Updates from: 03/11/2022 02:31:37
Category Microsoft Docs article Related commit history on GitHub Change details
commerce Use Cost Mgmt https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/use-cost-mgmt.md
+
+ Title: "Use Cost management in the Microsoft 365 admin center"
++++
+audience: Admin
++
+ms.localizationpriority: normal
+
+- M365-subscription-management
+- Adm_O365
+- Adm_TOC
+
+- commerce_subscriptions
+- AdminTemplateSet
+search.appverid: MET150
+description: "Learn how to use the cost management feature in the Microsoft 365 admin center to view, analyze, and manage costs for your organization."
Last updated : 03/09/2022++
+# Use Cost management in the Microsoft 365 admin center
+
+If youΓÇÖre a Global or Billing admin with a Microsoft Customer Agreement (MCA), you can use the **Cost management** page in the Microsoft 365 admin center to view, analyze, and manage your service costs. To get to the **Cost management** page, in the admin center left navigation pane, select **Billing** > **Cost management**.
+
+## Before you begin
+
+You must be a Global or Billing admin to do the steps described in this article. For more information, see [About admin roles](../admin/add-users/about-admin-roles.md).
+
+## What is cost management?
+
+In general, cost management is a methodology used to plan and control an organizationΓÇÖs budget. In the Microsoft 365 admin center, the cost management features help reduce the cost and overhead needed to manage your organizationΓÇÖs assets. As part of this feature, Microsoft is introducing new products and services that use a pay-as-you-go billing model, where you only pay for what you use. You can use the new cost management features to:
+
+- Download cost and usage data used to generate your monthly invoice
+- Proactively apply data analysis to your costs
+- Set spending thresholds
+- Identify opportunities for workload changes that can optimize your spending (internal processes)
+
+## Understand your costs
+
+You can use Microsoft 365 billing features to review your invoiced costs and manage access to billing information. In larger organizations, procurement and finance teams usually conduct billing tasks.
+
+When you sign up to use Microsoft 365, a billing account is automatically created for you. You use your billing account to manage your invoices and payments, and track costs. ItΓÇÖs possible for you to have multiple billing accounts. For each legal entity or sold-to address for your organization, you receive a separate billing account.
+
+## Plan and control costs
+
+Cost management in the Microsoft 365 admin center helps you plan for and control your organizationΓÇÖs costs by helping you do the following tasks:
+
+- **Analyze costs:** Cost management views let you explore and analyze your organizational costs. You can view aggregated costs by organization to understand where costs are accrued and to identify spending trends. You can also see accumulated costs over time to estimate monthly, quarterly, or even yearly cost trends against a budget.
+- **Create budgets:** Budgets help you plan for and meet financial accountability in your organization. They help prevent cost thresholds or limits from being surpassed. Budgets can also help you inform others about their spending to proactively manage costs. And with budgets, you can see how spending in your organization progresses over time.
+
+## View costs
+
+The **Cost management** page in the admin center has a **Services** tab where you can see the breakdown of the different products and services youΓÇÖre using today.
++
+Use the **Services** tab to see the list of all services being used during the selected period. The chart on the page breaks down the costs daily for the top 10 services. Use the date picker to look back at historical costs and use different date ranges to compare cost trends.
+
+## Download costs
+
+Select **Download** to download your daily cost data into a CSV or Excel file. You can use the data to further analyze your charges or merge with other data, as needed.
+
+## Create budgets
+
+Budgets let you monitor your charges and ensure youΓÇÖre aware when you go over specified thresholds. You can create a quick budget where you set a threshold amount that you want to stay under each month. The quick budget sends you a notification when your costs exceed this threshold. Notifications are only sent to the admin who created the budget.
++
+To customize the budget, select **Configure advanced settings**. You can give your budget a name and change the budget frequency. You can also set up a monthly, quarterly, or annual budget, and choose the period for which budget notifications are sent.
++
+## Related content
+
+[Cost Management best practices](/azure/cost-management-billing/costs/cost-mgt-best-practices) (article)
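Review bot: the apostrophes throughout the new article come through as the mojibake sequence 'ΓÇÖ' (for example 'If youΓÇÖre a Global or Billing admin' and 'an organizationΓÇÖs budget'), which is what a UTF-8 right single quote looks like when the file is read as code page 437; save the file as UTF-8, or use a plain ASCII apostrophe, so the published page does not show garbage in every paragraph. The metadata block also looks damaged in this rendering: it contains bare '++++' and '++' lines, the list items '- M365-subscription-management' / '- Adm_O365' / '- commerce_subscriptions' appear without the YAML keys they belong to, and 'Last updated : 03/09/2022++' looks like a broken ms.date line, so verify the front matter in the source before merging. One content point worth making explicit in the Create budgets section: 'Notifications are only sent to the admin who created the budget' means a budget alert disappears when that admin leaves or loses the role, so consider advising readers to create budgets from a shared or persistent admin account.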
compliance Apply Sensitivity Label Automatically https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/apply-sensitivity-label-automatically.md
In all cases, matched files are labeled until the OneDrive account is permanentl
5. For the page **Name your auto-labeling policy**: Provide a unique name, and optionally a description to help identify the automatically applied label, locations, and conditions that identify the content to label.
-6. For the page **Choose locations where you want to apply the label**: Select and specify locations for Exchange, SharePoint, and OneDrive. If you don't want to keep the default of **All** for your chosen locations, select the link to choose specific instances to include, or select the link to choose specific instances to exclude. Then select **Next**.
+6. For the page **Choose locations where you want to apply the label**: Select and specify locations for Exchange, SharePoint, and OneDrive. If you don't want to keep the default of **All** included for your chosen locations, select the link to choose specific instances to include, or select the link to choose specific instances to exclude. Then select **Next**.
![Choose locations page for auto-labeling configuration.](../media/locations-auto-labeling-wizard.png)
- More information about the locations:
+ If you change the default settings by using **Included** or **Excluded**:
- - If you choose **Exchange** and want to label incoming email from outside your organization, you must keep the default of **All** included. For this configuration to be scoped to specific users in your organization, choose **Advanced rules** in the next step. Then configure the conditions to include specific recipients in your organization to achieve the scoping requirement for a subset of users.
+ - For the **Exchange** location, the policy is applied according to the sender address of the recipients specified. Most of the time, you'll want to keep the default of **All** included with **None** excluded. This configuration is suitable even if you're testing for a subset of users. Instead of specifying your subset of users here, use the advanced rules in the next step to configure conditions to include or exclude recipients in your organization. Otherwise, when you change the default settings here:
+ - If you change the default of **All** included and instead, choose specific users or groups, email sent from outside your organization will be exempt from the policy.
+ - If you keep the default of **All** included but specify users or groups to exclude, email that these excluded users send will be exempt from the policy, but not email that they receive.
- - To specify individual OneDrive accounts, see [Get a list of all user OneDrive URLs in your organization](/onedrive/list-onedrive-urls).
+ - For OneDrive accounts, see [Get a list of all user OneDrive URLs in your organization](/onedrive/list-onedrive-urls) to help you specify individual OneDrive accounts to include or exclude.
7. For the **Set up common or advanced rules** page: Keep the default of **Common rules** to define rules that identify content to label across all your selected locations. If you need different rules per location, including more options for Exchange, select **Advanced rules**. Then select **Next**.
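Review bot: in the new Exchange bullet, 'the policy is applied according to the sender address of the recipients specified' is hard to parse. The two sub-bullets beneath it state the actual rule clearly (included and excluded users are matched on the sender address, so narrowing All to specific users exempts all mail from outside the organization, and excluding users exempts mail they send but not mail they receive), so say that directly, e.g. 'For the Exchange location, included and excluded users or groups are matched on the sender address.' Since narrowing the location silently exempts external email, which is the mail most likely to arrive unlabeled, keep the explicit recommendation to leave All included / None excluded and scope the policy with advanced rules in the next step instead.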
compliance Data Spillage Scenariosearch And Purge https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/data-spillage-scenariosearch-and-purge.md
After you create a content search, you need to review and validate that the sear
If you have more than 1,000 mailboxes or more than 100 email messages per mailbox to review, you can divide the initial search into multiple searches by using additional keywords or conditions such as date range or sender/recipient and review the results of each search individually. Make sure to note down all search queries to use when you delete messages in [Step 7](#step-7-permanently-delete-the-spilled-data).
-If a custodian or end user is assigned an Office 365 E5 license, you can examine up to 10,000 search results at once using Advanced eDiscovery. If there are more than 10,000 email messages to review, you can divide the search query by date range and review each result individually as search results are sorted by date. In Advanced eDiscovery, you can tag search results using the **Label as** feature in the preview panel and filter the search result by the tag you labeled. This is helpful when you collaborate with a secondary reviewer. By using additional analytics tools in Advanced eDiscovery, such as optical character recognition, email threading, and predictive coding, you can quickly process and review thousands of messages and tag them for further review. See [Quick setup for Advanced eDiscovery](./get-started-with-advanced-ediscovery.md).
- When you find an email message that contains spilled data, check the recipients of the message to determine if it was shared externally. To further trace a message, you can collect sender information and date ranges so you can use the message trace logs. This process is described in [Step 5](#step-5-use-message-trace-log-to-check-how-spilled-data-was-shared). After you verified the search results, you may want to share your findings with others for a secondary review. People who you assigned to the case in Step 1 can review the case content in both eDiscovery and Advanced eDiscovery and approve case findings. You can also generate a report without exporting the actual content. You can also use this same report as a proof of deletion, which is described in [Step 8](#step-8-verify-provide-a-proof-of-deletion-and-audit).
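Review bot: both removed lines have no replacement, so the step loses the instruction to check each matching message's recipients for external sharing, the pointer to Step 5 (message trace) and the pointer to Step 8 (using the report as proof of deletion). If those paragraphs were moved rather than dropped, fine; otherwise keep at least the recipient check and the Step 5 cross-reference, because establishing whether the spilled data left the organization is the decision point for the rest of the procedure. The Advanced eDiscovery guidance (E5 license, 10,000 results at a time, tagging with Label as for a secondary reviewer) also disappears with the first removed line; if those limits still apply, that information belongs in the retained text.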
compliance Predictive Coding Quick Start https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/compliance/predictive-coding-quick-start.md
description: "Learn how to get started using the predictive coding module in Adv
# Quick start: Predictive coding in Advanced eDiscovery (preview)
-This article presents a quick start for using predictive coding in Advanced eDiscovery. The predictive coding module in Advanced eDiscovery uses the intelligent, machine learning capabilities in Advanced eDiscovery to help you reduce the amount of content to review. Predictive coding helps you reduce and cull large volumes of case content to a relevant set of items that you can prioritize for review. This is accomplished by creating and training your own predictive coding models that help you prioritize the review of the most relevant items in a review set.
+This article presents a quick start for using predictive coding in Advanced eDiscovery. The predictive coding module uses intelligent, machine learning capabilities to help you cull large volumes of case content that's not relevant to your investigation. This is accomplished by creating and training your own predictive coding models that help you prioritize the most relevant items for review.
Here's an a quick overview of the predictive coding process:
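Review bot: the trailing context line 'Here's an a quick overview of the predictive coding process:' carries a stray 'an'; since this paragraph is already being rewritten, drop it in the same commit. In the new sentence, 'intelligent, machine learning capabilities' reads better as 'intelligent machine-learning capabilities' (no comma, hyphenated compound modifier).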
contentunderstanding Form Processing Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/form-processing-overview.md
- enabler-strategic - m365initiative-syntex ms.localizationpriority: medium
-description: Learn about form processing in Microsoft SharePoint Syntex.
+description: Learn how to use AI Build to create form processing models in Microsoft SharePoint Syntex.
# Form processing overview in Microsoft SharePoint Syntex
For example, you can create a form processing model that identifies all purchase
![Doc library view.](../media/content-understanding/doc-lib-done.png)</br>
-You use example files to train your model and define the information to be extracted from your form. The layout of your document is learned by training your model. You only need five form documents to get started. AI Builder will analyze your example files for key-value pairs, and you can also manually identify ones that may not have been detected. AI builder lets you test the accuracy of your model on your example files.
+You use example files to train your model and define the information to be extracted from your form. The layout of your document is learned by training your model. You only need five form documents to get started. AI Builder will analyze your example files for key-value pairs, and you can also manually identify ones that might not have been detected. AI builder lets you test the accuracy of your model on your example files.
-After you train and publish your model, your model creates a [Power Automate Flow](/power-automate/getting-started). The flow runs when a file is uploaded to the SharePoint document library and will extract data that has been identified in the model. The extracted data will display in columns in your model's document library view.
+After you train and publish your model, your model creates a [Power Automate flow](/power-automate/getting-started). The flow runs when a file is uploaded to the SharePoint document library and will extract data that has been identified in the model. The extracted data will display in columns in your model's document library view.
-An Office 365 admin needs to [enable Form processing](./set-up-content-understanding.md) for the SharePoint document library for users to be able to [create a form processing model](create-a-form-processing-model.md) in it. You can select the sites during setup, or after setup in your management settings.
+An Office 365 admin needs to [enable form processing](./set-up-content-understanding.md) for the SharePoint document library for users to be able to [create a form processing model](create-a-form-processing-model.md) in it. You can select the sites during setup, or after setup in your management settings.
### File limitations
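Review bot: the new description says 'AI Build', but the product is 'AI Builder', as the body text on the same page uses ('AI Builder will analyze your example files'); fix the description before it propagates into search snippets. The same body line mixes 'AI Builder' and 'AI builder' in consecutive sentences; while that line is being touched, make the capitalization consistent.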
contentunderstanding Index https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/index.md
Learn more about how to use and implement SharePoint Syntex in your organization
|See example scenarios to give you ideas about how you can use SharePoint Syntex in your organization |[Scenarios and use cases for SharePoint Syntex](./adoption-scenarios.md)| |Set up and run a trial pilot program for SharePoint Syntex |[Run a trial](./trial-syntex.md)| |Learn how to use SharePoint Syntex to automate document processes |[Manage contracts using a Microsoft 365 solution](./solution-manage-contracts-in-microsoft-365.md)|
+|Try out this customizable SharePoint site template to help manage contracts |[Use the Contracts Management site template](./use-contracts-management-site.md)|
+|Try out this instructional Content Center site template to learn more about models |[Use the Content Center site template](./use-content-center-site.md)|
## Set up SharePoint Syntex
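Review bot: the two added rows link to ./use-contracts-management-site.md and ./use-content-center-site.md, neither of which appears in this change set; confirm both files exist at those paths so the build does not flag broken links. The existing rows open with 'See', 'Set up' and 'Learn how', while the new ones open with 'Try out'; align the wording with the rest of the table.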
contentunderstanding Model Usage Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/model-usage-analytics.md
Title: Document understanding model usage analytics in Microsoft SharePoint Syntex
+ Title: Analyze how your models are used in Microsoft SharePoint Syntex
- enabler-strategic - m365initiative-syntex ms.localizationpriority: medium
-description: Learn how to find and use usage analytics for a document understanding model.
+description: Learn how to find more information about how your document understanding and form processing models are performing.
-# Document understanding model usage analytics in Microsoft SharePoint Syntex
+# Analyze how your models are used in Microsoft SharePoint Syntex
</br>
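Review bot: the hunk adds a new '+ Title: Analyze how your models are used in Microsoft SharePoint Syntex' line while the old 'Title: Document understanding model usage analytics...' line above it shows as unchanged context, which would leave two title entries in the front matter; confirm the old one is removed. The new description ('how your ... models are performing') and the new title and H1 ('how your models are used') describe different things, performance versus usage; pick one so the title, H1 and description agree.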
contentunderstanding Rename A Model https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/rename-a-model.md
- enabler-strategic - m365initiative-syntex ms.localizationpriority: medium
-description: Learn how and why to rename a model in Microsoft SharePoint Syntex.
+description: Learn how and why to rename a document understanding model in Microsoft SharePoint Syntex.
# Rename a model in Microsoft SharePoint Syntex
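Review bot: the description now scopes renaming to document understanding models, but the H1 'Rename a model in Microsoft SharePoint Syntex' is still generic; either align the H1 or keep the description generic, whichever matches what the article body actually covers.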
contentunderstanding Rename An Extractor https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/contentunderstanding/rename-an-extractor.md
Follow these steps to rename an entity extractor.
2. On the **Models** page, in the **Name** column, select the model for which you want to rename an extractor.
-3. Under **Entity extractors**, select the name of the extractor you want to rename, and then select **Rename**.</br>
+3. Under **Entity extractors**, select the name of the extractor you want to rename, and then select **Rename**.
- ![Screenshot of the Entity extractors section showing a selected extractor with the Rename option highlighted.](../media/content-understanding/entity-extractor-rename.png) </br>
+ ![Screenshot of the Entity extractors section showing a selected extractor with the Rename option highlighted.](../media/content-understanding/entity-extractor-rename.png)
4. On the **Rename entity extractor** panel:
- a. Under **New name**, enter the new name of the extractor.</br>
+ a. Under **New name**, enter the new name of the extractor.
- ![Screenshot showing the Entity extractor panel.](../media/content-understanding/rename-entity-extractor-panel.png) </br>
+ ![Screenshot showing the Entity extractor panel.](../media/content-understanding/rename-entity-extractor-panel.png)
b. (Optional) Under **Advanced settings**, select whether you want to associate an existing site column.
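Review bot: removing the '</br>' tags is right ('</br>' is not valid HTML; a line break is '<br/>'), but without them the screenshot lines rely on their leading indentation to stay inside the numbered list items; keep the leading spaces on the '![Screenshot ...' lines so the list does not restart at 1 after each image.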
enterprise Modern Desktop Deployment And Management Lab https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab.md
Detailed lab guides take you through multiple deployment and management scenario
[Download the Windows 11 and Office 365 deployment lab kit](https://www.microsoft.com/evalcenter/evaluate-windows-11-office-365-lab-kit) > [!NOTE]
-> Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows 10 lab expires May 16, 2022. The Windows 11 lab expires April 11, 2022. New versions will be published prior to expiration.
+> Please use a broadband internet connection to download this content and allow approximately 30 minutes for automatic provisioning. The lab environment requires a minimum of 16 GB of available memory and 150 GB of free disk space. For optimal performance, 32 GB of available memory and 300 GB of free space is recommended. The Windows 10 lab expires May 16, 2022. The Windows 11 lab expires May 6, 2022. New versions will be published prior to expiration.
## Additional guidance
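Review bot: the Windows 11 lab expiry moves from April 11 to May 6, 2022, which is later than the previously stated date but still earlier than the Windows 10 lab's May 16; since the note also promises 'New versions will be published prior to expiration', confirm the new date matches the kit currently offered on the Evaluation Center page linked above.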
enterprise Office 365 Network Mac Perf Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/enterprise/office-365-network-mac-perf-overview.md
Test reports are linked to a location if it was added with LAN subnet informatio
Measurement samples and office locations should start to appear 2-3 minutes after a test report is completed. For more information, see [Microsoft 365 network connectivity test](office-365-network-mac-perf-onboarding-tool.md). > [!NOTE]
-> Currently, wWhen adding your office locations to Microsoft 365 network connectivity in the Microsoft 365 admin center, you can provide only IPv4 addresses for your LAN subnets. Egress IP addresses must use IPv4.
+> Currently, When adding your office locations to Microsoft 365 network connectivity in the Microsoft 365 admin center, you can provide only IPv4 addresses for your LAN subnets. Egress IP addresses must use IPv4.
## How do I use this information?
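Review bot: the fix replaces 'wWhen' with 'When' but leaves the capital after the comma; 'Currently, When adding' should be 'Currently, when adding'. While this note is being edited, consider stating the practical consequence of its two sentences explicitly: IPv6 LAN subnets and IPv6 egress addresses are not accepted, so IPv6-only office locations cannot be added yet.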
security Compare Mdb M365 Plans https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/compare-mdb-m365-plans.md
# Compare Microsoft Defender for Business to Microsoft 365 Business Premium > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
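Review bot: 'sign-up here' on the + line uses the noun form where a verb is needed; 'sign up here' is correct. The same phrase appears in the corresponding + line of the other six Defender for Business files in this digest, so fix it once in the shared text rather than per file.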
security Get Defender Business https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/get-defender-business.md
# Get Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
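Review bot: the + line keeps the doubled 'in' in 'is in in preview'; the same sentence in compare-mdb-m365-plans.md above reads 'is in preview', so this is the stray. The identical doubled 'in' appears in the + lines for mdb-configure-security-settings.md, mdb-create-edit-device-groups.md, mdb-custom-rules-firewall.md, mdb-email-notifications.md, mdb-firewall.md and mdb-get-help.md; since those lines are being touched anyway, fix all of them in this change.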
To find a solution provider in your area, take the following steps:
## Get Microsoft 365 Business Premium
-*Beginning March 1, 2022, Defender for Business will start rolling out as part of Microsoft 365 Business Premium*.
+*Beginning March 1, 2022, Defender for Business is rolling out as part of Microsoft 365 Business Premium*.
See [Try or buy Microsoft 365 Business Premium](../../business-premium/get-microsoft-365-business-premium.md).
When you're ready to start your trial, you'll work with two main portals to get
|Portal |Description | |||
-| The Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)) | Use the Microsoft 365 admin center activate your trial and sign in for the first time.<br/><br/> You'll also use the Microsoft 365 admin center to: <br/>- Add or remove users<br/>- Assign user licenses<br/>- View your products and services<br/>- Complete setup tasks for your Microsoft 365 subscription <br/><br/> To learn more, see [Overview of the Microsoft 365 admin center](../../admin/admin-overview/admin-center-overview.md). |
+| The Microsoft 365 admin center ([https://admin.microsoft.com/](https://admin.microsoft.com/)) | Use the Microsoft 365 admin center to activate your trial and sign in for the first time.<br/><br/> You'll also use the Microsoft 365 admin center to: <br/>- Add or remove users<br/>- Assign user licenses<br/>- View your products and services<br/>- Complete setup tasks for your Microsoft 365 subscription <br/><br/> To learn more, see [Overview of the Microsoft 365 admin center](../../admin/admin-overview/admin-center-overview.md). |
| The Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) | Use the Microsoft 365 Defender portal to set up and configure Defender for Business. <br/><br/>You'll use the Microsoft 365 Defender portal to: <br/>- View your devices and device protection policies<br/>- View detected threats and take action<br/>- View security recommendations and manage your security settings <br/><br/>To learn more, see [Get started using the Microsoft 365 Defender portal](mdb-get-started.md). | If your organization is using Microsoft 365 Business Premium, then you have Microsoft Intune (part of Microsoft Endpoint Manager), and you might be using the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com/](https://endpoint.microsoft.com/)). Endpoint Manager enables you to manage devices and configure security settings as well. To learn more, see [Microsoft Intune is an MDM and MAM provider for your devices](/mem/intune/fundamentals/what-is-intune).
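Review bot: adding 'to' in 'Use the Microsoft 365 admin center to activate your trial' is correct. The unchanged separator row above the table renders as '|||', which is not a valid Markdown header separator for a two-column table ('|---|---|' is); if that is how the source reads and not just this digest's rendering, the whole table will fail to render, so check the source file.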
security Mdb Configure Security Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-configure-security-settings.md
# View and edit your security policies and settings in Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
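Review bot: same doubled 'in' ('is in in preview') on the + line as flagged for get-defender-business.md; drop one 'in' here too.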
security Mdb Create Edit Device Groups https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-create-edit-device-groups.md
# Device groups in Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
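Review bot: 'is in in preview' on the + line; remove the duplicated 'in' along with the other Defender for Business files in this change.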
security Mdb Custom Rules Firewall https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-custom-rules-firewall.md
# Manage your custom rules for firewall policies in Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
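Review bot: the + line still reads 'is in in preview'; fix the doubled 'in' while this line is being edited.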
security Mdb Email Notifications https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-email-notifications.md
f1.keywords: NOCSH
# Set up email notifications > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
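Review bot: doubled 'in' in 'is in in preview' on the + line, same as the other Defender for Business files in this digest; drop one.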
security Mdb Firewall https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-firewall.md
# Firewall in Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
security Mdb Get Help https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-get-help.md
Last updated 02/24/2022
# Get help and support for Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
security Mdb Get Started https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-get-started.md
# Get started using the Microsoft 365 Defender portal > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
security Mdb Lighthouse Integration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-lighthouse-integration.md
# Microsoft 365 Lighthouse and Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
security Mdb Manage Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-manage-devices.md
# Manage devices in Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
security Mdb Next Gen Configuration Settings https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-next-gen-configuration-settings.md
# Understand next-generation configuration settings in Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
security Mdb Onboard Devices https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-onboard-devices.md
audience: Admin Previously updated : 03/09/2022 Last updated : 03/10/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal
# Onboard devices to Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
-The device onboarding experience in Defender for Business was built on processes that are similar to what we use in Microsoft Defender for Endpoint. Watch the following video to see how it works:<br/><br/>
-
-> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4bGqr]
- With Microsoft Defender for Business, you have several options to choose from for onboarding your organization's devices. This article walks you through your options and includes an overview of how onboarding works.
-> [!TIP]
-> To view more detailed information about device onboarding in Defender for Endpoint, see [Onboard devices and configure Microsoft Defender for Endpoint capabilities](../defender-endpoint/onboard-configure.md).
- ## What to do 1. See your options for [onboarding devices](#device-onboarding-methods), and select one of the following methods:
The following table describes the most commonly used methods to onboard devices
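Review bot: The removed TIP in this region dropped the only pointer to the detailed Defender for Endpoint onboarding article, `../defender-endpoint/onboard-configure.md`, and nothing in the added text replaces it; a reader who needs the full onboarding reference beyond the methods listed in the table below loses that path. Keep a one-line "For more information, see [Onboard devices and configure Microsoft Defender for Endpoint capabilities](../defender-endpoint/onboard-configure.md)." either after the table or at the end of the article.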
|||| | **Automatic onboarding**<br/>(*available to customers who are already using Microsoft Endpoint Manager*) | *Microsoft 365 Business Premium customers already have Microsoft Intune, and can use this option*. Automatic onboarding sets up a connection between Defender for Business and Microsoft Endpoint Manager, and then onboards Windows devices to Defender for Business. In order to use this option, your devices must already be enrolled in Endpoint Manager.<br/><br/>To learn more, see [Automatic onboarding](#automatic-onboarding-for-windows-devices-enrolled-in-microsoft-endpoint-manager). | Windows | | **Local script** <br/> | This option enables you to onboard individual devices to Defender for Business manually. You can onboard up to 10 devices at a time using the local script.<br/><br/>To learn more, see [Local script in Defender for Business](#local-script-in-defender-for-business). | Windows <br/>macOS |
-| **Microsoft Intune** or **Microsoft Endpoint Manager**<br/>(*available to customers who are using Microsoft Intune or Endpoint Manager*) | [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Mobile Device Management](/mem/intune/enrollment/device-enrollment) are part of Endpoint Manager. Microsoft 365 Business Premium customers already have Microsoft Intune, and can use this option.<br/><br/>If you were already using Endpoint Manager before you got Defender for Business, you can opt to continue using Endpoint Manager to onboard and manage devices<br/><br/>To use this method, see [Microsoft Endpoint Manager](#microsoft-endpoint-manager). | Windows <br/>macOS<br/>iOS<br/>Android OS |
+| **Microsoft Intune** or **Microsoft Endpoint Manager**<br/>(*available to customers who are using Microsoft Intune or Endpoint Manager*) | [Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Mobile Device Management](/mem/intune/enrollment/device-enrollment) are part of Endpoint Manager. (Microsoft 365 Business Premium customers already have Microsoft Intune.)<br/><br/>If you were already using Endpoint Manager before you got Defender for Business, you can opt to continue using Endpoint Manager to onboard and manage devices<br/><br/>To use this method, see [Microsoft Endpoint Manager](#microsoft-endpoint-manager). | Windows <br/>macOS<br/>iOS<br/>Android OS |
| **Microsoft Defender for Business security configuration** <br/>(*uses the Microsoft 365 Defender portal*) | To use this option, you configure certain settings to facilitate communication between Defender for Business and Endpoint Manager. Then, you onboard devices in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) by using a package that you download and run on each device. A trust is established between devices and Azure Active Directory (Azure AD), and Defender for Business security policies are pushed to devices.<br/><br/>To learn more, see [Microsoft Defender for Business security configuration](#microsoft-defender-for-business-security-configuration). | Windows <br/>macOS | > [!IMPORTANT]
The following table describes the most commonly used methods to onboard devices
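Review bot: In the new Intune/Endpoint Manager row, the parenthetical "(Microsoft 365 Business Premium customers already have Microsoft Intune.)" drops the "and can use this option" that both the old row and the Automatic onboarding row above state, so the row no longer tells Business Premium customers whether this method applies to them; suggest `(Microsoft 365 Business Premium customers already have Microsoft Intune and can use this option.)`. The sentence "you can opt to continue using Endpoint Manager to onboard and manage devices" is also missing its period in both the old and the new row.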
## Automatic onboarding for Windows devices enrolled in Microsoft Endpoint Manager
-The automatic onboarding option applies to Windows devices only. Automatic onboarding is available if your organization was already using Microsoft Endpoint Manager, Microsoft Intune, or Mobile Device Management (MDM) in Microsoft Intune before you got Defender for Business, and you already have Windows devices enrolled in Endpoint Manager.
+The automatic onboarding option applies to Windows devices only. Automatic onboarding is available if the following conditions are met:
+
+- Your organization was already using Microsoft Endpoint Manager, Microsoft Intune, or Mobile Device Management (MDM) in Microsoft Intune before you got Defender for Business
+- You already have Windows devices enrolled in Endpoint Manager
If Windows devices are already enrolled in Endpoint Manager, Defender for Business will detect those devices while you are in the process of setting up and configuring Defender for Business. You'll be asked if you want to use automatic onboarding for all or some of your Windows devices. You can onboard all Windows devices at once, or select specific devices to start with, and then add more devices later.
+> [!TIP]
+> We recommend selecting the "all devices enrolled" option. That way, when Windows devices are enrolled in Endpoint Manager later on, they'll be onboarded to Defender for Business automatically.
+ To learn more about automatic onboarding, see step 2 in [Use the wizard to set up Microsoft Defender for Business](mdb-use-wizard.md). ## Local script in Defender for Business
You can use a local script to onboard Windows and Mac devices. When you run the
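Review bot: In the last added line of the automatic-onboarding region, the "To learn more about automatic onboarding, see step 2 in ..." paragraph and the "## Local script in Defender for Business" heading are on one line with a leading space, so the heading will render as body text rather than as a section heading; put the heading on its own line with a blank line before it. Otherwise the restructuring into two conditions reads well, and the new TIP correctly points at the wizard step for the "all devices enrolled" option.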
2. In the navigation pane, choose **Settings** > **Endpoints**, and then under **Device management**, choose **Onboarding**.
-3. Select an operating system, such as **Windows 10 and 11**, and then, under **Onboard a device**, in the **Deployment method** section, choose **Local script**.
+3. Select an operating system, such as **Windows 10 and 11** or **macOS**, and then, in the **Deployment method** section, choose **Local script**.
-4. Select **Download onboarding package**. We recommend saving the onboarding package to a removable drive.
+4. Select **Download onboarding package**. We recommend saving the onboarding package to a removable drive. (If you selected **macOS**, also select **Download installation package** and save it to your removable device.)
-5. Follow the guidance in the following articles:
+5. Follow the guidance in the following table:
- - Windows devices: [Onboard Windows devices using a local script](../defender-endpoint/configure-endpoints-script.md#onboard-devices)
- - macOS devices: [Manual deployment for Microsoft Defender for Endpoint on macOS](../defender-endpoint/mac-install-manually.md#client-configuration)
+ | Operating System | Procedure |
+ |||
+ | Windows | 1. On a Windows device, extract the contents of the configuration package to a location, such as the Desktop folder. You should have a file named `WindowsDefenderATPLocalOnboardingScript.cmd`. <br/><br/>2. Open Command Prompt as an administrator.<br/><br/>3. Type the location of the script file. For example, if you copied the file to the Desktop folder, you would type: `%userprofile%\Desktop\WindowsDefenderATPLocalOnboardingScript.cmd`, and then press the Enter key (or select **OK**).<br/><br/>4. After the script runs, proceed to [Run a detection test](#run-a-detection-test). |
+ | macOS | 1. On a Mac computer, save the installation package as `wdav.pkg` to a local directory. <br/><br/>2. Save the onboarding package as `WindowsDefenderATPOnboardingPackage.zip` to the same directory you used for the installation package. <br/><br/>3. Use Finder to navigate to `wdav.pkg` you saved, and then open it.<br/><br/>4. Select **Continue**, agree with the License terms, and then enter your password when prompted.<br/><br/>5. You will be prompted to allow a driver from Microsoft to be installed (either "System Extension Blocked" or "Installation is on hold", or both. The driver must be allowed to be installed. To allow the installation, select **Open Security Preferences** or **Open System Preferences** > **Security & Privacy**, and then select **Allow**.<br/><br/>6. Use the following Python command in Bash to run the onboarding package: `/usr/bin/python MicrosoftDefenderATPOnboardingMacOs.py`. <br/><br/>7. To confirm that the device is associated with your organization, use the following Python command in Bash: `mdatp health --field org_id`.<br/><br/>8. If you are using macOS 10.15 (Catalina) or later, grant Defender for Business consent to protect your device. Go to **System Preferences** > **Security & Privacy** > **Privacy** > **Full Disk Access**. Select the lock icon to make changes (bottom of the dialog box), and then select Microsoft Defender for Business (or Defender for Endpoint, if that's what you see). <br/><br/>9. To verify that the device is onboarded, use the following command in Bash: `mdatp health --field real_time_protection_enabled`. |
## Microsoft Endpoint Manager
You can onboard your organization's devices in phases. *We call this gradual dev
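Review bot: The macOS procedure in the added local-script table has gaps that will stop a reader mid-way: step 2 saves the onboarding package as `WindowsDefenderATPOnboardingPackage.zip`, but step 6 runs `MicrosoftDefenderATPOnboardingMacOs.py` and no step extracts the zip to obtain that file, so add an extraction step (and name the directory the script is run from) before step 6; step 5 opens a parenthesis at `(either "System Extension Blocked" or "Installation is on hold", or both` that is never closed; and step 7 calls `mdatp health --field org_id` a "Python command" when it is the `mdatp` command-line tool, so change that to "use the following command in Bash". Step 9 labels `mdatp health --field real_time_protection_enabled` as the check that the device is onboarded, but that field reports whether real-time protection is enabled; the `org_id` check in step 7 is the association check, so reword step 9 to "To verify that real-time protection is enabled".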
## Offboarding a device
-If you want to offboard a device, follow these steps:
-
-1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.
-
-2. In the navigation pane, choose **Settings**, and then choose **Endpoints**.
-
-3. Under **Device management**, choose **Offboarding**.
-
-4. Select an operating system, such as **Windows 10 and 11**, and then, under **Offboard a device**, in the **Deployment method** section, choose **Local script**.
-
-5. In the confirmation screen, review the information, and then choose **Download** to proceed.
-
-6. Select **Download offboarding package**. We recommend saving the offboarding package to a removable drive.
-
-7. Run the script on each device that you want to offboard. Need help with this task? See the following resources:
+If you want to offboard a device, use one of the following procedures:
- - Windows devices: [Offboard Windows devices using a local script](../defender-endpoint/configure-endpoints-script.md#offboard-devices-using-a-local-script)
- - macOS devices: [Uninstalling on macOS](../defender-endpoint/mac-resources.md#uninstalling)
+| Operating system | Procedure |
+|||
+| Windows | 1. Go to the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) and sign in.<br/><br/>2. In the navigation pane, choose **Settings**, and then choose **Endpoints**.<br/><br/>3. Under **Device management**, choose **Offboarding**.<br/><br/>4. Select an operating system, such as **Windows 10 and 11**, and then, under **Offboard a device**, in the **Deployment method** section, choose **Local script**. <br/><br/>5. In the confirmation screen, review the information, and then choose **Download** to proceed.<br/><br/>6. Select **Download offboarding package**. We recommend saving the offboarding package to a removable drive.<br/><br/>7. Run the script on each device that you want to offboard.|
+| macOS | 1. Go to **Finder** > **Applications**. <br/><br/>2. Right click on Microsoft Defender for Business, and then choose **Move to Trash**. <br/><br/> or <br/><br/> Use the following command: `sudo '/Library/Application Support/Microsoft/Defender/uninstall/uninstall'`.|
> [!IMPORTANT] > Offboarding a device causes the devices to stop sending data to Defender for Business. However, data received prior to offboarding is retained for up to six (6) months.
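Review bot: The new Windows offboarding row ends at "7. Run the script on each device that you want to offboard." without saying that the script, like the onboarding script in the table above, must be run from a Command Prompt opened as administrator, and the removed bullet that linked to `../defender-endpoint/configure-endpoints-script.md#offboard-devices-using-a-local-script` is gone, so that detail is lost entirely; add the elevated-prompt step or keep the link. The macOS row removes the app (Move to Trash, or the `uninstall` command) rather than running a downloaded offboarding package, so state plainly that on macOS offboarding means uninstalling, and keep the link to `../defender-endpoint/mac-resources.md#uninstalling` that the removed bullet provided. Minor: "Right click" should be "Right-click", and the IMPORTANT note's "Offboarding a device causes the devices to stop" should read "causes the device to stop".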
security Mdb Overview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-overview.md
# Overview of Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
security Mdb Policy Order https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-policy-order.md
# Understand policy order in Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
security Mdb Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-reports.md
audience: Admin Previously updated : 02/24/2022 Last updated : 03/10/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal-+ f1.keywords: NOCSH - SMB
# Reports in Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
security Mdb Requirements https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-requirements.md
audience: Admin Previously updated : 02/24/2022 Last updated : 03/10/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal-+ f1.keywords: NOCSH - SMB
# Microsoft Defender for Business requirements > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
security Mdb Respond Mitigate Threats https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-respond-mitigate-threats.md
audience: Admin Previously updated : 02/24/2022 Last updated : 03/10/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal-+ f1.keywords: NOCSH - SMB
# Respond to and mitigate threats in Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
security Mdb Review Remediation Actions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-review-remediation-actions.md
audience: Admin Previously updated : 02/24/2022 Last updated : 03/10/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal-+ f1.keywords: NOCSH - SMB
# Review remediation actions in the Action center > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
security Mdb Roles Permissions https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-roles-permissions.md
audience: Admin Previously updated : 02/24/2022 Last updated : 03/10/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal-+ f1.keywords: NOCSH - SMB
# Assign roles and permissions in Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
security Mdb Setup Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-setup-configuration.md
# Set up and configure Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
security Mdb Simplified Configuration https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-simplified-configuration.md
# The simplified configuration process in Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
Microsoft Defender for Business features a simplified configuration process, des
When it comes to onboarding devices and configuring security settings for your organizationΓÇÖs devices, you can choose from several experiences: - The simplified configuration process in Microsoft Defender for Business (*recommended*) -- Microsoft Endpoint Manager, which includes Microsoft Intune
+- Microsoft Endpoint Manager, which includes Microsoft Intune (included in [Microsoft 365 Business Premium](../../business-premium/index.md))
- Your non-Microsoft solution for managing devices ## What to do
The following table describes each experience:
| Portal experience | Description | |||
-| The simplified configuration experience in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) <br/>(*This is the recommended option for most customers*) | The simplified configuration experience includes a wizard-like experience to help you set up and configure Defender for Business. Simplified configuration also includes default security settings and policies that help you protect your organization's devices from day one. <br/><br/>With this experience, your security team uses the Microsoft 365 Defender portal to: <br/>- Set up and configure Defender for Business <br/>- View and manage incidents<br/>- Respond to and mitigate threats<br/>- View reports<br/>- Review pending or completed actions <br/><br/> This portal is your one-stop shop for your organization's security settings and threat protection capabilities. You get a simplified experience to help you get started quickly and efficiently. To learn more, see [Use the wizard to set up Microsoft Defender for Business](mdb-use-wizard.md).<br/><br/>And, you can edit your settings or define new policies to suit your organization's needs.<br/><br/>To learn more, see [View or edit device policies in Microsoft Defender for Business](mdb-view-edit-policies.md). |
-| The Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) | Microsoft Endpoint Manager includes Microsoft Intune, a cloud-based mobile device management (MDM) and mobile application management (MAM) provider for apps and devices. <br/><br/>Many organizations use Intune to manage their devices, such as mobile phones, tablets, and laptops. To learn more, see [Microsoft Intune is an MDM and MAM provider for your devices](/mem/intune/fundamentals/what-is-intune). <br/><br/>If you're already using Microsoft Intune or Microsoft Endpoint Manager, you can continue using that solution. |
-| Your non-Microsoft device management solution | If you're using a non-Microsoft productivity and device management solution, you can continue to use that solution with Defender for Business. <br/><br/>When devices are onboarded to Defender for Business, you'll see their status and alerts in the Microsoft 365 Defender portal. To learn more, see [Onboarding and configuration tool options for Defender for Endpoint](../defender-endpoint/onboard-configure.md).<br/><br/>If you're already using a non-Microsoft device management solution, you can continue using that solution. |
+| The simplified configuration experience in the Microsoft 365 Defender portal ([https://security.microsoft.com](https://security.microsoft.com)) <br/>(*This is the recommended option for most customers*) | The simplified configuration experience includes a wizard-like experience to help you set up and configure Defender for Business. Simplified configuration also includes default security settings and policies to help you protect your organization's devices as soon as they are onboarded to Defender for Business. <br/><br/>With this experience, your security team uses the Microsoft 365 Defender portal to: <br/>- Set up and configure Defender for Business <br/>- View and manage incidents<br/>- Respond to and mitigate threats<br/>- View reports<br/>- Review pending or completed actions <br/><br/> The Microsoft 365 Defender portal is your one-stop shop for your organization's security settings and threat protection capabilities. You get a simplified experience to help you get started quickly and efficiently. To learn more, see [Use the wizard to set up Microsoft Defender for Business](mdb-use-wizard.md).<br/><br/>And, you can edit your settings or define new policies to suit your organization's needs.<br/><br/>To learn more, see [View or edit device policies in Microsoft Defender for Business](mdb-view-edit-policies.md). |
+| The Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) | Microsoft Endpoint Manager includes Microsoft Intune, a cloud-based mobile device management (MDM) and mobile application management (MAM) provider for apps and devices. [Microsoft 365 Business Premium](../../business-premium/index.md) customers already have Endpoint Manager. <br/><br/>Many organizations use Intune to manage their devices, such as mobile phones, tablets, and laptops. To learn more, see [Microsoft Intune is an MDM and MAM provider for your devices](/mem/intune/fundamentals/what-is-intune). <br/><br/>If you're already using Microsoft Intune or Microsoft Endpoint Manager, you can continue using that solution. |
+| Your non-Microsoft device management solution | If you're using a non-Microsoft productivity and device management solution, you can continue to use that solution with Defender for Business. <br/><br/>When devices are onboarded to Defender for Business, you'll see their status and alerts in the Microsoft 365 Defender portal. To learn more, see [Onboarding and configuration tool options for Defender for Endpoint](../defender-endpoint/onboard-configure.md). |
## Why we recommend using the simplified configuration process
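Review bot: the link to `../../business-premium/index.md` is now added three times within a few paragraphs of this page (the banner, the "Microsoft Endpoint Manager, which includes Microsoft Intune" list item, and the Endpoint Manager admin center table cell); link it on first mention and use plain "Microsoft 365 Business Premium" afterwards. The new table-cell sentence "Microsoft 365 Business Premium customers already have Endpoint Manager" also duplicates what the list item now says in parentheses, so one of the two can go. Dropping the redundant closing sentence from the non-Microsoft solution row is fine, since the cell already opens with the same statement.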
security Mdb Use Wizard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-use-wizard.md
audience: Admin Previously updated : 03/02/2022 Last updated : 03/10/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal
# Use the wizard to set up Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
The wizard is designed to help you set up and configure Defender for Business qu
- If you're already using Microsoft Intune (part of Microsoft Endpoint Manager), and your organization has devices enrolled in Endpoint Manager, you'll be asked whether you want to use [automatic onboarding](mdb-onboard-devices.md#automatic-onboarding-for-windows-devices-enrolled-in-microsoft-endpoint-manager) for some or all of your enrolled Windows devices. Automatic onboarding sets up a connection between Endpoint Manager and Defender for Business, and then onboards Windows devices to Defender for Business seamlessly.
- - If you're not already using Endpoint Manager, or if you have non-Windows devices enrolled in Endpoint Manager, you can onboard devices to Defender for Business manually.
+ - If you're not already using Endpoint Manager, or if you have non-Windows devices enrolled in Endpoint Manager, you can [onboard devices to Defender for Business manually](mdb-onboard-devices.md#local-script-in-defender-for-business).
3. **Configure your security policies**. Defender for Business includes default security policies for next-generation protection and firewall protection that can be applied to your organization's devices. These default policies use recommended settings and are designed to provide strong protection for your devices.
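Review bot: the new link on the manual-onboarding bullet points at `mdb-onboard-devices.md#local-script-in-defender-for-business`; confirm that the heading in mdb-onboard-devices.md produces exactly that anchor, because the sibling bullet links into the same file with a much longer generated anchor (`#automatic-onboarding-for-windows-devices-enrolled-in-microsoft-endpoint-manager`) and a mistyped fragment only shows up as a build warning. The link text "onboard devices to Defender for Business manually" is also broader than the target: the bullet covers non-Windows devices enrolled in Endpoint Manager as well, and if those are onboarded by a method other than the local script, link the section that covers all manual methods rather than the local-script one.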
security Mdb View Edit Create Policies https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-view-edit-create-policies.md
audience: Admin Previously updated : 02/03/2022 Last updated : 03/10/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal-+ f1.keywords: NOCSH - SMB
# View or edit policies in Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
security Mdb View Manage Incidents https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-view-manage-incidents.md
audience: Admin Previously updated : 01/06/2022 Last updated : 03/10/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal-+ f1.keywords: NOCSH - SMB
# View and manage incidents in Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
security Mdb View Tvm Dashboard https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-business/mdb-view-tvm-dashboard.md
audience: Admin Previously updated : 02/07/2022 Last updated : 03/10/2022 ms.prod: m365-security ms.technology: mdb localization_priority: Normal-+ f1.keywords: NOCSH - SMB
# Use your Threat & Vulnerability Management dashboard in Microsoft Defender for Business > [!IMPORTANT]
-> Microsoft Defender for Business is rolling out to Microsoft 365 Business Premium customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
+> Microsoft Defender for Business is rolling out to [Microsoft 365 Business Premium](../../business-premium/index.md) customers, beginning March 1, 2022. Defender for Business as a standalone subscription is in in preview, and will roll out gradually to customers and IT Partners who [sign-up here](https://aka.ms/mdb-preview) to request it. Preview includes an [initial set of scenarios](mdb-tutorials.md#try-these-preview-scenarios), and we will be adding capabilities regularly.
> > Some information in this article relates to prereleased products/services that might be substantially modified before they are commercially released. Microsoft makes no warranties, express or implied, for the information provided here.
security Alerts Queue https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/alerts-queue.md
ms.technology: mde
> Want to experience Defender for Endpoint? [Sign up for a free trial.](https://signup.microsoft.com/create-account/signup?products=7f379fee-c4f9-4278-b0a1-e4c8c2fcdf7e&ru=https://aka.ms/MDEp2OpenTrial?ocid=docs-wdatp-alertsq-abovefoldlink)
-The **Alerts queue** shows a list of alerts that were flagged from devices in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view. The most recent alerts are showed at the top of the list helping you see the most recent alerts first.
+The **Alerts** shows a list of alerts that were flagged from devices in your network. The most recent alerts are showed at the top of the list helping you see the most recent alerts first.
> [!NOTE]
-> The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a device that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
+> The alerts are significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a device that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).
-There are several options you can choose from to customize the alerts queue view.
+There are several options you can choose from to customize the alerts view.
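Review bot: "The **Alerts** shows a list of alerts" in the rewritten opening sentence is missing its noun; suggest "The **Alerts** page shows a list of alerts that were flagged from devices in your network", and while the line is open change "are showed" to "are shown". The rewrite also drops the statement that the view defaults to the last 30 days; since a duration filter (1 Day through 6 Months) is now listed among the customization options, state which duration is the default so readers know what they see before filtering. In the NOTE, "The alerts are significantly reduced" reads awkwardly; "The number of alerts is significantly reduced with automated investigation and remediation" keeps the meaning.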
On the top navigation you can: -- Select grouped view or list view - Customize columns to add or remove columns-- Select the items to show per page-- Navigate between pages - Apply filters
+- Display the alerts for a particular duration like 1 Day, 3 Days, 1 Week, 30 Days, and 6 Months
+- Export the alerts list to excel
+- Manage Alerts
-![Image of alerts queue.](images/alerts-queue-list.png)
-## Sort, filter, and group the alerts queue
+## Sort and filter alerts
-You can apply the following filters to limit the list of alerts and get a more focused view the alerts.
+You can apply the following filters to limit the list of alerts and get a more focused view of the alerts.
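Review bot: the three added list items do not follow the sentence case of the existing items: "Export the alerts list to excel" should read "Export the alerts list to Excel", and "Manage Alerts" should be "Manage alerts". The screenshot `images/alerts-queue-list.png` is removed without a replacement; if it is being dropped because the grouped view no longer exists, add a current screenshot of the Alerts page, and in either case delete the image file from the repo so it is not orphaned.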
### Severity
-Alert severity|Description
-|
-High <br> (Red)|Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on devices. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
-Medium <br> (Orange)|Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.
-Low <br> (Yellow)|Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
-Informational <br> (Grey)|Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.
+You can filter the alerts based on their Severity.
+
+|Alert severity|Description|
+|||
+|High <br> (Red)|Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on devices. Some examples are: credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.|
+|Medium <br> (Orange)|Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.|
+|Low <br> (Yellow)|Alerts on threats associated with prevalent malware. For example, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.|
+|Informational <br> (Grey)|Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.|
#### Understanding alert severity
So, for example:
- An alert about malware detected while executing which can pose a threat not only to the individual device but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". - Suspicious behavioral alerts, which weren't blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations.
-#### Understanding alert categories
-
-We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will keep the previous category names.
+### Status
-The table below lists the current categories and how they generally map to previous categories.
-
-|New category|API category name|Detected threat activity or component|
-||||
-|Collection|Collection|Locating and collecting data for exfiltration.|
-|Command and control|CommandAndControl|Connecting to attacker-controlled network infrastructure to relay data or receive commands.|
-|Credential access|CredentialAccess|Obtaining valid credentials to extend control over devices and other resources in the network.|
-|Defense evasion|DefenseEvasion|Avoiding security controls by, for example, turning off security apps, deleting implants, and running rootkits.|
-|Discovery|Discovery|Gathering information about important devices and resources, such as administrator computers, domain controllers, and file servers.|
-|Execution|Execution|Launching attacker tools and malicious code, including RATs and backdoors.|
-|Exfiltration|Exfiltration|Extracting data from the network to an external, attacker-controlled location.|
-|Exploit|Exploit|Exploit code and possible exploitation activity.|
-|Initial access|InitialAccess|Gaining initial entry to the target network, usually involving password-guessing, exploits, or phishing emails.|
-|Lateral movement|LateralMovement|Moving between devices in the target network to reach critical resources or gain network persistence.|
-|Malware|Malware|Backdoors, trojans, and other types of malicious code.|
-|Persistence|Persistence|Creating autostart extensibility points (ASEPs) to remain active and survive system restarts.|
-|Privilege escalation|PrivilegeEscalation|Obtaining higher permission levels for code by running it in the context of a privileged process or account.|
-|Ransomware|Ransomware|Malware that encrypts files and extorts payment to restore access.|
-|Suspicious activity|SuspiciousActivity|Atypical activity that could be malware activity or part of an attack.|
-|Unwanted software|UnwantedSoftware|Low-reputation apps and apps that impact productivity and the user experience; detected as potentially unwanted applications (PUAs).|
+You can choose to filter the list of alerts based on their Status.
-### Status
+### Categories
-You can choose to limit the list of alerts based on their status.
+We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will keep the previous category names.
-### Investigation state
+### Service sources
-Corresponds to the automated investigation state.
+Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service.
-### Category
+Filter the alerts based on the following Service sources:
-You can choose to filter the queue to display specific types of malicious activity.
+- Microsoft Defender for Identity
+- Microsoft Defender for Cloud Apps
+- Microsoft Defender for Endpoint
+- Microsoft 365 Defender
+- Microsoft Defender for Office 365
+- App Governance
+- AAD Identity Protection
-### Assigned to
+> [!NOTE]
+> The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
-You can choose between showing alerts that are assigned to you or automation.
+### Tags
-### Detection source
+You can filter the alerts based on Tags assigned to alerts.
-Select the source that triggered the alert detection. Microsoft Threat Experts preview participants can now filter and see detections from the new threat experts-managed hunting service.
+### Policy
-> [!NOTE]
-> The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product.
+You can filter the alerts based on the following policies:
-|Detection source|API value|
-|||
-|3rd party sensors|ThirdPartySensors|
-|Antivirus|WindowsDefenderAv|
-|Automated investigation|AutomatedInvestigation|
-|Custom detection|CustomDetection|
-|Custom TI|CustomerTI|
-|EDR|WindowsDefenderAtp|
-|Microsoft 365 Defender|MTP|
-|Microsoft Defender for Office 365|OfficeATP|
-|Microsoft Threat Experts|ThreatExperts|
-|SmartScreen|WindowsDefenderSmartScreen|
+- Activity from infrequent country
+- Admin Submission Result Completed
+- Admin triggered manual investigation of email
+- Admin triggered user compromise investigation
+- Anomalous Token
+- Atypical travel
+- Creation of forwarding/redirect rule
+- Email messages containing malicious URL removed after delivery
+- Email messages containing malicious file removed after delivery
+- Email reported by user as malware or phish
+- Password Spray
+- Remediation action taken by admin on emails or URL or sender
+- Suspicious service creation
+- Unfamiliar sign-in properties
-### OS platform
+### Entities
-Limit the alerts queue view by selecting the OS platform that you're interested in investigating.
+You can filter the alerts based on Entity name or ID.
-### Device group
+### Automated investigation state
-If you have specific device groups that you're interested in checking, you can select the groups to limit the alerts queue view.
+You can choose to filter the alerts based on their Automated investigation state.
-### Associated threat
-Use this filter to focus on alerts that are related to high profile threats. You can see the full list of high-profile threats in [Threat analytics](threat-analytics.md).
## Related topics
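Review bot: the NOTE "The Antivirus filter will only appear if devices are using Microsoft Defender Antivirus as the default real-time protection antimalware product" is now orphaned: it has been moved under "Service sources", but the new Service sources list has no Antivirus entry, and the Detection source table that defined the Antivirus filter (API value `WindowsDefenderAv`) is deleted in this same change. Either drop the note or keep a Detection source section for it to belong to. The sentence about Microsoft Threat Experts preview participants filtering detections from the threat experts-managed hunting service has the same problem, since Microsoft Threat Experts is not in the Service sources list it now introduces. Deleting the "Understanding alert categories" table also removes the only place on this page that documented the API category names (`CommandAndControl`, `CredentialAccess`, `DefenseEvasion`, and so on) alongside their display names; if that mapping is documented elsewhere, link to it from the new Categories section, otherwise keep the table there. Finally, the Assigned to, OS platform, Device group and Associated threat filter sections are removed with no mention that those filters were retired; confirm they are gone from the portal rather than just dropped from the page.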
security Configure Endpoints Vdi https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-vdi.md
The following steps will guide you through onboarding VDI devices and will highl
> [!WARNING] > For environments where there are low resource configurations, the VDI boot procedure might slow the Defender for Endpoint sensor onboarding.
-### For Windows 10, or Windows 11, or Windows Server 2019, or Windows Server 2022
+### For Windows 10, or Windows 11, or Windows Server 2012 R2 and later
+
+> [!NOTE]
+> Windows Server 2016 and Windows Server 2012 R2 will need to be prepared by applying the installation package first using the instructions in [Onboard Windows servers](/microsoft-365/security/defender-endpoint/configure-server-endpoints#windows-server-2012-r2-and-windows-server-2016) for this feature to work.
1. Open the VDI configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the <a href="https://go.microsoft.com/fwlink/p/?linkid=2077139" target="_blank">Microsoft 365 Defender portal</a>:
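Review bot: the renamed heading "For Windows 10, or Windows 11, or Windows Server 2012 R2 and later" repeats "or" after each comma; "For Windows 10, Windows 11, and Windows Server 2012 R2 and later" reads cleanly and matches the other headings in the file. The added NOTE is the right place to say that Windows Server 2016 and 2012 R2 need the installation package first, but "for this feature to work" should name the feature, that is, VDI onboarding with the configuration package, so the prerequisite is unambiguous when the note is read on its own.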
The following steps will guide you through onboarding VDI devices and will highl
7. Use the search function by entering the device name and select **Device** as search type.
-## For downlevel SKUs (Windows Server 2008 R2/2012 R2/2016)
+## For downlevel SKUs (Windows Server 2008 R2)
+
+> [!NOTE]
+> These instructions for other Windows server versions also apply if you are running the previous Microsoft Defender for Endpoint for Windows Server 2016 and Windows Server 2012 R2 that requires the MMA. Instructions to migrate to the new unified solution are at [Server migration scenarios in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/server-migration).
> [!NOTE] > The following registry is relevant only when the aim is to achieve a 'Single entry for each device'.
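Review bot: the added NOTE under "For downlevel SKUs (Windows Server 2008 R2)" opens with "These instructions for other Windows server versions also apply if...", wording copied from the offboarding note in configure-server-endpoints.md (changed later in this same digest) where "other Windows server versions" has a referent; here the section has just been narrowed to Windows Server 2008 R2 only, so the phrase refers to nothing. Suggest "These instructions also apply if you are running the previous Microsoft Defender for Endpoint for Windows Server 2016 and Windows Server 2012 R2 that requires the MMA."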
security Configure Server Endpoints https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-server-endpoints.md
For other Windows server versions, you have two options to offboard Windows serv
- Remove the Defender for Endpoint workspace configuration >[!NOTE]
->*These offboarding instructions for other Windows server versions also apply if you are running the previous Microsoft Defender for Endpoint for Windows Server 2016 and Windows Server 2012 R2 that requires the MMA. Instructions to migrate to the new unfiied solution are at [Server migration scenarios in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/server-migration).
+> These offboarding instructions for other Windows server versions also apply if you are running the previous Microsoft Defender for Endpoint for Windows Server 2016 and Windows Server 2012 R2 that requires the MMA. Instructions to migrate to the new unfiied solution are at [Server migration scenarios in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/server-migration).
## Related topics
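Review bot: the changed NOTE line only removes the stray `*` after `>` and leaves "unfiied" in "the new unfiied solution" unfixed; correct it to "unified" while the line is being edited, since the same sentence is also being copied into configure-endpoints-vdi.md in this digest and the typo would otherwise propagate.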
security Linux Update Mde Linux https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-update-mde-linux.md
CRON_TZ=America/Los_Angeles
> #!RHEL and variants (CentOS and Oracle Linux) > > ```bash
-> 0 6 * * sun [ $(date +%d) -le 15 ] && sudo yum update mdatp >> ~/mdatp_cron_job.log
+> 0 6 * * sun [ $(date +%d) -le 15 ] && sudo yum update mdatp -y >> ~/mdatp_cron_job.log
> ``` > #!SLES and variants
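Review bot: adding `-y` to `yum update mdatp` is the right fix for an unattended cron run, which otherwise aborts at the confirmation prompt because there is no tty to answer it, but two neighbouring details deserve the same attention. The line still invokes `sudo` from cron, which only works with a NOPASSWD sudoers entry for the account owning the crontab, or in root's crontab where `sudo` is unnecessary; say which is intended. And with `>> ~/mdatp_cron_job.log` only stdout is logged, so a failed update leaves nothing in the file; append `2>&1` so yum's errors are captured. The SLES and variants block that follows should get the equivalent non-interactive treatment for its zypper command (`zypper --non-interactive update`) if it does not already have it.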
security Live Response https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/live-response.md
Anytime during a session, you can cancel a command by pressing CTRL + C.
## Run a script
-Before you can run a PowerShell/Bash scripts, you must first upload it to the library.
+Before you can run a PowerShell/Bash script, you must first upload it to the library.
After uploading the script to the library, use the `run` command to run the script.
security Threat Analytics Analyst Reports https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/threat-analytics-analyst-reports.md
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] **Applies to:**+ - Microsoft 365 Defender > Want to experience Microsoft 365 Defender? You can [evaluate it in a lab environment](m365d-evaluation.md?ocid=cx-docs-MTPtriallab) or [run your pilot project in production](m365d-pilot.md?ocid=cx-evalpilot).
Each [threat analytics report](threat-analytics.md) includes dynamic sections an
_Analyst report section of a threat analytics report_
-## Scan the analyst report
+## Scan the analyst report
+ Each section of the analyst report is designed to provide actionable information. While reports vary, most reports include the sections described in the following table. | Report section | Description | |--|--| | Executive summary | Overview of the threat, including when it was first seen, its motivations, notable events, major targets, and distinct tools and techniques. You can use this information to further assess how to prioritize the threat in the context of your industry, geographic location, and network. |
-| Analysis | Technical information about the threats, including the details of an attack and how attackers might utilize a new technique or attack surface |
-| MITRE ATT&CK techniques observed | How observed techniques map to the [MITRE ATT&CK attack framework](https://attack.mitre.org/) |
+| Analysis | Technical information about the threats, including the details of an attack and how attackers might utilize a new technique or attack surface |
+| MITRE ATT&CK techniques observed | How observed techniques map to the [MITRE ATT&CK attack framework](https://attack.mitre.org/) |
| [Mitigations](#apply-additional-mitigations) | Recommendations that can stop or help reduce the impact of the threat. This section also includes mitigations that aren't tracked dynamically as part of the threat analytics report. |
-| [Detection details](#understand-how-each-threat-can-be-detected) | Specific and generic detections provided by Microsoft security solutions that can surface activity or components associated with the threat. |
-| [Advanced hunting](#find-subtle-threat-artifacts-using-advanced-hunting) | [Advanced hunting queries](advanced-hunting-overview.md) for proactively identifying possible threat activity. Most queries are provided to supplement detections, especially for locating potentially malicious components or behaviors that couldn't be dynamically assessed to be malicious. |
-| References | Microsoft and third-party publications referenced by analysts during the creation of the report. Threat analytics content is based on data validated by Microsoft researchers. Information from publicly available, third-party sources are identified clearly as such. |
+| [Detection details](#understand-how-each-threat-can-be-detected) | Specific and generic detections provided by Microsoft security solutions that can surface activity or components associated with the threat. |
+| [Advanced hunting](#find-subtle-threat-artifacts-using-advanced-hunting) | [Advanced hunting queries](advanced-hunting-overview.md) for proactively identifying possible threat activity. Most queries are provided to supplement detections, especially for locating potentially malicious components or behaviors that couldn't be dynamically assessed to be malicious. |
+| References | Microsoft and third-party publications referenced by analysts during the creation of the report. Threat analytics content is based on data validated by Microsoft researchers. Information from publicly available, third-party sources are identified clearly as such. |
| Change log | The time the report was published and when significant changes were made to the report. | ## Apply additional mitigations
-Threat analytics dynamically tracks the [status of security updates and secure configurations](threat-analytics.md#mitigations-review-list-of-mitigations-and-the-status-of-your-devices). This information is available as charts and tables in the **Mitigations** tab.
+
+Threat analytics dynamically tracks the [status of security updates and secure configurations](threat-analytics.md#exposure-and-mitigations-review-list-of-mitigations-and-the-status-of-your-devices). This information is available as charts and tables in the **Exposure & mitigations** tab.
In addition to these tracked mitigations, the analyst report also discusses mitigations that are _not_ dynamically monitored. Here are some examples of important mitigations that are not dynamically tracked:
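Review bot: the re-added References row keeps the agreement error from the removed line: "Information from publicly available, third-party sources are identified clearly as such" should read "is identified". The Analysis, MITRE ATT&CK, Detection details and Advanced hunting rows are removed and re-added with identical text; if that is trailing-whitespace cleanup it is harmless, otherwise drop those lines so the diff only shows the tab rename and the anchor change. The new anchor `#exposure-and-mitigations-review-list-of-mitigations-and-the-status-of-your-devices` does match the renamed heading in threat-analytics.md in this same update.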
In addition to these tracked mitigations, the analyst report also discusses miti
- Educate end users about phishing email and other threat vectors - Turn on specific [attack surface reduction rules](/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)
-While you can use the **Mitigations** tab to assess your security posture against a threat, these recommendations let you take additional steps towards improving your security posture. Carefully read all the mitigation guidance in the analyst report and apply them whenever possible.
+While you can use the **Exposure & mitigations** tab to assess your security posture against a threat, these recommendations let you take additional steps towards improving your security posture. Carefully read all the mitigation guidance in the analyst report and apply them whenever possible.
## Understand how each threat can be detected+ The analyst report also provides the detections from Microsoft Defender Antivirus and _endpoint detection and response_ (EDR) capabilities. ### Antivirus detections+ These detections are available on devices with [Microsoft Defender Antivirus](/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10) turned on. When these detections occur on devices that have been onboarded to Microsoft Defender for Endpoint, they also trigger alerts that light up the charts in the report. >[!NOTE] >The analyst report also lists **generic detections** that can identify a wide-range of threats, in addition to components or behaviors specific to the tracked threat. These generic detections don't reflect in the charts. ### Endpoint detection and response (EDR) alerts+ EDR alerts are raised for [devices onboarded to Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/onboard-configure). These alerts generally rely on security signals collected by the Microsoft Defender for Endpoint sensor and other endpoint capabilitiesΓÇösuch as antivirus, network protection, tamper protectionΓÇöthat serve as powerful signal sources. Like the list of antivirus detections, some EDR alerts are designed to generically flag suspicious behavior that might not be associated with the tracked threat. In such cases, the report will clearly identify the alert as "generic" and that it doesn't influence any of the charts in the report. ### Email-related detections and mitigations
-Email-related detections and mitigations from Microsoft Defender for Office 365, are included in analyst reports in addition to the endpoint data already available from Microsoft Defender for Endpoint.
+
+Email-related detections and mitigations from Microsoft Defender for Office 365, are included in analyst reports in addition to the endpoint data already available from Microsoft Defender for Endpoint.
Prevented email attempt information gives you insights on whether your organization were a target of the threat tackled in the analyst report even if the attack has been effectively blocked before delivery or delivered to the junk mail folder. ## Find subtle threat artifacts using advanced hunting+ While detections allow you to identify and stop the tracked threat automatically, many attack activities leave subtle traces that require additional inspection. Some attack activities exhibit behaviors that can also be normal, so detecting them dynamically can result in operational noise or even false positives. [Advanced hunting](advanced-hunting-overview.md) provides a query interface based on Kusto Query Language that simplifies locating subtle indicators of threat activity. It also allows you to surface contextual information and verify whether indicators are connected to a threat. Advanced hunting queries in the analyst reports have been vetted by Microsoft analysts and are ready for you to run in the [advanced hunting query editor](https://security.microsoft.com/advanced-hunting). You can also use the queries to create [custom detection rules](custom-detection-rules.md) that trigger alerts for future matches. - >[!NOTE] > Threat analytics is also available in [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/threat-analytics). However, it does not have the data integration between Microsoft Defender for Office and Microsoft Defender for Endpoint that Microsoft 365 Defender threat analytics has. - ## Related topics+ - [Threat analytics overview](threat-analytics.md)-- [Proactively find threats with advanced hunting](advanced-hunting-overview.md) -- [Custom detection rules](custom-detection-rules.md)
+- [Proactively find threats with advanced hunting](advanced-hunting-overview.md)
+- [Custom detection rules](custom-detection-rules.md)
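Review bot: the re-added sentence "Email-related detections and mitigations from Microsoft Defender for Office 365, are included in analyst reports" keeps a stray comma between subject and verb; drop the comma after "365". The sentence that follows it, "whether your organization were a target", should read "was a target". The rest of this hunk only splits the two Related topics bullets onto their own lines, which is fine.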
security Threat Analytics https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/threat-analytics.md
-# Threat analytics in Microsoft 365 Defender
+# Threat analytics in Microsoft 365 Defender
[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)] **Applies to:**+ - Microsoft 365 Defender > Want to experience Microsoft 365 Defender? You can [evaluate it in a lab environment](m365d-evaluation.md?ocid=cx-docs-MTPtriallab) or [run your pilot project in production](m365d-pilot.md?ocid=cx-evalpilot).
[!INCLUDE [Prerelease](../includes/prerelease.md)]
-Threat analytics is our in-product threat intelligence solution from expert Microsoft security researchers, designed to assist security teams to be as efficient as possible while facing emerging threats, including:
+Threat analytics is our in-product threat intelligence solution from expert Microsoft security researchers. It's designed to assist security teams to be as efficient as possible while facing emerging threats, such as:
- Active threat actors and their campaigns - Popular and new attack techniques
Watch this short video to learn more about how threat analytics can help you tra
>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWwJfU]
-You can access threat analytics either from the upper left-hand side of Microsoft 365 security portalΓÇÖs navigation bar, or from a dedicated dashboard card which shows the top threats in your org. Getting visibility on active or ongoing campaigns and knowing what to do through threat analytics can help equip your security operations team with informed decisions.
+You can access threat analytics either from the upper left-hand side of Microsoft 365 security portalΓÇÖs navigation bar, or from a dedicated dashboard card that shows the top threats to your org, both in terms of impact, and in terms of exposure.
![Image of the threat analytics dashboard.](../../media/threat-analytics/ta_inlandingpage_mtp.png)
+High impact threats have the greatest potential to cause harm, while high exposure threats are the ones that your assets are most vulnerable to. Getting visibility on active or ongoing campaigns and knowing what to do through threat analytics can help equip your security operations team with informed decisions.
+ _Where to access threat analytics_ With more sophisticated adversaries and new threats emerging frequently and prevalently, it's critical to be able to quickly: - Identify and react to emerging threats-- Learn if you are currently under attack
+- Learn if you're currently under attack
- Assess the impact of the threat to your assets - Review your resilience against or exposure to the threats - Identify the mitigation, recovery, or prevention actions you can take to stop or contain the threats
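Review bot: the caption `_Where to access threat analytics_` is now separated from its screenshot by the new "High impact threats have the greatest potential to cause harm..." paragraph, so the italic line no longer reads as the figure caption; move the caption directly under the image (or place the new paragraph after the caption). In the rewritten access sentence, the comma in "both in terms of impact, and in terms of exposure" is unneeded.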
The threat analytics dashboard ([security.microsoft.com/threatanalytics3](https:
- **Latest threats**ΓÇölists the most recently published or updated threat reports, along with the number of active and resolved alerts. - **High-impact threats**ΓÇölists the threats that have the highest impact to your organization. This section lists threats with the highest number of active and resolved alerts first.-- **Threat summary**ΓÇöprovides the overall impact of all tracked threats by showing the number of threats with active and resolved alerts.
+- **Highest exposure**ΓÇölists threats with the highest exposure levels first. the exposure level of a threat is calculated using two pieces of information: how severe the vulnerabilities associated with the threat are, and how many devices in your organization could be exploited by those vulnerabilities.
Select a threat from the dashboard to view the report for that threat. ![Screenshot of threat analytics dashboard.](../../media/threat-analytics/ta_dashboard_mtp.png)
-_Threat analytics dashboard. You can also click the Search icon to key in a keyword related to the threat analytics report that you'd like to read._
+_Threat analytics dashboard. You can also select the Search field to key in a keyword that's related to the threat analytics report that you'd like to read._
## View a threat analytics report
Each threat analytics report provides information in several sections:
- [**Related incidents**](#related-incidents-view-and-manage-related-incidents) - [**Impacted assets**](#impacted-assets-get-list-of-impacted-devices-and-mailboxes) - [**Prevented email attempts**](#prevented-email-attempts-view-blocked-or-junked-threat-emails)-- [**Mitigations**](#mitigations-review-list-of-mitigations-and-the-status-of-your-devices)
+- [**Exposure & mitigations**](#exposure-and-mitigations-review-list-of-mitigations-and-the-status-of-your-devices)
### Overview: Quickly understand the threat, assess its impact, and review defenses
-The **Overview** section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization and your exposure through misconfigured and unpatched devices.
+The **Overview** section provides a preview of the detailed analyst report. It also provides charts that highlight the impact of the threat to your organization, and your exposure through misconfigured and unpatched devices.
![Image of the overview section of a threat analytics report.](../../media/threat-analytics/ta_overview_mtp.png)
_Overview section of a threat analytics report_
Each report includes charts designed to provide information about the organizational impact of a threat: - **Related incidents**ΓÇöprovides an overview of the impact of the tracked threat to your organization with the following data:
- - Number of active alerts and the number of active incidents they are associated with
+ - Number of active alerts and the number of active incidents they're associated with
- Severity of active incidents - **Alerts over time**ΓÇöshows the number of related **Active** and **Resolved** alerts over time. The number of resolved alerts indicates how quickly your organization responds to alerts associated with a threat. Ideally, the chart should be showing alerts resolved within a few days. - **Impacted assets**ΓÇöshows the number of distinct devices and email accounts (mailboxes) that currently have at least one active alert associated with the tracked threat. Alerts are triggered for mailboxes that received threat emails. Review both org- and user-level policies for overrides that cause the delivery of threat emails.
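Review bot: in the new **Highest exposure** bullet, "first. the exposure level of a threat is calculated" starts a sentence in lowercase; capitalize "The". The **Threat summary** bullet is deleted rather than reworded; confirm that card is actually gone from the dashboard, since the overview text still refers to the overall impact of tracked threats. Elsewhere in this hunk the **Exposure & mitigations** link target agrees with the renamed heading further down, which is good.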
Each report includes charts designed to provide information about the organizati
Each report includes charts that provide an overview of how resilient your organization is against a given threat: -- **Secure configuration status**ΓÇöshows the number of devices with misconfigured security settings. Apply the recommended security settings to help mitigate the threat. Devices are considered **Secure** if they have applied _all_ the tracked settings.
+- **Secure configuration status**ΓÇöshows the number of devices with misconfigured security settings. Apply the recommended security settings to help mitigate the threat. Devices are considered **Secure** if they've applied _all_ the tracked settings.
- **Vulnerability patching status**ΓÇöshows the number of vulnerable devices. Apply security updates or patches to address vulnerabilities exploited by the threat. #### View reports per threat tags
Each report includes charts that provide an overview of how resilient your organ
You can filter the threat report list and view the most relevant reports according to a specific threat tag (category) or a report type. - **Threat tags**ΓÇöassist you in viewing the most relevant reports according to a specific threat category. For example, all reports related to ransomware.-- **Report types**ΓÇöassist you in viewing the most relevant reports according to a specific report type. For example, all reports that cover tools and techniques.
+- **Report types**ΓÇöassist you in viewing the most relevant reports according to a specific report type. For example, all reports that cover tools and techniques.
- **Filters**ΓÇöassist you in efficiently reviewing the threat report list and filtering the view based on a specific threat tag or report type. For example, review all threat reports related to ransomware category, or threat reports that cover vulnerabilities. ##### How does it work?
The Microsoft Threat Intelligence team has added threat tags to each threat repo
- Phishing - Vulnerability - Activity group-- Threat tags are presented at the top of the threat analytics page, with counters for the number of available reports under each tag.
+- Threat tags are presented at the top of the threat analytics page. There are counters for the number of available reports under each tag.
![threat tags.](../../media/threat-analytics/ta-threattags-mtp.png)
In the **Analyst report** section, read through the detailed expert write-up. Mo
### Related incidents: View and manage related incidents
-The **Related incidents** tab provides the list of all incidents related to the tracked threat. You can assign incidents or manage alerts linked to each incident.
-
+The **Related incidents** tab provides the list of all incidents related to the tracked threat. You can assign incidents or manage alerts linked to each incident.
![Image of the related incidents section of a threat analytics report.](../../media/threat-analytics/ta_related_incidents_mtp.png)
_Related incidents section of a threat analytics report_
### Impacted assets: Get list of impacted devices and mailboxes
-An asset is considered impacted if it is affected by an active, unresolved alert. The **Impacted assets** tab lists the following types of impacted assets:
+An asset is considered impacted if it's affected by an active, unresolved alert. The **Impacted assets** tab lists the following types of impacted assets:
- **Impacted devices**ΓÇöendpoints that have unresolved Microsoft Defender for Endpoint alerts. These alerts typically fire on sightings of known threat indicators and activities. - **Impacted mailboxes**ΓÇömailboxes that have received email messages that have triggered Microsoft Defender for Office 365 alerts. While most messages that trigger alerts are typically blocked, user- or org-level policies can override filters.
_Impacted assets section of a threat analytics report_
Microsoft Defender for Office 365 typically blocks emails with known threat indicators, including malicious links or attachments. In some cases, proactive filtering mechanisms that check for suspicious content will instead send threat emails to the junk mail folder. In either case, the chances of the threat launching malware code on the device is reduced.
-The **Prevented email attempts** tab lists all the emails that have either been blocked before delivery or sent to the junk mail folder by Microsoft Defender for Office 365.
+The **Prevented email attempts** tab lists all the emails that have either been blocked before delivery or sent to the junk mail folder by Microsoft Defender for Office 365.
![Image of the prevented email attempts section of a threat analytics report.](../../media/threat-analytics/ta_prevented_email_attempts_mtp.png) _Prevented email attempts section of a threat analytics report_
-### Mitigations: Review list of mitigations and the status of your devices
+### Exposure and mitigations: Review list of mitigations and the status of your devices
-In the **Mitigations** section, review the list of specific actionable recommendations that can help you increase your organizational resilience against the threat. The list of tracked mitigations includes:
+In the **Exposure & mitigations** section, review the list of specific actionable recommendations that can help you increase your organizational resilience against the threat. The list of tracked mitigations includes:
- **Security updates**ΓÇödeployment of supported software security updates for vulnerabilities found on onboarded devices - **Supported security configurations**
Mitigation information in this section incorporates data from [threat and vulner
![Image of the mitigations section of a threat analytics report showing vulnerability details.](../../media/threat-analytics/ta_mitigations_mtp2.png)
-_Mitigations section of a threat analytics report_
+_Exposure & mitigations section of a threat analytics report_
+
+## Set up email notifications for report updates
+
+You can set up email notifications that will send you updates on threat analytics reports.
+
+To set up email notifications for threat analytics reports, perform the following steps:
+
+1. Select **Settings** in the Microsoft 365 Defender sidebar. Select **Microsoft 365 Defender** from the list of settings.
+
+![Screenshot with "Settings" and "Microsoft 365 Defender" both highlighted in red](../../media/threat-analytics/ta_create_notification_0.png)
+
+2. Choose **Email notifications** > **Threat analytics**, and select the button, **+ Create a notification rule**. A flyout will appear.
+
+![Screenshot with "+ Create a notification rule" highlighted in red](../../media/threat-analytics/ta_create_notification_1.png)
+
+3. Follow the steps listed in the flyout. First, give your new rule a name. The description field is optional, but a name is required. You can toggle the rule on or off using the checkbox under the description field.
+
+> [!NOTE]
+> The name and description fields for a new notification rule only accept English letters and numbers. They don't accept spaces, dashes, underscores, or any other punctuation.
+
+![Screenshot of the naming screen, with all fields filled out and the "Turn rule on" checkbox checked](../../media/threat-analytics/ta_create_notification_2.png)
+
+4. Choose which kind of reports you want to be notified about. You can choose between being updated about all newly published or updated reports, or only those reports which have a certain tag or type.
+
+![Screenshot of the notification screen, with Ransomware tags selected and a drop down menu for types open](../../media/threat-analytics/ta_create_notification_3.png)
+
+5. Add at least one recipient to receive the notification emails. You can also use this screen to check how the notifications will be received, by sending a test email.
+
+![Screenshot of the recipients screen. There are 3 recipients listed, and a test email has been sent, as indicated by a green checkmark](../../media/threat-analytics/ta_create_notification_4.png)
+
+6. Review your new rule. If there is anything you would like to change, select the **Edit** button at the end of each subsection. Once your review is complete, select the **Create rule** button.
+
+![Screenshot of the review screen. An edit button is highlighted in red](../../media/threat-analytics/ta_create_notification_5.png)
+
+7. Congratulations! Your new rule has been successfully created. Select the **Done** button to complete the process and close the flyout.
+
+![Screenshot of the rule created screen. A successfully created rule will display green checkmarks along the sidebar, and a big green check in the main area of the screen](../../media/threat-analytics/ta_create_notification_6.png)
+
+8. Your new rule will now appear in the list of Threat analytics email notifications.
+
+![Screenshot of the list of email notification rules within the Settings screen](../../media/threat-analytics/ta_create_notification_7.png)
## Additional report details and limitations
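Review bot: in the new "Set up email notifications for report updates" section, every numbered step is followed by an unindented blank line and screenshot, which in most Markdown renderers ends the ordered list, so the steps may render as eight separate one-item lists; indent the image lines (and the NOTE under step 3) by four spaces under their step so the procedure renders as one list. The alt text in this section also departs from the file's existing convention (`![Image of ...](...)` followed by an italic caption); align it for consistency. Steps 7 and 8 describe outcomes rather than actions ("Congratulations! Your new rule has been successfully created", "Your new rule will now appear"); fold them into a closing sentence after step 6 so the list stays a list of actions.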
_Mitigations section of a threat analytics report_
> > If you are not using the Microsoft 365 security portal (Microsoft 365 Defender), you can also see the report details (without the Microsoft Defender for Office data) in the Microsoft Defender Security Center portal (Microsoft Defender for Endpoint).
-To access threat analytics report you need certain roles and permissions. See [Custom roles in role-based access control for Microsoft 365 Defender](custom-roles.md) for details.
+To access threat analytics reports, you need certain roles and permissions. See [Custom roles in role-based access control for Microsoft 365 Defender](custom-roles.md) for details.
- To view alerts, incidents, or impacted assets data, you need to have permissions to Microsoft Defender for Office or Microsoft Defender for Endpoint alerts data, or both.-- To view prevented email attempts, you need to have permissions to Microsoft Defender for Office hunting data.
+- To view prevented email attempts, you need to have permissions to Microsoft Defender for Office hunting data.
- To view mitigations, you need to have permissions to threat and vulnerability management data in Microsoft Defender for Endpoint. When looking at the threat analytics data, remember the following factors: -- Charts reflect only mitigations that are tracked. Check the report overview for additional mitigations that are not shown in the charts.
+- Charts reflect only mitigations that are tracked. Check the report overview for additional mitigations that aren't shown in the charts.
- Mitigations don't guarantee complete resilience. The provided mitigations reflect the best possible actions needed to improve resiliency.-- Devices are counted as "unavailable" if they have not transmitted data to the service.
+- Devices are counted as "unavailable" if they haven't transmitted data to the service.
- Antivirus-related statistics are based on Microsoft Defender Antivirus settings. Devices with third-party antivirus solutions can appear as "exposed".
-## Related topics
+## Related articles
-- [Proactively find threats with advanced hunting](advanced-hunting-overview.md)
+- [Proactively find threats with advanced hunting](advanced-hunting-overview.md)
- [Understand the analyst report section](threat-analytics-analyst-reports.md) - [Assess and resolve security weaknesses and exposures](/windows/security/threat-protection/microsoft-defender-atp/next-gen-threat-and-vuln-mgt)
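Review bot: the heading is renamed from "Related topics" to "Related articles" here, but the companion threat-analytics-analyst-reports.md change in this same update leaves its heading as "## Related topics"; pick one wording for both files. The "Proactively find threats with advanced hunting" bullet is removed and re-added with identical text, so it appears to be a whitespace-only change.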
security View And Release Quarantined Messages From Shared Mailboxes https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/view-and-release-quarantined-messages-from-shared-mailboxes.md
Now, automapping is no longer required for users to manage quarantined messages
- To manage quarantined messages for the shared mailbox in [Exchange Online PowerShell](/powershell/exchange/connect-to-exchange-online-powershell), the end-user will need to use the [Get-QuarantineMessage](/powershell/module/exchange/get-quarantinemessage) cmdlet with shared mailbox email address for the value of the _RecipientAddress_ parameter to identify the messages. For example: ```powershell
- Get-QuarantinedMessage -RecipientAddress officeparty@contoso.com
+ Get-QuarantineMessage -RecipientAddress officeparty@contoso.com
``` Then, the end-user can select a quarantined message from the list to view or take action on.
Now, automapping is no longer required for users to manage quarantined messages
This example shows all of the quarantined messages that were sent to the shared mailbox, and then releases the first message in the list from quarantine (the first message in the list is 0, the second is 1, and so on). ```powershell
- $SharedMessages = Get-QuarantinedMessage -RecipientAddress officeparty@contoso.com | select -ExpandProperty Identity
+ $SharedMessages = Get-QuarantineMessage -RecipientAddress officeparty@contoso.com | select -ExpandProperty Identity
$SharedMessages
- Release-QuarantinedMessage -Identity $SharedMessages[0]
+ Release-QuarantineMessage -Identity $SharedMessages[0]
``` For detailed syntax and parameter information, see the following topics:
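Review bot: the cmdlet-name corrections (`Get-QuarantineMessage`, `Release-QuarantineMessage`) now match the cmdlet the prose links to, but the example still uses the `select` alias; documentation samples should spell out `Select-Object -ExpandProperty Identity`. Since the surrounding text explains the zero-based index, it is also worth a note that `$SharedMessages[0]` is only valid when the query returned at least one message; when it returns nothing, `Release-QuarantineMessage -Identity $SharedMessages[0]` fails with a parameter-binding error, so readers should check `$SharedMessages.Count` (or inspect the printed list) before releasing.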