more about Cloud App Security discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps)
+- **Apps** - Gain insight into how cloud apps are being used in your organization. [Learn more about Cloud App Security discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps).
+
+## A centralized Learning Hub
+
+The Microsoft 365 security center includes a learning hub that bubbles up official guidance from resources such as the Microsoft security blog, the Microsoft security community on YouTube, and the official documentation at docs.microsoft.com.
+
+Inside the learning hub, Email & Collaboration (Microsoft Defender for Office 365 or MDO) guidance is side-by-side with Endpoint (Microsoft Defender for Endpoint or MDE), and Microsoft 365 Defender learning resources.
+
+The learning hub opens with Learning paths organized around topics such as ΓÇ£How to Investigate Using Microsoft 365 Defender?ΓÇ¥ and ΓÇ£Microsoft Defender for Office 365 Best PracticesΓÇ¥. This section is currently curated by the security Product Group inside Microsoft. Each Learning path reflects a projected time it takes to get through the concepts. For example 'Steps to take when a Microsoft Defender for Office 365 user account is compromised' is projected to take 8 minutes, and is valuable learning on the fly.
+
+After clicking through to the content, it may be useful to bookmark this site and organize bookmarks into a 'Security' or 'Critical' folder. To see all Learning paths, click the Show all link in the main panel.
+
+> [!NOTE]
+> There are helpful **filters** along the top of the Microsoft 365 security center learning hub that will let you choose between products (currently Microsoft 365 Defender, Microsoft Defender for Endpoint, and Microsoft Defender for Office 365). Notice that the number of learning resources for each section is listed, which can help learners keep track of how many resources they have at hand for training and learning.
+>
+> Along with the Product filter, current topics, types of resources (from videos to webinars), levels of familiarity or experience with security areas, security roles, and product features are listed.
+
+## Send us your feedback
-## Explore what the security center has to offer
+We need your feedback. We're always looking to improve, so if there's something you'd like to see, [send us your Microsoft 365 Defender feedback](https://www.microsoft.com/videoplayer/embed/RE4K5Ci).
-The Microsoft 365 security center includes:
+You can also leave feedback from this article. In the 'Feedback' section at the end under 'Submit and view feedback for', the options are *This product*, or *This page*.
-* **Home** ΓÇô Get at-a-glance view of the overall security health of your organization.
-* **Incidents** - See the broader story of an attack by connecting the dots seen on individual alerts on entities. You'll know exactly where an attack started, what devices are impacted, who was affected, and where the threat has gone.
-* **Alerts** ΓÇô Have greater visibility into all the alerts across your Microsoft 365 environment. Includes alerts from Microsoft Cloud App Security, Microsoft Defender for Office 365, Azure Active Directory, Microsoft Defender for Identity, and Microsoft Defender for Endpoint. Available to E3 and E5 customers.
-* **Action center** - Reduce the volume of alerts your security team must address manually, allowing your security operations team to focus on more sophisticated threats and other high-value initiatives.
-* **Reports** ΓÇô Get the detail and information you need to better protect your users, devices, apps, and more.
-* **Secure score** ΓÇô Improve your overall security posture with Microsoft Secure Score. This page provides an all up summary of the different security features and capabilities you've enabled and includes recommendations for areas to improve.
-* **Advanced hunting** ΓÇô Proactively search for malware, suspicious files, and activities in your Microsoft 365 organization.
-* **Classification** ΓÇô Help protect data loss by adding labels to classify documents, email messages, documents, sites, and more. When a label is applied (automatically or by the user), the content or site is protected based on the settings you choose. For example, you can create labels that encrypt files, add content marking, and control user access to specific sites.
-* **Policies** - Set up policies to manage devices, protect against threats, and receive alerts about various activities in your org.
-* **Permissions** - Manage who in your organization has access to view content and perform tasks in the Microsoft 365 security center. You can also assign Microsoft 365 permissions in the Azure AD Portal.
+Use the **This product** button for *product* feedback:
-## Learn more
+1. Select *This product* at the bottom of the article.
+ 1. Right-click the button and 'Open in a new tab' if you want to keep reading these directions.
+2. This will navigate to the **UserVoice forum**.
+3. You have 2 options:
+ 1. Scroll down to the text box *How can we improve compliance or protect your users better in Office 365?* and paste in *Microsoft 365 security center*. You can search the results for an idea like yours and up-vote it, or use the button for **Post a new idea**.
+ 1. If you feel certain this issue is already reported, and want to raise its profile with a vote (or votes), use the *Give Feedback* box on the right side of UserVoice. Search for *Microsoft 365 security center*, **find the issue, and use the vote button** to raise its status.
-Explore these topics about monitoring, reviewing, and responding to your security needs:
+Use *This page* for feedback on the article itself. Thanks for your feedback. Your voice helps us improve products.
-- Connect the dots on alerts through [Incidents](incident-queue.md)-- Automatically remediate threats using [Automated investigation and remediation](mtp-autoir.md)-- Review and improve your security posture holistically withΓÇ»[Microsoft Secure Score](microsoft-secure-score.md)-- View [devices](device-profile.md) on your network-- [Report](monitoring-and-reporting.md) the status of your identities, data, devices, apps, and infrastructure-- [Proactively hunt for threats](advanced-hunting-overview.md) for intrusion attempts and breach activity affecting your email, data, devices, and accounts-- [Understand the latest attack campaigns](latest-attack-campaigns.md) and techniques with threat analytics
+### Explore what the security center has to offer
-## See also
+Keep exploring the features and capabilities in the Microsoft 365 security center:
-- [Microsoft security portals](portals.md)
+- [Manage incidents and alerts](manage-incidents.md)
+- [Track and respond to emerging threats with threat analytics](threat-analytics.md)
+- [The Action center](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-action-center)
+- [Hunt for threats across devices, emails, apps, and identities](https://docs.microsoft.com/microsoft-365/security/mtp/advanced-hunting-query-emails-devices)
+- [Custom detection rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules)
+- [Email & collaboration alerts](https://docs.microsoft.com/microsoft-365/compliance/alert-policies#default-alert-policies)
+- [Create a phishing attack simulation](https://docs.microsoft.com/microsoft-365/security/office-365-security/attack-simulation-training) and [create a payload for training your teams](https://docs.microsoft.com/microsoft-365/security/office-365-security/attack-simulation-training-payloads)
+
+### Related information
+- [Microsoft 365 security center](overview-security-center.md)
+- [Microsoft Defender for Office 365 in the Microsoft 365 security center](microsoft-365-security-center-mdo.md)
+- [Microsoft Defender for Endpoint in the Microsoft 365 security center](microsoft-365-security-center-mde.md)
+- [Redirecting accounts from Microsoft Defender for Endpoint to the Microsoft 365 security center](microsoft-365-security-mde-redirection.md)
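Review bot: the feedback link under "Send us your feedback" ("[send us your Microsoft 365 Defender feedback](https://www.microsoft.com/videoplayer/embed/RE4K5Ci)") points at a video-player embed URL rather than a feedback form, which looks like a paste error; it should target the UserVoice page that the numbered steps below it describe. Wording fixes in the added text: "brining in signals from different workloads into a single, unified experiences" should read "bringing signals from different workloads into a single, unified experience"; "Access the Microsoft 365 security center is configured with Azure Active Directory global roles" should read "Access to the Microsoft 365 security center is configured with Azure Active Directory global roles"; the image alt text "showing see 16 impacted devices" has a stray "see", and the "Unified settings" alt text ("clicked 'Roles' and opened the Settings page ...") describes a click path rather than the image; and "Common controls and content either appear in the same place, or are condensed into one feed of data making it easier to find. For example, unified settings." leaves a fragment before the "Unified settings" heading. The removed NOTE that listed the roles needed to open the portal (Global Administrator, Security Administrator, Security Operator, Security Reader) is only partly replaced by the new "Permissions & roles" paragraph, which no longer names any role; keep the role list, since it is the first thing an administrator who cannot open the portal needs. Finally, the "Related information" list links to overview-security-center.md, which is this article, so that bullet can be dropped.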
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/preview.md
@@ -47,17 +47,17 @@ Turn on the preview experience setting to be among the first to try upcoming fea
2. Select **Microsoft 365 Defender**. - 3. Select **Preview features** > **Turn on preview features**.
-3. Select **Save**.
+4. Select **Save**.
You'll know you have preview features turned on when you see that the **Turn on preview features** check box is selected. ## Preview features The following features and enhancements are currently available on preview: -- **[Microsoft 365 Defender APIs](api-overview.md)** - The lop-level Microsoft 365 Defender APIs will enable you to automate workflows based on the shared incident and advanced hunting tables.
+- **[Microsoft 365 Defender threat analytics report](threat-analytics.md)** - Threat analytics helps you respond to and minimize the impact of active attacks. You can also learn about attack attempts blocked by Microsoft 365 Defender solutions and take preventive actions that mitigate the risk of further exposure and increase resiliency. As part of the unified security experience, threat analytics is now available for Microsoft Defender for Endpoint and Microsoft Defender for Office E5 license holders.
+- **[Microsoft 365 Defender APIs](api-overview.md)** - The top-level Microsoft 365 Defender APIs will enable you to automate workflows based on the shared incident and advanced hunting tables.
- **[Take action in advanced hunting](advanced-hunting-take-action.md)**ΓÇöQuickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md). - **[In-portal schema reference](advanced-hunting-schema-tables.md#get-schema-information-in-the-security-center)**ΓÇöGet information about advanced hunting schema tables directly in the security center. In addition to table and column descriptions, this reference includes supported event types (`ActionType` values) and sample queries. - **[DeviceFromIP() function](advanced-hunting-devicefromip-function.md)**ΓÇöGet information about which devices have been assigned a specific IP address or addresses at a given time range.
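Review bot: the new threat analytics bullet says "Microsoft Defender for Endpoint and Microsoft Defender for Office E5 license holders"; the product name is "Microsoft Defender for Office 365", so "365" is missing. The same bullet says threat analytics "is now available" while sitting under the "Preview features" heading; consider stating that it is in preview in the bullet itself, as the new threat-analytics-analyst-reports article in this change set does with its IMPORTANT box. The renumbering of "Select Save" from 3 to 4 is correct now that "Select Preview features > Turn on preview features" is step 3, and "lop-level" to "top-level" fixes the typo.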
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/threat-analytics-analyst-reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/threat-analytics-analyst-reports.md
@@ -0,0 +1,108 @@
+
+ Title: Understand the analyst report section in threat analytics
+
+description: Learn about the analyst report section of each threat analytics report. Understand how it provides information about threats, mitigations, detections, advanced hunting queries, and more.
+keywords: analyst report, threat analytics, detections, advanced hunting queries, mitigations,
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
++++
+# Understand the analyst report in threat analytics
++
+**Applies to:**
+- Microsoft 365 Defender
+
+> Want to experience Microsoft 365 Defender? You can [evaluate it in a lab environment](https://aka.ms/mtp-trial-lab) or [run your pilot project in production](https://aka.ms/m365d-pilotplaybook).
+>
+
+> [!IMPORTANT]
+> **Microsoft 365 Defender Threat analytics is currently in public preview**<br>
+> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain capabilities might not be supported or might have limitations.<br>
+> For more information, see [Preview features in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/preview).
++
+Each [threat analytics report](threat-analytics.md) includes dynamic sections and a comprehensive written section called the _analyst report_. To access this section, open the report about the tracked threat and select the **Analyst report** tab.
+
+![Image of the analyst report section of a threat analytics report](../../media/threat-analytics/ta_analystreport_mtp.png)
+
+_Analyst report section of a threat analytics report_
+
+## Scan the analyst report
+Each section of the analyst report is designed to provide actionable information. While reports vary, most reports include the sections described in the following table.
+
+| Report section | Description |
+|--|--|
+| Executive summary | Overview of the threat, including when it was first seen, its motivations, notable events, major targets, and distinct tools and techniques. You can use this information to further assess how to prioritize the threat in the context of your industry, geographic location, and network. |
+| Analysis | Technical information about the threats, including the details of an attack and how attackers might utilize a new technique or attack surface |
+| MITRE ATT&CK techniques observed | How observed techniques map to the [MITRE ATT&CK attack framework](https://attack.mitre.org/) |
+| [Mitigations](#apply-additional-mitigations) | Recommendations that can stop or help reduce the impact of the threat. This section also includes mitigations that aren't tracked dynamically as part of the threat analytics report. |
+| [Detection details](#understand-how-each-threat-can-be-detected) | Specific and generic detections provided by Microsoft security solutions that can surface activity or components associated with the threat. |
+| [Advanced hunting](#find-subtle-threat-artifacts-using-advanced-hunting) | [Advanced hunting queries](advanced-hunting-overview.md) for proactively identifying possible threat activity. Most queries are provided to supplement detections, especially for locating potentially malicious components or behaviors that couldn't be dynamically assessed to be malicious. |
+| References | Microsoft and third-party publications referenced by analysts during the creation of the report. Threat analytics content is based on data validated by Microsoft researchers. Information from publicly available, third-party sources are identified clearly as such. |
+| Change log | The time the report was published and when significant changes were made to the report. |
+
+## Apply additional mitigations
+Threat analytics dynamically tracks the [status of security updates and secure configurations](threat-analytics.md#mitigations-review-list-of-mitigations-and-the-status-of-your-devices). This information is available as charts and tables in the **Mitigations** tab.
+
+In addition to these tracked mitigations, the analyst report also discusses mitigations that are _not_ dynamically monitored. Here are some examples of important mitigations that are not dynamically tracked:
+
+- Block emails with _.lnk_ attachments or other suspicious file types
+- Randomize local administrator passwords
+- Educate end users about phishing email and other threat vectors
+- Turn on specific [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
+
+While you can use the **Mitigations** tab to assess your security posture against a threat, these recommendations let you take additional steps towards improving your security posture. Carefully read all the mitigation guidance in the analyst report and apply them whenever possible.
+
+## Understand how each threat can be detected
+The analyst report also provides the detections from Microsoft Defender for Endpoint antivirus and _endpoint detection and response_ (EDR) capabilities.
+
+### Antivirus detections
+These detections are available on devices with [Microsoft Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) turned on. When these detections occur on devices that have been onboarded to Microsoft Defender for Endpoint, they also trigger alerts that light up the charts in the report.
+
+>[!NOTE]
+>The analyst report also lists **generic detections** that can identify a wide-range of threats, in addition to components or behaviors specific to the tracked threat. These generic detections don't reflect in the charts.
+
+### Endpoint detection and response (EDR) alerts
+EDR alerts are raised for [devices onboarded to Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/onboard-configure). These alerts generally rely on security signals collected by the Microsoft Defender for Endpoint sensor and other endpoint capabilitiesΓÇösuch as antivirus, network protection, tamper protectionΓÇöthat serve as powerful signal sources.
+
+Like the list of antivirus detections, some EDR alerts are designed to generically flag suspicious behavior that might not be associated with the tracked threat. In such cases, the report will clearly identify the alert as "generic" and that it doesn't influence any of the charts in the report.
+
+### Email-related detections and mitigations
+Email-related detections and mitigations from Microsoft Defender for Office 365, are included in analyst reports in addition to the endpoint data already available from Microsoft Defender for Endpoint.
+
+Prevented email attempt information gives you insights on whether your organization were a target of the threat tackled in the analyst report even if the attack has been effectively blocked before delivery or delivered to the junk mail folder.
+
+## Find subtle threat artifacts using advanced hunting
+While detections allow you to identify and stop the tracked threat automatically, many attack activities leave subtle traces that require additional inspection. Some attack activities exhibit behaviors that can also be normal, so detecting them dynamically can result in operational noise or even false positives.
+
+[Advanced hunting](advanced-hunting-overview.md) provides a query interface based on Kusto Query Language that simplifies locating subtle indicators of threat activity. It also allows you to surface contextual information and verify whether indicators are connected to a threat.
+
+Advanced hunting queries in the analyst reports have been vetted by Microsoft analysts and are ready for you to run in the [advanced hunting query editor](https://security.microsoft.com/advanced-hunting). You can also use the queries to create [custom detection rules](custom-detection-rules.md) that trigger alerts for future matches.
++
+>[!NOTE]
+> Threat analytics is also available in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-analytics). However, it does not have the data integration between Microsoft Defender for Office and Microsoft Defender for Endpoint that Microsoft 365 Defender Threat analytics has.
++
+## Related topics
+- [Threat analytics overview](threat-analytics.md)
+- [Proactively find threats with advanced hunting](advanced-hunting-overview.md)
+- [Custom detection rules](custom-detection-rules.md)
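Review bot: grammar and product-name fixes for the new file: "Information from publicly available, third-party sources are identified clearly as such" should read "is identified"; "insights on whether your organization were a target" should read "was a target"; and the closing NOTE's "Microsoft Defender for Office and Microsoft Defender for Endpoint" should read "Microsoft Defender for Office 365". In the front matter, the list items "- M365-security-compliance" and "- m365initiative-m365-defender" have no parent key above them (presumably a collection key that was lost), and the "++" lines indicate stray blank added lines; check that the YAML header still parses. On the "Find subtle threat artifacts using advanced hunting" section: the article tells readers to turn the vetted queries into custom detection rules, but the table above describes most queries as supplements that locate components or behaviors "that couldn't be dynamically assessed to be malicious"; add the same caveat given for "generic" detections, namely that these queries can match benign activity and should be tuned for the environment before they become alerting rules.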
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/threat-analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/threat-analytics.md
@@ -0,0 +1,179 @@
+
+ Title: Track and respond to emerging threats with threat analytics
+
+description: Learn about emerging threats and attack techniques and how to stop them. Assess their impact to your organization and evaluate your organizational resilience.
+keywords: threat analytics, risk evaluation, Microsoft 365 Defender, M365D, mitigation status, secure configuration, Microsoft Defender for Office 365, Microsoft Defender for Office 365 threat analytics, MDO threat analytics, integrated MDE and MDO threat analytics data, threat analytics data integration, integrated Microsoft 365 Defender threat analytics
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+f1.keywords:
+- NOCSH
++
+ms.localizationpriority: medium
+
+audience: ITPro
+
+- M365-security-compliance
+- m365initiative-m365-defender
++++
+# Track and respond to emerging threats with threat analytics
++
+**Applies to:**
+- Microsoft 365 Defender
+
+> Want to experience Microsoft 365 Defender? You can [evaluate it in a lab environment](https://aka.ms/mtp-trial-lab) or [run your pilot project in production](https://aka.ms/m365d-pilotplaybook).
+>
+++
+Threat analytics is our in-product threat intelligence solution from expert Microsoft security researchers, designed to assist security teams to be as efficient as possible while facing emerging threats, including:
+
+- Active threat actors and their campaigns
+- Popular and new attack techniques
+- Critical vulnerabilities
+- Common attack surfaces
+- Prevalent malware
+
+Watch this short video to learn more about how threat analytics can help you track the latest threats and stop them.
+
+>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWwJfU]
+
+You can access Threat analytics either from the upper left-hand side of Microsoft 365 security portalΓÇÖs navigation bar, or from a dedicated dashboard card which shows the top threats in your org. Getting visibility on active or ongoing campaigns and knowing what to do through threat analytics can help equip your security operations team with informed decisions.
+
+![Image of the threat analytics dashboard](../../media/threat-analytics/ta_inlandingpage_mtp.png)
+
+_Where to access Threat analytics_
+
+With more sophisticated adversaries and new threats emerging frequently and prevalently, it's critical to be able to quickly:
+
+- Identify and react to emerging threats
+- Learn if you are currently under attack
+- Assess the impact of the threat to your assets
+- Review your resilience against or exposure to the threats
+- Identify the mitigation, recovery, or prevention actions you can take to stop or contain the threats
+
+Each report provides an analysis of a tracked threat and extensive guidance on how to defend against that threat. It also incorporates data from your network, indicating whether the threat is active and if you have applicable protections in place.
+
+## View the threat analytics dashboard
+
+The threat analytics dashboard ([security.microsoft.com/threatanalytics3](https://security.microsoft.com/threatanalytics3)) highlights the reports that are most relevant to your organization. It summarizes the threats in the following sections:
+
+- **Latest threats**ΓÇölists the most recently published or updated threat reports, along with the number of active and resolved alerts.
+- **High-impact threats**ΓÇölists the threats that have the highest impact to your organization. This section lists threats with the highest number of active and resolved alerts first.
+- **Threat summary**ΓÇöprovides the overall impact of all tracked threats by showing the number of threats with active and resolved alerts.
+
+Select a threat from the dashboard to view the report for that threat.
+
+![Screenshot of threat analytics dashboard](../../media/threat-analytics/ta_dashboard_mtp.png)
+
+_Threat analytics dashboard. You can also click the Search icon to key in a keyword related to the threat analytics report that you'd like to read._
+
+## View a threat analytics report
+
+Each threat analytics report provides information in several sections:
+
+- [**Overview**](#overview-quickly-understand-the-threat-assess-its-impact-and-review-defenses)
+- [**Analyst report**](#analyst-report-get-expert-insight-from-microsoft-security-researchers)
+- [**Related incidents**](#related-incidents-view-and-manage-related-incidents)
+- [**Impacted assets**](#impacted-assets-get-list-of-impacted-devices-and-mailboxes)
+- [**Prevented email attempts**](#prevented-email-attempts-view-blocked-or-junked-threat-emails)
+- [**Mitigations**](#mitigations-review-list-of-mitigations-and-the-status-of-your-devices)
+
+### Overview: Quickly understand the threat, assess its impact, and review defenses
+
+The **Overview** section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization and your exposure through misconfigured and unpatched devices.
+
+![Image of the overview section of a threat analytics report](../../media/threat-analytics/ta_overview_mtp.png)
+
+_Overview section of a threat analytics report_
+
+#### Assess impact on your organization
+Each report includes charts designed to provide information about the organizational impact of a threat:
+- **Related incidents**ΓÇöprovides an overview of the impact of the tracked threat to your organization with the following data:
+ - Number of active alerts and the number of active incidents they are associated with
+ - Severity of active incidents
+- **Alerts over time**ΓÇöshows the number of related **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days.
+- **Impacted assets**ΓÇöshows the number of distinct devices and email accounts (mailboxes) that currently have at least one active alert associated with the tracked threat. Alerts are triggered for mailboxes that received threat emails. Review both org- and user-level policies for overrides that cause the delivery of threat emails.
+- **Prevented email attempts**ΓÇöshows the number of emails from the past seven days that were either blocked before delivery or delivered to the junk mail folder.
+
+#### Review security resilience and posture
+Each report includes charts that provide an overview of how resilient your organization is against a given threat:
+- **Secure configuration status**ΓÇöshows the number of devices with misconfigured security settings. Apply the recommended security settings to help mitigate the threat. Devices are considered **Secure** if they have applied _all_ the tracked settings.
+- **Vulnerability patching status**ΓÇöshows the number of vulnerable devices. Apply security updates or patches to address vulnerabilities exploited by the threat.
+
+### Analyst report: Get expert insight from Microsoft security researchers
+In the **Analyst report** section, read through the detailed expert write-up. Most reports provide detailed descriptions of attack chains, including tactics and techniques mapped to the MITRE ATT&CK framework, exhaustive lists of recommendations, and powerful [threat hunting](advanced-hunting-overview.md) guidance.
+
+[Learn more about the analyst report](threat-analytics-analyst-reports.md)
+
+### Related incidents: View and manage related incidents
+The **Related incidents** tab provides the list of all incidents related to the tracked threat. You can assign incidents or manage alerts linked to each incident.
+
+![Image of the related incidents section of a threat analytics report](../../media/threat-analytics/ta_related_incidents_mtp.png)
+
+_Related incidents section of a threat analytics report_
+
+### Impacted assets: Get list of impacted devices and mailboxes
+An asset is considered impacted if it is affected by an active, unresolved alert. The **Impacted assets** tab lists the following types of impacted assets:
+- **Impacted devices**ΓÇöendpoints that have unresolved Microsoft Defender for Endpoint alerts. These alerts typically fire on sightings of known threat indicators and activities.
+- **Impacted mailboxes**ΓÇömailboxes that have received email messages that have triggered Microsoft Defender for Office 365 alerts. While most messages that trigger alerts are typically blocked, user- or org-level policies can override filters.
+
+![Image of the impacted assets section of a threat analytics report](../../media/threat-analytics/ta_impacted_assets_mtp.png)
+
+_Impacted assets section of a threat analytics report_
+
+### Prevented email attempts: View blocked or junked threat emails
+Microsoft Defender for Office 365 typically blocks emails with known threat indicators, including malicious links or attachments. In some cases, proactive filtering mechanisms that check for suspicious content will instead send threat emails to the junk mail folder. In either case, the chances of the threat launching malware code on the device is reduced.
+
+The **Prevented email attempts** tab lists all the emails that have either been blocked before delivery or sent to the junk mail folder by Microsoft Defender for Office 365.
+
+![Image of the prevented email attempts section of a threat analytics report](../../media/threat-analytics/ta_prevented_email_attempts_mtp.png)
+
+_Prevented email attempts section of a threat analytics report_
+
+### Mitigations: Review list of mitigations and the status of your devices
+In the **Mitigations** section, review the list of specific actionable recommendations that can help you increase your organizational resilience against the threat. The list of tracked mitigations includes:
+
+- **Security updates**ΓÇödeployment of supported software security updates for vulnerabilities found on onboarded devices
+- **Supported security configurations**
+ - Cloud-delivered protection
+ - Potentially unwanted application (PUA) protection
+ - Real-time protection
+
+Mitigation information in this section incorporates data from [threat and vulnerability management](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt), which also provides detailed drill-down information from various links in the report.
+
+![Image of the mitigations section of a threat analytics report showing secure configuration details](../../media/threat-analytics/ta_mitigations_mtp.png)
+![Image of the mitigations section of a threat analytics report showing vulnerability details](../../media/threat-analytics/ta_mitigations_mtp2.png)
+
+_Mitigations section of a threat analytics report_
+
+## Additional report details and limitations
+>[!NOTE]
+>As part of the unified security experience, threat analytics is now available not just for Microsoft Defender for Endpoint, but also for Microsoft Defender for Office E5 license holders.
+>If you are not using the Microsoft 365 security portal (Microsoft 365 Defender), you can also see the report details (without the Microsoft Defender for Office data) in the Microsoft Defender Security Center portal (Microsoft Defender for Endpoint).
+
+To access threat analytics report you need certain roles and permissions. See [Custom roles in role-based access control for Microsoft 365 Defender](custom-roles.md) for details.
+ - To view alerts, incidents, or impacted assets data, you need to have permissions to Microsoft Defender for Office or Microsoft Defender for Endpoint alerts data, or both.
+ - To view prevented email attempts, you need to have permissions to Microsoft Defender for Office hunting data.
+ - To view mitigations, you need to have permissions to threat and vulnerability management data in Microsoft Defender for Endpoint.
+
+When looking at the threat analytics data, remember the following factors:
+- Charts reflect only mitigations that are tracked. Check the report overview for additional mitigations that are not shown in the charts.
+- Mitigations don't guarantee complete resilience. The provided mitigations reflect the best possible actions needed to improve resiliency.
+- Devices are counted as "unavailable" if they have not transmitted data to the service.
+- Antivirus-related statistics are based on Microsoft Defender Antivirus settings. Devices with third-party antivirus solutions can appear as "exposed".
+
+## Related topics
+- [Proactively find threats with advanced hunting](advanced-hunting-overview.md)
+- [Understand the analyst report section](threat-analytics-analyst-reports.md)
+- [Assess and resolve security weaknesses and exposures](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
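Review bot: the added body text carries the mojibake sequences `ΓÇÖ` and `ΓÇö` where an apostrophe and an em dash belong (`security portalΓÇÖs navigation bar`, `**Latest threats**ΓÇölists`, `**Related incidents**ΓÇöprovides`, and every other bold-term bullet down to `**Security updates**ΓÇödeployment`), so the file was written or converted with the wrong encoding; save it as UTF-8 or use plain ASCII such as `portal's` and `**Latest threats**: lists`. Two smaller points in the same file: the note and permissions bullets say "Microsoft Defender for Office" (`Microsoft Defender for Office E5 license holders`, `Microsoft Defender for Office hunting data`) while the rest of the page says "Microsoft Defender for Office 365", and the sentence `To access threat analytics report you need certain roles and permissions` is missing the plural and a comma, with its three sub-bullets indented by a single space so they will not render as a list nested under that paragraph; make them a top-level list directly after the sentence.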
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/whats-new https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/whats-new.md
@@ -35,6 +35,8 @@ https://docs.microsoft.com/api/search/rss?search=%22Lists+the+new+features+and+f
``` > Want to experience Microsoft 365 Defender? You can [evaluate it in a lab environment](https://aka.ms/mtp-trial-lab) or [run your pilot project in production](https://aka.ms/m365d-pilotplaybook) >
+## February 2021
+- (Preview) The enhanced [Microsoft 365 security center (https://security.microsoft.com)](https://security.microsoft.com) is now available in public preview. This new experience brings Defender for Endpoint and Defender for Office 365 to the center. [Learn more about what's changed](https://docs.microsoft.com/microsoft-365/security/mtp/overview-security-center).
## September 2020 - [IdentityDirectoryEvents table](advanced-hunting-identitydirectoryevents-table.md) <br> Find events involving an on-premises domain controller running Active Directory (AD). This [advanced hunting](advanced-hunting-overview.md) schema table covers a range of identity-related events and system events on the domain controller.
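Review bot: the link text in the new February 2021 entry repeats its own target, `[Microsoft 365 security center (https://security.microsoft.com)](https://security.microsoft.com)`, so the rendered page and screen readers get the address twice; shorten it to `[Microsoft 365 security center](https://security.microsoft.com)`. It would also help to say in one sentence what "brings Defender for Endpoint and Defender for Office 365 to the center" means for readers still working in the Security & Compliance Center during the preview, since this entry is the only place on the page that announces the portal change.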
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/air-custom-reporting https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-custom-reporting.md
@@ -1,8 +1,8 @@
Title: Using custom reporting solutions with automated investigation and response
+ Title: Custom reporting solutions with automated investigation and response
keywords: SIEM, API, AIR, autoIR, ATP, automated investigation, integration, custom report f1.keywords:
- - NOCSH
+- NOCSH
@@ -10,32 +10,27 @@ audience: ITPro
localization_priority: Normal search.appverid:
- - MET150
- - MOE150
+- MET150
+- MOE150
- - M365-security-compliance
- - m365initiative-defender-office365
+- M365-security-compliance
+- m365initiative-defender-office365
description: Learn how to integrate automated investigation and response with a custom or third-party reporting solution. Previously updated : 09/29/2020 Last updated : 01/29/2021
- - air
+- air
ms.technology: mdo ms.prod: m365-security
-# Use the Management Activity API for custom or third-party reporting solutions
+# Custom or third-party reporting solutions for Microsoft Defender for Office 365
+With [Microsoft Defender for Office 365](office-365-atp.md), you get [detailed information about automated investigations](air-view-investigation-results.md). However, some organizations also use a custom or third-party reporting solution. If your organization wants to integrate information about [automated investigations](office-365-air.md) with such a solution, you can use the Office 365 Management Activity API.
-
-With [Microsoft Defender for Office 365](office-365-atp.md), you get [detailed information about automated investigations](air-view-investigation-results.md). However, some organizations also use a custom or third-party reporting solution. If your organization wants to integrate information about automated investigations with such a solution, you can use the Office 365 Management Activity API.
-
-Use the following resources to set this up:
-
-****
+Resources to configure integration
|Resource|Description|
-|||
+|:|:|
|[Office 365 Management APIs overview](https://docs.microsoft.com/office/office-365-management-api/office-365-management-apis-overview)|The Office 365 Management Activity API provides information about various user, admin, system, and policy actions and events from Microsoft 365 and Azure Active Directory activity logs.| |[Get started with Office 365 Management APIs](https://docs.microsoft.com/office/office-365-management-api/get-started-with-office-365-management-apis)|The Office 365 Management API uses Azure AD to provide authentication services for your application to access Microsoft 365 data. Follow the steps in this article to set this up.| |[Office 365 Management Activity API reference](https://docs.microsoft.com/office/office-365-management-api/office-365-management-activity-api-reference)|You can use the Office 365 Management Activity API to retrieve information about user, admin, system, and policy actions and events from Microsoft 365 and Azure AD activity logs. Read this article to learn more about how this works.|
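Review bot: the replacement line `Resources to configure integration` is neither a heading nor a sentence and sits directly above `|Resource|Description|` with no blank line, so Markdown will treat it as paragraph text attached to the table, and some renderers will not start the table at all; either make it a heading (`## Resources to configure integration`) or keep the removed lead-in `Use the following resources to set this up:` followed by a blank line before the table.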
@@ -45,5 +40,4 @@ Use the following resources to set this up:
## See also - [Microsoft Defender for Office 365](office-365-atp.md)- - [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/air-remediation-actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-remediation-actions.md
@@ -15,60 +15,53 @@ search.appverid:
- M365-security-compliance - m365initiative-defender-office365
-description: Learn about remediation actions following automated investigation in Microsoft Defender for Office 365.
Previously updated : 01/21/2021
+description: "Learn about remediation actions following automated investigation in Microsoft Defender for Office 365."
Last updated : 01/29/2021 - air ms.technology: mdo ms.prod: m365-security
-# Remediation actions following automated investigation in Microsoft Defender for Office 365
--
+# Remediation actions in Microsoft Defender for Office 365
## Remediation actions
-[Automated investigation and response capabilities](office-365-air.md) (AIR) in [Microsoft Defender for Office 365](office-365-atp.md) include certain remediation actions. Whenever an automated investigation is running or has completed, you'll typically see one or more remediation actions that require approval by your security operations team to proceed. Such remediation actions can include:
+Threat protection features in [Microsoft Defender for Office 365](office-365-atp.md) include certain remediation actions. Such remediation actions can include:
- Soft delete email messages or clusters - Block URL (time-of-click) - Turn off external mail forwarding - Turn off delegation
-> [!NOTE]
-> In Microsoft Defender for Office 365, automated investigations do not result in remediation actions that are taken automatically. Remediation actions are taken only upon approval by your organization's security operations team.
+In Microsoft Defender for Office 365, remediation actions are not taken automatically. Instead, remediation actions are taken only upon approval by your organization's security operations team.
## Threats and remediation actions
-The table in this section summarizes threats and appropriate remediation actions in Microsoft Defender for Office 365. In some cases, an automated investigation does not result in a specific remediation action. Your security operations team can further investigate and take appropriate actions as described in the table below.
+Microsoft Defender for Office 365 includes remediation actions to address various threats. Automated investigations often result in one or more remediation actions to review and approve. In some cases, an automated investigation does not result in a specific remediation action. To further investigate and take appropriate actions, use the guidance in the following table.
|Category|Threat/risk|Remediation action(s)| |:|:|:|
-|Email|Malware|Soft delete email/clusterΓÇï <br> If more than a handful of email messages in a cluster contain malware, the cluster is considered to be malicious.ΓÇï|
-|Email|Malicious URLΓÇï <br> (A malicious URL was detected by [Safe Links in Microsoft Defender for Office 365](atp-safe-links.md)).|Soft delete email/clusterΓÇï <p> Email that contains a malicious URL is considered to be maliciousΓÇï.|
-|Email|Phish|Soft delete email/clusterΓÇï <br> If more than a handful of email messages in a cluster contain phishing attempts, the cluster is considered phish.ΓÇï|
-|Email|Zapped phishΓÇï <br> (Email messages were delivered and [zappedΓÇï](zero-hour-auto-purge.md).)|Soft delete email/clusterΓÇï <p> Reports are available to view zapped messages. [See if ZAP moved a message and FAQs](zero-hour-auto-purge.md#how-to-see-if-zap-moved-your-message).|
+|Email|Malware|Soft delete email/clusterΓÇï <p> If more than a handful of email messages in a cluster contain malware, the cluster is considered to be malicious.ΓÇï|
+|Email|Malicious URLΓÇï<br/>(A malicious URL was detected by [Safe Links](atp-safe-links.md).)|Soft delete email/clusterΓÇï <p>Email that contains a malicious URL is considered to be maliciousΓÇï.|
+|Email|Phish|Soft delete email/clusterΓÇï <p> If more than a handful of email messages in a cluster contain phishing attempts, the whole cluster is considered a phishing attempt.ΓÇï|
+|Email|Zapped phishΓÇï <br>(Email messages were delivered and then [zappedΓÇï](zero-hour-auto-purge.md).)|Soft delete email/clusterΓÇï <p>Reports are available to view zapped messages. [See if ZAP moved a message and FAQs](zero-hour-auto-purge.md#how-to-see-if-zap-moved-your-message).|
|Email|Missed phish email [reported](enable-the-report-message-add-in.md) by a user|[Automated investigation triggered by the user's report](automated-investigation-response-office.md#example-a-user-reported-phish-message-launches-an-investigation-playbook)|
-|Email|Volume anomalyΓÇï <br> (Recent email quantities exceed the previous 7-10 days for matching criteria.ΓÇï)|Automated investigation does not result in a specific pending action. <p> Volume anomaly is not a clear threat, but is merely an indication of larger email volumes in recent days compared to the last 7-10 days. Although volume anomaly can indicate potential issues, confirmation is needed in terms of either malicious verdicts or a manual review of email messages/clusters. See [Find suspicious email that was delivered](investigate-malicious-email-that-was-delivered.md#find-suspicious-email-that-was-delivered).|
-|Email|No threats found <br> (The system did not find any threats based on files, urls, or analysis of email cluster verdicts.ΓÇï)|Automated investigation does not result in a specific pending action. <p> Threats found and [zapped](zero-hour-auto-purge.md) after an investigation is complete are not reflected in an investigation's numerical findings, but such threats are viewable in [Threat Explorer](threat-explorer.md).ΓÇï|
-|User|A user clicked a malicious URL <br> (A user navigated to a page that was later found to be malicious, or a user bypassed a [Safe Links warning page](atp-safe-links.md#warning-pages-from-safe-links) to get to a malicious page.ΓÇï)|Automated investigation does not result in a specific pending action. <p> Use Threat Explorer to [view data about URLs and click verdicts](threat-explorer.md#view-phishing-url-and-click-verdict-data). <p> If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/), consider [investigating the user](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-user) to determine if their account is compromised.|
+|Email|Volume anomalyΓÇï <br> (Recent email quantities exceed the previous 7-10 days for matching criteria.ΓÇï)|Automated investigation does not result in a specific pending action. <p>Volume anomaly is not a clear threat, but is merely an indication of larger email volumes in recent days compared to the last 7-10 days. <p>Although a high volume of email can indicate potential issues, confirmation is needed in terms of either malicious verdicts or a manual review of email messages/clusters. See [Find suspicious email that was delivered](investigate-malicious-email-that-was-delivered.md#find-suspicious-email-that-was-delivered).|
+|Email|No threats found <br> (The system did not find any threats based on files, URLs, or analysis of email cluster verdicts.ΓÇï)|Automated investigation does not result in a specific pending action. <p>Threats found and [zapped](zero-hour-auto-purge.md) after an investigation is complete are not reflected in an investigation's numerical findings, but such threats are viewable in [Threat Explorer](threat-explorer.md).ΓÇï|
+|User|A user clicked a malicious URL <br> (A user navigated to a page that was later found to be malicious, or a user bypassed a [Safe Links warning page](atp-safe-links.md#warning-pages-from-safe-links) to get to a malicious page.ΓÇï)|Automated investigation does not result in a specific pending action. <p>Use Threat Explorer to [view data about URLs and click verdicts](threat-explorer.md#view-phishing-url-and-click-verdict-data). <p>If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/), consider [investigating the user](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-user) to determine if their account is compromised.|
|User|A user is sending malware/phish|Automated investigation does not result in a specific pending action. <p> The user might be reporting malware/phish, or someone could be [spoofing the user](anti-spoofing-protection.md) as part of an attack. Use [Threat Explorer](threat-explorer.md) to view and handle email containing [malware](threat-explorer-views.md#email--malware) or [phish](threat-explorer-views.md#email--phish).| |User|Email forwarding <br> (Mailbox forwarding rules are configured, which could be used for data exfiltrationΓÇï.)|Remove forwarding ruleΓÇï <p> Use [mail flow insights](mail-flow-insights-v2.md), including the [Autoforwarded messages report](mfi-auto-forwarded-messages-report.md), to view more specific details about forwarded email.| |User|Email delegation rulesΓÇï <br> (A user's account has delegation set up.)|Remove delegation ruleΓÇï <p> If your organization is using [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/), consider [investigating the user](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/investigate-user) who's getting the delegation permission.ΓÇï| |User|Data exfiltration <br> (A user violated email or file-sharing [DLP policies](https://docs.microsoft.com/microsoft-365/compliance/data-loss-prevention-policies).)|Automated investigation does not result in a specific pending action. <p> [View DLP reports and take action](https://docs.microsoft.com/microsoft-365/compliance/view-the-dlp-reports).| |User|Anomalous email sending <br> (A user recently sent more email than during the previous 7-10 days.)|Automated investigation does not result in a specific pending action. <p> Sending a large volume of email isn't malicious by itself; the user might just have sent email to a large group of recipients for an event. 
To investigate, use [mail flow insights](mail-flow-insights-v2.md), including the [mail flow map report](mfi-mail-flow-map-report.md) to determine what's going on and take action.|
-|
## Next steps - [View details and results of an automated investigation in Microsoft Defender for Office 365](air-view-investigation-results.md)- - [View pending or completed remediation actions following an automated investigation in Microsoft Defender for Office 365](air-review-approve-pending-completed-actions.md) ## Related articles - [Learn about automated investigation in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations)- - [Learn about capabilities in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/microsoft-threat-protection)
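Review bot: the rewritten intro drops the `> [!NOTE]` callout around the statement that remediation actions are never taken automatically and run only after approval by the security operations team; that sentence is the page's key safety property for anyone deciding whether to enable automated investigation, so keep it in a callout (`> [!IMPORTANT]` would fit) rather than demoting it to body text. The new intro also no longer links to `office-365-air.md` even though the "Threats and remediation actions" section immediately relies on the reader knowing what an automated investigation is; restore the link at first mention.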
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/air-report-false-positives-negatives https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-report-false-positives-negatives.md
@@ -8,35 +8,32 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.pagetype: security f1.keywords:
- - NOCSH
+- NOCSH
Previously updated : 09/29/2020 Last updated : 01/29/2021 ms.localizationpriority: medium audience: ITPro
- - M365-security-compliance
- - m365initiative-defender-office365
-
+- M365-security-compliance
+- m365initiative-defender-office365
+
- - autoir
+- autoir
ms.technology: mdo # How to report false positives/negatives in automated investigation and response capabilities -- **Applies to:** - Microsoft Defender for Office 365
-Did [automated investigation and response (AIR) capabilities in Office 365](automated-investigation-response-office.md) miss or wrongly detect something? There are steps you can take to fix it. You can:
+If [automated investigation and response (AIR) capabilities in Office 365](automated-investigation-response-office.md) missed or wrongly detected something, there are steps your security operations team can take to fix it. Such actions include:
-- [Report a false positive/negative to Microsoft](#report-a-false-positivenegative-to-microsoft-for-analysis);-- [Adjust your alerts](#adjust-an-alert-to-prevent-false-positives-from-recurring) (if needed); and-- [Undo remediation actions that were taken](#undo-a-remediation-action).
+- [Reporting a false positive/negative to Microsoft](#report-a-false-positivenegative-to-microsoft-for-analysis);
+- [Adjusting alerts](#adjust-an-alert-to-prevent-false-positives-from-recurring) (if needed); and
+- [Undoing remediation actions that were taken](#undo-a-remediation-action).
Use this article as a guide.
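Review bot: the new bullets under `Such actions include:` end with `;`, `; and` and `.`, turning the list into one run-on sentence, which is not how the other lists in this commit are formatted; drop the trailing punctuation. The heading `# How to report false positives/negatives in automated investigation and response capabilities` and the link text `capabilities in Office 365` are left as they were, while the sibling pages in this commit are retitled to name Microsoft Defender for Office 365; consider aligning them for consistency.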
@@ -54,7 +51,7 @@ If your organization is using [Microsoft Defender for Endpoint](https://docs.mic
## Undo a remediation action
-In most cases, if a remediation action was taken on an email message, email attachment, or URL, and the item is actually not a threat, your security operations team can undo the remediation action and take steps to prevent the false positive from recurring. You can either use [Threat Explorer](#undo-an-action-using-threat-explorer) or the [Actions tab for an investigation](#undo-an-action-using-the-actions-tab-for-an-investigation) to undo an action.
+In most cases, if a remediation action was taken on an email message, email attachment, or URL, and the item is actually not a threat, your security operations team can undo the remediation action and take steps to prevent the false positive from recurring. You can either use [Threat Explorer](#undo-an-action-using-threat-explorer) or the [Actions tab for an investigation](#undo-an-action-in-the-action-center) to undo an action.
> [!IMPORTANT] > Make sure you have the necessary permissions before attempting to perform the following tasks.
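Review bot: the anchor is updated to `#undo-an-action-in-the-action-center` but the link text still reads "the Actions tab for an investigation", which is the UI element the later hunk removes from this page; change the text to match the new section title, e.g. `the [Action center](#undo-an-action-in-the-action-center)`.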
@@ -63,32 +60,23 @@ In most cases, if a remediation action was taken on an email message, email atta
With Threat Explorer, your security operations team can find an email affected by an action and potentially undo the action.
-****
- |Scenario|Undo Options|Learn more| ||||
-|An email message was routed to a user's Junk Email folder|<ul><li>Move the message to the user's Deleted Items folder</li><li>Move the message to the user's Inbox</li><li>Delete the message</li></ul>|[Find and investigate malicious email that was delivered in Office 365](investigate-malicious-email-that-was-delivered.md)|
-|An email message or a file was quarantined|<ul><li>Release the email or file</li><li>Delete the email or file</li></ul>|[Manage quarantined messages as an admin](manage-quarantined-messages-and-files.md)|
+|An email message was routed to a user's Junk Email folder|- Move the message to the user's Deleted Items folder<br/>- Move the message to the user's Inbox<br/>- Delete the message|[Find and investigate malicious email that was delivered in Office 365](investigate-malicious-email-that-was-delivered.md)|
+|An email message or a file was quarantined|- Release the email or file<br/>- Delete the email or file|[Manage quarantined messages as an admin](manage-quarantined-messages-and-files.md)|
|
-### Undo an action using the Actions tab for an investigation
+### Undo an action in the Action center
In the Action center, you can see remediation actions that were taken and potentially undo the action.
-1. Go to <https://protection.office.com> and sign in. This takes you to the Security & Compliance Center.
-
-2. Go to **Threat management** \> **Investigations**.
-
-3. In the list of investigations, select the **Open in new window** icon next to an item's ID.
-
-4. Select the **Actions** tab.
-
-5. Select an item that has status of **Completed**, and look for a link, such as **Approved**, in the **Decision** column. This opens a flyout with more details about the action.
-
-6. To undo the action, select **Delete remediation**.
-
-## Related articles
+1. Go to the Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)).
+2. In the navigation pane, select **Action center**.
+3. Select the **History** tab to view the list of completed actions.
+4. Select an item. Its flyout pane opens.
+5. In the flyout pane, select **Undo**. (Only actions that can be undone will have an **Undo** button.)
-[Microsoft Defender for Office 365](office-365-atp.md)
+## See also
-[AIR in Microsoft Defender for Office 365](office-365-air.md)
+- [Microsoft Defender for Office 365](office-365-atp.md)
+- [Automated investigations in Microsoft Defender for Office 365](office-365-air.md)
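Review bot: the unchanged line consisting of a lone `|` after the Threat Explorer table is the same stray row that this commit removes from air-remediation-actions; remove it here too, or it renders as an empty table row. The swap of `<ul><li>` for `- Move the message to the user's Deleted Items folder<br/>- Move the message to the user's Inbox<br/>- Delete the message` inside a table cell produces literal hyphens rather than a bulleted list, because Markdown list markers are not parsed inside cells; acceptable, but confirm that rendering is intended. Since the `[!IMPORTANT]` note above still says "Make sure you have the necessary permissions", the new Action center procedure would benefit from a link to the relevant permissions article next to step 1.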
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/air-review-approve-pending-completed-actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-review-approve-pending-completed-actions.md
@@ -1,56 +1,70 @@
Title: Review and approve pending remediation actions in automated investigation and response
+ Title: Review and manage remediation actions in Microsoft Defender for Office 365
keywords: AIR, autoIR, ATP, automated, investigation, response, remediation, threats, advanced, threat, protection f1.keywords:
- - NOCSH
+- NOCSH
audience: ITPro-+ localization_priority: Normal search.appverid:
- - MET150
- - MOE150
+- MET150
+- MOE150
- - M365-security-compliance
- - m365initiative-defender-office365
+- M365-security-compliance
+- m365initiative-defender-office365
description: Learn about remediation actions in automated investigation and response capabilities in Microsoft Defender for Office 365 Plan 2. ms.technology: mdo ms.prod: m365-security Last updated : 01/29/2021
-# View pending or completed remediation actions following an automated investigation in Office 365
+# Review and manage remediation actions in Office 365
+As automated investigations on email & collaboration content result in verdicts, such as *Malicious* or *Suspicious*, certain remediation actions are created. In Microsoft Defender for Office 365, remediation actions can include:
+- Blocking a URL (time-of-click)
+- Soft deleting email messages or clusters
+- Quarantining email or email attachments
+- Turning off external mail forwarding
--
-![AIR investigations action page](../../media/air-investigationactionspage.png)
+These remediation actions are not taken unless and until your security operations team approves them. We recommend reviewing and approving any pending actions as soon as possible so that your automated investigations complete in a timely manner. In some cases, you can undo a remediation action.
## Approve (or reject) pending actions
-While viewing the [details of an investigation](air-view-investigation-results.md), you can approve or reject any pending remediation actions. We recommend doing this as soon as possible so that your automated investigations complete.
-
-> [!IMPORTANT]
-> Appropriate permissions are required to approve or reject remediation actions. See [Required permissions to use AIR capabilities](office-365-air.md#required-permissions-to-use-air-capabilities).
+1. Go to the Microsoft 365 security center [https://security.microsoft.com](https://security.microsoft.com)) and sign in.
+2. In the navigation pane, select **Action center**.
+3. On the **Pending** tab, review the list of actions that are awaiting approval.
+4. Select an item in the list. Its flyout pane opens.
+5. Review the information in the flyout pane, and then take one of the following steps:
+ - Select **Open investigation page** to view more details about the investigation.
+ - Select **Approve** to initiate a pending action.
+ - Select **Reject** to prevent a pending action from being taken.
-1. Go to <https://protection.office.com> and sign in. This takes you to the the Security & Compliance Center.
+## Undo one remediation action
-2. Go to **Threat management** \> **Investigations**.
+1. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) and sign in.
+2. On the **History** tab, select an action that you want to undo.
+3. In the pane on the right side of the screen, select **Undo**.
-3. In the list of investigations, select an item in the **ID** column.
+## Undo multiple remediation actions
-4. Select the **Actions** tab.
+1. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) and sign in.
+2. On the **History** tab, select the actions that you want to undo. Make sure to select items that have the same Action type. A flyout pane opens.
+3. In the flyout pane, select Undo.
-5. Select an item in the list. (This activates the Approve and Reject buttons.)
+## To remove a file from quarantine across multiple devices
-6. Review available information for the item(s) you selected, and then either approve or reject the action(s).
- - **Approve** allows remediation to begin.
- - **Reject** takes no further action
+1. Go to the Action center ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) and sign in.
+2. On the **History** tab, select a file that has the Action type **Quarantine file**.
+3. In the pane on the right side of the screen, select **Apply to X more instances of this file**, and then select **Undo**.
## Next steps -- [Details and results of an automated investigation in Office 365](air-view-investigation-results.md)- - [Use Threat Explorer](threat-explorer.md)
+- [How to report false positives/negatives in automated investigation and response capabilities](air-report-false-positives-negatives.md)
+
+## See also
+
+- [View details and results of an automated investigation in Office 365](air-view-investigation-results.md)
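Review bot: the removed IMPORTANT block ("Appropriate permissions are required to approve or reject remediation actions. See [Required permissions to use AIR capabilities](office-365-air.md#required-permissions-to-use-air-capabilities)") has no counterpart in the new text, so the article no longer tells a reader which role is needed before the **Approve**, **Reject** and **Undo** buttons will do anything; keep that sentence and link, ideally right after "These remediation actions are not taken unless and until your security operations team approves them." Smaller points: step 1 of "Approve (or reject) pending actions" reads "security center [https://security.microsoft.com](https://security.microsoft.com)) and sign in" with an unbalanced closing parenthesis; step 3 of "Undo multiple remediation actions" has "select Undo" unbolded where every other button name is bold; and the new heading "To remove a file from quarantine across multiple devices" is the only one written as an infinitive. That section also introduces the **Quarantine file** action type with "Apply to X more instances of this file", which is not in the remediation action list at the top of the article (blocking a URL, soft deleting email, quarantining email or attachments, turning off forwarding), so either add it to that list or say where that action type comes from.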
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/air-view-investigation-results https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-view-investigation-results.md
@@ -1,8 +1,8 @@
Title: View the results of an automated investigation in Microsoft 365
-keywords: AIR, autoIR, ATP, automated, investigation, response, remediation, threats, advanced, threat, protection
+keywords: AIR, autoIR, ATP, automated, investigation, remediation, actions
f1.keywords:
- - NOCSH
+- NOCSH
@@ -10,281 +10,81 @@ audience: ITPro
localization_priority: Normal search.appverid:
- - MET150
- - MOE150
+- MET150
+- MOE150
- - M365-security-compliance
- - m365initiative-defender-office365
+- M365-security-compliance
+- m365initiative-defender-office365
description: During and after an automated investigation in Microsoft 365, you can view the results and key findings. Previously updated : 11/05/2020 Last updated : 01/29/2021 ms.technology: mdo ms.prod: m365-security # Details and results of an automated investigation in Microsoft 365
+When an [automated investigation](office-365-air.md) occurs in [Microsoft Defender for Office 365](office-365-atp.md), details about that investigation are available during and after the automated investigation process. If you have the necessary permissions, you can view those details in your security center. Investigation details provide you with up-to-date status, and the ability to approve any pending actions.
-
-When an [automated investigation](office-365-air.md) occurs in [Microsoft Defender for Office 365](office-365-atp.md), details about that investigation are available during and after the automated investigation process. If you have the necessary permissions, you can view those details in the Microsoft 365 security center. Investigation details provide you with up-to-date status, and the ability to approve any pending actions.
+> [!TIP]
+> Check out the new, unified investigation page in the Microsoft 365 security center. To learn more, see [(NEW!) Unified investigation page](../mtp/mtp-autoir-results.md#new-unified-investigation-page).
## Investigation status The investigation status indicates the progress of the analysis and actions. As the investigation runs, status changes to indicate whether threats were found, and whether actions have been approved. |Status|Description|
-|||
+|:|:|
|**Starting**|The investigation has been triggered and waiting to start runningΓÇï.| |**Running**|The investigation process has started and is underway. This state also occurs when [pending actions](air-review-approve-pending-completed-actions.md#approve-or-reject-pending-actions) are approved.| |**No Threats Found**|The investigation has finished and no threats (user account, email message, URL, or file) were identified. <p> **TIP**: If you suspect something was missed (such as a false negative), you can take action using [Threat Explorer](threat-explorer.md)ΓÇï.|
-|**Threats Found**|The automated investigation found issues, but there are no specific remediation actions to resolve those issues. <p> The **Threats Found** status can occur when some type of user activity was identified but no cleanup actions are available. Examples include any of the following user activities: <ul><li>A [data loss prevention](https://docs.microsoft.com/Microsoft-365/compliance/data-loss-prevention-policies) (DLP) event</li><li>An email sending anomaly</li><li>Sent malware</li><li>Sent phish</li></ul> <p> The investigation found no malicious URLs, files, or email messages to remediate, and no mailbox activity to fix, such as turning off forwarding rules or delegation. <p> **TIP**: If you suspect something was missed (such as a false negative), you can investigate and take action using [Threat Explorer](threat-explorer.md)ΓÇï.|
-|**Terminated By System**|The investigation stopped. An investigation can stop for several reasons:ΓÇï <ul><li>The investigation's pending actions expired. Pending actions time out after awaiting approval for one week.</li><li>There are too many actions. For example, if there are too many users clicking on malicious URLs, it can exceed the investigation's ability to run all the analyzers, so the investigation haltsΓÇï.</li></ul> <p> **TIP**: If an investigation halts before actions were taken, try using [Threat Explorer](threat-explorer.md) to find and address threats.|
-|**Pending Action**|The investigation has found a threat, such as a malicious email, a malicious URL, or a risky mailbox settingΓÇï, and an action to remediate that threat is [awaiting approval](air-review-approve-pending-completed-actions.md). <p> The **Pending Action** state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. Check the [investigation log](#playbook-log) to see if other items are still pending completion.ΓÇï|
-|**Remediated**|The investigation finished and all remediation actions were approved (this is noted as fully remediated). <p> **NOTE**: Approved remediation actions can have errors that prevent the actions from being taken. Regardless of whether remediation actions are successfully completed, the investigation status does not change. Check the [investigation log](#playbook-log) for detailed results.ΓÇï|
+|**Threats Found**|The automated investigation found issues, but there are no specific remediation actions to resolve those issues. <p> The **Threats Found** status can occur when some type of user activity was identified but no cleanup actions are available. Examples include any of the following user activities: <br/>- A [data loss prevention](https://docs.microsoft.com/Microsoft-365/compliance/data-loss-prevention-policies) (DLP) event<br/>- An email sending anomaly<br/>- Sent malware<br/>- Sent phish <p> The investigation found no malicious URLs, files, or email messages to remediate, and no mailbox activity to fix, such as turning off forwarding rules or delegation. <p> **TIP**: If you suspect something was missed (such as a false negative), you can investigate and take action using [Threat Explorer](threat-explorer.md)ΓÇï.|
+|**Terminated By System**|The investigation stopped. An investigation can stop for several reasons:ΓÇï <br/>- The investigation's pending actions expired. Pending actions time out after awaiting approval for one week.<br/>- There are too many actions. For example, if there are too many users clicking on malicious URLs, it can exceed the investigation's ability to run all the analyzers, so the investigation haltsΓÇï.<p> **TIP**: If an investigation halts before actions were taken, try using [Threat Explorer](threat-explorer.md) to find and address threats.|
+|**Pending Action**|The investigation has found a threat, such as a malicious email, a malicious URL, or a risky mailbox settingΓÇï, and an action to remediate that threat is [awaiting approval](air-review-approve-pending-completed-actions.md). <p> The **Pending Action** state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. View investigation details to see if other items are still pending completion.ΓÇï|
+|**Remediated**|The investigation finished and all remediation actions were approved (noted as fully remediated). <p> **NOTE**: Approved remediation actions can have errors that prevent the actions from being taken. Regardless of whether remediation actions are successfully completed, the investigation status does not change. View investigation details.ΓÇï|
|**Partially Remediated**|The investigation resulted in remediation actions, and some were approved and completedΓÇï. Other actions are still [pending](air-review-approve-pending-completed-actions.md).|
-|**Failed**|At least one investigation analyzer ran into a problem where it could not complete properlyΓÇï. <p> **NOTE**: If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. Check the [investigation log](#playbook-log) for detailed results.ΓÇïΓÇï|
+|**Failed**|At least one investigation analyzer ran into a problem where it could not complete properlyΓÇï. <p> **NOTE**: If an investigation fails after remediation actions were approved, the remediation actions might still have succeeded. View the investigation details. ΓÇïΓÇï|
|**Queued By Throttling**|An investigation is being held in a queue. When other investigations complete, queued investigations begin. Throttling helps avoid poor service performance. <p> **TIP**: Pending actions can limit how many new investigations can run. Make sure to [approve (or reject) pending actions](air-review-approve-pending-completed-actions.md#approve-or-reject-pending-actions).| |**Terminated By Throttling**|If an investigation is held in the queue too long, it stops. <p> **TIP**: You can [start an investigation from Threat Explorer](automated-investigation-response-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer).| | ## View details of an investigation
-1. Go to the Security & Compliance Center (<https://protection.office.com>) and sign in.
-
-2. Do one of the following actions:
-
- - Go to **Threat management** \> **Dashboard**. This takes you to the [Security Dashboard](security-dashboard.md). Your AIR widgets appear across the top of the [Security Dashboard](security-dashboard.md). Select a widget, such as **Investigations summary**.
-
- - Go to **Threat management** \> **Investigations**.
-
- Either method takes you to a list of investigations.
-
- ![Main investigation page for AIR](../../media/air-maininvestigationpage.png)
-
-3. In the list of investigations, select an item in the **ID** column. This opens investigation details page, starting with the investigation graph in view.
-
- ![AIR investigation graph page](../../media/air-investigationgraphpage.png)
-
- Use the various tabs to learn more about the investigation.
+1. Go to the Microsoft 365 security center [https://security.microsoft.com](https://security.microsoft.com)) and sign in.
+2. In the navigation pane, select **Action center**.
+3. On either the **Pending** or **History** tabs, select an action. Its flyout pane opens.
+4. In the flyout pane, select **Open investigation page**.
+5. Use the various tabs to learn more about the investigation.
## View details about an alert related to an investigation Certain kinds of alerts trigger automated investigation in Microsoft 365. To learn more, see [alert policies that trigger automated investigations](office-365-air.md#which-alert-policies-trigger-automated-investigations).
-Use the following procedure to view details about an alert that is associated with an automated investigation.
-
-1. Go to the Security & Compliance Center (<https://protection.office.com>) and sign in.
-
-2. Go to **Threat management** \> **Investigations**.
-
-3. In the list of investigations, select an item in the **ID** column.
-
-4. With details of an investigation open, select the **Alerts** tab. Any alerts that triggered the investigation are listed here.
-
-5. Select an item in the list. A flyout opens, with details about the alert and links to additional information and actions.
-
-6. Review the information on the flyout, and, depending on the particular alert, take an action, such as **Resolve**, **Suppress**, or **Notify users**.
-
- - **Resolve** is equivalent to closing an alert
-
- - **Suppress** causes a policy to not trigger alerts for a specified period of time
-
- - **Notify users** starts an email with users' email addresses already entered, and enables your security operations team to type a message to those users. (This is similar to sending a message to recipients using [Threat Explorer](threat-explorer.md).)
-
-## How to use the various tabs
-
-The following sections walk you through the various tabs on the automated investigations page and how you can use the information.
-
-### Automated investigations page
-
-The automated investigations page shows your organization's investigations and their current states.
-
-![Main investigation page for AIR](../../media/air-maininvestigationpage.png)
-
-You can:
--- Navigate directly to an investigation (select an **Investigation ID**).--- Apply filters. Choose from **Investigation Type**, **Time range**, **Status**, or a combination of these.--- Export the data to a .csv file.-
-### Investigation graph
-
-When you open a specific investigation, you see the investigation graph page. This page shows all the different entities: email messages, users (and their activities), and devices that were automatically investigated as part of the alert that was triggered.
-
-![AIR investigation graph page](../../media/air-investigationgraphpage.png)
-
-You can:
--- Get a visual overview of the current investigation.-- View a summary of the investigation duration.-- Select a node in the visualization to view details for that node.-- Select a tab across the top to view details for that tab.-
-### Alert investigation
-
-On the **Alerts** tab for an investigation, you can see alerts relevant to the investigation. Details include the alert that triggered the investigation and other correlated alerts, such as risky sign-in, [DLP policy](https://docs.microsoft.com/Microsoft-365/compliance/data-loss-prevention-policies) violations, etc., that are correlated to the investigation. From this page, a security analyst can also view additional details on individual alerts.
-
-![AIR alerts page](../../media/air-investigationalertspage.png)
-
-You can:
--- Get a visual overview of the current triggering alert and any associated alerts.-- Select an alert in the list to open a fly-out page that shows full alert details.-
-### Email investigation
-
-On the **Email** tab for an investigation, you can see the original emails and the clusters of similar email identified as part of the investigation. The **Email** tab also shows email items related to the investigation, such as the user-reported email details, the original email reported, the email message(s) zapped due to malware/phish, etc.
-
-![AIR email investigation page](../../media/air-investigationemailpage.png)
-
-With email investigation, you can:
--- Get a visual overview of the current clustering results and threats found.-- Click a cluster entity or a threat list to open a fly-out page that shows the full alert details.-- Further investigate the email cluster by clicking the **Open in Explorer** link at the top of the **Email cluster details** tab-
-![AIR investigation email with flyout details](../../media/air-investigationemailpageflyoutdetails.png)
-
-Given the sheer volume of email that users in an organization send and receive, plus the multi-user nature of email communications and attacks, the following process can take a significant amount of time:
-
-1. Clustering email messages based on similar attributes from a message header, body, URL, and attachments.
-2. Separating malicious email from the good email.
-3. Taking action on malicious email messages.
-
-AIR automates this process, saving your organization's security team time and effort.
-
-#### Types of email clusters
-
-Three different types of email clusters can be identified during the email analysis step: similarity clusters (all investigations), indicator clusters (all investigations), and mailbox/user clusters. The following table describes these types of email clusters.
-
-|Email cluster|Description|
-|||
-|Similarity clusters|Email messages identified by hunting for emails with similar sender and content attributes. These clusters are evaluated for malicious content based on the original detection findings. Email clusters that contain enough malicious email detections are considered malicious.|
-|Indicator clusters|Email messages that are identified by hunting for the same indicator entity (file hash or URL) from the original email. When the original file/URL entity is identified as malicious, AIR applies the indicator verdict to the entire cluster of email messages containing that entity. A file identified as malware means that the cluster of email messages containing that file are treated as malware email messages.|
-|Mailbox/user clusters|Email messages related to the user involved in a user compromise investigation. These email clusters are for further analysis by the security operations team and will not generate email remediation actions. <p> The compromised user security playbook reviews the emails being sent by the user being analyzed in order to understand the potential impact of the emails being sent from the mailbox.|
-
-> [!NOTE]
-> The goal of clustering is to hunt and find other related email messages that are sent by the same sender as part of an attack or a campaign. In some cases, legitimate email might trigger an investigation (for example, a user reports a marketing email). In these scenarios, the email clustering should identify that email clusters are not malicious ΓÇô when it appropriately does so, it will **not** indicate a threat, nor will it recommend email removal.
-
-#### Email classifications
-
-As email messages are analyzed, they are classified as *malicious*, *suspicious*, or *clean* (as in, *not identified as a threat*):
--- *Malicious emails* sent from the mailbox/user indicate potential compromise of the mailbox/account. Other users/mailboxes that are potentially impacted by malicious email as part of a compromise are shown.--- *Suspicious emails* sent by the mailbox/user indicate the potential for a compromised account or unwanted email activity. These messages include any spam/bulk email sent from the mailbox.--- *Clean emails* (emails that are considered not a threat) sent by the mailbox/user can provide your security operations team with a view of legitimate user emails sent. However, these emails can also include data exfiltration if the email account is compromised.-
-#### More about email counts
-
-The email count identified on the email tab currently represents the sum total of all email messages that shown on the **Email** tab. Because email messages are present in multiple clusters, the actual total count of email messages identified (and affected by remediation actions) is the count of unique email messages present across all of the clusters and original recipients' email messages.
-
-Both [Explorer](threat-explorer.md) and AIR count email messages on a per-recipient basis, because the security verdicts, actions, and delivery locations vary on a per-recipient basis. Thus, an original email sent to three users counts as a total of three email messages instead of one email.
-
-There might be cases where an email gets counted two or more times, such as when an email has multiple actions on it, or when there are multiple copies of the email when all the actions occur.
-
-For example, a malware email that is detected at delivery can result in both a blocked (quarantined) email and a replaced email (threat file replaced with a warning file, then delivered to user's mailbox). Because there are literally two copies of the email in the system, both might be counted in cluster counts.
-
-> [!IMPORTANT]
-> Here are a few points to keep in mind:
->
-> - Email counts are calculated at the time of the investigation, and some counts are recalculated when you open investigation flyouts (based on an underlying query).
->
-> - The email counts shown for the email clusters on the **Email** tab and the email quantity value shown on cluster flyout are calculated at the time of investigation, and do not change.
->
-> - The email count shown at the bottom of the **Email** tab of the email cluster flyout and the count of email messages shown in Explorer reflect email messages received after the investigation's initial analysis.
-
-Thus, an email cluster that shows an original quantity of 10 email messages would show an email list total of 15 when five more email messages arrive between the investigation analysis phase and when the admin reviews the investigation. Likewise, old investigations might start showing higher counts than Explorer queries show, because data in Microsoft Defender for Office 365 Plan 2 expires after 7 days for trials and after 30 days for paid licenses.
-
-Showing both count historical and current counts in different views is done to indicate the email impact at the time of investigation and the current impact up until the time that remediation is run.
-
-> [!NOTE]
-> In the context of email, you might see a volume anomaly threat surface as part of the investigation. A volume anomaly indicates a spike in similar email messages around the investigation event time compared to earlier timeframes. This spike in email traffic with similar characteristics (e.g. subject and sender domain, body similarity and sender IP) is typical of the start of email campaigns or attacks.
-> However, bulk, spam, and legitimate email campaigns commonly share these characteristics.
->
-> Volume anomalies represent a potential threat, and accordingly could be less severe compared to malware or phish threats that are identified using anti-virus engines, detonation or malicious reputation.
-
-### User investigation
-
-On the **Users** tab, you can see all the users identified as part of the investigation. User accounts appear in the investigation when there is an event or indication that those user accounts might be affected or compromised.
-
-For example, in the following image, AIR has identified indicators of compromise and anomalies based on a new inbox rule that was created. Additional details (evidence) of the investigation are available through detailed views within this tab. Indicators of compromise and anomalies might also include anomaly detections from [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security).
-
-![AIR investigation users page](../../media/air-investigationuserspage.png)
-
-You can:
--- Get a visual overview of identified user results and risks found.--- Select a user to open a fly-out page that shows the full alert details.-
-### Machine investigation
-
-On the **Machines** tab, you can see all the machines identified as part of the investigation.
-
-![AIR investigation machine page](../../media/air-investigationmachinepage.png)
-
-As part of some playbooks, AIR correlates email threats to devices (for example, Zapped malware). For example, an investigation passes a malicious file hash across to [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection
-) to investigate. This allows for automated investigation of relevant machines for your users, to help ensure that threats are addressed both in the cloud and across your endpoints.
-
-You can:
--- Get a visual overview of the current machines and threats found.--- Select a machine to open a view that into the related [Microsoft Defender for Endpoint investigations](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) in the Microsoft Defender Security Center.-
-### Entity investigation
-
-On the **Entities** tab, you can see the entities identified and analyzed as part of the investigation.
-
-Here, you can see the investigated entities and details of the types of entities, such as email messages, clusters, IP addresses, users, and more. You can also see how many entities were analyzed, and the threats that were associated with each.
-
-![AIR investigation entities page](../../media/air-investigationentitiespage.png)
-
-You can:
--- Get a visual overview of the investigation entities and threats found.--- Select an entity to open a fly-out page that shows the related entity details.-
-![AIR investigation entities details](../../media/air-investigationsentitiespagedetails.png)
-
-### Playbook log
-
-On the **Log** tab, you can see all the playbook steps that have occurred during the investigation. The log captures a complete inventory of all analyzers and actions completed by Office 365 auto-investigation capabilities as part of AIR. It provides a clear view of all the steps taken, including the action itself, a description, and the duration of the actual from start to finish.
-
-![AIR investigation log page](../../media/air-investigationlogpage.png)
+1. Go to the Microsoft 365 security center [https://security.microsoft.com](https://security.microsoft.com)) and sign in.
+2. In the navigation pane, select **Action center**.
+3. On either the **Pending** or **History** tabs, select an action. Its flyout pane opens.
+4. In the flyout pane, select **Open investigation page**.
+5. Select the **Alerts** tab to view a list of all of the alerts associated with that investigation.
+6. Select an item in the list to open its flyout pane. There, you can view more information about the alert.
-You can:
+## Keep the following points in mind
-- Get see a visual overview of the playbook steps taken.-- Export the results to a CSV file.-- Filter the view.
+- Email counts are calculated at the time of the investigation, and some counts are recalculated when you open investigation flyouts (based on an underlying query).
-### Recommended actions
+- The email counts shown for the email clusters on the **Email** tab and the email quantity value shown on cluster flyout are calculated at the time of investigation, and do not change.
-On the **Actions** tab, you can see all the playbook actions that are recommended for remediation after the investigation has completed. Actions capture the steps Microsoft recommends you take at the end of an investigation. You can take remediation actions here by selecting one or more actions.
+- The email count shown at the bottom of the **Email** tab of the email cluster flyout and the count of email messages shown in Explorer reflect email messages received after the investigation's initial analysis.
-Selecting **Approve** allows remediation to begin. (Appropriate permissions are needed - the **Search And Purge** role is required to run actions from Explorer and AIR).
+ Thus, an email cluster that shows an original quantity of 10 email messages would show an email list total of 15 when five more email messages arrive between the investigation analysis phase and when the admin reviews the investigation. Likewise, old investigations might start showing higher counts than Explorer queries show, because data in Microsoft Defender for Office 365 Plan 2 expires after seven days for trials and after 30 days for paid licenses.
-For example, a Security Reader can view actions, but not approve them.
+ Showing both count historical and current counts in different views is done to indicate the email impact at the time of investigation and the current impact up until the time that remediation is run.
-> [!IMPORTANT]
-> You do not have to approve every action. If you do not agree with the recommended action or your organization does not choose certain types of actions, then you can choose to **Reject** the actions or simply ignore them and take no action.
-> Approving and/or rejecting all actions lets the investigation fully close (status becomes remediated), while leaving some actions incomplete results in the investigation status changing to a partially remediated state.
+- In the context of email, you might see a volume anomaly threat surface as part of the investigation. A volume anomaly indicates a spike in similar email messages around the investigation event time compared to earlier timeframes. A spike in email traffic together with certain characteristics (for example, subject and sender domain, body similarity, and sender IP) is typical of the start of email campaigns or attacks. However, bulk, spam, and legitimate email campaigns commonly share these characteristics.
-![AIR investigations action page](../../media/air-investigationactionspage.png)
+- Volume anomalies represent a potential threat, and accordingly could be less severe compared to malware or phish threats that are identified using anti-virus engines, detonation, or malicious reputation.
-You can:
+- You do not have to approve every action. If you do not agree with the recommended action or your organization does not choose certain types of actions, then you can choose to **Reject** the actions or simply ignore them and take no action.
-- Get a visual overview of the playbook-recommended actions.-- Select a single action or multiple actions.-- Approve or reject recommended actions with comments.-- Export the results to a CSV file.-- Filter the view.
+- Approving and/or rejecting all actions lets the investigation fully close (status becomes remediated), while leaving some actions incomplete results in the investigation status changing to a partially remediated state.
## Next steps
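Review bot: the last two added bullets ("You do not have to approve every action..." and "Approving and/or rejecting all actions lets the investigation fully close...") are carried over from the removed `> [!IMPORTANT]` block, but they now sit at the end of a list about email counts and volume anomalies with no mention of the **Actions** tab they describe; either give them a lead-in such as "On the **Actions** tab, ..." or move them to wherever the removed "Recommended actions" section now lives. The removed permissions sentence (the **Search And Purge** role is required to run actions from Explorer and AIR; a Security Reader can view but not approve) has no replacement in this hunk, so that requirement is lost unless it is documented elsewhere. Minor: "Showing both count historical and current counts" should read "Showing both historical and current counts".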
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/automated-investigation-response-office https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/automated-investigation-response-office.md
@@ -1,34 +1,31 @@
Title: How automated investigation and response works in Microsoft Defender for Office 365 f1.keywords:
- - NOCSH
+- NOCSH
audience: ITPro - localization_priority: Normal search.appverid:
- - MET150
- - MOE150
+- MET150
+- MOE150
- - M365-security-compliance
- - m365initiative-defender-office365
+- M365-security-compliance
+- m365initiative-defender-office365
keywords: automated incident response, investigation, remediation, threat protection Previously updated : 11/05/2020 Last updated : 01/29/2021 description: See how automated investigation and response capabilities work in Microsoft Defender for Office 365
- - air
- - seo-marvel-mar2020
+- air
+- seo-marvel-mar2020
ms.technology: mdo ms.prod: m365-security # How automated investigation and response works in Microsoft Defender for Office 365 - As security alerts are triggered, it's up to your security operations team to look into those alerts and take steps to protect your organization. Sometimes, security operations teams can feel overwhelmed by the volume of alerts that are triggered. Automated investigation and response (AIR) capabilities in Microsoft Defender for Office 365 can help. AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond to detected threats.
@@ -90,7 +87,4 @@ For example, recently, an organization set up a way for their security operation
## Next steps - [Get started using AIR](office-365-air.md)--- [Visit the Microsoft 365 Roadmap to see what's planned and releasing soon](https://www.microsoft.com/microsoft-365/roadmap?filters=)--- [Learn about automated investigation and response capabilities in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
+- [View pending or completed remediation actions](air-review-approve-pending-completed-actions.md)
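Review bot: the cross-reference "[Learn about automated investigation and response capabilities in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)" is dropped along with the roadmap link, leaving readers of this Office 365 AIR article no pointer to the Microsoft 365 Defender AIR article; consider keeping that link next to the new "View pending or completed remediation actions" entry.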
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/identity-access-policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-policies.md
@@ -23,6 +23,11 @@ ms.technology: mdo
# Common identity and device access policies
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- Azure
+ This article describes the common recommended policies for securing access to Microsoft 365 cloud services, including on-premises applications published with Azure Active Directory (Azure AD) Application Proxy. This guidance discusses how to deploy the recommended policies in a newly-provisioned environment. Setting up these policies in a separate lab environment allows you to understand and evaluate the recommended policies before staging the rollout to your preproduction and production environments. Your newly provisioned environment can be cloud-only or hybrid to reflect your evaluation needs.
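Review bot: "- Azure" in the new **Applies to** list is too vague and is the only entry without a link; the article's own opening sentence in this hunk scopes it to Azure Active Directory (Azure AD) and Azure AD Application Proxy, so name "Azure Active Directory" and link it in the same style as the Exchange Online Protection and Defender for Office 365 entries.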
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/identity-access-prerequisites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/identity-access-prerequisites.md
@@ -27,6 +27,11 @@ This article describes the prerequisites admins must meet to use recommended ide
## Prerequisites
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- Azure
+ Before using the identity and device access policies that are recommended, your organization needs to meet prerequisites. The requirements are different for the various identity and authentication models listed: - Cloud-only
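Review bot: "- Azure" is imprecise for a prerequisites article about identity and device access policies, which concern Azure Active Directory specifically, and it is the one unlinked item in the list; use "Azure Active Directory" with a link so all three **Applies to** entries follow the same pattern.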
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/integrate-office-365-ti-with-wdatp.md
@@ -31,7 +31,7 @@ ms.prod: m365-security
Integrating Microsoft Defender for Office 365 with Microsoft Defender for Endpoint can help your security operations team monitor and take action quickly if users' devices are at risk. For example, once integration is enabled, your security operations team will be able to see the devices that are potentially affected by a detected email message, as well as how many recent alerts were generated for those devices in Microsoft Defender for Endpoint.
-The following image depicts what the **Devices** tab looks like have Microsoft Defender for Endpoint integration enabled:
+The following image depicts what the **Devices** tab looks like when you have Microsoft Defender for Endpoint integration enabled:
![When Microsoft Defender for Endpoint is enabled, you can see a list of devices with alerts.](../../media/fec928ea-8f0c-44d7-80b9-a2e0a8cd4e89.PNG)
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/isolated-sharepoint-online-team-site-dev-test-environment https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/isolated-sharepoint-online-team-site-dev-test-environment.md
@@ -24,6 +24,11 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1](https://go.microsoft.com/fwlink/?linkid=2148715)
+- SharePoint Online
+ **Summary:** Configure a SharePoint Online team site that is isolated from the rest of the organization in your Microsoft 365 dev/test environment.
@@ -290,4 +295,4 @@ When you are ready to deploy an isolated SharePoint Online team site in producti
[The lightweight base configuration](https://docs.microsoft.com/microsoft-365/enterprise/lightweight-base-configuration-microsoft-365-enterprise)
-[Cloud adoption and hybrid solutions](https://docs.microsoft.com/office365/enterprise/cloud-adoption-and-hybrid-solutions)
+[Microsoft 365 solution and architecture center](https://docs.microsoft.com/microsoft-365/solutions.)
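Review bot: the new link target `https://docs.microsoft.com/microsoft-365/solutions.` has the sentence's trailing period inside the parentheses, so the rendered link points at a URL ending in "." and will not resolve as intended; move the period outside the link, i.e. `[Microsoft 365 solution and architecture center](https://docs.microsoft.com/microsoft-365/solutions)`.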
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/isolated-sharepoint-online-team-sites https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/isolated-sharepoint-online-team-sites.md
@@ -26,6 +26,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1](https://go.microsoft.com/fwlink/?linkid=2148715)
+- SharePoint Online
**Summary:** Learn about the uses for isolated SharePoint Online team sites.
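Review bot: a blank line appears to be missing between "- SharePoint Online" and "**Summary:** Learn about the uses for isolated SharePoint Online team sites." The hunk header counts four added lines with no blank one, whereas the matching hunk for isolated-sharepoint-online-team-site-dev-test-environment adds five (including a blank line before **Summary:**). A paragraph line placed directly after a list item is parsed as a lazy continuation of that item, which would fold the summary into the "SharePoint Online" bullet; please confirm a blank line separates them here and in the manage-an-isolated-sharepoint-online-team-site and manage-recipients-in-eop hunks, which have the same shape.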
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/manage-an-isolated-sharepoint-online-team-site https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-an-isolated-sharepoint-online-team-site.md
@@ -24,6 +24,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1](https://go.microsoft.com/fwlink/?linkid=2148715)
+- SharePoint Online
**Summary:** Manage your isolated SharePoint Online team site with these procedures.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/manage-recipients-in-eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/manage-recipients-in-eop.md
@@ -22,6 +22,8 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection standalone](https://go.microsoft.com/fwlink/?linkid=2148611)
Standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes support the following types of recipients:
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-email-entity-page https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-email-entity-page.md
@@ -0,0 +1,149 @@
+
+ Title: "The Microsoft Defender for Office 365 (MDO) email entity page"
+f1.keywords:
+- NOCSH
+++ Last updated : 01/21/2021
+audience: ITPro
++
+localization_priority: Normal
+search.appverid:
+
+- M365-security-compliance
+- m365initiative-defender-office365
+description: Microsoft Defender for Office 365 E5 and ATP P1 and ATP P2 customers can now get a 360-degree view of each email with email entity page.
+
+# The Email entity page
+
+**In this article:**
+- [Reach the email entity page](#reach-the-email-entity-page)
+- [Read the email entity page](#read-the-email-entity-page)
+- [Use email entity page tabs](#use-email-entity-page-tabs)
+- [New to the email entity page](#new-to-the-email-entity-page)
+
+Admins of Microsoft Defender for Office 365 (or MDO) E5, and MDO P1 and P2 have a 360-degree view of email using the **Email entity page**. This go-to email page was created to enhance information delivered on the [Threat Explorer 'email details' fly-out](https://docs.microsoft.com/microsoft-365/security/office-365-security/threat-explorer-views).
+
+## Reach the email entity page
+
+Either of the existing Office Security and Compliance center (protection.office.com) or new Microsoft 365 Security center (security.microsoft.com) will let you see and use the email entity page..
+
+|Center |URL |Navigation |
+||||
+|Security & Compliance |protection.office.com | Threat Management > Explorer |
+|Microsoft 365 security center |security.microsoft.com | Email & Collaboration > Explorer |
+
+In Threat Explorer, select the subject of an email you're investigating. A gold bar will display at the top of the email fly-out for that mail. This invitation to the new page, reads 'Try out our new email entity page with enriched data...'. Select to view the new page.
+++
+> [!NOTE]
+> The permissions needed to view and use this page are the same as to view Threat Explorer. The admin must be a member of Global admin or global reader, or Security admin or security reader.
+
+## Read the email entity page
+
+The structure is designed to be easy to read and navigate through at a glance. Various tabs along the top of the page allow you to investigate in more detail. Here's how the layout works:
+
+1. The most required fields are on the left side of the fly-out. These details are 'sticky', meaning they're anchored to the left no matter the tab you navigate to in the rest of the fly-out.
+
+ :::image type="content" source="../../media/email-entities-3-left-panel.png" alt-text="Graphic of the email entity page with the left side highlighted. The title and facts about the mail delivery are over here.":::
+
+2. On the top-right corner are the actions that can be taken on an email. Any actions that can be taken through Explorer will also be available through email entity page.
+
+ :::image type="content" source="../../media/email-entities-5-preview.png" alt-text="Graphic of the email entity page with the *right* side highlighted, this time. Actions like 'Email preview' and 'Go to quarantine' are here.":::
+
+3. Deeper analysis can be done by sorting through the rest of the page. Check the email detection details, email authentication status, and header. This area should be looked on a case-by-case basis, but the info in these tabs is available for any email.
+
+ :::image type="content" source="../../media/email-entities-4-middle-panel.png" alt-text="The main panel of this page includes the email header and authentication status.":::
+
+### Use email entity page tabs
+
+The tabs along the top of the entity page will allow you to investigate email efficiently.
+
+1. **Timeline**: The timeline view for an email (per the Threat Explorer timeline) shows the original delivery to post-delivery events that happen on an email. For emails that have no post-delivery actions, the view shows the original delivery row in timeline view. Events like: Zero-hour auto purge (ZAP), Remediate, URL clicks, et cetera, from sources like: system, admin, and user, show up here, in the order in which they occurred.
+2. **Analysis**: Analysis shows fields that help admins analyze an email in depth. For cases where admins need to understand more about detection, sender / recipient, and email authentication details, they should use the Analysis tab. Links for Attachments and URLs are also found on this page, under 'Related Entities'. Both attachments and identified threats are numbered here, and clicking will take you straight to the Attachments and URL pages. This tab also has a View header option to *show the email header*. Admins can compare any detail from email headers, side by side with information on the main panel, for clarity.
+3. **Attachments**: This examines attachments found in the email with other details found on attachments. The number of attachments shown is currently limited to 10. Notice that detonation details for attachments found to be malicious is also shown here.
+4. **URLs**: This tab lists URLs found in the email with other details about the URLs. The number of URLs is limited to 10 right now, but these 10 are prioritized to show *malicious URLs first*. Prioritization saves you time and guess-work. The URLs which were found to be malicious and detonated will also be shown here.
+5. **Similar emails**: This tab lists all emails similar to the *network message id + recipient* combination specific to this email. Similarity is based on the *body of the message*, only. The determinations made on mails to categorize them as 'similar' don't include a consideration of *attachments*.
+
+## New to the email entity page
+
+There are new capabilities that come with this email entity page. Here's the list.
+
+### Email preview for Cloud mailboxes
+Admins can preview emails in Cloud mailboxes, ***if*** the mails are still present in the Cloud. In case of a soft delete (by an admin, or user), or ZAP (to quarantine), emails are no longer present in the Cloud location. In that case, admins won't be able to preview those specific mails. Emails that were dropped, or where delivery failed, never actually made it into the mailbox. As a result, admins wonΓÇÖt be able to preview those emails either.
+
+> [!WARNING]
+>Previewing emails requires a special role called ***Preview*** to be assigned to admins. You can add this role by going to **Permissions & roles** > **Email & collaboration roles** in *security.microsoft.com*, or **Permissions** in *protection.office.com*. Add the ***Preview*** role to any of the role groups, or a copy of a role group that allows admins in your organization to work in Threat Explorer.
+
+### Detonation details
+
+These details are specific to email attachments and URLs.
+
+Users will see enriched detonation details for known malicious attachments or hyperlinks found in their mailboxes, including Detonation chain, Detonation summary, Screenshot, and Observed behavior details to help customers understand why the attachment or URL was deemed malicious and detonated.
+
+- *Detonation chain*: A single file or URL detonation can trigger multiple detonations. The Detonation chain tracks the path of detonations, including the original malicious file or URL that caused the verdict, and all other files or URLs effected by the detonation. These URLs or attached files may not be directly present in the email, but including that analysis is important to determining why the file or URL was found to be malicious.
+- *Detonation summary*: This gives information on:
+ - Detonation time range.
+ - Verdict of the attached file, or URL.
+ - Related info (file number, URLs, IPs, or Domains), which are other entities examined during detonation.
+- *Detonation screenshot*: This shows screenshot(s) taken during detonation process.
+- *Detonation details*: These are the exact behavior details of each process that took place during the detonation.
++
+### Other innovations
+
+*Tags*: These are tags applied to users. If the user is a recipient, admins will see a *recipient* tag. Likewise, if the user is a sender, a *sender* tag. This will appear in the left side of the email entities page (in the part that's described as *sticky* and, thus, anchored to the page).
+
+*Latest delivery location*: The latest delivery location is the location where an email landed after system actions like ZAP, or admin actions like Move to Deleted Items, finish. Latest delivery location is not intended to inform admins of the message's *current* location. For example, if a user deletes a message, or moves it to archive, the delivery location won't be updated. However, if a system action has taken place and updated the location (like a ZAP resulting in an email moving to Quarantine) this would update the Latest delivery location to Quarantine.
+
+*Email details*: Details required for a deeper understanding of email available in the *Analysis* tab.
+
+- *Exchange Transport Rules (ETRs or Mailflow rules)*: These rules are applied to a message at the transport layer and take precedence over phish and spam verdicts. These can be only created and modified in the Exchange admin center, but if any ETR applies to a message, the ETR name and GUID will be shown here. Valuable information for tracking purposes.
+
+- *System Overrides*: This is a means of making exceptions to the delivery location intended for a message by overriding the delivery location given by system (as per the threat and detection tech).
+
+- *Junk Mailbox Rule*: 'Junk' is hidden Inbox rule that's enabled by default in every mailbox.
+ - When the Junk email rule is enabled on the mailbox, Exchange Online Protection (EOP) is able to move messages to Junk according to some criteria. The move can be based on spam filtering verdict action *Move message to Junk Email folder*, or on the Blocked Senders list on the mailbox. Disabling the Junk email rule prevents the delivery of messages to the Junk email folder based on the *Safe Senders* list on the mailbox.
+ - When the junk email rule is *disabled* on the mailbox, EOP can't move messages to the Junk Email folder based on the spam filtering verdict action *Move message to Junk Email folder*, or the safe list collection on the mailbox.
+
+- *Bulk Compliant Level (BCL)*: The Bulk Complaint Level (BCL) of the message. A higher BCL indicates a bulk mail message is more likely to generate complaints (the natural result if the email is likely to be spam).
+
+- *Spam Confidence Level (SCL)*: The spam confidence level (SCL) of the message. A higher value indicates the message is more likely to be spam.
+
+- *Domain Name*: Is the sender domain name.
+
+- *Domain Owner*: Specifies the owner of the sending domain.
+
+- *Domain Location*: Specifies the location of the sending domain.
+
+- *Domain Created Date*: Specifies the date of creation of the sending domain. A newly created domain is something you could be cautious of if other signals indicate some suspicious behavior.
+
+*Email Authentication*: Email authentication methods used by Microsoft 365 include SPF, DKIM, and DMARC.
+
+- Sender Policy Framework (**SPF**): Describes results for SPF check for the message. Possible values can be:
+ - Pass (IP address): The SPF check for the message passed and includes the sender's IP address. The client is authorized to send or relay email on behalf of the sender's domain.
+ - Fail (IP address): The SPF check for the message failed and includes the sender's IP address. This is sometimes called hard fail.
+ - Softfail (reason): The SPF record designated the host as not being allowed to send but is in transition.
+ - Neutral: The SPF record explicitly states that it does not assert whether the IP address is authorized to send.
+ - None: The domain doesn't have an SPF record, or the SPF record doesn't evaluate to a result.
+ - Temperror: A temporary error has occurred. For example, a DNS error. The same check later might succeed.
+ - Permerror: A permanent error has occurred. For example, the domain has a badly formatted SPF record.
+
+- DomainKeys Identified Mail (**DKIM**):
+ - Pass: Indicates the DKIM check for the message passed.
+ - Fail (reason): Indicates the DKIM check for the message failed and why. For example, if the message was not signed or the signature was not verified.
+ - None: Indicates that the message was not signed. This may or may not indicate that the domain has a DKIM record or the DKIM record does not evaluate to a result, only that this message was not signed.
+
+- Domain-based Message Authentication, Reporting and Conformance (**DMARC**):
+ - Pass: Indicates the DMARC check for the message passed.
+ - Fail: Indicates the DMARC check for the message failed.
+ - Bestguesspass: Indicates that no DMARC TXT record for the domain exists, but if one had existed, the DMARC check for the message would have passed.
+ - None: Indicates that no DMARC TXT record exists for the sending domain in DNS.
+
+*Composite Authentication*: This is a value is used by Microsoft 365 to combine email authentication like SPF, DKIM, and DMARC, to determine if the message is authentic. It uses the *From:* domain of the mail as the basis of evaluation.
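Review bot: the table under "Reach the email entity page" uses `||||` as its delimiter row; Markdown tables need at least one hyphen per cell in that row (`|---|---|---|`), so as written the table will not render. In the *Junk Mailbox Rule* item, the sentence "Disabling the Junk email rule prevents the delivery of messages to the Junk email folder based on the *Safe Senders* list on the mailbox" sits inside the "enabled" bullet and describes the Safe Senders list as a reason to deliver mail to Junk, which is the opposite of what a safe senders list does; check whether "Inbox" or "Blocked Senders" was intended and move the sentence to the "disabled" bullet, which already covers that case. The label "*Bulk Compliant Level (BCL)*" disagrees with its own definition "The Bulk Complaint Level (BCL)"; Complaint is the correct term. Smaller fixes in the same hunk: "use the email entity page.." (double period), "This invitation to the new page, reads" (stray comma), "should be looked on a case-by-case basis" (looked at), "detonation details for attachments found to be malicious is also shown" (are), "all other files or URLs effected by the detonation" (affected), "'Junk' is hidden Inbox rule" (is a hidden), "This is a value is used by Microsoft 365" (This value is used by), the mojibake apostrophe in "wonΓÇÖt" (use a straight apostrophe), and the description line still says "ATP P1 and ATP P2" while the body uses the MDO P1 and P2 names.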
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/message-trace-scc https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/message-trace-scc.md
@@ -21,6 +21,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
## Message trace features
@@ -84,7 +88,8 @@ The default value is **2 days**, but you can specify date/time ranges of up to 9
For more information about the different report types, see the [Choose report type](#choose-report-type) section in this article.
- **Note**: Enhanced summary and Extended reports are prepared using archived message trace data, and it can take up to several hours before your report is available for download. Depending on how many other admins have also submitted report requests around the same time, you might also notice a delay before processing starts for your queued request.
+ > [!NOTE]
+ > Enhanced summary and Extended reports are prepared using archived message trace data, and it can take up to several hours before your report is available for download. Depending on how many other admins have also submitted report requests around the same time, you might also notice a delay before processing starts for your queued request.
- Saving a query in **Slider** view saves the relative time range (for example, 3 days from today). Saving a query in **Custom** view saves the absolute date/time range (for example, 2018-05-06 13:00 to 2018-05-08 18:00).
@@ -108,7 +113,8 @@ You can leave the default value **All** selected, or you can select one of the f
- **Getting status:** The message was recently received by Microsoft 365, but no other status data is yet available. Check back in a few minutes.
-**Note**: The values **Pending,** **Quarantined**, and **Filter as spam** are only available for searches less than 10 days. Also, there might be a 5 to 10 minute delay between the actual and reported delivery status.
+> [!NOTE]
+> The values **Pending,** **Quarantined**, and **Filter as spam** are only available for searches less than 10 days. Also, there might be a 5 to 10 minute delay between the actual and reported delivery status.
#### Message ID
@@ -126,7 +132,8 @@ You can leave the default value **All** selected, or you can select **Inbound**
You can filer the results by client IP address to investigate hacked computers that are sending large amounts of spam or malware. Although the messages might appear to come from multiple senders, it's likely that the same computer is generating all of the messages.
-**Note**: The client IP address information is only available for 10 days, and is only available in the **Enhanced summary** or **Extended** reports (downloadable CSV files).
+> [!NOTE]
+> The client IP address information is only available for 10 days, and is only available in the **Enhanced summary** or **Extended** reports (downloadable CSV files).
### Choose report type
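Review bot: the unchanged context line "You can filer the results by client IP address" has a typo ("filer" for "filter"); since this hunk already edits the note directly beneath that sentence, fix the typo in the same change.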
@@ -136,11 +143,11 @@ The available report types are:
- **Enhanced summary** or **Extended**: These reports are only available as downloadable CSV files, and require one or more of the following filtering options regardless of the time range: **By these people**, **To these people**, or **Message ID**. You can use wildcards for the senders or the recipients (for example, \*@contoso.com). The Enhanced summary report returns up to 50000 results. The Extended report returns up to 1000 results.
-**Notes**:
--- Enhanced summary and Extended reports are prepared using archived message trace data, and it can take up to several hours before your report is available to download. Depending on how many other admins have also submitted report requests around the same time, you might also notice a delay before your queued request starts to be processed.--- While you can select an Enhanced summary or Extended report for any date/time range, commonly the last four hours of archived data will not yet be available for these two types of reports.
+> [!NOTE]
+>
+> - Enhanced summary and Extended reports are prepared using archived message trace data, and it can take up to several hours before your report is available to download. Depending on how many other admins have also submitted report requests around the same time, you might also notice a delay before your queued request starts to be processed.
+>
+> - While you can select an Enhanced summary or Extended report for any date/time range, commonly the last four hours of archived data will not yet be available for these two types of reports.
When you click **Next**, you're presented with a summary page that lists the filtering options that you selected, a unique (editable) title for the report, and the email address that receives the notification when the message trace completes (also editable, and must be in one of your organization's accepted domains). Click **Prepare report** to submit the message trace. On the main **Message trace** page, you can see the status of the report in the **Downloadable reports** section.
@@ -214,11 +221,11 @@ The message trace details contain the following additional information that's no
- **Resolved**: The message was redirected to a new recipient address based on an Active Directory look up. When this happens, the original recipient address is listed in a separate row in the message trace along with the final delivery status for the message.
- Notes:
-
- - An uneventful message that's successfully delivered will generate multiple **Event** entries in the message trace.
-
- - This list is not meant to be exhaustive. For descriptions of more events, see [Event types in the message tracking log](https://docs.microsoft.com/Exchange/mail-flow/transport-logs/message-tracking#event-types-in-the-message-tracking-log). Note that this link is an Exchange Server (on-premises Exchange) topic.
+ > [!NOTE]
+ >
+ > - An uneventful message that's successfully delivered will generate multiple **Event** entries in the message trace.
+ >
+ > - This list is not meant to be exhaustive. For descriptions of more events, see [Event types in the message tracking log](https://docs.microsoft.com/Exchange/mail-flow/transport-logs/message-tracking#event-types-in-the-message-tracking-log). Note that this link is an Exchange Server (on-premises Exchange) topic.
- **More information**: This section contains the following details:
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/mfi-auto-forwarded-messages-report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-auto-forwarded-messages-report.md
@@ -19,6 +19,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
The **Auto-forwarded messages** insight in the [Mail flow dashboard](mail-flow-insights-v2.md) in the [Security & Compliance Center](https://protection.office.com) displays information about messages that are automatically forwarded from your organization to recipients in external domains.
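Review bot: a blank line may be missing between "- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)" and the paragraph "The **Auto-forwarded messages** insight ...": the hunk header counts four added lines and none of them is blank, and an unindented paragraph line directly after a list item is parsed as a lazy continuation of that item, pulling the paragraph into the list. The mfi-domain-mail-flow-status-insight and mfi-mail-flow-map-report hunks below have the same shape and need the same check.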
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/mfi-domain-mail-flow-status-insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-domain-mail-flow-status-insight.md
@@ -21,6 +21,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
The **Top domain mail flow status** insight in the [Mail flow dashboard](mail-flow-insights-v2.md) in the [Security & Compliance Center](https://protection.office.com) gives you the current mail flow status for your organization.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/mfi-mail-flow-map-report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-mail-flow-map-report.md
@@ -21,6 +21,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
The **Mail flow map** in the [Mail flow dashboard](mail-flow-insights-v2.md) in the [Security & Compliance Center](https://protection.office.com) gives insight as to how mail flows through your organization. You can use this information to learn patterns, identify anomalies, and fix issues as they occur.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/mfi-mail-loop-insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-mail-loop-insight.md
@@ -21,6 +21,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
Mail loops are bad because:
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/mfi-new-domains-being-forwarded-email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-new-domains-being-forwarded-email.md
@@ -18,6 +18,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
There are valid business reasons to forward email messages to external recipients in specific domains. However, it's suspicious when users in your organization suddenly start forwarding messages to a domain where no one in your organization has ever forwarded messages to (a new domain).
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/mfi-new-users-forwarding-email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-new-users-forwarding-email.md
@@ -18,6 +18,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
It's suspicious when new user accounts in your organization suddenly start forwarding email messages to external domains.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/mfi-non-accepted-domain-report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-non-accepted-domain-report.md
@@ -21,6 +21,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
The **Non-accepted domain** report in the [Mail flow dashboard](mail-flow-insights-v2.md) in the [Security & Compliance Center](https://protection.office.com) displays information about messages from your on-premises email organization where the sender's domain isn't configured as an accepted domain in your Microsoft 365 organization.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/mfi-non-delivery-report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-non-delivery-report.md
@@ -21,6 +21,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
The **Non-delivery report** in the [Mail flow dashboard](mail-flow-insights-v2.md) in the [Security & Compliance Center](https://protection.office.com) shows the most-encountered error codes in non-delivery reports (also known as NDRs or bounce messages) for users in your organization. This report shows the details of NDRs so you can troubleshoot email delivery problems.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/mfi-outbound-and-inbound-mail-flow https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-outbound-and-inbound-mail-flow.md
@@ -20,6 +20,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
The **Outbound and inbound mail flow** insight in the [Mail flow dashboard](mail-flow-insights-v2.md) in the [Security & Compliance Center](https://protection.office.com) combines the information from the [Connector report](view-mail-flow-reports.md#connector-report) and the former **TLS overview report** in one place.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/mfi-queue-alerts-and-queues https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-queue-alerts-and-queues.md
@@ -19,6 +19,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
When messages can't be sent from your organization to your on-premises or partner email servers using connectors, the messages are queued in Microsoft 365. Common examples that cause this condition are:
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/mfi-slow-mail-flow-rules-insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-slow-mail-flow-rules-insight.md
@@ -22,6 +22,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
Inefficient mail flow rules (also known as transport rules) can lead to mail flow delays for your organization. This insight reports mail flow rules that have an impact on your organization's mail flow. Examples of these types of rules include:
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/mfi-smtp-auth-clients-report https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mfi-smtp-auth-clients-report.md
@@ -21,6 +21,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
The **SMTP Auth clients** insight in the [Mail flow dashboard](mail-flow-insights-v2.md) and the associated [SMTP Auth clients report](#smtp-auth-clients-report) in the [Security & Compliance Center](https://protection.office.com) highlight the use of the SMTP AUTH client submission protocol by users or system accounts in your organization. This legacy protocol (which uses the endpoint smtp.office365.com) only offers Basic authentication, and is susceptible to being used by compromised accounts to send email. The insight and report allow you to check for unusual activity for SMTP AUTH email submissions. It also shows the TLS usage data for clients or devices using SMTP AUTH.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/microsoft-365-policies-configurations https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-365-policies-configurations.md
@@ -22,6 +22,10 @@ ms.technology: mdo
# Identity and device access configurations
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+ The modern security perimeter of your organization now extends beyond your network to include users accessing cloud-based apps from any location with a variety of devices. Your security infrastructure needs to determine whether a given access request should be granted and under what conditions. This determination should be based on the user account of the sign-in, the device being used, the app the user is using for access, the location from which the access request is made, and an assessment of the risk of the request. This capability helps ensure that only approved users and devices can access your critical resources.
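Review bot: The **Applies to** block tags this page with Exchange Online Protection and Defender for Office 365, but the heading and the opening paragraph describe identity and device access decisions (the user account of the sign-in, the device, the app, the location and the risk of the request), which are not mail-filtering features; check that the product tags match the page's scope before merging, because readers use these blocks to decide whether the guidance applies to their licence.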
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/microsoft-security-guidance-for-political-campaigns-nonprofits-and-other-agile-o https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/microsoft-security-guidance-for-political-campaigns-nonprofits-and-other-agile-o.md
@@ -29,6 +29,9 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
**Summary:** Planning and implementation guidance for fast-moving organizations that have an increased threat profile.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/move-domains-and-settings-from-one-eop-organization-to-another-eop-organization https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/move-domains-and-settings-from-one-eop-organization-to-another-eop-organization.md
@@ -22,6 +22,8 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection standalone](https://go.microsoft.com/fwlink/?linkid=2148611)
Changing business requirements can sometimes require splitting one Microsoft Exchange Online Protection (EOP) organization (tenant) into two separate organizations, merging two organizations into one, or moving your domains and EOP settings from one organization to another organization. Moving from one EOP organization to a second EOP organization can be challenging, but with a few basic remote Windows PowerShell scripts and a small amount of preparation, this can be achieved with a relatively small maintenance window.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-air https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-air.md
@@ -8,7 +8,7 @@
audience: ITPro Previously updated : 01/28/2021 Last updated : 01/29/2021 localization_priority: Normal search.appverid: - MET150
@@ -28,6 +28,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+ [Microsoft Defender for Office 365](office-365-atp.md) includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help. AIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered.
@@ -35,8 +39,9 @@ AIR enables your security operations team to operate more efficiently and effect
This article describes: - The [overall flow of AIR](#the-overall-flow-of-air);-- [How to get AIR](#how-to-get-air); and-- The [required permissions](#required-permissions-to-use-air-capabilities) to configure or use AIR capabilities.
+- [How to get AIR](#how-to-get-air); and
+- The [required permissions](#required-permissions-to-use-air-capabilities) to configure or use AIR capabilities.
+- Changes that are coming soon to your security center
This article also includes [next steps](#next-steps), and resources to learn more.
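Review bot: The new item `- Changes that are coming soon to your security center` is appended after the item that ends with `; and`, so the conjunction now sits in the middle of the list, and the new item is the only one without a section link while the others anchor to their headings; move `; and` to the penultimate item (or drop it), end the new item consistently with `- The [required permissions](...) ... capabilities.`, and link it to the `## Changes are coming soon in your security center` heading this patch adds further down.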
@@ -44,33 +49,20 @@ This article also includes [next steps](#next-steps), and resources to learn mor
An alert is triggered, and a security playbook starts an automated investigation, which results in findings and recommended actions. Here's the overall flow of AIR, step by step:
-1. An automated investigation is initiated in one of the following ways:
-
- - An [alert is triggered](#which-alert-policies-trigger-automated-investigations) by something suspicious in email (such as a message, attachment, URL, or compromised user account). An incident is created, and an automated investigation begins.
-
- or
-
+1. An automated investigation is initiated in one of the following ways:
+ - Either [an alert is triggered](#which-alert-policies-trigger-automated-investigations) by something suspicious in email (such as a message, attachment, URL, or compromised user account). An incident is created, and an automated investigation begins; or
- A security analyst [starts an automated investigation](automated-investigation-response-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer) while using [Threat Explorer](threat-explorer.md).-
-2. While an automated investigation runs, it gathers additional data about the email in question and entities related to that email. Such entities can include files, URLs, and recipients. The investigation's scope can increase as new and related alerts are triggered.
-
-3. During and after an automated investigation, [details and results](air-view-investigation-results.md) are available to view. Results include [recommended actions](air-remediation-actions.md) that can be taken to respond to and remediate any threats that were found. In addition, a [playbook log](air-view-investigation-results.md#playbook-log) is available that tracks all investigation activity.
-
+2. While an automated investigation runs, it gathers data about the email in question and entities related to that email. Such entities can include files, URLs, and recipients. The investigation's scope can increase as new and related alerts are triggered.
+3. During and after an automated investigation, [details and results](air-view-investigation-results.md) are available to view. Results include [recommended actions](air-remediation-actions.md) that can be taken to respond to and remediate any threats that were found.
4. Your security operations team reviews the [investigation results and recommendations](air-view-investigation-results.md), and [approves or rejects remediation actions](air-review-approve-pending-completed-actions.md).- 5. As pending remediation actions are approved (or rejected), the automated investigation completes.
-> [!IMPORTANT]
-> In Microsoft Defender for Office 365, no remediation actions are taken automatically. Remediation actions are taken only upon approval by your organization's security team.
->
-> AIR capabilities save your security operations team time by identifying remediation actions and providing the details needed to make an informed decision.
+In Microsoft Defender for Office 365, no remediation actions are taken automatically. Remediation actions are taken only upon approval by your organization's security team. AIR capabilities save your security operations team time by identifying remediation actions and providing the details needed to make an informed decision.
During and after each automated investigation, your security operations team can: - [View details about an alert related to an investigation](air-view-investigation-results.md#view-details-about-an-alert-related-to-an-investigation)- - [View the results details of an investigation](air-view-investigation-results.md#view-details-of-an-investigation)- - [Review and approve actions as a result of an investigation](air-review-approve-pending-completed-actions.md) > [!TIP]
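Review bot: Demoting the `> [!IMPORTANT]` callout to a plain paragraph removes the emphasis from the one statement a security team most needs to see in this flow, that Defender for Office 365 takes no remediation actions without approval; keep it as a callout, or at least as its own short paragraph, rather than merging it with the time-saving sentence. The rewrite of step 3 also drops the sentence about the playbook log that tracks all investigation activity; if `air-view-investigation-results.md#playbook-log` is still a valid target, that pointer is what a reviewer auditing an investigation's actions needs, so it should stay.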
@@ -78,21 +70,19 @@ During and after each automated investigation, your security operations team can
## How to get AIR
-AIR capabilities are included in [Microsoft Defender for Office 365](office-365-atp.md#microsoft-defender-for-office-365-plan-1-and-plan-2), provided your policies and alerts are configured. If you would like some help with this, follow the guidance in [Protect against threats](protect-against-threats.md) to set up or configure the following protection settings:
-
-1. [Audit logging](https://docs.microsoft.com/microsoft-365/compliance/turn-audit-log-search-on-or-off) (should be turned on)
-
-2. [Antimalware policies](protect-against-threats.md#part-1anti-malware-protection)
-
-3. [Antiphishing protection](protect-against-threats.md#part-2anti-phishing-protection)
-
-4. [Antispam protection](protect-against-threats.md#part-3anti-spam-protection).
-
-5. [Safe Links and Safe Attachments](protect-against-threats.md#part-4protection-from-malicious-urls-and-files-safe-links-and-safe-attachments-in-defender-for-office-365).
+AIR capabilities are included in [Microsoft Defender for Office 365](office-365-atp.md#microsoft-defender-for-office-365-plan-1-and-plan-2), provided your policies and alerts are configured. Need some help? Follow the guidance in [Protect against threats](protect-against-threats.md) to set up or configure the following protection settings:
-6. [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](protect-against-threats.md#part-5verify-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams-is-turned-on).
-
-7. [Zero-hour auto purge for email](protect-against-threats.md#zero-hour-auto-purge-for-email-in-eop).
+- [Audit logging](https://docs.microsoft.com/microsoft-365/compliance/turn-audit-log-search-on-or-off) (should be turned on)
+- [Antimalware policies](protect-against-threats.md#part-1anti-malware-protection)
+- [Antiphishing protection](protect-against-threats.md#part-2anti-phishing-protection)
+- [Antispam protection](protect-against-threats.md#part-3anti-spam-protection)
+- [Antiphishing protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats?part-2anti-phishing-protection)
+- [Antispam protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats?part-3anti-spam-protection)
+- [Safe Links and Safe Attachments](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats?part-4protection-from-malicious-urls-and-files-safe-links-and-safe-attachments-in-defender-for-office-365)
+- [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats?part-5verify-atp-for-sharepoint-onedrive-and-microsoft-teams-is-turned-on)
+- [Zero-hour auto purge for email](https://docs.microsoft.com/microsoft-365/security/office-365-security/protect-against-threats?zero-hour-auto-purge-for-email-in-eop)
+- [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](protect-against-threats.md#part-5verify-safe-attachments-for-sharepoint-onedrive-and-microsoft-teams-is-turned-on)
+- [Zero-hour auto purge for email](protect-against-threats.md#zero-hour-auto-purge-for-email-in-eop).
In addition, make sure to [review your organization's alert policies](https://docs.microsoft.com/microsoft-365/compliance/alert-policies), especially the [default policies in the Threat management category](https://docs.microsoft.com/microsoft-365/compliance/alert-policies?default-alert-policies).
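Review bot: The replacement list contains duplicates and broken anchors: Antiphishing protection, Antispam protection, Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, and Zero-hour auto purge each appear twice, once as a relative `protect-against-threats.md#...` link and once as an absolute `https://docs.microsoft.com/.../protect-against-threats?part-...` link whose `?` query string will not jump to the section (a fragment needs `#`). The absolute Safe Attachments entry also still targets the old `?part-5verify-atp-for-sharepoint-onedrive-and-microsoft-teams-is-turned-on` anchor while its relative twin uses `#part-5verify-safe-attachments-for-...`. Keep one entry per setting, using the relative `#` anchors, and drop the trailing period on the last item so the list is consistent.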
@@ -106,8 +96,8 @@ Microsoft 365 provides many built-in alert policies that help identify Exchange
|An email message is reported by a user as malware or phish|**Informational**|This alert is generated when users in your organization report messages as phishing email using the [Report Message add-in](enable-the-report-message-add-in.md) or the [Report Phishing add-in](enable-the-report-phish-add-in.md).| |Email messages containing malware are removed after delivery|**Informational**|This alert is generated when any email messages containing malware are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](zero-hour-auto-purge.md).| |Email messages containing phish URLs are removed after delivery|**Informational**|This alert is generated when any messages containing phish are delivered to mailboxes in your organization. If this event occurs, Microsoft removes the infected messages from Exchange Online mailboxes using [Zero-hour auto purge](zero-hour-auto-purge.md).|
-|Suspicious email sending patterns are detected|**Medium**|This alert is generated when someone in your organization has sent suspicious email and is at risk of being restricted from sending email. This is an early warning for behavior that might indicate that the account is compromised, but not severe enough to restrict the user. <p> Although it's rare, an alert generated by this policy may be an anomaly. However, it's a good idea to [check whether the user account is compromised](responding-to-a-compromised-email-account.md).|
-|A user is restricted from sending email|**High**|This alert is generated when someone in your organization is restricted from sending outbound mail. This typically results when an [email account is compromised](responding-to-a-compromised-email-account.md). <p> For more information about restricted users, see [Remove blocked users from the Restricted Users portal in Microsoft 365](removing-user-from-restricted-users-portal-after-spam.md).|
+|Suspicious email sending patterns are detected|**Medium**|This alert is generated when someone in your organization has sent suspicious email and is at risk of being restricted from sending email. The alert is an early warning for behavior that might indicate that the account is compromised, but not severe enough to restrict the user. <p> Although it's rare, an alert generated by this policy may be an anomaly. However, it's a good idea to [check whether the user account is compromised](responding-to-a-compromised-email-account.md).|
+|A user is restricted from sending email|**High**|This alert is generated when someone in your organization is restricted from sending outbound mail. This alert typically results when an [email account is compromised](responding-to-a-compromised-email-account.md). <p> For more information about restricted users, see [Remove blocked users from the Restricted Users portal in Microsoft 365](removing-user-from-restricted-users-portal-after-spam.md).|
| > [!TIP]
@@ -121,7 +111,6 @@ Permissions are granted through certain roles, such as those that are described
||| |Set up AIR features|One of the following roles: <ul><li>Global Administrator</li><li>Security Administrator</li></ul> <p> These roles can be assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) or in the [Security & Compliance Center](permissions-in-the-security-and-compliance-center.md).| |Start an automated investigation <p> or <p> Approve or reject recommended actions|One of the following roles, assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles) or in the [Security & Compliance Center](permissions-in-the-security-and-compliance-center.md): <ul><li>Global Administrator</li><li>Security Administrator</li><li>Security Operator</li><li>Security Reader <br> and </li><li>Search and Purge (this role is assigned only in the [Security & Compliance Center](permissions-in-the-security-and-compliance-center.md). You might have to create a new role group there and add the Search and Purge role to that new role group.</li></ul>|
-|
## Required licenses
@@ -131,14 +120,39 @@ Permissions are granted through certain roles, such as those that are described
- Your organization's security operations team (including security readers and those with the **Search and Purge** role) - End users
-## Next steps
-- [See details and results of an automated investigation](air-view-investigation-results.md#view-details-of-an-investigation)
+## Changes are coming soon in your security center
-- [Review and approve pending actions](air-remediation-actions.md)
+If youΓÇÖre already using AIR capabilities in Microsoft Defender for Office 365, youΓÇÖre about to see some changes in the [improved Microsoft 365 security center](../mtp/overview-security-center.md).
++
+The new and improved security center brings together AIR capabilities in [Microsoft Defender for Office 365](https://docs.microsoft.com/microsoft-365/security/office-365-security/office-365-atp) and in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). With these updates and improvements, your security operations team will be able to view details about automated investigations and remediation actions across your email, collaboration content, user accounts, and devices, all in one place.
+
+> [!TIP]
+> The new Microsoft 365 security center ([https://security.microsoft.com](https://security.microsoft.com)) replaces the following centers:
+> - Office 365 Security & Compliance Center ([https://protection.office.com](https://protection.office.com))
+> - Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com))
+>
+> In addition to the URL changing, thereΓÇÖs a new look and feel, designed to give your security team a more streamlined experience, with visibility to more threat detections in one place.
+
+### What to expect
+
+The following table lists changes and improvements coming to AIR in Microsoft Defender for Office 365.
-## See also
+|Item |What's changing? |
+|||
+|**Investigations** page | The updated **Investigations** page is more consistent with what you see in [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations). YouΓÇÖll see some general format and styling changes that align with the new, unified **Investigations** view. For example, the investigation graph has a more unified format. |
+|**Users** tab |The **Users** tab is now the **Mailboxes** tab. Details about users are listed on the **Mailbox** tab. |
+|**Email** tab |The **Email** tab has been removed; visit the **Entities** tab to see a list of email and email cluster items. |
+|**Entities** tab | The **Entities** tab has a tab-in-tab style that includes an all-summary view, and the ability to filter by entity type. The **Entities** tab now includes a **Go hunting** option in addition to the **Open in Explorer** option. You can now use either [Threat Explorer](https://docs.microsoft.com/microsoft-365/security/office-365-security/threat-explorer) or [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) to find entities and threats, and filter on results. |
+|**Actions** tab |The updated **Actions** tab now includes a **Pending actions** tab and an **Actions history** tab. Actions can be approved (or rejected) in a side pane that opens when you select a pending action. |
+|**Evidence** tab | A new **Evidence** tab shows the key entity findings related to actions. Actions related to each piece of evidence can be approved (or rejected) in a side pane that opens when you select a pending action. |
+|**Action center** |The updated **Action center** ([https://security.microsoft.com/action-center](https://security.microsoft.com/action-center)) brings together pending and completed actions across email, devices, and identities. To learn more, see Action center. (To learn more, see [The Action center](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-action-center).)
+|**Incidents** page |The **Incidents** page now correlates multiple investigations together to provide a better consolidated view of investigations. ([Learn more about Incidents](https://docs.microsoft.com/microsoft-365/security/mtp/incidents-overview).)
-- [Automated investigation and remediation in Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) -- [Automated investigation and response in Microsoft 365 Defender](https://docs.microsoft.com/microsoft-365/security/mtp/mtp-autoir)
+## Next steps
+
+- [See details and results of an automated investigation](air-view-investigation-results.md#view-details-of-an-investigation)
+- [Review and approve pending actions](air-remediation-actions.md)
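Review bot: the **Action center** row (the line starting `+|**Action center**`) says "To learn more, see Action center." and then immediately repeats the same sentence as "(To learn more, see [The Action center](...).)"; keep only the linked version. That row and the **Incidents** row also omit the trailing `|` that the **Entities**, **Actions** and **Evidence** rows carry, so close them the same way for consistent table rendering. The removed lines drop the links to "Automated investigation and remediation in Microsoft Defender for Endpoint" and "Automated investigation and response in Microsoft 365 Defender" without a replacement; consider carrying them into the new "Next steps" list so those cross-references survive.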
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-atp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-atp.md
@@ -27,6 +27,9 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
> [!IMPORTANT] > This article is intended for business customers who have [Microsoft Defender for Office 365](https://docs.microsoft.com/office365/servicedescriptions/office-365-advanced-threat-protection-service-description). If you are using Outlook.com, Microsoft 365 Family, or Microsoft 365 Personal, and you're looking for information about Safe Links or Safe Attachments in Outlook, see [Advanced Outlook.com security for Microsoft 365 subscribers](https://support.microsoft.com/office/882d2243-eab9-4545-a58a-b36fee4a46e2).
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-ti https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-ti.md
@@ -28,6 +28,9 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies To**
+- [Microsoft Defender for Office 365 plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+ Threat investigation and response capabilities in [Microsoft Defender for Office 365](office-365-atp.md) help security analysts and administrators protect their organization's Microsoft 365 for business users by:
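Review bot: the heading added here reads `**Applies To**` with a capital T, while every other file in this change uses `**Applies to**`; match the casing so the block looks identical across articles.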
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office365-security-incident-response-overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office365-security-incident-response-overview.md
@@ -26,6 +26,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
**Summary:** This solution tells you what the indicators are for the most common cybersecurity attacks in Office 365, how to positively confirm any given attack, and how to respond to it.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/outbound-spam-controls https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/outbound-spam-controls.md
@@ -27,6 +27,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, we take managing outbound spam seriously. One customer who intentionally or unintentionally sends spam from their organization can degrade the reputation of the whole service, and can affect email delivery for other customers.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-in-the-security-and-compliance-center.md
@@ -26,6 +26,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
The Security & Compliance Center lets you grant permissions to people who perform compliance tasks like device management, data loss prevention, eDiscovery, retention, and so on. These people can perform only the tasks that you explicitly grant them access to. To access the Security & Compliance Center, users need to be a global administrator or a member of one or more Security & Compliance Center role groups.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/permissions-microsoft-365-compliance-security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/permissions-microsoft-365-compliance-security.md
@@ -25,6 +25,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
Your organization needs to manage security and compliance scenarios that span all the Microsoft 365 services. And you need the flexibility to give the right admin permissions to the right people in your organization's IT group. By using the Microsoft 365 security center or Microsoft 365 compliance center, you can manage permissions centrally for all tasks related to security or compliance.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/preset-security-policies.md
@@ -22,6 +22,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
Preset security policies provide a centralized location for applying all of the recommended spam, malware, and phishing policies to users at once. The policy settings are not configurable. Instead, they are set by us and are based on our observations and experiences in the datacenters for a balance between keeping harmful content away from users without disrupting their work.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/protect-against-threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/protect-against-threats.md
@@ -27,6 +27,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
Here's a quick-start guide that breaks the configuration of Defender for Office 365 into chunks. If you're new to threat protection features in Office 365, not sure where to begin, or if you learn best by *doing*, use this guidance as a checklist and a starting point.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/sharepoint-file-access-policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/sharepoint-file-access-policies.md
@@ -22,6 +22,12 @@ ms.technology: mdo
# Policy recommendations for securing SharePoint sites and files
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- SharePoint Online
++ This article describes how to implement the recommended identity and device-access policies to protect SharePoint and OneDrive for Business. This guidance builds on the [common identity and device access policies](identity-access-policies.md). These recommendations are based on three different tiers of security and protection for SharePoint files that can be applied based on the granularity of your needs: **baseline**, **sensitive**, and **highly regulated**. You can learn more about these security tiers, and the recommended client operating systems, referenced by these recommendations in [the overview](microsoft-365-policies-configurations.md).
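Review bot: in the new list, `- SharePoint Online` is the only entry without a link, whereas the Exchange Online Protection and Defender for Office 365 entries point at fwlink targets; either link it the same way or leave all entries plain. It is also worth confirming that Exchange Online Protection belongs in the **Applies to** list of an article whose own heading scopes it to securing SharePoint sites and files.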
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/siem-integration-with-office-365-ti https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/siem-integration-with-office-365-ti.md
@@ -24,6 +24,11 @@ ms.prod: m365-security
# SIEM integration with Microsoft Defender for Office 365
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+ [!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
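Review bot: this hunk places the **Applies to** block between the H1 and the `[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]` line, whereas the other articles in this change put it after the include; the siem-server-integration and spam-confidence-levels hunks below do the same. Pick one placement for all files so the rebranding note and the product list render in the same order everywhere.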
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/siem-server-integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/siem-server-integration.md
@@ -23,6 +23,11 @@ ms.prod: m365-security
# Security Information and Event Management (SIEM) server integration with Microsoft 365 services and applications
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+ [!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/spam-confidence-levels https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/spam-confidence-levels.md
@@ -24,6 +24,11 @@ ms.prod: m365-security
# Spam confidence level (SCL) in EOP
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+ [!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submit-spam-non-spam-and-phishing-scam-messages-to-microsoft-for-analysis.md
@@ -25,6 +25,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
> [!NOTE] > If you're an admin in an organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Security & Compliance Center. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/submitting-malware-and-non-malware-to-microsoft-for-analysis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submitting-malware-and-non-malware-to-microsoft-for-analysis.md
@@ -24,6 +24,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
> [!NOTE] > If you're an admin in an organization with Exchange Online mailboxes, we recommend that you use the Submissions portal in the Security & Compliance Center. For more information, see [Use Admin Submission to submit suspected spam, phish, URLs, and files to Microsoft](admin-submission.md).
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/support-for-anonymous-inbound-email-messages-over-ipv6 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/support-for-anonymous-inbound-email-messages-over-ipv6.md
@@ -25,6 +25,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
Microsoft 365 organizations with Exchange Online mailboxes and standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes support anonymous inbound email over IPv6. The source IPv6 email server must meet both of the following requirements:
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/support-for-validation-of-dkim-signed-messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/support-for-validation-of-dkim-signed-messages.md
@@ -23,6 +23,11 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+ Exchange Online Protection (EOP) and Exchange Online both support inbound validation of Domain Keys Identified Mail ([DKIM](https://www.rfc-editor.org/rfc/rfc6376.txt)) messages. DKIM validates that an email message wasn't *spoofed* by someone else, and was sent from the domain it *says* it came from. It ties an email message to the organization that sent it. DKIM verification is used automatically for all messages sent with IPv6. Microsoft 365 also supports DKIM when mail is sent over IPv4. (For more information about IPv6 support, see [Support for anonymous inbound email messages over IPv6](support-for-anonymous-inbound-email-messages-over-ipv6.md).)
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/switch-to-eop-from-google-postini-the-barracuda-spam-and-virus-firewall-or-cisco https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/switch-to-eop-from-google-postini-the-barracuda-spam-and-virus-firewall-or-cisco.md
@@ -22,6 +22,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
The purpose of this topic is to help you understand the process for switching to Exchange Online Protection (EOP) from an on-premises email hygiene appliance or cloud-based protection service, and then to provide you with help resources to get started. There are many spam-filtering solutions, but the process for switching to EOP is similar in most cases.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/tenant-allow-block-list https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-allow-block-list.md
@@ -23,6 +23,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
> [!NOTE] >
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security.md
@@ -27,6 +27,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
This topic walks you through recommended configuration for tenant-wide settings that affect the security of your Microsoft 365 environment. Your security needs might require more or less security. Use these recommendations as a starting point.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-views https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-views.md
@@ -24,6 +24,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+ ![Threat Explorer](../../media/ThreatExplorerFirstOpened.png)
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer.md
@@ -24,7 +24,13 @@ ms.prod: m365-security
# Threat Explorer and Real-time detections
-If your organization has [Microsoft Defender for Office 365](office-365-atp.md) and you have the [necessary permissions](#required-licenses-and-permissions), you have access to *Explorer* or *Real-time detections*, which were formerly *Real-time reports*. ([See what's new.](#new-features-in-threat-explorer-and-real-time-detections)) In the Security & Compliance Center, go to **Threat management**, and then select **Explorer** _or_ **Real-time detections**.
+
+**Applies to**
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
+If your organization has [Microsoft Defender for Office 365](office-365-atp.md), and you have the [necessary permissions](#required-licenses-and-permissions), you have either **Explorer** or **Real-time detections** (formerly *Real-time reports* ΓÇö [see what's new](#new-features-in-threat-explorer-and-real-time-detections)!). In the Security & Compliance Center, go to **Threat management**, and then choose **Explorer** _or_ **Real-time detections**.
+ |With Microsoft Defender for Office 365 Plan 2, you see:|With Microsoft Defender for Office 365 Plan 1, you see:| |||
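Review bot: the rewritten sentence on the line starting `+If your organization has` contains the mis-encoded sequence `ΓÇö` (the UTF-8 bytes of an em dash displayed as CP437) where a dash was intended; replace it with a plain dash or a correctly encoded character and check that the file is saved as UTF-8 before merging. The exclamation mark in "(formerly *Real-time reports* ΓÇö [see what's new](...)!)" also reads oddly inside the parenthesis; the removed wording "([See what's new.](...))" was cleaner.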
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-trackers https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-trackers.md
@@ -25,6 +25,9 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Microsoft Defender for Office 365 plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
[Office 365 Threat Investigation and Response](office-365-ti.md) capabilities enable your organization's security team to discover and take action against cybersecurity threats. Office 365 Threat Investigation and Response capabilities include Threat Tracker features, including Noteworthy trackers. Read this article to get an overview of these new features and next steps.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/troubleshooting-mail-sent-to-office-365 https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/troubleshooting-mail-sent-to-office-365.md
@@ -26,6 +26,9 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
This article provides troubleshooting information for senders who are experiencing issues when trying to send email to inboxes in Microsoft 365 and best practices for bulk mailing to customers.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/tuning-anti-phishing https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tuning-anti-phishing.md
@@ -23,6 +23,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
Although Microsoft 365 comes with a variety of anti-phishing features that are enabled by default, it's possible that some phishing messages could still get through to your mailboxes. This topic describes what you can do to discover why a phishing message got through, and what you can do to adjust the anti-phishing settings in your Microsoft 365 organization _without accidentally making things worse_.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/turn-on-atp-for-spo-odb-and-teams https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/turn-on-atp-for-spo-odb-and-teams.md
@@ -27,6 +27,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+ Microsoft Defender for Office 365 for SharePoint, OneDrive, and Microsoft Teams protects your organization from inadvertently sharing malicious files. For more information, see [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](atp-for-spo-odb-and-teams.md). This article contains the steps for enabling and configuring Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-dkim-to-validate-outbound-email.md
@@ -27,6 +27,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
**Summary:** This article describes how you use DomainKeys Identified Mail (DKIM) with Microsoft 365 to ensure that destination email systems trust messages sent outbound from your custom domain.
@@ -347,6 +351,7 @@ For example, the DKIM record would look like this:
```console *._domainkey.SubDomainThatShouldntSendMail.contoso.com. TXT "v=DKIM1; p=" ```
+`
## Next steps: After you set up DKIM for Microsoft 365 <a name="DKIMNextSteps"> </a>
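Review bot: the added line consisting of a single backtick character, immediately after the closing fence of the `console` block, will render either as a stray literal backtick or as an unterminated inline code span in front of the "Next steps" heading; remove that line, as nothing in the hunk uses it.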
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-dmarc-to-validate-email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-dmarc-to-validate-email.md
@@ -24,6 +24,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
Domain-based Message Authentication, Reporting, and Conformance ([DMARC](https://dmarc.org)) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain. Implementing DMARC with SPF and DKIM provides additional protection against spoofing and phishing email. DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM checks.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-mail-flow-rules-to-see-what-your-users-are-reporting-to-microsoft https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-mail-flow-rules-to-see-what-your-users-are-reporting-to-microsoft.md
@@ -23,6 +23,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, there are multiple ways for users to report messages to Microsoft for analysis as described in [Report messages and files to Microsoft](report-junk-email-messages-to-microsoft.md).
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-mail-flow-rules-to-set-the-spam-confidence-level-scl-in-messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-mail-flow-rules-to-set-the-spam-confidence-level-scl-in-messages.md
@@ -25,6 +25,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP uses anti-spam policies (also known as spam filter policies or content filter policies) to scan inbound messages for spam. For more information, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-spam-notifications-to-release-and-report-quarantined-messages https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-spam-notifications-to-release-and-report-quarantined-messages.md
@@ -28,6 +28,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, quarantine holds potentially dangerous or unwanted messages. For more information, see [Quarantined messages in EOP](quarantine-email-messages.md).
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-the-delist-portal-to-remove-yourself-from-the-office-365-blocked-senders-lis.md
@@ -27,6 +27,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
Are you getting an error message when you try to send an email to a recipient whose email address is in Microsoft 365? If you think you should not be receiving the error message, you can use the delist portal to remove yourself from the blocked senders list.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/use-transport-rules-to-configure-bulk-email-filtering https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/use-transport-rules-to-configure-bulk-email-filtering.md
@@ -24,6 +24,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, EOP uses anti-spam policies (also known as spam filter policies or content filter policies) to scan inbound messages for spam and bulk mail (also known as gray mail). For more information, see [Configure anti-spam policies in EOP](configure-your-spam-filter-policies.md).
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/user-submission https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-submission.md
@@ -24,6 +24,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
In Microsoft 365 organizations with Exchange Online mailboxes, you can specify a mailbox to receive messages that users report as malicious or not malicious. When users submit messages using the various reporting options, you can use this mailbox to intercept messages (send to the custom mailbox only) or receive copies of messages (send to the custom mailbox and Microsoft). This feature works with the following message reporting options:
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/view-email-security-reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-email-security-reports.md
@@ -26,6 +26,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
A variety of reports are available in the [Security & Compliance Center](https://protection.office.com) to help you see how email security features, such as anti-spam, anti-malware, and encryption features in Microsoft 365 are protecting your organization. If you have the [necessary permissions](#what-permissions-are-needed-to-view-these-reports), you can view these reports in the Security & Compliance Center by going to **Reports** \> **Dashboard**. To go directly to the Reports dashboard, open <https://protection.office.com/insightdashboard>.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/view-mail-flow-reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-mail-flow-reports.md
@@ -26,6 +26,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
In addition to the mail flow reports that are available in the [Mail flow dashboard](mail-flow-insights-v2.md) in the Security & Compliance Center, a variety of additional mail flow reports are available in the Reports dashboard to help you monitor your Microsoft 365 organization.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/view-reports-for-atp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-reports-for-atp.md
@@ -27,6 +27,9 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
Microsoft Defender for Office 365 organizations (for example, Microsoft 365 E5 subscriptions or Microsoft Defender for Office 365 Plan 1 or Microsoft Defender for Office 365 Plan 2 add-ons) contain a variety of security-related reports. If you have the [necessary permissions](#what-permissions-are-needed-to-view-the-defender-for-office-365-reports), you can view these reports in the Security & Compliance Center by going to **Reports** \> **Dashboard**. To go directly to the Reports dashboard, open <https://protection.office.com/insightdashboard>.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/view-the-admin-audit-log-eop https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-the-admin-audit-log-eop.md
@@ -18,6 +18,9 @@ ms.prod: m365-security
# View the admin audit log in standalone EOP
+**Applies to**
+- [Exchange Online Protection standalone](https://go.microsoft.com/fwlink/?linkid=2148611)
+ [!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
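Review bot: the link text "Exchange Online Protection standalone" points at the same fwlink (linkid=2148611) that every other file in this batch labels "Exchange Online Protection"; use one label for the same target, or, if the distinction matters here, explain it in the topic body rather than the link text. The **Applies to** block is also placed above the Microsoft 365 Defender rebranding INCLUDE in this file but below it in the other hunks; pick one placement so the block renders in the same position across the set.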
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/virus-detection-in-spo https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/virus-detection-in-spo.md
@@ -27,6 +27,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+ Microsoft 365 uses a common virus detection engine for scanning files that users upload to SharePoint Online, OneDrive, and Microsoft Teams. This protection is included with all subscriptions that include SharePoint Online, OneDrive, and Microsoft Teams. > [!IMPORTANT]
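Review bot: the **Applies to** list names Exchange Online Protection and Defender for Office 365 plan 1 and plan 2, but the sentence right below it says this protection "is included with all subscriptions that include SharePoint Online, OneDrive, and Microsoft Teams", so the list and the body disagree about what the feature is tied to; either the list should reflect the SharePoint Online, OneDrive and Teams subscriptions the text describes, or the body should be reworded. This is also the only hunk in the batch that omits the Microsoft 365 Defender entry (linkid=2118804) while keeping the EOP one; confirm that omission is intended.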
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/walkthrough-spoof-intelligence-insight.md
@@ -26,6 +26,9 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
In Microsoft 365 organizations with Defender for Office 365, you can use the Spoof intelligence insight to quickly determine which external senders are legitimately sending you unauthenticated email (messages from domains that don't pass SPF, DKIM, or DMARC checks).
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/what-s-the-difference-between-junk-email-and-bulk-email https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/what-s-the-difference-between-junk-email-and-bulk-email.md
@@ -26,6 +26,10 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, customers sometimes ask: "what's the difference between junk email and bulk email?" This topic explains the difference and describes the controls that are available in EOP.
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/whats-new-in-office-365-atp https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/whats-new-in-office-365-atp.md
@@ -28,10 +28,9 @@ ms.prod: m365-security
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)] -
-**Applies to:**
--- [Microsoft Defender for Office 365](office-365-atp.md)
+**Applies to**
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
This article lists new features in the latest release of Microsoft Defender for Office 365. Features that are currently in preview are denoted with **(preview)**.
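Review bot: the removed line linked **Applies to** to the in-repo overview `office-365-atp.md`, and the replacement links only to the external fwlink (linkid=2148715); if the in-repo page remains the canonical product overview, keep a link to it, since this what's-new page is the one readers reach first. The heading change from "**Applies to:**" to "**Applies to**" matches the other files in this batch, which is fine; note that the hunk also drops a blank line between the INCLUDE directive and the heading, so check the rendered page still shows the heading as its own paragraph.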
security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-hour-auto-purge.md
@@ -27,6 +27,11 @@ ms.prod: m365-security
# Zero-hour auto purge (ZAP) in Exchange Online
+**Applies to**
+- [Exchange Online Protection](https://go.microsoft.com/fwlink/?linkid=2148611)
+- [Microsoft Defender for Office 365 plan 1 and plan 2](https://go.microsoft.com/fwlink/?linkid=2148715)
+- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+ [!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender-for-office.md)]
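Review bot: the **Applies to** block is inserted directly under the H1 and above the Microsoft 365 Defender rebranding INCLUDE, whereas in the other hunks of this batch (for example use-transport-rules-to-configure-bulk-email-filtering and view-email-security-reports) it is placed after the INCLUDE; choose one placement for the whole set so the rebranding notice and the applies-to list appear in a consistent order. The line counts in the header (@@ -27,6 +27,11 @@) match the five added lines, including the trailing blank line, so the hunk itself applies cleanly.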