Category | Microsoft Docs article | Related commit history on GitHub | Change details |
---|---|---|---|
commerce | Manage Auto Claim Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/commerce/licenses/manage-auto-claim-policies.md | If a user lacks a standalone Power Apps license and launches an app that require If a user without a standalone Power Apps license launches an app within a Managed environment, they're automatically granted a Power Apps per user license. +## Auto-claim policies for Microsoft Power Automate ++Auto-claim for Power Automate licenses is supported for the following plans: ++- Power Automate premium plan +- Power Automate per user plan ++When the auto-claim policy is configured and a user doesn't have a license for the product, the user is automatically assigned a license when they take any of the following actions: ++**For Power Automate per user plans** ++- Trigger a premium cloud flow +- Save a premium cloud flow +- Turn on a premium cloud flow ++**For Power Automate premium plans** ++In addition to the actions listed in **For Power Automate per user plans**, the following actions also apply: ++- Trigger a premium cloud flow with Attended Robotic Process Automation (RPA) +- Save a premium cloud flow with Attended RPA +- Turn on a premium cloud flow with Attended RPA + ## Next steps You can periodically return to the **Auto-claim policy** tab to see a list of users who have claimed licenses under the policies you created. You can periodically return to the **Auto-claim policy** tab to see a list of us [Assign licenses to users](../../admin/manage/assign-licenses-to-users.md) (article)\ [Buy or remove subscription licenses](buy-licenses.md) (article)\-u[Understand subscriptions and licenses in Microsoft 365 for business](subscriptions-and-licenses.md) (article) +[Understand subscriptions and licenses in Microsoft 365 for business](subscriptions-and-licenses.md) (article) |
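Review bot: the new "Auto-claim policies for Microsoft Power Automate" section lists separate qualifying actions for the per user plan and the premium plan, but "Trigger a premium cloud flow", "Save a premium cloud flow" and "Turn on a premium cloud flow" appear in both lists, and the text doesn't say which license a user is assigned when policies for both plans exist and the user takes one of those actions; add a sentence stating which policy applies in that case.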
frontline | Frontline Usage Report | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/frontline/frontline-usage-report.md | + + Title: Microsoft Teams frontline usage report ++++audience: Admin ++++f1.keywords: +- NOCSH +ms.localizationpriority: high +search.appverid: MET150 ++ - M365-collaboration + - m365-frontline +description: Use the frontline usage report on the Manage frontline teams page of the Teams admin center to get an overview of active users in Teams for each of your frontline locations. + - Microsoft Teams + - Microsoft 365 for frontline workers ++ Last updated : 03/18/2024++# Microsoft Teams frontline usage report ++## Overview ++You can track usage for all your frontline locations deployed through the [deploy frontline dynamic teams](deploy-dynamic-teams-at-scale.md) experience from the usage dashboard on the Manage frontline teams page in the Teams admin center. ++From the usage dashboard, you can: ++- Run and view the [frontline usage report](#the-frontline-usage-report). The report shows usage data for active users on Microsoft Teams for each of your frontline locations. You can filter the table to the date range for which you want to see usage data, and then export this data to a CSV file for analysis. +- See the progress of overall frontline deployment tasks on the [Deployment task progress](#deployment-task-progress-card) card. ++## Access the usage dashboard ++In the Teams admin center, choose **Frontline deployment** > **Manage frontline teams**. From here, there are two ways to get to the usage dashboard. ++- Directly, by going to the **Usage** tab. ++ :::image type="content" source="media/flw-usage-report-usage-tab.png" alt-text="Screenshot of the Usage tab on the Manage frontline teams page." lightbox="media/flw-usage-report-usage-tab.png"::: +- Through the **App usage - Microsoft Teams** card. 
This card shows the overall percentage of users across all your frontline teams that have been active on Teams in the last 30 days. Choose **View details** to go to the dashboard. ++ :::image type="content" source="media/flw-usage-report-app-usage-card.png" alt-text="Screenshot of the App usage - Microsoft Teams card on the Manage frontline teams page." lightbox="media/flw-usage-report-app-usage-card.png"::: ++To view usage reports in the dashboard, make sure the **Display concealed user, group, and site names in all reports** setting is turned on in the Microsoft 365 admin center. Otherwise, you'll see a "User details have been hidden by your Microsoft 365 Reports privacy setting" message. ++You must be a Global admin to turn on this setting. ++1. In the Microsoft 365 admin center, go to **Settings** > **Org Settings**, and then on the **Services** tab, choose **Reports**. +1. Select the **Display concealed user, group, and site names in all reports** check box, and then choose **Save**. ++## The frontline usage report ++### Run the report ++1. On the **Usage** tab, under **Teams**, select which teams you want in your usage report. Currently, the only option is **All frontline teams**, which represents all teams deployed through the [deploy frontline dynamic teams](deploy-dynamic-teams-at-scale.md) experience in the Teams admin center. WeΓÇÖll be adding more options in the future. +1. Under **Date range**, select the date range for which you want to see data. You can choose from the last 7 days, 30 days, 90 days, or 180 days. Then, choose **Run report**. ++ > [!IMPORTANT] + > It might take several minutes to load the first report of the day. After the report is loaded, itΓÇÖs available to view for the next 24 hours. Usage data may take up to 72 hours to update. ++### Interpret the report ++The table shows usage data for your frontline teams during the date range you selected. +++Each row in the table represents a team. 
++|Item |Description | +||| +|Team name |The name of the team.| +|Team ID |The ID of the team.| +|Total members|The total number of users on each team.| +|Active users|The number of active users on each team. Users are considered active if they signed in to Teams one time during the selected date range. | +|Last activity date |The last date on which the user signed in to Teams.| ++You can: ++- Select the **Team members** or **Active users** column header to sort the rows from highest to lowest or vice versa. +- Select the **Last activity date** column header to sort the rows from latest to earliest or vice versa. +- Add or remove columns in the table by selecting **Edit columns** (the gear icon) in the upper-right corner of the table. +- Export the data to a CSV file for further analysis by selecting the **Export to Excel** icon in the upper-right corner of the table. ++> [!IMPORTANT] +> If you haven't deployed any frontline locations through the [deploy frontline dynamic teams](deploy-dynamic-teams-at-scale.md) experience in the Teams admin center, you won't see any teams. ++## Deployment task progress card ++The **Deployment task progress** card on the usage dashboard shows you which of the following tasks for your overall frontline deployment are completed, in progress, and not started. ++- Map frontline attributes +- Deploy frontline teams +- Set up operational hierarchy +- Deploy Shifts +++For your completed tasks, you can select **Review** to manage setup. For tasks that aren't started, you can choose **Start** to begin the task. The progress indicator shows the percentage of total tasks that are completed. ++## Troubleshoot errors ++If an error occurs when retrieving data, select **Try Again** on the data table or refresh the page. 
++## Related articles ++- [Deploy dynamic frontline teams at scale](deploy-dynamic-teams-at-scale.md) +- [Deploy your frontline operational hierarchy](deploy-frontline-operational-hierarchy.md) +- [Deploy Shifts to your frontline teams at scale](deploy-shifts-at-scale.md) |
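Review bot: the column names in the "Interpret the report" table and the sort instructions below it don't match: the table defines a **Total members** column, but the list says to select the **Team members** column header to sort; use one name in both places. In the same table, the **Last activity date** row reads "The last date on which the user signed in to Teams" although the preceding sentence says each row represents a team; reword it to say whose last sign-in the date reflects for a team row (for example the most recent sign-in by any member of that team), if that is what the report shows.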
includes | Microsoft 365 Content Updates | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/includes/microsoft-365-content-updates.md | <!-- This file is generated automatically each week. Changes made to this file will be overwritten.-->--- -## Week of February 26, 2024 ---| Published On |Topic title | Change | -|||--| -| 2/26/2024 | [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout?view=o365-worldwide) | modified | -| 2/26/2024 | [Understand app protection access requirements using Microsoft Intune](/microsoft-365/solutions/apps-protect-access-requirements?view=o365-worldwide) | added | -| 2/26/2024 | [Understand app protection conditional launch using Microsoft Intune](/microsoft-365/solutions/apps-protect-conditional-launch?view=o365-worldwide) | added | -| 2/26/2024 | [Understand app data protection using Microsoft Intune](/microsoft-365/solutions/apps-protect-data-protection?view=o365-worldwide) | added | -| 2/26/2024 | [Use the app protection framework with Microsoft Intune](/microsoft-365/solutions/apps-protect-framework?view=o365-worldwide) | added | -| 2/26/2024 | [Understand app protection health checks using Microsoft Intune](/microsoft-365/solutions/apps-protect-health-checks?view=o365-worldwide) | added | -| 2/26/2024 | [Secure and protect apps using Microsoft Intune](/microsoft-365/solutions/apps-protect-overview?view=o365-worldwide) | added | -| 2/26/2024 | [Step 1. Apply minimum data protection](/microsoft-365/solutions/apps-protect-step-1?view=o365-worldwide) | added | -| 2/26/2024 | [Step 2. Apply enhanced data protection](/microsoft-365/solutions/apps-protect-step-2?view=o365-worldwide) | added | -| 2/26/2024 | [Step 3. Apply high data protection](/microsoft-365/solutions/apps-protect-step-3?view=o365-worldwide) | added | -| 2/26/2024 | [Step 4. 
Understand app protection delivery](/microsoft-365/solutions/apps-protect-step-4?view=o365-worldwide) | added | -| 2/26/2024 | [Step 5. Verify and monitor app protection](/microsoft-365/solutions/apps-protect-step-5?view=o365-worldwide) | added | -| 2/26/2024 | [Step 6. Use app protection actions](/microsoft-365/solutions/apps-protect-step-6?view=o365-worldwide) | added | -| 2/26/2024 | [Evaluate and pilot Microsoft Defender XDR security, an XDR solution that unifies threat data so you can take action.](/microsoft-365/security/defender/eval-overview?view=o365-worldwide) | modified | -| 2/26/2024 | [Automatic user notifications for user reported phishing results in AIR](/microsoft-365/security/office-365-security/air-user-automatic-feedback-response?view=o365-worldwide) | modified | -| 2/27/2024 | [Configuring external data integrations for Loop experiences](/microsoft-365/loop/loop-data-integrations-configuration?view=o365-worldwide) | added | -| 2/27/2024 | [Early Launch Antimalware (ELAM) and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/elam-on-mdav?view=o365-worldwide) | added | -| 2/27/2024 | [Manage Loop components in OneDrive and SharePoint](/microsoft-365/loop/loop-components-configuration?view=o365-worldwide) | modified | -| 2/27/2024 | [Cloud protection and sample submission at Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide) | modified | -| 2/27/2024 | [Manage Microsoft Defender Antivirus in your business](/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/27/2024 | [Configure Microsoft Defender Antivirus features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features?view=o365-worldwide) | modified | -| 2/27/2024 | [Vulnerability support in Microsoft Defender Vulnerability 
Management](/microsoft-365/security/defender-vulnerability-management/fixed-reported-inaccuracies?view=o365-worldwide) | modified | -| 2/27/2024 | [Block vulnerable applications.](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps?view=o365-worldwide) | modified | -| 2/27/2024 | [Built-in virus protection in SharePoint Online, OneDrive, and Microsoft Teams](/microsoft-365/security/office-365-security/anti-malware-protection-for-spo-odfb-teams-about?view=o365-worldwide) | modified | -| 2/27/2024 | [Migrate from a third-party protection service to Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365?view=o365-worldwide) | modified | -| 2/27/2024 | [Attack surface reduction rules reference](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide) | modified | -| 2/27/2024 | [Data collection for advanced troubleshooting on Windows](/microsoft-365/security/defender-endpoint/data-collection-analyzer?view=o365-worldwide) | modified | -| 2/27/2024 | [Why you should use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/27/2024 | [Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/amsi-on-mdav?view=o365-worldwide) | added | -| 2/27/2024 | [Run and customize scheduled and on-demand scans](/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/27/2024 | [Antivirus solution compatibility with Defender for Endpoint](/microsoft-365/security/defender-endpoint/defender-compatibility?view=o365-worldwide) | modified | -| 2/27/2024 | [Apply Microsoft Defender Antivirus updates after certain 
events](/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/27/2024 | [Microsoft Defender Antivirus security intelligence and product updates](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates?view=o365-worldwide) | modified | -| 2/27/2024 | [Microsoft Defender Antivirus updates - Previous versions for technical upgrade support](/microsoft-365/security/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support?view=o365-worldwide) | modified | -| 2/27/2024 | [Microsoft Defender for Cloud in the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud?view=o365-worldwide) | modified | -| 2/27/2024 | [Microsoft Defender for Endpoint in the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-center-mde?view=o365-worldwide) | modified | -| 2/27/2024 | [Microsoft Defender for Identity in the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-center-mdi?view=o365-worldwide) | modified | -| 2/27/2024 | [Microsoft Defender for Office 365 in the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-center-mdo?view=o365-worldwide) | modified | -| 2/27/2024 | [Redirecting from the Microsoft Defender Security Center to the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-mde-redirection?view=o365-worldwide) | modified | -| 2/27/2024 | [Compliance features in Microsoft 365 Archive (Preview)](/microsoft-365/syntex/archive/archive-compliance) | modified | -| 2/28/2024 | [Coin miners](/microsoft-365/security/defender-endpoint/malware/coinminer-malware?view=o365-worldwide) | added | -| 2/28/2024 | [Exploits and exploit kits](/microsoft-365/security/defender-endpoint/malware/exploits-malware?view=o365-worldwide) | added | -| 2/28/2024 | [Fileless 
threats](/microsoft-365/security/defender-endpoint/malware/fileless-threats?view=o365-worldwide) | added | -| 2/28/2024 | [Macro malware](/microsoft-365/security/defender-endpoint/malware/macro-malware?view=o365-worldwide) | added | -| 2/28/2024 | [Phishing trends and techniques](/microsoft-365/security/defender-endpoint/malware/phishing-trends?view=o365-worldwide) | added | -| 2/28/2024 | [How to protect against phishing attacks](/microsoft-365/security/defender-endpoint/malware/phishing?view=o365-worldwide) | added | -| 2/28/2024 | [Prevent malware infection](/microsoft-365/security/defender-endpoint/malware/prevent-malware-infection?view=o365-worldwide) | added | -| 2/28/2024 | [Rootkits](/microsoft-365/security/defender-endpoint/malware/rootkits-malware?view=o365-worldwide) | added | -| 2/28/2024 | [Supply chain attacks](/microsoft-365/security/defender-endpoint/malware/supply-chain-malware?view=o365-worldwide) | added | -| 2/28/2024 | [Tech Support Scams](/microsoft-365/security/defender-endpoint/malware/support-scams?view=o365-worldwide) | added | -| 2/28/2024 | [Trojan malware](/microsoft-365/security/defender-endpoint/malware/trojans-malware?view=o365-worldwide) | added | -| 2/28/2024 | [Understanding malware & other threats](/microsoft-365/security/defender-endpoint/malware/understanding-malware?view=o365-worldwide) | added | -| 2/28/2024 | [Unwanted software](/microsoft-365/security/defender-endpoint/malware/unwanted-software?view=o365-worldwide) | added | -| 2/28/2024 | [Worms](/microsoft-365/security/defender-endpoint/malware/worms-malware?view=o365-worldwide) | added | -| 2/28/2024 | [Configure junk email settings on Exchange Online mailboxes](/microsoft-365/security/office-365-security/configure-junk-email-settings-on-exo-mailboxes?view=o365-worldwide) | modified | -| 2/28/2024 | [Manage Shifts permissions for frontline managers](/microsoft-365/frontline/manage-shifts-permissions-frontline-managers?view=o365-worldwide) | added | -| 2/28/2024 | 
[Behavior monitoring in Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/behavior-monitor?view=o365-worldwide) | added | -| 2/28/2024 | [Windows and Office 365 deployment lab kit](/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab?view=o365-worldwide) | modified | -| 2/28/2024 | [Deploy frontline dynamic teams at scale](/microsoft-365/frontline/deploy-dynamic-teams-at-scale?view=o365-worldwide) | modified | -| 2/28/2024 | [Overview of next-generation protection in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/next-generation-protection?view=o365-worldwide) | modified | -| 2/28/2024 | [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/28/2024 | Configure Directory Services account in Microsoft Defender for Identity | removed | -| 2/28/2024 | Microsoft Defender for Identity entity tags in Microsoft Defender XDR | removed | -| 2/28/2024 | Microsoft Defender for Identity detection exclusions in Microsoft Defender XDR | removed | -| 2/28/2024 | Microsoft Defender for Identity security alerts in Microsoft Defender XDR | removed | -| 2/28/2024 | Microsoft Defender for Identity notifications in Microsoft Defender XDR | removed | -| 2/28/2024 | Microsoft Defender for Identity sensor health and settings in Microsoft Defender XDR | removed | -| 2/28/2024 | Microsoft Defender for Identity VPN integration in Microsoft Defender XDR | removed | -| 2/28/2024 | [Advanced technologies at the core of Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/adv-tech-of-mdav?view=o365-worldwide) | added | -| 2/28/2024 | [Run Microsoft Defender Antivirus in a sandbox environment](/microsoft-365/security/defender-endpoint/sandbox-mdav?view=o365-worldwide) | added | -| 2/28/2024 | [Configure the Microsoft Defender Antivirus cloud block timeout 
period](/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/28/2024 | [Create and manage device tags](/microsoft-365/security/defender-endpoint/machine-tags?view=o365-worldwide) | modified | -| 2/29/2024 | [Configure and manage Microsoft Defender Experts capabilities](/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts?view=o365-worldwide) | modified | -| 2/29/2024 | [Preview limitations in Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-limitations) | modified | -| 2/29/2024 | [Disable access to Microsoft 365 services with PowerShell](/microsoft-365/enterprise/disable-access-to-services-with-microsoft-365-powershell?view=o365-worldwide) | modified | -| 2/29/2024 | [What's new in Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management?view=o365-worldwide) | modified | -| 2/29/2024 | [Manage Loop app preview](/microsoft-365/loop/loop-preview-configuration?view=o365-worldwide) | added | -| 2/29/2024 | [Deploy Shifts to your frontline teams at scale](/microsoft-365/frontline/deploy-shifts-at-scale?view=o365-worldwide) | modified | -| 2/29/2024 | [Get started with Microsoft 365 for healthcare organizations](/microsoft-365/frontline/teams-in-hc?view=o365-worldwide) | modified | -| 2/29/2024 | [Manage Loop workspaces in SharePoint Embedded](/microsoft-365/loop/loop-workspaces-configuration?view=o365-worldwide) | modified | -| 2/29/2024 | [Onboard Windows devices using a local script](/microsoft-365/security/defender-endpoint/configure-endpoints-script?view=o365-worldwide) | modified | -| 2/29/2024 | [Set preferences for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-preferences?view=o365-worldwide) | modified | -| 2/29/2024 | [Microsoft Defender Antivirus in 
Windows](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide) | modified | -| 3/1/2024 | [Data Residency for Microsoft Copilot for Microsoft 365](/microsoft-365/enterprise/m365-dr-workload-copilot?view=o365-worldwide) | added | -| 3/1/2024 | [Advanced data residency in Microsoft 365](/microsoft-365/enterprise/advanced-data-residency?view=o365-worldwide) | modified | -| 3/1/2024 | [Advanced Data Residency Commitments](/microsoft-365/enterprise/m365-dr-commitments?view=o365-worldwide) | modified | -| 3/1/2024 | [Data Residency Legacy Move Program](/microsoft-365/enterprise/m365-dr-legacy-move-program?view=o365-worldwide) | modified | -| 3/1/2024 | [Overview and Definitions](/microsoft-365/enterprise/m365-dr-overview?view=o365-worldwide) | modified | -| 3/1/2024 | [Overview of Product Terms Data Residency](/microsoft-365/enterprise/m365-dr-product-terms-dr?view=o365-worldwide) | modified | -| 3/1/2024 | [Data Residency for Exchange Online](/microsoft-365/enterprise/m365-dr-workload-exo?view=o365-worldwide) | modified | -| 3/1/2024 | [Data Residency for Microsoft Defender for Office P1](/microsoft-365/enterprise/m365-dr-workload-mdo-p1?view=o365-worldwide) | modified | -| 3/1/2024 | [Data Residency for Other Microsoft 365 Services](/microsoft-365/enterprise/m365-dr-workload-other?view=o365-worldwide) | modified | -| 3/1/2024 | [Data Residency for Microsoft Purview](/microsoft-365/enterprise/m365-dr-workload-purview?view=o365-worldwide) | modified | -| 3/1/2024 | [Data Residency for SharePoint and OneDrive](/microsoft-365/enterprise/m365-dr-workload-spo?view=o365-worldwide) | modified | -| 3/1/2024 | [Data Residency for Microsoft Teams](/microsoft-365/enterprise/m365-dr-workload-teams?view=o365-worldwide) | modified | -| 3/1/2024 | [Advanced technologies at the core of Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/adv-tech-of-mdav?view=o365-worldwide) | modified | -| 3/1/2024 | [Evaluate network 
protection](/microsoft-365/security/defender-endpoint/evaluate-network-protection?view=o365-worldwide) | modified | -| 3/1/2024 | [Create custom Microsoft Defender XDR reports using Microsoft Graph security API and Power BI](/microsoft-365/security/defender/defender-xdr-custom-reports?view=o365-worldwide) | modified | -| 3/1/2024 | [Memory regression analysis](/microsoft-365/test-base/memory?view=o365-worldwide) | modified | -| 3/1/2024 | [Hardware acceleration and Microsoft Defender Antivirus.](/microsoft-365/security/defender-endpoint/hardware-acceleration-and-mdav?view=o365-worldwide) | added | -| 3/1/2024 | [Evaluate Microsoft Defender Antivirus using PowerShell.](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-using-powershell?view=o365-worldwide) | added | -| 3/1/2024 | [Microsoft 365 admin center SharePoint activity reports](/microsoft-365/admin/activity-reports/sharepoint-activity-ww?view=o365-worldwide) | modified | -| 3/1/2024 | [Microsoft 365 admin center Viva Engage activity reports](/microsoft-365/admin/activity-reports/viva-engage-activity-report-ww?view=o365-worldwide) | modified | -| 3/1/2024 | [Microsoft 365 admin center Viva Learning activity reports](/microsoft-365/admin/activity-reports/viva-learning-activity?view=o365-worldwide) | modified | -| 3/1/2024 | [Transfer data manually between two accounts](/microsoft-365/admin/get-help-with-domains/transfer-data-manually?view=o365-worldwide) | modified | -| 3/1/2024 | [Domains Frequently Asked Questions](/microsoft-365/admin/setup/domains-faq?view=o365-worldwide) | modified | ---## Week of February 19, 2024 ---| Published On |Topic title | Change | -|||--| -| 2/19/2024 | [What's new in Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score-whats-new?view=o365-worldwide) | modified | -| 2/20/2024 | [Use roles to define your frontline managers and workers in Shifts](/microsoft-365/frontline/shifts-frontline-manager-worker-roles?view=o365-worldwide) | 
added | -| 2/20/2024 | [Block Microsoft 365 user accounts with PowerShell](/microsoft-365/enterprise/block-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified | -| 2/20/2024 | [Delete Microsoft 365 user accounts with PowerShell](/microsoft-365/enterprise/delete-and-restore-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified | -| 2/20/2024 | [Manage Microsoft 365 groups](/microsoft-365/enterprise/manage-microsoft-365-groups?view=o365-worldwide) | modified | -| 2/20/2024 | [Manage security groups with PowerShell](/microsoft-365/enterprise/manage-security-groups-with-microsoft-365-powershell?view=o365-worldwide) | modified | -| 2/20/2024 | Manage schedule owners for shift management | removed | -| 2/20/2024 | [Microsoft Teams Virtual Appointments Call Quality Dashboard](/microsoft-365/frontline/virtual-appointments-call-quality?view=o365-worldwide) | modified | -| 2/20/2024 | [Set up multitenant management in Microsoft Defender XDR](/microsoft-365/security/defender/mto-requirements?view=o365-worldwide) | modified | -| 2/20/2024 | [Automated investigation and response in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/air-about?view=o365-worldwide) | modified | -| 2/20/2024 | [Use Azure Privileged Identity Management (PIM) in Microsoft Defender for Office 365 to limit admin access to cyber security tools.](/microsoft-365/security/office-365-security/pim-in-mdo-configure?view=o365-worldwide) | modified | -| 2/21/2024 | [Manage add-ins in the admin center](/microsoft-365/admin/manage/manage-addins-in-the-admin-center?view=o365-worldwide) | modified | -| 2/21/2024 | [Deploy and manage Office Add-ins](/microsoft-365/admin/manage/office-addins?view=o365-worldwide) | modified | -| 2/21/2024 | [Visit the Action center to see remediation actions](/microsoft-365/security/defender-endpoint/auto-investigation-action-center?view=o365-worldwide) | modified | -| 2/21/2024 | [View the details and results 
of an automated investigation](/microsoft-365/security/defender-endpoint/autoir-investigation-results?view=o365-worldwide) | modified | -| 2/21/2024 | [Use basic permissions to access the portal](/microsoft-365/security/defender-endpoint/basic-permissions?view=o365-worldwide) | modified | -| 2/21/2024 | [Cloud protection and sample submission at Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide) | modified | -| 2/21/2024 | [Device health Sensor health & OS report](/microsoft-365/security/defender-endpoint/device-health-sensor-health-os?view=o365-worldwide) | modified | -| 2/21/2024 | [Download the Microsoft Defender for Endpoint client analyzer](/microsoft-365/security/defender-endpoint/download-client-analyzer?view=o365-worldwide) | modified | -| 2/21/2024 | [EDR detection test for verifying device's onboarding and reporting service](/microsoft-365/security/defender-endpoint/edr-detection?view=o365-worldwide) | modified | -| 2/21/2024 | [Turn on cloud protection in Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/21/2024 | [Enable and update Microsoft Defender Antivirus on Windows Server](/microsoft-365/security/defender-endpoint/enable-update-mdav-to-latest-ws?view=o365-worldwide) | modified | -| 2/21/2024 | [Evaluate controlled folder access](/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access?view=o365-worldwide) | modified | -| 2/21/2024 | [See how Exploit protection works in a demo](/microsoft-365/security/defender-endpoint/evaluate-exploit-protection?view=o365-worldwide) | modified | -| 2/21/2024 | [Evaluate Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/evaluate-mde?view=o365-worldwide) | modified | -| 2/21/2024 | [Evaluate network 
protection](/microsoft-365/security/defender-endpoint/evaluate-network-protection?view=o365-worldwide) | modified | -| 2/21/2024 | [Review events and errors using Event Viewer](/microsoft-365/security/defender-endpoint/event-error-codes?view=o365-worldwide) | modified | -| 2/21/2024 | [Apply mitigations to help prevent attacks through vulnerabilities](/microsoft-365/security/defender-endpoint/exploit-protection?view=o365-worldwide) | modified | -| 2/21/2024 | [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-ebpf?view=o365-worldwide) | modified | -| 2/21/2024 | [Diagnosing performance issues with SharePoint](/microsoft-365/enterprise/diagnosing-performance-issues-with-sharepoint-online?view=o365-worldwide) | modified | -| 2/21/2024 | [Microsoft 365 network connectivity test tool](/microsoft-365/enterprise/office-365-network-mac-perf-onboarding-tool?view=o365-worldwide) | modified | -| 2/21/2024 | [Frequently asked questions (FAQs) about tamper protection](/microsoft-365/security/defender-endpoint/faqs-on-tamper-protection?view=o365-worldwide) | modified | -| 2/21/2024 | [Fix unhealthy sensors in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors?view=o365-worldwide) | modified | -| 2/21/2024 | [Become a Microsoft Defender for Endpoint partner](/microsoft-365/security/defender-endpoint/get-started-partner-integration?view=o365-worldwide) | modified | -| 2/21/2024 | [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide) | modified | -| 2/21/2024 | [Grant access to managed security service provider (MSSP)](/microsoft-365/security/defender-endpoint/grant-mssp-access?view=o365-worldwide) | modified | -| 2/21/2024 | [Investigate agent health issues](/microsoft-365/security/defender-endpoint/health-status?view=o365-worldwide) | modified | -| 2/21/2024 | [Host firewall reporting in 
Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/host-firewall-reporting?view=o365-worldwide) | modified | -| 2/21/2024 | [Create indicators based on certificates](/microsoft-365/security/defender-endpoint/indicator-certificates?view=o365-worldwide) | modified | -| 2/21/2024 | [Create indicators for files](/microsoft-365/security/defender-endpoint/indicator-file?view=o365-worldwide) | modified | -| 2/21/2024 | [Manage indicators](/microsoft-365/security/defender-endpoint/indicator-manage?view=o365-worldwide) | modified | -| 2/21/2024 | [Use Microsoft Defender for Endpoint sensitivity labels to protect your data and prioritize security incident response](/microsoft-365/security/defender-endpoint/information-protection-investigation?view=o365-worldwide) | modified | -| 2/21/2024 | [Investigate Microsoft Defender for Endpoint alerts](/microsoft-365/security/defender-endpoint/investigate-alerts?view=o365-worldwide) | modified | -| 2/21/2024 | [Investigate connection events that occur behind forward proxies](/microsoft-365/security/defender-endpoint/investigate-behind-proxy?view=o365-worldwide) | modified | -| 2/21/2024 | [Investigate an IP address associated with an alert](/microsoft-365/security/defender-endpoint/investigate-ip?view=o365-worldwide) | modified | -| 2/21/2024 | [Investigate devices in the Defender for Endpoint Devices list](/microsoft-365/security/defender-endpoint/investigate-machines?view=o365-worldwide) | modified | -| 2/21/2024 | [Investigate a user account in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/investigate-user?view=o365-worldwide) | modified | -| 2/21/2024 | [Configure Microsoft Defender for Endpoint on iOS features](/microsoft-365/security/defender-endpoint/ios-configure-features?view=o365-worldwide) | modified | -| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on iOS with Mobile Application 
Management](/microsoft-365/security/defender-endpoint/ios-install-unmanaged?view=o365-worldwide) | modified | -| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on iOS with Microsoft Intune](/microsoft-365/security/defender-endpoint/ios-install?view=o365-worldwide) | modified | -| 2/21/2024 | [Privacy information - Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-privacy?view=o365-worldwide) | modified | -| 2/21/2024 | [Troubleshoot issues and find answers on FAQs related to Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-troubleshoot?view=o365-worldwide) | modified | -| 2/21/2024 | [What's new in Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-whatsnew?view=o365-worldwide) | modified | -| 2/21/2024 | [How to Deploy Defender for Endpoint on Linux with Chef](/microsoft-365/security/defender-endpoint/linux-deploy-defender-for-endpoint-with-chef?view=o365-worldwide) | modified | -| 2/21/2024 | [Configure and validate exclusions for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-exclusions?view=o365-worldwide) | modified | -| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on Linux with Ansible](/microsoft-365/security/defender-endpoint/linux-install-with-ansible?view=o365-worldwide) | modified | -| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on Linux with Puppet](/microsoft-365/security/defender-endpoint/linux-install-with-puppet?view=o365-worldwide) | modified | -| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on Linux with SaltStack](/microsoft-365/security/defender-endpoint/linux-install-with-saltack?view=o365-worldwide) | modified | -| 2/21/2024 | [Privacy for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-privacy?view=o365-worldwide) | modified | -| 2/21/2024 | [Detect and block potentially unwanted applications with Microsoft Defender for 
Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-pua?view=o365-worldwide) | modified | -| 2/21/2024 | [How to schedule scans with Microsoft Defender for Endpoint (Linux)](/microsoft-365/security/defender-endpoint/linux-schedule-scan-mde?view=o365-worldwide) | modified | -| 2/21/2024 | [Microsoft Defender for Endpoint on Linux static proxy discovery](/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration?view=o365-worldwide) | modified | -| 2/21/2024 | [Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-connectivity?view=o365-worldwide) | modified | -| 2/21/2024 | [Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-events?view=o365-worldwide) | modified | -| 2/21/2024 | [Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-install?view=o365-worldwide) | modified | -| 2/21/2024 | [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-perf?view=o365-worldwide) | modified | -| 2/21/2024 | [Troubleshoot issues for Microsoft Defender for Endpoint on Linux RHEL6](/microsoft-365/security/defender-endpoint/linux-support-rhel?view=o365-worldwide) | modified | -| 2/21/2024 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified | -| 2/21/2024 | [Live response library methods and properties](/microsoft-365/security/defender-endpoint/live-response-library-methods?view=o365-worldwide) | modified | -| 2/21/2024 | [macOS Device control policies frequently asked questions (FAQ)](/microsoft-365/security/defender-endpoint/mac-device-control-faq?view=o365-worldwide) | modified | -| 2/21/2024 | [Deploy and manage 
Device Control using Intune](/microsoft-365/security/defender-endpoint/mac-device-control-intune?view=o365-worldwide) | modified | -| 2/21/2024 | [Deploy and manage device control using JAMF](/microsoft-365/security/defender-endpoint/mac-device-control-jamf?view=o365-worldwide) | modified | -| 2/21/2024 | [Deploy and manage device control manually](/microsoft-365/security/defender-endpoint/mac-device-control-manual?view=o365-worldwide) | modified | -| 2/21/2024 | [Device control for macOS](/microsoft-365/security/defender-endpoint/mac-device-control-overview?view=o365-worldwide) | modified | -| 2/21/2024 | [Sign in to Jamf Pro](/microsoft-365/security/defender-endpoint/mac-install-jamfpro-login?view=o365-worldwide) | modified | -| 2/21/2024 | [Deploying Microsoft Defender for Endpoint on macOS with Jamf Pro](/microsoft-365/security/defender-endpoint/mac-install-with-jamf?view=o365-worldwide) | modified | -| 2/21/2024 | [Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-install-with-other-mdm?view=o365-worldwide) | modified | -| 2/21/2024 | [Set up device groups in Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-device-groups?view=o365-worldwide) | modified | -| 2/21/2024 | [Enroll Microsoft Defender for Endpoint on macOS devices into Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-enroll-devices?view=o365-worldwide) | modified | -| 2/21/2024 | [Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-policies?view=o365-worldwide) | modified | -| 2/21/2024 | [Privacy for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-privacy?view=o365-worldwide) | modified | -| 2/21/2024 | [Detect and block potentially unwanted applications with Microsoft Defender for Endpoint on 
Mac](/microsoft-365/security/defender-endpoint/mac-pua?view=o365-worldwide) | modified | -| 2/21/2024 | [How to schedule scans with Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-schedule-scan?view=o365-worldwide) | modified | -| 2/21/2024 | [Troubleshoot installation issues for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-support-install?view=o365-worldwide) | modified | -| 2/21/2024 | [Troubleshoot license issues for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-support-license?view=o365-worldwide) | modified | -| 2/21/2024 | [Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-support-perf?view=o365-worldwide) | modified | -| 2/21/2024 | [Troubleshoot system extension issues for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-support-sys-ext?view=o365-worldwide) | modified | -| 2/21/2024 | [New configuration profiles for macOS Big Sur and newer versions of macOS](/microsoft-365/security/defender-endpoint/mac-sysext-policies?view=o365-worldwide) | modified | -| 2/21/2024 | [Troubleshooting mode in Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-troubleshoot-mode?view=o365-worldwide) | modified | -| 2/21/2024 | [Deploy updates for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-updates?view=o365-worldwide) | modified | -| 2/21/2024 | [Device inventory](/microsoft-365/security/defender-endpoint/machines-view-overview?view=o365-worldwide) | modified | -| 2/21/2024 | [Manage Microsoft Defender for Endpoint alerts](/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-worldwide) | modified | -| 2/21/2024 | [Manage automation folder exclusions](/microsoft-365/security/defender-endpoint/manage-automation-folder-exclusions?view=o365-worldwide) | 
modified | -| 2/21/2024 | [Apply Microsoft Defender Antivirus updates after certain events](/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/21/2024 | [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout?view=o365-worldwide) | modified | -| 2/21/2024 | [Manage Microsoft Defender for Endpoint incidents](/microsoft-365/security/defender-endpoint/manage-incidents?view=o365-worldwide) | modified | -| 2/21/2024 | Manage Microsoft Defender for Endpoint using Configuration Manager | removed | -| 2/21/2024 | Manage Microsoft Defender for Endpoint using Group Policy Objects | removed | -| 2/21/2024 | Manage Microsoft Defender for Endpoint using Intune | removed | -| 2/21/2024 | Manage Microsoft Defender for Endpoint using PowerShell, WMI, and MPCmdRun.exe | removed | -| 2/21/2024 | Manage Microsoft Defender for Endpoint after initial setup or migration | removed | -| 2/21/2024 | [Apply Microsoft Defender Antivirus protection updates to out of date endpoints](/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/21/2024 | [Deployment guidance for Microsoft Defender for Endpoint on Linux for SAP](/microsoft-365/security/defender-endpoint/mde-linux-deployment-on-sap?view=o365-worldwide) | modified | -| 2/21/2024 | [Manage contracts using a Microsoft 365 solution](/microsoft-365/syntex/solution-manage-contracts-in-microsoft-365) | modified | -| 2/22/2024 | [Set up multifactor authentication for users](/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide) | modified | -| 2/22/2024 | [Understand your invoice for your Microsoft MCA billing account](/microsoft-365/commerce/billing-and-payments/understand-your-invoice?view=o365-worldwide) | modified | -| 2/22/2024 | [Buy or remove licenses 
for a Microsoft business subscription](/microsoft-365/commerce/licenses/buy-licenses?view=o365-worldwide) | modified | -| 2/22/2024 | [Manage self-service purchases and trials (for admins)](/microsoft-365/commerce/subscriptions/manage-self-service-purchases-admins?view=o365-worldwide) | modified | -| 2/22/2024 | [Manage system extensions using JamF](/microsoft-365/security/defender-endpoint/manage-sys-extensions-using-jamf?view=o365-worldwide) | modified | -| 2/22/2024 | [Get started with your Microsoft Defender for Endpoint deployment](/microsoft-365/security/defender-endpoint/mde-planning-guide?view=o365-worldwide) | modified | -| 2/22/2024 | [Microsoft Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL)](/microsoft-365/security/defender-endpoint/mde-plugin-wsl?view=o365-worldwide) | modified | -| 2/22/2024 | [Configure Microsoft Defender for Cloud Apps integration](/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-config?view=o365-worldwide) | modified | -| 2/22/2024 | [Microsoft Defender for Cloud Apps integration overview](/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-integration?view=o365-worldwide) | modified | -| 2/22/2024 | [Pilot ring deployment using Group Policy and Windows Server Update Services](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-pilot-ring-deployment-group-policy-wsus?view=o365-worldwide) | modified | -| 2/22/2024 | [Production ring deployment using Group Policy and Windows Server Update Services](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-production-ring-deployment-group-policy-wsus?view=o365-worldwide) | modified | -| 2/22/2024 | [Production ring deployment using Group Policy and Microsoft Update (MU)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-microsoft-update?view=o365-worldwide) | modified | -| 2/22/2024 | [Production ring deployment using Group Policy and network 
share](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-network-share?view=o365-worldwide) | modified | -| 2/22/2024 | [Appendices for ring deployment using Group Policy and Windows Server Update Services (WSUS)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-wsus-appendices?view=o365-worldwide) | modified | -| 2/22/2024 | [Ring deployment using Intune and Microsoft Update (MU)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-intune-microsoft-update?view=o365-worldwide) | modified | -| 2/22/2024 | [Ring deployment using System Center Configuration Manager and Windows Server Update Services](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-sscm-wsus?view=o365-worldwide) | modified | -| 2/22/2024 | [Microsoft Defender Antivirus ring deployment guide overview](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment?view=o365-worldwide) | modified | -| 2/22/2024 | [Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide) | modified | -| 2/22/2024 | [Schedule antivirus scans using Windows Management Instrumentation](/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-wmi?view=o365-worldwide) | modified | -| 2/22/2024 | [Changes coming to Topics](/microsoft-365/topics/changes-coming-to-topics?view=o365-worldwide) | added | -| 2/22/2024 | [Frequently asked questions about changes coming to Topics](/microsoft-365/topics/topics-changes-faq?view=o365-worldwide) | added | -| 2/22/2024 | [How to schedule an antivirus scan using Anacron in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/schedule-antivirus-scan-in-mde?view=o365-worldwide) | modified | -| 2/22/2024 | [Schedule antivirus scans using Group 
Policy](/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-group-policy?view=o365-worldwide) | modified | -| 2/22/2024 | [Schedule antivirus scans using PowerShell](/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-powershell?view=o365-worldwide) | modified | -| 2/22/2024 | [Server migration scenarios for the new version of Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/server-migration?view=o365-worldwide) | modified | -| 2/22/2024 | [Supported Microsoft Defender for Endpoint capabilities by platform](/microsoft-365/security/defender-endpoint/supported-capabilities-by-platform?view=o365-worldwide) | modified | -| 2/22/2024 | [Migrate to Microsoft Defender for Endpoint from non-Microsoft endpoint protection](/microsoft-365/security/defender-endpoint/switch-to-mde-overview?view=o365-worldwide) | modified | -| 2/22/2024 | [Technological partners of Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/technological-partners?view=o365-worldwide) | modified | -| 2/22/2024 | [Understand threat intelligence concepts in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/threat-indicator-concepts?view=o365-worldwide) | modified | -| 2/22/2024 | [Integrate Microsoft Defender for Endpoint with other Microsoft solutions](/microsoft-365/security/defender-endpoint/threat-protection-integration?view=o365-worldwide) | modified | -| 2/22/2024 | [Data privacy and compliance in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-data-privacy-and-compliance?view=o365-worldwide) | added | -| 2/22/2024 | [Assign roles to Microsoft 365 user accounts with PowerShell](/microsoft-365/enterprise/assign-roles-to-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified | -| 2/22/2024 | [Get scan history by session](/microsoft-365/security/defender-endpoint/api/get-scan-history-by-session?view=o365-worldwide) | modified | -| 2/22/2024 | [Add, update, or delete a 
scan definition](/microsoft-365/security/defender-endpoint/api/add-a-new-scan-definition?view=o365-worldwide) | modified | -| 2/22/2024 | [Add or remove a tag for a machine](/microsoft-365/security/defender-endpoint/api/add-or-remove-machine-tags?view=o365-worldwide) | modified | -| 2/22/2024 | [Add or remove a tag for multiple machines](/microsoft-365/security/defender-endpoint/api/add-or-remove-multiple-machine-tags?view=o365-worldwide) | modified | -| 2/22/2024 | [Get alerts API](/microsoft-365/security/defender-endpoint/api/alerts?view=o365-worldwide) | modified | -| 2/22/2024 | [API Explorer in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/api/api-explorer?view=o365-worldwide) | modified | -| 2/22/2024 | [Hello World for Microsoft Defender for Endpoint API](/microsoft-365/security/defender-endpoint/api/api-hello-world?view=o365-worldwide) | modified | -| 2/22/2024 | [Microsoft Defender for Endpoint APIs connection to Power BI](/microsoft-365/security/defender-endpoint/api/api-power-bi?view=o365-worldwide) | modified | -| 2/22/2024 | [Microsoft Defender for Endpoint API release notes](/microsoft-365/security/defender-endpoint/api/api-release-notes?view=o365-worldwide) | modified | -| 2/22/2024 | [Access the Microsoft Defender for Endpoint APIs](/microsoft-365/security/defender-endpoint/api/apis-intro?view=o365-worldwide) | modified | -| 2/22/2024 | [Batch Delete Indicators API](/microsoft-365/security/defender-endpoint/api/batch-delete-ti-indicators?view=o365-worldwide) | modified | -| 2/22/2024 | [Batch Update alert entities API](/microsoft-365/security/defender-endpoint/api/batch-update-alerts?view=o365-worldwide) | modified | -| 2/22/2024 | [Cancel machine action API](/microsoft-365/security/defender-endpoint/api/cancel-machine-action?view=o365-worldwide) | modified | -| 2/22/2024 | [Collect investigation package API](/microsoft-365/security/defender-endpoint/api/collect-investigation-package?view=o365-worldwide) | modified | -| 
2/22/2024 | [Common Microsoft Defender for Endpoint API errors](/microsoft-365/security/defender-endpoint/api/common-errors?view=o365-worldwide) | modified | -| 2/22/2024 | [Create alert from event API](/microsoft-365/security/defender-endpoint/api/create-alert-by-reference?view=o365-worldwide) | modified | -| 2/22/2024 | [Delete a file from the live response library](/microsoft-365/security/defender-endpoint/api/delete-library?view=o365-worldwide) | modified | -| 2/22/2024 | [Delete Indicator API.](/microsoft-365/security/defender-endpoint/api/delete-ti-indicator-by-id?view=o365-worldwide) | modified | -| 2/22/2024 | [Get alert information by ID API](/microsoft-365/security/defender-endpoint/api/get-alert-info-by-id?view=o365-worldwide) | modified | -| 2/22/2024 | [Get alert related domains information](/microsoft-365/security/defender-endpoint/api/get-alert-related-domain-info?view=o365-worldwide) | modified | -| 2/22/2024 | [Get alert related files information](/microsoft-365/security/defender-endpoint/api/get-alert-related-files-info?view=o365-worldwide) | modified | -| 2/22/2024 | [Get alert-related IPs' information](/microsoft-365/security/defender-endpoint/api/get-alert-related-ip-info?view=o365-worldwide) | modified | -| 2/22/2024 | [Get alert related machine information](/microsoft-365/security/defender-endpoint/api/get-alert-related-machine-info?view=o365-worldwide) | modified | -| 2/22/2024 | [Get alert related user information](/microsoft-365/security/defender-endpoint/api/get-alert-related-user-info?view=o365-worldwide) | modified | -| 2/22/2024 | [List alerts API](/microsoft-365/security/defender-endpoint/api/get-alerts?view=o365-worldwide) | modified | -| 2/22/2024 | [List all recommendations](/microsoft-365/security/defender-endpoint/api/get-all-recommendations?view=o365-worldwide) | modified | -| 2/22/2024 | [Get all vulnerabilities by machine and 
software](/microsoft-365/security/defender-endpoint/api/get-all-vulnerabilities-by-machines?view=o365-worldwide) | modified | -| 2/22/2024 | [Get all vulnerabilities](/microsoft-365/security/defender-endpoint/api/get-all-vulnerabilities?view=o365-worldwide) | modified | -| 2/22/2024 | [Export assessment methods and properties per device](/microsoft-365/security/defender-endpoint/api/get-assessment-methods-properties?view=o365-worldwide) | modified | -| 2/22/2024 | [Export secure configuration assessment per device](/microsoft-365/security/defender-endpoint/api/get-assessment-secure-config?view=o365-worldwide) | modified | -| 2/22/2024 | [Export software inventory assessment per device](/microsoft-365/security/defender-endpoint/api/get-assessment-software-inventory?view=o365-worldwide) | modified | -| 2/22/2024 | [Export software vulnerabilities assessment per device](/microsoft-365/security/defender-endpoint/api/get-assessment-software-vulnerabilities?view=o365-worldwide) | modified | -| 2/22/2024 | [Authenticated scan methods and properties](/microsoft-365/security/defender-endpoint/api/get-authenticated-scan-properties?view=o365-worldwide) | modified | -| 2/22/2024 | [Get the device secure score](/microsoft-365/security/defender-endpoint/api/get-device-secure-score?view=o365-worldwide) | modified | -| 2/22/2024 | [Get discovered vulnerabilities](/microsoft-365/security/defender-endpoint/api/get-discovered-vulnerabilities?view=o365-worldwide) | modified | -| 2/22/2024 | [Get domain-related alerts API](/microsoft-365/security/defender-endpoint/api/get-domain-related-alerts?view=o365-worldwide) | modified | -| 2/22/2024 | [Get domain-related machines API](/microsoft-365/security/defender-endpoint/api/get-domain-related-machines?view=o365-worldwide) | modified | -| 2/22/2024 | [Get domain statistics API](/microsoft-365/security/defender-endpoint/api/get-domain-statistics?view=o365-worldwide) | modified | -| 2/22/2024 | [Get exposure 
score](/microsoft-365/security/defender-endpoint/api/get-exposure-score?view=o365-worldwide) | modified | -| 2/22/2024 | [Get file information API](/microsoft-365/security/defender-endpoint/api/get-file-information?view=o365-worldwide) | modified | -| 2/22/2024 | [Get file-related alerts API](/microsoft-365/security/defender-endpoint/api/get-file-related-alerts?view=o365-worldwide) | modified | -| 2/22/2024 | [Get file-related machines API](/microsoft-365/security/defender-endpoint/api/get-file-related-machines?view=o365-worldwide) | modified | -| 2/22/2024 | [Get file statistics API](/microsoft-365/security/defender-endpoint/api/get-file-statistics?view=o365-worldwide) | modified | -| 2/22/2024 | [Get installed software](/microsoft-365/security/defender-endpoint/api/get-installed-software?view=o365-worldwide) | modified | -| 2/22/2024 | [List Investigations API](/microsoft-365/security/defender-endpoint/api/get-investigation-collection?view=o365-worldwide) | modified | -| 2/22/2024 | [Get Investigation object API](/microsoft-365/security/defender-endpoint/api/get-investigation-object?view=o365-worldwide) | modified | -| 2/22/2024 | [Get IP related alerts API](/microsoft-365/security/defender-endpoint/api/get-ip-related-alerts?view=o365-worldwide) | modified | -| 2/22/2024 | [Get IP statistics API](/microsoft-365/security/defender-endpoint/api/get-ip-statistics?view=o365-worldwide) | modified | -| 2/22/2024 | [Get live response results](/microsoft-365/security/defender-endpoint/api/get-live-response-result?view=o365-worldwide) | modified | -| 2/22/2024 | [Get machine by ID API](/microsoft-365/security/defender-endpoint/api/get-machine-by-id?view=o365-worldwide) | modified | -| 2/22/2024 | [List exposure score by device group](/microsoft-365/security/defender-endpoint/api/get-machine-group-exposure-score?view=o365-worldwide) | modified | -| 2/22/2024 | [Get machine logon users 
API](/microsoft-365/security/defender-endpoint/api/get-machine-log-on-users?view=o365-worldwide) | modified | -| 2/22/2024 | [Get machine related alerts API](/microsoft-365/security/defender-endpoint/api/get-machine-related-alerts?view=o365-worldwide) | modified | -| 2/22/2024 | [Get MachineAction object API](/microsoft-365/security/defender-endpoint/api/get-machineaction-object?view=o365-worldwide) | modified | -| 2/22/2024 | [List machineActions API](/microsoft-365/security/defender-endpoint/api/get-machineactions-collection?view=o365-worldwide) | modified | -| 2/22/2024 | [List devices by software](/microsoft-365/security/defender-endpoint/api/get-machines-by-software?view=o365-worldwide) | modified | -| 2/22/2024 | [List devices by vulnerability](/microsoft-365/security/defender-endpoint/api/get-machines-by-vulnerability?view=o365-worldwide) | modified | -| 2/22/2024 | [Get missing KBs by device ID](/microsoft-365/security/defender-endpoint/api/get-missing-kbs-machine?view=o365-worldwide) | modified | -| 2/22/2024 | [Get missing KBs by software ID](/microsoft-365/security/defender-endpoint/api/get-missing-kbs-software?view=o365-worldwide) | modified | -| 2/22/2024 | [Get package SAS URI API](/microsoft-365/security/defender-endpoint/api/get-package-sas-uri?view=o365-worldwide) | modified | -| 2/22/2024 | [Get recommendation by Id](/microsoft-365/security/defender-endpoint/api/get-recommendation-by-id?view=o365-worldwide) | modified | -| 2/22/2024 | [List devices by recommendation](/microsoft-365/security/defender-endpoint/api/get-recommendation-machines?view=o365-worldwide) | modified | -| 2/22/2024 | [List vulnerabilities by recommendation](/microsoft-365/security/defender-endpoint/api/get-recommendation-vulnerabilities?view=o365-worldwide) | modified | -| 2/22/2024 | [List all remediation activities](/microsoft-365/security/defender-endpoint/api/get-remediation-all-activities?view=o365-worldwide) | modified | -| 2/22/2024 | [List exposed devices of one 
remediation activity](/microsoft-365/security/defender-endpoint/api/get-remediation-exposed-devices-activities?view=o365-worldwide) | modified | -| 2/22/2024 | [Remediation activity methods and properties](/microsoft-365/security/defender-endpoint/api/get-remediation-methods-properties?view=o365-worldwide) | modified | -| 2/22/2024 | [Get one remediation activity by ID](/microsoft-365/security/defender-endpoint/api/get-remediation-one-activity?view=o365-worldwide) | modified | -| 2/22/2024 | [Get security recommendations](/microsoft-365/security/defender-endpoint/api/get-security-recommendations?view=o365-worldwide) | modified | -| 2/22/2024 | [Get software by ID](/microsoft-365/security/defender-endpoint/api/get-software-by-id?view=o365-worldwide) | modified | -| 2/22/2024 | [List software version distribution](/microsoft-365/security/defender-endpoint/api/get-software-ver-distribution?view=o365-worldwide) | modified | -| 2/22/2024 | [List software](/microsoft-365/security/defender-endpoint/api/get-software?view=o365-worldwide) | modified | -| 2/22/2024 | [List Indicators API](/microsoft-365/security/defender-endpoint/api/get-ti-indicators-collection?view=o365-worldwide) | modified | -| 2/22/2024 | [Get user-related alerts API](/microsoft-365/security/defender-endpoint/api/get-user-related-alerts?view=o365-worldwide) | modified | -| 2/22/2024 | [Get user-related machines API](/microsoft-365/security/defender-endpoint/api/get-user-related-machines?view=o365-worldwide) | modified | -| 2/22/2024 | [List vulnerabilities by software](/microsoft-365/security/defender-endpoint/api/get-vuln-by-software?view=o365-worldwide) | modified | -| 2/22/2024 | [Get vulnerability by ID](/microsoft-365/security/defender-endpoint/api/get-vulnerability-by-id?view=o365-worldwide) | modified | -| 2/22/2024 | [Import Indicators API](/microsoft-365/security/defender-endpoint/api/import-ti-indicators?view=o365-worldwide) | modified | -| 2/22/2024 | [Start Investigation 
API](/microsoft-365/security/defender-endpoint/api/initiate-autoir-investigation?view=o365-worldwide) | modified | -| 2/22/2024 | [Stream Microsoft Defender for Endpoint event](/microsoft-365/security/defender-endpoint/api/raw-data-export?view=o365-worldwide) | modified | -| 2/22/2024 | [Recommendation methods and properties](/microsoft-365/security/defender-endpoint/api/recommendation?view=o365-worldwide) | modified | -| 2/22/2024 | [Restrict app execution API](/microsoft-365/security/defender-endpoint/api/restrict-code-execution?view=o365-worldwide) | modified | -| 2/22/2024 | [Advanced Hunting API](/microsoft-365/security/defender-endpoint/api/run-advanced-query-api?view=o365-worldwide) | modified | -| 2/22/2024 | [Advanced Hunting with PowerShell API Basics](/microsoft-365/security/defender-endpoint/api/run-advanced-query-sample-powershell?view=o365-worldwide) | modified | -| 2/22/2024 | [Advanced Hunting with Python API Guide](/microsoft-365/security/defender-endpoint/api/run-advanced-query-sample-python?view=o365-worldwide) | modified | -| 2/22/2024 | [Run antivirus scan API](/microsoft-365/security/defender-endpoint/api/run-av-scan?view=o365-worldwide) | modified | -| 2/22/2024 | [Set device value API](/microsoft-365/security/defender-endpoint/api/set-device-value?view=o365-worldwide) | modified | -| 2/22/2024 | [Software methods and properties](/microsoft-365/security/defender-endpoint/api/software?view=o365-worldwide) | modified | -| 2/22/2024 | [Stop and quarantine file API](/microsoft-365/security/defender-endpoint/api/stop-and-quarantine-file?view=o365-worldwide) | modified | -| 2/22/2024 | [Indicator resource type](/microsoft-365/security/defender-endpoint/api/ti-indicator?view=o365-worldwide) | modified | -| 2/22/2024 | [Release device from isolation API](/microsoft-365/security/defender-endpoint/api/unisolate-machine?view=o365-worldwide) | modified | -| 2/22/2024 | [Remove app restriction 
API](/microsoft-365/security/defender-endpoint/api/unrestrict-code-execution?view=o365-worldwide) | modified | -| 2/22/2024 | [Update alert entity API](/microsoft-365/security/defender-endpoint/api/update-alert?view=o365-worldwide) | modified | -| 2/22/2024 | [Update machine entity API](/microsoft-365/security/defender-endpoint/api/update-machine-method?view=o365-worldwide) | modified | -| 2/22/2024 | [Upload files to the live response library](/microsoft-365/security/defender-endpoint/api/upload-library?view=o365-worldwide) | modified | -| 2/22/2024 | [User resource type](/microsoft-365/security/defender-endpoint/api/user?view=o365-worldwide) | modified | -| 2/22/2024 | [Vulnerability methods and properties](/microsoft-365/security/defender-endpoint/api/vulnerability?view=o365-worldwide) | modified | -| 2/22/2024 | [Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios?view=o365-worldwide) | modified | -| 2/22/2024 | [Microsoft Defender Offline scan in Windows](/microsoft-365/security/defender-endpoint/microsoft-defender-offline?view=o365-worldwide) | modified | -| 2/22/2024 | [Migrating from non-Microsoft HIPS to attack surface reduction rules](/microsoft-365/security/defender-endpoint/migrating-asr-rules?view=o365-worldwide) | modified | -| 2/22/2024 | [Migrating servers from Microsoft Defender for Endpoint to Microsoft Defender for Cloud](/microsoft-365/security/defender-endpoint/migrating-mde-server-to-cloud?view=o365-worldwide) | modified | -| 2/22/2024 | [Resources for Microsoft Defender for Endpoint for mobile devices](/microsoft-365/security/defender-endpoint/mobile-resources-defender-endpoint?view=o365-worldwide) | modified | -| 2/22/2024 | [Monthly security summary reporting in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/monthly-security-summary-report?view=o365-worldwide) | modified | -| 2/22/2024 | [Managed security service provider (MSSP) partnership 
opportunities](/microsoft-365/security/defender-endpoint/mssp-support?view=o365-worldwide) | modified | -| 2/22/2024 | [Use network protection to help prevent Linux connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection-linux?view=o365-worldwide) | modified | -| 2/22/2024 | [Use network protection to help prevent macOS connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection-macos?view=o365-worldwide) | modified | -| 2/22/2024 | [Microsoft Defender for Endpoint on other platforms](/microsoft-365/security/defender-endpoint/non-windows?view=o365-worldwide) | modified | -| 2/22/2024 | [Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats](/microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/22/2024 | [Onboarding using Microsoft Intune](/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager?view=o365-worldwide) | modified | -| 2/22/2024 | [Create an onboarding or offboarding notification rule](/microsoft-365/security/defender-endpoint/onboarding-notification?view=o365-worldwide) | modified | -| 2/22/2024 | [Troubleshoot sensor health using Microsoft Defender for Endpoint Client Analyzer](/microsoft-365/security/defender-endpoint/overview-client-analyzer?view=o365-worldwide) | modified | -| 2/22/2024 | [Partner applications in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/partner-applications?view=o365-worldwide) | modified | -| 2/22/2024 | [Microsoft Defender for Endpoint partner opportunities and scenarios](/microsoft-365/security/defender-endpoint/partner-integration?view=o365-worldwide) | modified | -| 2/22/2024 | [Hide the Microsoft Defender Antivirus interface](/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/22/2024 | 
[Turn on the preview experience in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/preview-settings?view=o365-worldwide) | modified | -| 2/22/2024 | [Microsoft Defender for Endpoint preview features](/microsoft-365/security/defender-endpoint/preview?view=o365-worldwide) | modified | -| 2/22/2024 | [Professional services supported by Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/professional-services?view=o365-worldwide) | modified | -| 2/22/2024 | [Use role-based access control to grant fine-grained access to Microsoft Defender portal](/microsoft-365/security/defender-endpoint/rbac?view=o365-worldwide) | modified | -| 2/22/2024 | [Review detected threats using the Microsoft Defender for Endpoint Antivirus and Intune integration](/microsoft-365/security/defender-endpoint/review-detected-threats?view=o365-worldwide) | modified | -| 2/22/2024 | [Run a detection test on a device recently onboarded to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/run-detection-test?view=o365-worldwide) | modified | -| 2/22/2024 | [Use Microsoft Defender for Endpoint APIs](/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-nativeapp?view=o365-worldwide) | modified | -| 2/22/2024 | [Partner access through Microsoft Defender for Endpoint APIs](/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-partners?view=o365-worldwide) | modified | -| 2/22/2024 | [Create an app to access Microsoft Defender for Endpoint without a user](/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-webapp?view=o365-worldwide) | modified | -| 2/22/2024 | [Advanced Hunting with PowerShell API Guide](/microsoft-365/security/defender-endpoint/api/exposed-apis-full-sample-powershell?view=o365-worldwide) | modified | -| 2/22/2024 | [Supported Microsoft Defender for Endpoint APIs](/microsoft-365/security/defender-endpoint/api/exposed-apis-list?view=o365-worldwide) | modified | -| 2/22/2024 | 
[OData queries with Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/api/exposed-apis-odata-samples?view=o365-worldwide) | modified | -| 2/22/2024 | [Fetch alerts from MSSP customer tenant](/microsoft-365/security/defender-endpoint/api/fetch-alerts-mssp?view=o365-worldwide) | modified | -| 2/22/2024 | [File resource type](/microsoft-365/security/defender-endpoint/api/files?view=o365-worldwide) | modified | -| 2/22/2024 | [Find device information by internal IP API](/microsoft-365/security/defender-endpoint/api/find-machine-info-by-ip?view=o365-worldwide) | modified | -| 2/22/2024 | [Find devices by internal IP API](/microsoft-365/security/defender-endpoint/api/find-machines-by-ip?view=o365-worldwide) | modified | -| 2/22/2024 | [Find devices by tag API](/microsoft-365/security/defender-endpoint/api/find-machines-by-tag?view=o365-worldwide) | modified | -| 2/22/2024 | [Investigation resource type](/microsoft-365/security/defender-endpoint/api/investigation?view=o365-worldwide) | modified | -| 2/22/2024 | [Isolate machine API](/microsoft-365/security/defender-endpoint/api/isolate-machine?view=o365-worldwide) | modified | -| 2/22/2024 | [List library files](/microsoft-365/security/defender-endpoint/api/list-library-files?view=o365-worldwide) | modified | -| 2/22/2024 | [List software by recommendation](/microsoft-365/security/defender-endpoint/api/list-recommendation-software?view=o365-worldwide) | modified | -| 2/22/2024 | [Machine resource type](/microsoft-365/security/defender-endpoint/api/machine?view=o365-worldwide) | modified | -| 2/22/2024 | [machineAction resource type](/microsoft-365/security/defender-endpoint/api/machineaction?view=o365-worldwide) | modified | -| 2/22/2024 | [Overview of management and APIs](/microsoft-365/security/defender-endpoint/api/management-apis?view=o365-worldwide) | modified | -| 2/22/2024 | [Submit or Update Indicator API](/microsoft-365/security/defender-endpoint/api/post-ti-indicator?view=o365-worldwide) 
| modified | -| 2/22/2024 | [Stream Microsoft Defender for Endpoint events to your Storage account](/microsoft-365/security/defender-endpoint/api/raw-data-export-storage?view=o365-worldwide) | modified | -| 2/23/2024 | [Upgrade or change to a different Microsoft 365 for business plan](/microsoft-365/commerce/subscriptions/upgrade-to-different-plan?view=o365-worldwide) | modified | -| 2/23/2024 | [Deploy and manage device control in Microsoft Defender for Endpoint with Microsoft Intune](/microsoft-365/security/defender-endpoint/device-control-deploy-manage-intune?view=o365-worldwide) | modified | -| 2/23/2024 | [Use a promo code to reduce price of a new Microsoft 365 for business subscription](/microsoft-365/commerce/use-a-promo-code?view=o365-worldwide) | modified | -| 2/23/2024 | [Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure?view=o365-worldwide) | modified | ---## Week of February 12, 2024 ---| Published On |Topic title | Change | -|||--| -| 2/12/2024 | [Troubleshooting mode in Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-troubleshoot-mode?view=o365-worldwide) | added | -| 2/12/2024 | [Deploy Microsoft Defender for Endpoint on Linux manually](/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide) | modified | -| 2/12/2024 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified | -| 2/12/2024 | [How to schedule scans with Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-schedule-scan?view=o365-worldwide) | modified | -| 2/12/2024 | [Tenant roadmap for Microsoft 365](/microsoft-365/enterprise/tenant-roadmap-microsoft-365?view=o365-worldwide) | modified | -| 2/12/2024 | [Microsoft 365 admin center Microsoft 365 Copilot 
usage](/microsoft-365/admin/activity-reports/microsoft-365-copilot-usage?view=o365-worldwide) | modified | -| 2/12/2024 | [What's new in Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-whatsnew?view=o365-worldwide) | modified | -| 2/12/2024 | [Vulnerability support in Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/fixed-reported-inaccuracies?view=o365-worldwide) | modified | -| 2/12/2024 | [Run script and code analysis with Security Copilot in Microsoft Defender XDR](/microsoft-365/security/defender/security-copilot-m365d-script-analysis?view=o365-worldwide) | modified | -| 2/12/2024 | [Anti-phishing policies](/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide) | modified | -| 2/12/2024 | [Spoof intelligence insight](/microsoft-365/security/office-365-security/anti-spoofing-spoof-intelligence?view=o365-worldwide) | modified | -| 2/12/2024 | [Email authentication in Microsoft 365](/microsoft-365/security/office-365-security/email-authentication-about?view=o365-worldwide) | modified | -| 2/12/2024 | How Sender Policy Framework (SPF) prevents spoofing | removed | -| 2/12/2024 | [Configure trusted ARC sealers](/microsoft-365/security/office-365-security/email-authentication-arc-configure?view=o365-worldwide) | modified | -| 2/12/2024 | [How to use DKIM for email in your custom domain](/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide) | modified | -| 2/12/2024 | Support for validation of Domain Keys Identified Mail (DKIM) signed messages | removed | -| 2/12/2024 | [Use DMARC to validate email, setup steps](/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide) | modified | -| 2/12/2024 | Use DMARC Reports to protect against spoofing and phishing in Microsoft Office 365 | removed | -| 2/12/2024 | [Set up SPF identify valid email sources for 
your Microsoft 365 domain](/microsoft-365/security/office-365-security/email-authentication-spf-configure?view=o365-worldwide) | modified | -| 2/12/2024 | [Get started with Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/mdo-deployment-guide?view=o365-worldwide) | modified | -| 2/12/2024 | [How to enable DMARC Reporting for Microsoft Online Email Routing Address (MOERA) and parked Domains](/microsoft-365/security/office-365-security/step-by-step-guides/how-to-enable-dmarc-reporting-for-microsoft-online-email-routing-address-moera-and-parked-domains?view=o365-worldwide) | modified | -| 2/13/2024 | [Enable attack surface reduction rules](/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide) | modified | -| 2/13/2024 | [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-ebpf?view=o365-worldwide) | modified | -| 2/13/2024 | [Enable the limited periodic Microsoft Defender Antivirus scanning feature](/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/13/2024 | [IdentityLogonEvents table in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide) | modified | -| 2/13/2024 | [Set up pay-as-you-go billing for Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-billing) | added | -| 2/13/2024 | Help your clients and customers use virtual appointments scheduled with the Bookings app in Teams | removed | -| 2/13/2024 | [Run the client analyzer on macOS or Linux](/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux?view=o365-worldwide) | modified | -| 2/13/2024 | [Set up Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-setup) | modified | -| 2/14/2024 | [Set preferences for Microsoft Defender for Endpoint on 
Linux](/microsoft-365/security/defender-endpoint/linux-preferences?view=o365-worldwide) | modified | -| 2/14/2024 | [Set up pay-as-you-go billing for Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-billing) | modified | -| 2/14/2024 | [Deploy and manage device control in Microsoft Defender for Endpoint with Group Policy](/microsoft-365/security/defender-endpoint/device-control-deploy-manage-gpo?view=o365-worldwide) | modified | -| 2/14/2024 | [Deploy and manage device control in Microsoft Defender for Endpoint with Microsoft Intune](/microsoft-365/security/defender-endpoint/device-control-deploy-manage-intune?view=o365-worldwide) | modified | -| 2/14/2024 | [Device control in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/device-control-overview?view=o365-worldwide) | modified | -| 2/14/2024 | [Device control policies in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/device-control-policies?view=o365-worldwide) | modified | -| 2/14/2024 | [Device control walkthroughs](/microsoft-365/security/defender-endpoint/device-control-walkthroughs?view=o365-worldwide) | modified | -| 2/15/2024 | Managers - Get your team started with Microsoft 365 for frontline workers | removed | -| 2/15/2024 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified | -| 2/15/2024 | [Unified cloud.microsoft domain for Microsoft 365 apps](/microsoft-365/enterprise/cloud-microsoft-domain?view=o365-worldwide) | added | -| 2/15/2024 | [Engage your frontline employees and focus on wellbeing](/microsoft-365/frontline/flw-wellbeing-engagement?view=o365-worldwide) | modified | -| 2/15/2024 | [Overview of using Microsoft 365 Lighthouse baselines to deploy standard tenant configurations](/microsoft-365/lighthouse/m365-lighthouse-deploy-standard-tenant-configurations-overview?view=o365-worldwide) | modified | -| 2/16/2024 | [Change the 
billing addresses for your Microsoft business subscription](/microsoft-365/commerce/billing-and-payments/change-your-billing-addresses?view=o365-worldwide) | modified | -| 2/16/2024 | [Manage billing notifications and invoice attachment settings in the Microsoft 365 admin center](/microsoft-365/commerce/billing-and-payments/manage-billing-notifications?view=o365-worldwide) | modified | -| 2/16/2024 | [Manage your Microsoft business billing profiles](/microsoft-365/commerce/billing-and-payments/manage-billing-profiles?view=o365-worldwide) | modified | -| 2/16/2024 | [Manage payment methods for Microsoft business accounts](/microsoft-365/commerce/billing-and-payments/manage-payment-methods?view=o365-worldwide) | modified | -| 2/16/2024 | [What's new in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-whats-new?view=o365-worldwide) | modified | -| 2/16/2024 | [Access the Microsoft Defender XDR MSSP customer portal](/microsoft-365/security/defender-endpoint/access-mssp-portal?view=o365-worldwide) | modified | -| 2/16/2024 | [Submit files in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/admin-submissions-mde?view=o365-worldwide) | modified | -| 2/16/2024 | [Alerts queue in Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response?view=o365-worldwide) | modified | -| 2/16/2024 | [View and organize the Microsoft Defender for Endpoint Alerts queue](/microsoft-365/security/defender-endpoint/alerts-queue?view=o365-worldwide) | modified | -| 2/16/2024 | [Provide feedback on the Microsoft Defender for Endpoint Client Analyzer tool](/microsoft-365/security/defender-endpoint/analyzer-feedback?view=o365-worldwide) | modified | -| 2/16/2024 | [Understand the client analyzer HTML report](/microsoft-365/security/defender-endpoint/analyzer-report?view=o365-worldwide) | modified | -| 2/16/2024 | [Configure Microsoft Defender for Endpoint on Android risk signals using App Protection 
Policies (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam?view=o365-worldwide) | modified | -| 2/16/2024 | [Configure Microsoft Defender for Endpoint on Android features](/microsoft-365/security/defender-endpoint/android-configure?view=o365-worldwide) | modified | -| 2/16/2024 | [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](/microsoft-365/security/defender-endpoint/android-intune?view=o365-worldwide) | modified | -| 2/16/2024 | [Microsoft Defender for Endpoint on Android - Privacy information](/microsoft-365/security/defender-endpoint/android-privacy?view=o365-worldwide) | modified | -| 2/16/2024 | [Troubleshoot issues on Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-support-signin?view=o365-worldwide) | modified | -| 2/16/2024 | [What's new in Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-whatsnew?view=o365-worldwide) | modified | -| 2/16/2024 | [How to use Power Automate Connector to set up a Flow for events](/microsoft-365/security/defender-endpoint/api-microsoft-flow?view=o365-worldwide) | modified | -| 2/16/2024 | [Migrating servers from Microsoft Monitoring Agent to the unified solution](/microsoft-365/security/defender-endpoint/application-deployment-via-mecm?view=o365-worldwide) | modified | -| 2/16/2024 | [Assign user access](/microsoft-365/security/defender-endpoint/assign-portal-access?view=o365-worldwide) | modified | -| 2/16/2024 | [Attack surface reduction frequently asked questions (FAQ)](/microsoft-365/security/defender-endpoint/attack-surface-reduction-faq?view=o365-worldwide) | modified | -| 2/16/2024 | [Implement attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement?view=o365-worldwide) | modified | -| 2/16/2024 | [Plan attack surface reduction rules 
deployment](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-plan?view=o365-worldwide) | modified | -| 2/16/2024 | [Test attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-test?view=o365-worldwide) | modified | -| 2/16/2024 | [Microsoft Defender for Endpoint attack surface reduction rules deployment overview](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment?view=o365-worldwide) | modified | -| 2/16/2024 | [Attack surface reduction rules reporting](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-report?view=o365-worldwide) | modified | -| 2/16/2024 | [Use automated investigations to investigate and remediate threats](/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide) | modified | -| 2/16/2024 | [Integration with Microsoft Defender for Cloud](/microsoft-365/security/defender-endpoint/azure-server-integration?view=o365-worldwide) | modified | -| 2/16/2024 | [Check the device health at Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/check-sensor-status?view=o365-worldwide) | modified | -| 2/16/2024 | [Advanced deployment guidance for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/comprehensive-guidance-on-linux-deployment?view=o365-worldwide) | modified | -| 2/16/2024 | [Enable Conditional Access to better protect users, devices, and data](/microsoft-365/security/defender-endpoint/conditional-access?view=o365-worldwide) | modified | -| 2/16/2024 | [Manage Microsoft Defender Antivirus in your business](/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/16/2024 | [Understand and use attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide) | modified | -| 
2/16/2024 | [Enable block at first sight to detect malware in seconds](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/16/2024 | [Configure the Microsoft Defender Antivirus cloud block timeout period](/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/16/2024 | [Configure Conditional Access in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-conditional-access?view=o365-worldwide) | modified | -| 2/16/2024 | [Optimize ASR rule deployment and detections](/microsoft-365/security/defender-endpoint/configure-machines-asr?view=o365-worldwide) | modified | -| 2/16/2024 | [Increase compliance to the Microsoft Defender for Endpoint security baseline](/microsoft-365/security/defender-endpoint/configure-machines-security-baseline?view=o365-worldwide) | modified | -| 2/16/2024 | [Ensure your devices are configured properly](/microsoft-365/security/defender-endpoint/configure-machines?view=o365-worldwide) | modified | -| 2/16/2024 | [Configure alert notifications that are sent to MSSPs](/microsoft-365/security/defender-endpoint/configure-mssp-notifications?view=o365-worldwide) | modified | -| 2/16/2024 | [Configure managed security service provider support](/microsoft-365/security/defender-endpoint/configure-mssp-support?view=o365-worldwide) | modified | -| 2/16/2024 | [Configure Microsoft Defender Antivirus notifications](/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/16/2024 | [Enable and configure Microsoft Defender Antivirus protection features](/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/16/2024 | [Onboard Windows servers to the Microsoft Defender for Endpoint 
service](/microsoft-365/security/defender-endpoint/configure-server-endpoints?view=o365-worldwide) | modified | -| 2/16/2024 | [Migrate from the MDE SIEM API to the Microsoft Defender XDR alerts API](/microsoft-365/security/defender-endpoint/configure-siem?view=o365-worldwide) | modified | -| 2/16/2024 | [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates?view=o365-worldwide) | modified | -| 2/16/2024 | [Connected applications in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/connected-applications?view=o365-worldwide) | modified | -| 2/16/2024 | [Contact Microsoft Defender for Endpoint support](/microsoft-365/security/defender-endpoint/contact-support?view=o365-worldwide) | modified | -| 2/16/2024 | [Protect important folders from ransomware from encrypting your files with controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders?view=o365-worldwide) | modified | -| 2/16/2024 | [Run and customize scheduled and on-demand scans](/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/16/2024 | [Data collection for advanced troubleshooting on Windows](/microsoft-365/security/defender-endpoint/data-collection-analyzer?view=o365-worldwide) | modified | -| 2/16/2024 | [Antivirus solution compatibility with Defender for Endpoint](/microsoft-365/security/defender-endpoint/defender-compatibility?view=o365-worldwide) | modified | -| 2/16/2024 | [Microsoft Defender for Endpoint SmartScreen app reputation demonstration](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-app-reputation?view=o365-worldwide) | modified | -| 2/16/2024 | [Microsoft Defender for Endpoint attack surface reduction rules 
demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-attack-surface-reduction-rules?view=o365-worldwide) | modified | -| 2/16/2024 | [Microsoft Defender for Endpoint Cloud-delivered protection demonstration](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-cloud-delivered-protection?view=o365-worldwide) | modified | -| 2/16/2024 | [Microsoft Defender for Endpoint Controlled folder access (CFA) demonstration test tool](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-controlled-folder-access-test-tool?view=o365-worldwide) | modified | -| 2/16/2024 | [Microsoft Defender for Endpoint Controlled folder access (CFA) demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-controlled-folder-access?view=o365-worldwide) | modified | -| 2/16/2024 | [Microsoft Defender for Endpoint Exploit protection (EP) demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-exploit-protection?view=o365-worldwide) | modified | -| 2/16/2024 | [Microsoft Defender for Endpoint Network protection demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-network-protection?view=o365-worldwide) | modified | -| 2/16/2024 | [Microsoft Defender for Endpoint Potentially unwanted applications (PUA) demonstration](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-potentially-unwanted-applications?view=o365-worldwide) | modified | -| 2/16/2024 | [Microsoft Defender for Endpoint SmartScreen URL reputation demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-smartscreen-url-reputation?view=o365-worldwide) | modified | -| 2/16/2024 | [Microsoft Defender for Endpoint demonstration scenarios](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstrations?view=o365-worldwide) | modified | -| 2/16/2024 | [Threat protection report in Microsoft Defender for 
Endpoint](/microsoft-365/security/defender-endpoint/threat-protection-reports?view=o365-worldwide) | modified | -| 2/16/2024 | [Microsoft Defender XDR time zone settings](/microsoft-365/security/defender-endpoint/time-settings?view=o365-worldwide) | modified | -| 2/16/2024 | [Report and troubleshoot Microsoft Defender for Endpoint attack surface reduction rules](/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules?view=o365-worldwide) | modified | -| 2/16/2024 | [Troubleshoot problems with attack surface reduction rules](/microsoft-365/security/defender-endpoint/troubleshoot-asr?view=o365-worldwide) | modified | -| 2/16/2024 | [Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/troubleshoot-cloud-connect-mdemac?view=o365-worldwide) | modified | -| 2/16/2024 | [Collect support logs in Microsoft Defender for Endpoint using live response](/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log?view=o365-worldwide) | modified | -| 2/16/2024 | [Troubleshoot exploit protection mitigations](/microsoft-365/security/defender-endpoint/troubleshoot-exploit-protection-mitigations?view=o365-worldwide) | modified | -| 2/16/2024 | [Troubleshoot Microsoft Defender for Endpoint live response issues](/microsoft-365/security/defender-endpoint/troubleshoot-live-response?view=o365-worldwide) | modified | -| 2/16/2024 | [Troubleshoot Microsoft Defender for Endpoint service issues](/microsoft-365/security/defender-endpoint/troubleshoot-mdatp?view=o365-worldwide) | modified | -| 2/16/2024 | [Troubleshoot Microsoft Defender Antivirus while migrating from a non-Microsoft solution](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating?view=o365-worldwide) | modified | -| 2/16/2024 | [Microsoft Defender Antivirus event IDs and error codes](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide) 
| modified | -| 2/16/2024 | [Troubleshoot problems with Network protection](/microsoft-365/security/defender-endpoint/troubleshoot-np?view=o365-worldwide) | modified | -| 2/16/2024 | [Troubleshoot onboarding issues and error messages](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding-error-messages?view=o365-worldwide) | modified | -| 2/16/2024 | [Troubleshoot Microsoft Defender for Endpoint onboarding issues](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide) | modified | -| 2/16/2024 | [Troubleshoot problems with reporting tools for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/troubleshoot-reporting?view=o365-worldwide) | modified | -| 2/16/2024 | [Troubleshoot SIEM tool integration issues in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/troubleshoot-siem?view=o365-worldwide) | modified | -| 2/16/2024 | [Performance analyzer for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus?view=o365-worldwide) | modified | -| 2/16/2024 | [Configure Microsoft Defender Antivirus using Microsoft Intune](/microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/16/2024 | [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/16/2024 | [Configure Microsoft Defender Antivirus with WMI](/microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 2/16/2024 | [View and organize the Incidents queue](/microsoft-365/security/defender-endpoint/view-incidents-queue?view=o365-worldwide) | modified | -| 2/16/2024 | [Monitoring web browsing security in Microsoft Defender for 
Endpoint](/microsoft-365/security/defender-endpoint/web-protection-monitoring?view=o365-worldwide) | modified | -| 2/16/2024 | [Web protection](/microsoft-365/security/defender-endpoint/web-protection-overview?view=o365-worldwide) | modified | -| 2/16/2024 | [Respond to web threats in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/web-protection-response?view=o365-worldwide) | modified | -| 2/16/2024 | [Protect your organization against web threats](/microsoft-365/security/defender-endpoint/web-threat-protection?view=o365-worldwide) | modified | -| 2/16/2024 | [Zero Trust with Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/zero-trust-with-microsoft-defender-endpoint?view=o365-worldwide) | modified | ---## Week of February 05, 2024 ---| Published On |Topic title | Change | -|||--| -| 2/5/2024 | [Use network protection to help prevent connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide) | modified | -| 2/5/2024 | [Other endpoints not included in the Microsoft 365 IP Address and URL Web service](/microsoft-365/enterprise/additional-office365-ip-addresses-and-urls?view=o365-worldwide) | modified | -| 2/5/2024 | [Microsoft 365 IP Address and URL web service](/microsoft-365/enterprise/microsoft-365-ip-web-service?view=o365-worldwide) | modified | -| 2/5/2024 | [Microsoft 365 US Government DOD endpoints](/microsoft-365/enterprise/microsoft-365-u-s-government-dod-endpoints?view=o365-worldwide) | modified | -| 2/5/2024 | [Microsoft 365 U.S. 
Government GCC High endpoints](/microsoft-365/enterprise/microsoft-365-u-s-government-gcc-high-endpoints?view=o365-worldwide) | modified | -| 2/5/2024 | [URLs and IP address ranges for Microsoft 365 operated by 21Vianet](/microsoft-365/enterprise/urls-and-ip-address-ranges-21vianet?view=o365-worldwide) | modified | -| 2/5/2024 | [Microsoft 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide) | modified | -| 2/6/2024 | [Manage the join experience for Teams Virtual Appointments on browsers](/microsoft-365/frontline/browser-join?view=o365-worldwide) | modified | -| 2/6/2024 | [Allow cookies for LMS URLs in your browser](/microsoft-365/lti/browser-cookies?view=o365-worldwide) | modified | -| 2/6/2024 | Microsoft Defender for Endpoint Block at First Sight (BAFS) demonstration | removed | -| 2/6/2024 | [What's new in Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-whatsnew?view=o365-worldwide) | modified | -| 2/6/2024 | [Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure?view=o365-worldwide) | modified | -| 2/6/2024 | [Configure anti-malware policies](/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide) | modified | -| 2/6/2024 | [Configure anti-phishing policies in EOP](/microsoft-365/security/office-365-security/anti-phishing-policies-eop-configure?view=o365-worldwide) | modified | -| 2/6/2024 | [Configure anti-phishing policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure?view=o365-worldwide) | modified | -| 2/6/2024 | [Configure spam filter policies](/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide) | modified | -| 2/6/2024 | [Microsoft Defender for Office 365 permissions in 
the Microsoft Defender portal](/microsoft-365/security/office-365-security/mdo-portal-permissions?view=o365-worldwide) | modified | -| 2/6/2024 | [Configure outbound spam policies](/microsoft-365/security/office-365-security/outbound-spam-policies-configure?view=o365-worldwide) | modified | -| 2/6/2024 | [Preset security policies](/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide) | modified | -| 2/6/2024 | [Quarantine policies](/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide) | modified | -| 2/6/2024 | [Set up Safe Attachments policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-attachments-policies-configure?view=o365-worldwide) | modified | -| 2/6/2024 | [Set up Safe Links policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide) | modified | -| 2/6/2024 | [Use Microsoft Defender for Office 365 in SharePoint Online](/microsoft-365/security/office-365-security/step-by-step-guides/utilize-microsoft-defender-for-office-365-in-sharepoint-online?view=o365-worldwide) | modified | -| 2/6/2024 | [Allow or block email using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure?view=o365-worldwide) | modified | -| 2/6/2024 | [Allow or block files using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-files-configure?view=o365-worldwide) | modified | -| 2/6/2024 | [User tags in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/user-tags-about?view=o365-worldwide) | modified | -| 2/6/2024 | [Pricing model for Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-pricing) | modified | -| 2/6/2024 | [Set up Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-setup) | modified | -| 2/7/2024 | [Detect and 
Remediate Illicit Consent Grants](/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide) | modified | -| 2/7/2024 | [Get started with Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/mdo-deployment-guide?view=o365-worldwide) | modified | -| 2/7/2024 | [Microsoft Defender for Office 365 permissions in the Microsoft Defender portal](/microsoft-365/security/office-365-security/mdo-portal-permissions?view=o365-worldwide) | modified | -| 2/7/2024 | [Continuous access evaluation for Microsoft 365 - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide) | modified | -| 2/7/2024 | [Common Zero Trust identity and device access policies - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-common?view=o365-worldwide) | modified | -| 2/7/2024 | [Zero Trust identity and device access configurations - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-overview?view=o365-worldwide) | modified | -| 2/7/2024 | [Prerequisite work for implementing Zero Trust identity and device access policies](/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-prereq?view=o365-worldwide) | modified | -| 2/7/2024 | [How to configure Exchange Server on-premises to use Hybrid Modern Authentication](/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide) | modified | -| 2/7/2024 | [Data Residency for Exchange Online](/microsoft-365/enterprise/m365-dr-workload-exo?view=o365-worldwide) | modified | -| 2/7/2024 | [View Microsoft 365 user accounts with PowerShell](/microsoft-365/enterprise/view-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified | -| 2/7/2024 | [Frontline team 
collaboration](/microsoft-365/frontline/flw-team-collaboration?view=o365-worldwide) | modified | -| 2/7/2024 | [Microsoft 365 for Financial Services](/microsoft-365/frontline/teams-for-financial-services?view=o365-worldwide) | modified | -| 2/7/2024 | [Microsoft 365 for Manufacturing](/microsoft-365/frontline/teams-for-manufacturing?view=o365-worldwide) | modified | -| 2/7/2024 | [Microsoft 365 for retail organizations](/microsoft-365/frontline/teams-for-retail-landing-page?view=o365-worldwide) | modified | -| 2/7/2024 | [Microsoft Defender for Endpoint demonstration scenarios](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstrations?view=o365-worldwide) | modified | -| 2/7/2024 | [Configure apps using Microsoft Intune](/microsoft-365/solutions/apps-config-overview?view=o365-worldwide) | modified | -| 2/7/2024 | [Step 1. Configure the Company Portal](/microsoft-365/solutions/apps-config-step-1?view=o365-worldwide) | modified | -| 2/7/2024 | [Step 3. Configure Microsoft 365](/microsoft-365/solutions/apps-config-step-3?view=o365-worldwide) | modified | -| 2/7/2024 | [Step 4. Configure Microsoft Edge](/microsoft-365/solutions/apps-config-step-4?view=o365-worldwide) | modified | -| 2/7/2024 | [Step 5. Configure Microsoft Teams](/microsoft-365/solutions/apps-config-step-5?view=o365-worldwide) | modified | -| 2/7/2024 | [Step 6. 
Configure other apps](/microsoft-365/solutions/apps-config-step-6?view=o365-worldwide) | modified | -| 2/7/2024 | [Feature update validation](/microsoft-365/test-base/feature?view=o365-worldwide) | modified | -| 2/8/2024 | Industry collaboration programs | removed | -| 2/8/2024 | [Manage submissions](/microsoft-365/security/office-365-security/submissions-admin?view=o365-worldwide) | modified | -| 2/8/2024 | [Troubleshoot a signature request for SharePoint eSignature](/microsoft-365/syntex/esignature-troubleshoot) | modified | -| 2/8/2024 | [Remove Microsoft 365 licenses from user accounts with PowerShell](/microsoft-365/enterprise/remove-licenses-from-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified | -| 2/9/2024 | [Manage Office Scripts settings](/microsoft-365/admin/manage/manage-office-scripts-settings?view=o365-worldwide) | modified | -| 2/9/2024 | [Review detected threats using the Microsoft Defender for Endpoint Antivirus and Intune integration](/microsoft-365/security/defender-endpoint/review-detected-threats?view=o365-worldwide) | added | -| 2/9/2024 | Manage self-service purchases and organizational trials for Microsoft Project | removed | -| 2/9/2024 | [Resources for Microsoft Defender for Endpoint for mobile devices](/microsoft-365/security/defender-endpoint/mobile-resources-defender-endpoint?view=o365-worldwide) | modified | -| 2/9/2024 | [Run the client analyzer on macOS or Linux](/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux?view=o365-worldwide) | modified | ---## Week of January 29, 2024 ---| Published On |Topic title | Change | -|||--| -| 1/29/2024 | [GDPR simplified: A guide for your small business](/microsoft-365/admin/security-and-compliance/gdpr-compliance?view=o365-worldwide) | modified | -| 1/29/2024 | [Accept an email invitation to a Microsoft 365 for business subscription organization using an Outlook, Yahoo, Gmail or other account 
(User)](/microsoft-365/admin/simplified-signup/user-invite-msa-nodomain-join?view=o365-worldwide) | modified | -| 1/29/2024 | [SharePoint Cross-tenant SharePoint migration Step 5 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step5?view=o365-worldwide) | modified | -| 1/29/2024 | [SharePoint site Cross-tenant SharePoint migration Step 6 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step6?view=o365-worldwide) | modified | -| 1/29/2024 | [Mailbox utilization service alerts](/microsoft-365/enterprise/microsoft-365-mailbox-utilization-service-alerts?view=o365-worldwide) | modified | -| 1/29/2024 | [Microsoft Azure Architectures for SharePoint 2013](/microsoft-365/enterprise/microsoft-azure-architectures-for-sharepoint-2013?view=o365-worldwide) | modified | -| 1/29/2024 | [Deploy Microsoft Defender for Endpoint on Linux with SaltStack](/microsoft-365/security/defender-endpoint/linux-install-with-saltack?view=o365-worldwide) | modified | -| 1/29/2024 | [Collect support logs in Microsoft Defender for Endpoint using live response](/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log?view=o365-worldwide) | modified | -| 1/29/2024 | [Microsoft Defender Antivirus event IDs and error codes](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide) | modified | -| 1/29/2024 | [Step 2. 
Configure Microsoft Outlook](/microsoft-365/solutions/apps-config-step-2?view=o365-worldwide) | modified | -| 1/29/2024 | [Key Compliance and Security Considerations for the Energy Industry](/microsoft-365/solutions/energy-secure-collaboration?view=o365-worldwide) | modified | -| 1/29/2024 | [To identity and beyondΓÇöOne architect's viewpoint](/microsoft-365/solutions/identity-design-principles?view=o365-worldwide) | modified | -| 1/29/2024 | [Communicating with Microsoft Defender Experts](/microsoft-365/security/defender/communicate-defender-experts-xdr?view=o365-worldwide) | added | -| 1/29/2024 | [How to use the Microsoft Defender Experts for XDR service](/microsoft-365/security/defender/start-using-mdex-xdr?view=o365-worldwide) | modified | -| 1/29/2024 | [How to schedule an update of the Microsoft Defender for Endpoint (Linux)](/microsoft-365/security/defender-endpoint/linux-update-mde-linux?view=o365-worldwide) | modified | -| 1/29/2024 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified | -| 1/30/2024 | [Protect macOS security settings with tamper protection](/microsoft-365/security/defender-endpoint/tamperprotection-macos?view=o365-worldwide) | modified | -| 1/30/2024 | [Get started with Microsoft Defender Experts for XDR](/microsoft-365/security/defender/get-started-xdr?view=o365-worldwide) | modified | -| 1/30/2024 | [View Microsoft 365 account license and service details with PowerShell](/microsoft-365/enterprise/view-account-license-and-service-details-with-microsoft-365-powershell?view=o365-worldwide) | modified | -| 1/30/2024 | [Microsoft 365 OneDrive usage reports](/microsoft-365/admin/activity-reports/onedrive-for-business-usage-ww?view=o365-worldwide) | modified | -| 1/30/2024 | [Microsoft 365 network provider assessments.](/microsoft-365/enterprise/office-365-network-mac-perf-nppdata?view=o365-worldwide) | modified | -| 1/30/2024 | [Network provider 
connectivity attribution in the Microsoft 365 Admin Center](/microsoft-365/enterprise/office-365-network-mac-perf-nppux?view=o365-worldwide) | modified | -| 1/30/2024 | [Network connectivity in the Microsoft 365 Admin Center](/microsoft-365/enterprise/office-365-network-mac-perf-overview?view=o365-worldwide) | modified | -| 1/30/2024 | [Configuration analyzer for security policies](/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies?view=o365-worldwide) | modified | -| 1/31/2024 | [Network provider details in the Microsoft 365 Admin Center (PREVIEW)](/microsoft-365/enterprise/office-365-network-mac-perf-nppdetails?view=o365-worldwide) | added | -| 1/31/2024 | [Security advisories](/microsoft-365/security/defender-vulnerability-management/tvm-weaknesses-security-advisories?view=o365-worldwide) | added | -| 1/31/2024 | [Vulnerability methods and properties](/microsoft-365/security/defender-endpoint/api/vulnerability?view=o365-worldwide) | modified | -| 1/31/2024 | [Use basic permissions to access the portal](/microsoft-365/security/defender-endpoint/basic-permissions?view=o365-worldwide) | modified | -| 1/31/2024 | [Vulnerabilities in my organization](/microsoft-365/security/defender-vulnerability-management/tvm-weaknesses?view=o365-worldwide) | modified | -| 1/31/2024 | [Automatic attack disruption in Microsoft Defender XDR](/microsoft-365/security/defender/automatic-attack-disruption?view=o365-worldwide) | modified | -| 1/31/2024 | [Microsoft 365 for frontline workers - scenario posters](/microsoft-365/frontline/flw-scenario-posters?view=o365-worldwide) | modified | -| 1/31/2024 | [Threat protection report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/threat-protection-reports?view=o365-worldwide) | modified | -| 2/1/2024 | [Deploy and manage device control in Microsoft Defender for Endpoint with Group 
Policy](/microsoft-365/security/defender-endpoint/device-control-deploy-manage-gpo?view=o365-worldwide) | added | -| 2/1/2024 | [Deploy and manage device control in Microsoft Defender for Endpoint with Microsoft Intune](/microsoft-365/security/defender-endpoint/device-control-deploy-manage-intune?view=o365-worldwide) | added | -| 2/1/2024 | [Microsoft Defender for Endpoint Device Control frequently asked questions](/microsoft-365/security/defender-endpoint/device-control-faq?view=o365-worldwide) | renamed | -| 2/1/2024 | [Device control in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/device-control-overview?view=o365-worldwide) | added | -| 2/1/2024 | [Device control policies in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/device-control-policies?view=o365-worldwide) | added | -| 2/1/2024 | [Device control walkthroughs](/microsoft-365/security/defender-endpoint/device-control-walkthroughs?view=o365-worldwide) | added | -| 2/1/2024 | Deploy and manage using group policy | removed | -| 2/1/2024 | Deploy and manage printer protection using Intune | removed | -| 2/1/2024 | Deploy and manage Removable Storage Access Control using group policy | removed | -| 2/1/2024 | Deploy and manage Removable Storage Access Control using Intune | removed | -| 2/1/2024 | Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media | removed | -| 2/1/2024 | Microsoft Defender for Endpoint Device Control Removable Storage Protection | removed | -| 2/1/2024 | [View device control events and information in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/device-control-report?view=o365-worldwide) | modified | -| 2/1/2024 | Microsoft Defender for Endpoint Device Control Device Installation | removed | -| 2/1/2024 | Printer Protection frequently asked questions | removed | -| 2/1/2024 | Printer Protection Overview | removed | -| 2/1/2024 | Microsoft Defender for 
Endpoint Device Control Printer Protection | removed | -| 2/1/2024 | [How Microsoft identifies malware and potentially unwanted applications](/microsoft-365/security/intelligence/criteria?view=o365-worldwide) | modified | -| 2/2/2024 | [Synchronize users in multitenant organizations in Microsoft 365 (Preview)](/microsoft-365/enterprise/sync-users-multi-tenant-orgs?view=o365-worldwide) | modified | -| 2/2/2024 | [View licensed and unlicensed Microsoft 365 users with PowerShell](/microsoft-365/enterprise/view-licensed-and-unlicensed-users-with-microsoft-365-powershell?view=o365-worldwide) | modified | -| 2/2/2024 | [View Microsoft 365 licenses and services with PowerShell](/microsoft-365/enterprise/view-licenses-and-services-with-microsoft-365-powershell?view=o365-worldwide) | modified | -| 2/2/2024 | [Attack surface reduction rules reference](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide) | modified | -| 2/2/2024 | [Microsoft Defender XDR # < 60 chars](/microsoft-365/security/defender/index?view=o365-worldwide) | modified | +++++## Week of February 26, 2024 +++| Published On |Topic title | Change | +|||--| +| 2/26/2024 | [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout?view=o365-worldwide) | modified | +| 2/26/2024 | [Understand app protection access requirements using Microsoft Intune](/microsoft-365/solutions/apps-protect-access-requirements?view=o365-worldwide) | added | +| 2/26/2024 | [Understand app protection conditional launch using Microsoft Intune](/microsoft-365/solutions/apps-protect-conditional-launch?view=o365-worldwide) | added | +| 2/26/2024 | [Understand app data protection using Microsoft Intune](/microsoft-365/solutions/apps-protect-data-protection?view=o365-worldwide) | added | +| 2/26/2024 | [Use the app protection framework with Microsoft 
Intune](/microsoft-365/solutions/apps-protect-framework?view=o365-worldwide) | added | +| 2/26/2024 | [Understand app protection health checks using Microsoft Intune](/microsoft-365/solutions/apps-protect-health-checks?view=o365-worldwide) | added | +| 2/26/2024 | [Secure and protect apps using Microsoft Intune](/microsoft-365/solutions/apps-protect-overview?view=o365-worldwide) | added | +| 2/26/2024 | [Step 1. Apply minimum data protection](/microsoft-365/solutions/apps-protect-step-1?view=o365-worldwide) | added | +| 2/26/2024 | [Step 2. Apply enhanced data protection](/microsoft-365/solutions/apps-protect-step-2?view=o365-worldwide) | added | +| 2/26/2024 | [Step 3. Apply high data protection](/microsoft-365/solutions/apps-protect-step-3?view=o365-worldwide) | added | +| 2/26/2024 | [Step 4. Understand app protection delivery](/microsoft-365/solutions/apps-protect-step-4?view=o365-worldwide) | added | +| 2/26/2024 | [Step 5. Verify and monitor app protection](/microsoft-365/solutions/apps-protect-step-5?view=o365-worldwide) | added | +| 2/26/2024 | [Step 6. 
Use app protection actions](/microsoft-365/solutions/apps-protect-step-6?view=o365-worldwide) | added | +| 2/26/2024 | [Evaluate and pilot Microsoft Defender XDR security, an XDR solution that unifies threat data so you can take action.](/microsoft-365/security/defender/eval-overview?view=o365-worldwide) | modified | +| 2/26/2024 | [Automatic user notifications for user reported phishing results in AIR](/microsoft-365/security/office-365-security/air-user-automatic-feedback-response?view=o365-worldwide) | modified | +| 2/27/2024 | [Configuring external data integrations for Loop experiences](/microsoft-365/loop/loop-data-integrations-configuration?view=o365-worldwide) | added | +| 2/27/2024 | [Early Launch Antimalware (ELAM) and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/elam-on-mdav?view=o365-worldwide) | added | +| 2/27/2024 | [Manage Loop components in OneDrive and SharePoint](/microsoft-365/loop/loop-components-configuration?view=o365-worldwide) | modified | +| 2/27/2024 | [Cloud protection and sample submission at Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide) | modified | +| 2/27/2024 | [Manage Microsoft Defender Antivirus in your business](/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/27/2024 | [Configure Microsoft Defender Antivirus features](/microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features?view=o365-worldwide) | modified | +| 2/27/2024 | [Vulnerability support in Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/fixed-reported-inaccuracies?view=o365-worldwide) | modified | +| 2/27/2024 | [Block vulnerable applications.](/microsoft-365/security/defender-vulnerability-management/tvm-block-vuln-apps?view=o365-worldwide) | modified | +| 
2/27/2024 | [Built-in virus protection in SharePoint Online, OneDrive, and Microsoft Teams](/microsoft-365/security/office-365-security/anti-malware-protection-for-spo-odfb-teams-about?view=o365-worldwide) | modified | +| 2/27/2024 | [Migrate from a third-party protection service to Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365?view=o365-worldwide) | modified | +| 2/27/2024 | [Attack surface reduction rules reference](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide) | modified | +| 2/27/2024 | [Data collection for advanced troubleshooting on Windows](/microsoft-365/security/defender-endpoint/data-collection-analyzer?view=o365-worldwide) | modified | +| 2/27/2024 | [Why you should use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/27/2024 | [Anti-malware Scan Interface (AMSI) integration with Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/amsi-on-mdav?view=o365-worldwide) | added | +| 2/27/2024 | [Run and customize scheduled and on-demand scans](/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/27/2024 | [Antivirus solution compatibility with Defender for Endpoint](/microsoft-365/security/defender-endpoint/defender-compatibility?view=o365-worldwide) | modified | +| 2/27/2024 | [Apply Microsoft Defender Antivirus updates after certain events](/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/27/2024 | [Microsoft Defender Antivirus security intelligence and product updates](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-updates?view=o365-worldwide) | modified | +| 2/27/2024 
| [Microsoft Defender Antivirus updates - Previous versions for technical upgrade support](/microsoft-365/security/defender-endpoint/msda-updates-previous-versions-technical-upgrade-support?view=o365-worldwide) | modified | +| 2/27/2024 | [Microsoft Defender for Cloud in the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-center-defender-cloud?view=o365-worldwide) | modified | +| 2/27/2024 | [Microsoft Defender for Endpoint in the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-center-mde?view=o365-worldwide) | modified | +| 2/27/2024 | [Microsoft Defender for Identity in the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-center-mdi?view=o365-worldwide) | modified | +| 2/27/2024 | [Microsoft Defender for Office 365 in the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-center-mdo?view=o365-worldwide) | modified | +| 2/27/2024 | [Redirecting from the Microsoft Defender Security Center to the Microsoft Defender portal](/microsoft-365/security/defender/microsoft-365-security-mde-redirection?view=o365-worldwide) | modified | +| 2/27/2024 | [Compliance features in Microsoft 365 Archive (Preview)](/microsoft-365/syntex/archive/archive-compliance) | modified | +| 2/28/2024 | [Coin miners](/microsoft-365/security/defender-endpoint/malware/coinminer-malware?view=o365-worldwide) | added | +| 2/28/2024 | [Exploits and exploit kits](/microsoft-365/security/defender-endpoint/malware/exploits-malware?view=o365-worldwide) | added | +| 2/28/2024 | [Fileless threats](/microsoft-365/security/defender-endpoint/malware/fileless-threats?view=o365-worldwide) | added | +| 2/28/2024 | [Macro malware](/microsoft-365/security/defender-endpoint/malware/macro-malware?view=o365-worldwide) | added | +| 2/28/2024 | [Phishing trends and techniques](/microsoft-365/security/defender-endpoint/malware/phishing-trends?view=o365-worldwide) | added | +| 2/28/2024 | 
[How to protect against phishing attacks](/microsoft-365/security/defender-endpoint/malware/phishing?view=o365-worldwide) | added | +| 2/28/2024 | [Prevent malware infection](/microsoft-365/security/defender-endpoint/malware/prevent-malware-infection?view=o365-worldwide) | added | +| 2/28/2024 | [Rootkits](/microsoft-365/security/defender-endpoint/malware/rootkits-malware?view=o365-worldwide) | added | +| 2/28/2024 | [Supply chain attacks](/microsoft-365/security/defender-endpoint/malware/supply-chain-malware?view=o365-worldwide) | added | +| 2/28/2024 | [Tech Support Scams](/microsoft-365/security/defender-endpoint/malware/support-scams?view=o365-worldwide) | added | +| 2/28/2024 | [Trojan malware](/microsoft-365/security/defender-endpoint/malware/trojans-malware?view=o365-worldwide) | added | +| 2/28/2024 | [Understanding malware & other threats](/microsoft-365/security/defender-endpoint/malware/understanding-malware?view=o365-worldwide) | added | +| 2/28/2024 | [Unwanted software](/microsoft-365/security/defender-endpoint/malware/unwanted-software?view=o365-worldwide) | added | +| 2/28/2024 | [Worms](/microsoft-365/security/defender-endpoint/malware/worms-malware?view=o365-worldwide) | added | +| 2/28/2024 | [Configure junk email settings on Exchange Online mailboxes](/microsoft-365/security/office-365-security/configure-junk-email-settings-on-exo-mailboxes?view=o365-worldwide) | modified | +| 2/28/2024 | [Manage Shifts permissions for frontline managers](/microsoft-365/frontline/manage-shifts-permissions-frontline-managers?view=o365-worldwide) | added | +| 2/28/2024 | [Behavior monitoring in Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/behavior-monitor?view=o365-worldwide) | added | +| 2/28/2024 | [Windows and Office 365 deployment lab kit](/microsoft-365/enterprise/modern-desktop-deployment-and-management-lab?view=o365-worldwide) | modified | +| 2/28/2024 | [Deploy frontline dynamic teams at 
scale](/microsoft-365/frontline/deploy-dynamic-teams-at-scale?view=o365-worldwide) | modified | +| 2/28/2024 | [Overview of next-generation protection in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/next-generation-protection?view=o365-worldwide) | modified | +| 2/28/2024 | [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/28/2024 | Configure Directory Services account in Microsoft Defender for Identity | removed | +| 2/28/2024 | Microsoft Defender for Identity entity tags in Microsoft Defender XDR | removed | +| 2/28/2024 | Microsoft Defender for Identity detection exclusions in Microsoft Defender XDR | removed | +| 2/28/2024 | Microsoft Defender for Identity security alerts in Microsoft Defender XDR | removed | +| 2/28/2024 | Microsoft Defender for Identity notifications in Microsoft Defender XDR | removed | +| 2/28/2024 | Microsoft Defender for Identity sensor health and settings in Microsoft Defender XDR | removed | +| 2/28/2024 | Microsoft Defender for Identity VPN integration in Microsoft Defender XDR | removed | +| 2/28/2024 | [Advanced technologies at the core of Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/adv-tech-of-mdav?view=o365-worldwide) | added | +| 2/28/2024 | [Run Microsoft Defender Antivirus in a sandbox environment](/microsoft-365/security/defender-endpoint/sandbox-mdav?view=o365-worldwide) | added | +| 2/28/2024 | [Configure the Microsoft Defender Antivirus cloud block timeout period](/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/28/2024 | [Create and manage device tags](/microsoft-365/security/defender-endpoint/machine-tags?view=o365-worldwide) | modified | +| 2/29/2024 | [Configure and manage Microsoft Defender Experts 
capabilities](/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts?view=o365-worldwide) | modified | +| 2/29/2024 | [Preview limitations in Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-limitations) | modified | +| 2/29/2024 | [Disable access to Microsoft 365 services with PowerShell](/microsoft-365/enterprise/disable-access-to-services-with-microsoft-365-powershell?view=o365-worldwide) | modified | +| 2/29/2024 | [What's new in Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/whats-new-in-microsoft-defender-vulnerability-management?view=o365-worldwide) | modified | +| 2/29/2024 | [Manage Loop app preview](/microsoft-365/loop/loop-preview-configuration?view=o365-worldwide) | added | +| 2/29/2024 | [Deploy Shifts to your frontline teams at scale](/microsoft-365/frontline/deploy-shifts-at-scale?view=o365-worldwide) | modified | +| 2/29/2024 | [Get started with Microsoft 365 for healthcare organizations](/microsoft-365/frontline/teams-in-hc?view=o365-worldwide) | modified | +| 2/29/2024 | [Manage Loop workspaces in SharePoint Embedded](/microsoft-365/loop/loop-workspaces-configuration?view=o365-worldwide) | modified | +| 2/29/2024 | [Onboard Windows devices using a local script](/microsoft-365/security/defender-endpoint/configure-endpoints-script?view=o365-worldwide) | modified | +| 2/29/2024 | [Set preferences for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-preferences?view=o365-worldwide) | modified | +| 2/29/2024 | [Microsoft Defender Antivirus in Windows](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide) | modified | +| 3/1/2024 | [Data Residency for Microsoft Copilot for Microsoft 365](/microsoft-365/enterprise/m365-dr-workload-copilot?view=o365-worldwide) | added | +| 3/1/2024 | [Advanced data residency in Microsoft 
365](/microsoft-365/enterprise/advanced-data-residency?view=o365-worldwide) | modified | +| 3/1/2024 | [Advanced Data Residency Commitments](/microsoft-365/enterprise/m365-dr-commitments?view=o365-worldwide) | modified | +| 3/1/2024 | [Data Residency Legacy Move Program](/microsoft-365/enterprise/m365-dr-legacy-move-program?view=o365-worldwide) | modified | +| 3/1/2024 | [Overview and Definitions](/microsoft-365/enterprise/m365-dr-overview?view=o365-worldwide) | modified | +| 3/1/2024 | [Overview of Product Terms Data Residency](/microsoft-365/enterprise/m365-dr-product-terms-dr?view=o365-worldwide) | modified | +| 3/1/2024 | [Data Residency for Exchange Online](/microsoft-365/enterprise/m365-dr-workload-exo?view=o365-worldwide) | modified | +| 3/1/2024 | [Data Residency for Microsoft Defender for Office P1](/microsoft-365/enterprise/m365-dr-workload-mdo-p1?view=o365-worldwide) | modified | +| 3/1/2024 | [Data Residency for Other Microsoft 365 Services](/microsoft-365/enterprise/m365-dr-workload-other?view=o365-worldwide) | modified | +| 3/1/2024 | [Data Residency for Microsoft Purview](/microsoft-365/enterprise/m365-dr-workload-purview?view=o365-worldwide) | modified | +| 3/1/2024 | [Data Residency for SharePoint and OneDrive](/microsoft-365/enterprise/m365-dr-workload-spo?view=o365-worldwide) | modified | +| 3/1/2024 | [Data Residency for Microsoft Teams](/microsoft-365/enterprise/m365-dr-workload-teams?view=o365-worldwide) | modified | +| 3/1/2024 | [Advanced technologies at the core of Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/adv-tech-of-mdav?view=o365-worldwide) | modified | +| 3/1/2024 | [Evaluate network protection](/microsoft-365/security/defender-endpoint/evaluate-network-protection?view=o365-worldwide) | modified | +| 3/1/2024 | [Create custom Microsoft Defender XDR reports using Microsoft Graph security API and Power BI](/microsoft-365/security/defender/defender-xdr-custom-reports?view=o365-worldwide) | modified | +| 
3/1/2024 | [Memory regression analysis](/microsoft-365/test-base/memory?view=o365-worldwide) | modified | +| 3/1/2024 | [Hardware acceleration and Microsoft Defender Antivirus.](/microsoft-365/security/defender-endpoint/hardware-acceleration-and-mdav?view=o365-worldwide) | added | +| 3/1/2024 | [Evaluate Microsoft Defender Antivirus using PowerShell.](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-using-powershell?view=o365-worldwide) | added | +| 3/1/2024 | [Microsoft 365 admin center SharePoint activity reports](/microsoft-365/admin/activity-reports/sharepoint-activity-ww?view=o365-worldwide) | modified | +| 3/1/2024 | [Microsoft 365 admin center Viva Engage activity reports](/microsoft-365/admin/activity-reports/viva-engage-activity-report-ww?view=o365-worldwide) | modified | +| 3/1/2024 | [Microsoft 365 admin center Viva Learning activity reports](/microsoft-365/admin/activity-reports/viva-learning-activity?view=o365-worldwide) | modified | +| 3/1/2024 | [Transfer data manually between two accounts](/microsoft-365/admin/get-help-with-domains/transfer-data-manually?view=o365-worldwide) | modified | +| 3/1/2024 | [Domains Frequently Asked Questions](/microsoft-365/admin/setup/domains-faq?view=o365-worldwide) | modified | +++## Week of February 19, 2024 +++| Published On |Topic title | Change | +|||--| +| 2/19/2024 | [What's new in Microsoft Secure Score](/microsoft-365/security/defender/microsoft-secure-score-whats-new?view=o365-worldwide) | modified | +| 2/20/2024 | [Use roles to define your frontline managers and workers in Shifts](/microsoft-365/frontline/shifts-frontline-manager-worker-roles?view=o365-worldwide) | added | +| 2/20/2024 | [Block Microsoft 365 user accounts with PowerShell](/microsoft-365/enterprise/block-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified | +| 2/20/2024 | [Delete Microsoft 365 user accounts with 
PowerShell](/microsoft-365/enterprise/delete-and-restore-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified | +| 2/20/2024 | [Manage Microsoft 365 groups](/microsoft-365/enterprise/manage-microsoft-365-groups?view=o365-worldwide) | modified | +| 2/20/2024 | [Manage security groups with PowerShell](/microsoft-365/enterprise/manage-security-groups-with-microsoft-365-powershell?view=o365-worldwide) | modified | +| 2/20/2024 | Manage schedule owners for shift management | removed | +| 2/20/2024 | [Microsoft Teams Virtual Appointments Call Quality Dashboard](/microsoft-365/frontline/virtual-appointments-call-quality?view=o365-worldwide) | modified | +| 2/20/2024 | [Set up multitenant management in Microsoft Defender XDR](/microsoft-365/security/defender/mto-requirements?view=o365-worldwide) | modified | +| 2/20/2024 | [Automated investigation and response in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/air-about?view=o365-worldwide) | modified | +| 2/20/2024 | [Use Azure Privileged Identity Management (PIM) in Microsoft Defender for Office 365 to limit admin access to cyber security tools.](/microsoft-365/security/office-365-security/pim-in-mdo-configure?view=o365-worldwide) | modified | +| 2/21/2024 | [Manage add-ins in the admin center](/microsoft-365/admin/manage/manage-addins-in-the-admin-center?view=o365-worldwide) | modified | +| 2/21/2024 | [Deploy and manage Office Add-ins](/microsoft-365/admin/manage/office-addins?view=o365-worldwide) | modified | +| 2/21/2024 | [Visit the Action center to see remediation actions](/microsoft-365/security/defender-endpoint/auto-investigation-action-center?view=o365-worldwide) | modified | +| 2/21/2024 | [View the details and results of an automated investigation](/microsoft-365/security/defender-endpoint/autoir-investigation-results?view=o365-worldwide) | modified | +| 2/21/2024 | [Use basic permissions to access the 
portal](/microsoft-365/security/defender-endpoint/basic-permissions?view=o365-worldwide) | modified | +| 2/21/2024 | [Cloud protection and sample submission at Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide) | modified | +| 2/21/2024 | [Device health Sensor health & OS report](/microsoft-365/security/defender-endpoint/device-health-sensor-health-os?view=o365-worldwide) | modified | +| 2/21/2024 | [Download the Microsoft Defender for Endpoint client analyzer](/microsoft-365/security/defender-endpoint/download-client-analyzer?view=o365-worldwide) | modified | +| 2/21/2024 | [EDR detection test for verifying device's onboarding and reporting service](/microsoft-365/security/defender-endpoint/edr-detection?view=o365-worldwide) | modified | +| 2/21/2024 | [Turn on cloud protection in Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/enable-cloud-protection-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/21/2024 | [Enable and update Microsoft Defender Antivirus on Windows Server](/microsoft-365/security/defender-endpoint/enable-update-mdav-to-latest-ws?view=o365-worldwide) | modified | +| 2/21/2024 | [Evaluate controlled folder access](/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access?view=o365-worldwide) | modified | +| 2/21/2024 | [See how Exploit protection works in a demo](/microsoft-365/security/defender-endpoint/evaluate-exploit-protection?view=o365-worldwide) | modified | +| 2/21/2024 | [Evaluate Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/evaluate-mde?view=o365-worldwide) | modified | +| 2/21/2024 | [Evaluate network protection](/microsoft-365/security/defender-endpoint/evaluate-network-protection?view=o365-worldwide) | modified | +| 2/21/2024 | [Review events and errors using Event 
Viewer](/microsoft-365/security/defender-endpoint/event-error-codes?view=o365-worldwide) | modified | +| 2/21/2024 | [Apply mitigations to help prevent attacks through vulnerabilities](/microsoft-365/security/defender-endpoint/exploit-protection?view=o365-worldwide) | modified | +| 2/21/2024 | [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-ebpf?view=o365-worldwide) | modified | +| 2/21/2024 | [Diagnosing performance issues with SharePoint](/microsoft-365/enterprise/diagnosing-performance-issues-with-sharepoint-online?view=o365-worldwide) | modified | +| 2/21/2024 | [Microsoft 365 network connectivity test tool](/microsoft-365/enterprise/office-365-network-mac-perf-onboarding-tool?view=o365-worldwide) | modified | +| 2/21/2024 | [Frequently asked questions (FAQs) about tamper protection](/microsoft-365/security/defender-endpoint/faqs-on-tamper-protection?view=o365-worldwide) | modified | +| 2/21/2024 | [Fix unhealthy sensors in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/fix-unhealthy-sensors?view=o365-worldwide) | modified | +| 2/21/2024 | [Become a Microsoft Defender for Endpoint partner](/microsoft-365/security/defender-endpoint/get-started-partner-integration?view=o365-worldwide) | modified | +| 2/21/2024 | [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide) | modified | +| 2/21/2024 | [Grant access to managed security service provider (MSSP)](/microsoft-365/security/defender-endpoint/grant-mssp-access?view=o365-worldwide) | modified | +| 2/21/2024 | [Investigate agent health issues](/microsoft-365/security/defender-endpoint/health-status?view=o365-worldwide) | modified | +| 2/21/2024 | [Host firewall reporting in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/host-firewall-reporting?view=o365-worldwide) | modified | +| 2/21/2024 | [Create indicators 
based on certificates](/microsoft-365/security/defender-endpoint/indicator-certificates?view=o365-worldwide) | modified | +| 2/21/2024 | [Create indicators for files](/microsoft-365/security/defender-endpoint/indicator-file?view=o365-worldwide) | modified | +| 2/21/2024 | [Manage indicators](/microsoft-365/security/defender-endpoint/indicator-manage?view=o365-worldwide) | modified | +| 2/21/2024 | [Use Microsoft Defender for Endpoint sensitivity labels to protect your data and prioritize security incident response](/microsoft-365/security/defender-endpoint/information-protection-investigation?view=o365-worldwide) | modified | +| 2/21/2024 | [Investigate Microsoft Defender for Endpoint alerts](/microsoft-365/security/defender-endpoint/investigate-alerts?view=o365-worldwide) | modified | +| 2/21/2024 | [Investigate connection events that occur behind forward proxies](/microsoft-365/security/defender-endpoint/investigate-behind-proxy?view=o365-worldwide) | modified | +| 2/21/2024 | [Investigate an IP address associated with an alert](/microsoft-365/security/defender-endpoint/investigate-ip?view=o365-worldwide) | modified | +| 2/21/2024 | [Investigate devices in the Defender for Endpoint Devices list](/microsoft-365/security/defender-endpoint/investigate-machines?view=o365-worldwide) | modified | +| 2/21/2024 | [Investigate a user account in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/investigate-user?view=o365-worldwide) | modified | +| 2/21/2024 | [Configure Microsoft Defender for Endpoint on iOS features](/microsoft-365/security/defender-endpoint/ios-configure-features?view=o365-worldwide) | modified | +| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on iOS with Mobile Application Management](/microsoft-365/security/defender-endpoint/ios-install-unmanaged?view=o365-worldwide) | modified | +| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on iOS with Microsoft 
Intune](/microsoft-365/security/defender-endpoint/ios-install?view=o365-worldwide) | modified | +| 2/21/2024 | [Privacy information - Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-privacy?view=o365-worldwide) | modified | +| 2/21/2024 | [Troubleshoot issues and find answers on FAQs related to Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-troubleshoot?view=o365-worldwide) | modified | +| 2/21/2024 | [What's new in Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/ios-whatsnew?view=o365-worldwide) | modified | +| 2/21/2024 | [How to Deploy Defender for Endpoint on Linux with Chef](/microsoft-365/security/defender-endpoint/linux-deploy-defender-for-endpoint-with-chef?view=o365-worldwide) | modified | +| 2/21/2024 | [Configure and validate exclusions for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-exclusions?view=o365-worldwide) | modified | +| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on Linux with Ansible](/microsoft-365/security/defender-endpoint/linux-install-with-ansible?view=o365-worldwide) | modified | +| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on Linux with Puppet](/microsoft-365/security/defender-endpoint/linux-install-with-puppet?view=o365-worldwide) | modified | +| 2/21/2024 | [Deploy Microsoft Defender for Endpoint on Linux with SaltStack](/microsoft-365/security/defender-endpoint/linux-install-with-saltack?view=o365-worldwide) | modified | +| 2/21/2024 | [Privacy for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-privacy?view=o365-worldwide) | modified | +| 2/21/2024 | [Detect and block potentially unwanted applications with Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-pua?view=o365-worldwide) | modified | +| 2/21/2024 | [How to schedule scans with Microsoft Defender for Endpoint 
(Linux)](/microsoft-365/security/defender-endpoint/linux-schedule-scan-mde?view=o365-worldwide) | modified | +| 2/21/2024 | [Microsoft Defender for Endpoint on Linux static proxy discovery](/microsoft-365/security/defender-endpoint/linux-static-proxy-configuration?view=o365-worldwide) | modified | +| 2/21/2024 | [Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-connectivity?view=o365-worldwide) | modified | +| 2/21/2024 | [Troubleshoot missing events or alerts issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-events?view=o365-worldwide) | modified | +| 2/21/2024 | [Troubleshoot installation issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-install?view=o365-worldwide) | modified | +| 2/21/2024 | [Troubleshoot performance issues for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-perf?view=o365-worldwide) | modified | +| 2/21/2024 | [Troubleshoot issues for Microsoft Defender for Endpoint on Linux RHEL6](/microsoft-365/security/defender-endpoint/linux-support-rhel?view=o365-worldwide) | modified | +| 2/21/2024 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified | +| 2/21/2024 | [Live response library methods and properties](/microsoft-365/security/defender-endpoint/live-response-library-methods?view=o365-worldwide) | modified | +| 2/21/2024 | [macOS Device control policies frequently asked questions (FAQ)](/microsoft-365/security/defender-endpoint/mac-device-control-faq?view=o365-worldwide) | modified | +| 2/21/2024 | [Deploy and manage Device Control using Intune](/microsoft-365/security/defender-endpoint/mac-device-control-intune?view=o365-worldwide) | modified | +| 2/21/2024 | [Deploy and manage device control 
using JAMF](/microsoft-365/security/defender-endpoint/mac-device-control-jamf?view=o365-worldwide) | modified | +| 2/21/2024 | [Deploy and manage device control manually](/microsoft-365/security/defender-endpoint/mac-device-control-manual?view=o365-worldwide) | modified | +| 2/21/2024 | [Device control for macOS](/microsoft-365/security/defender-endpoint/mac-device-control-overview?view=o365-worldwide) | modified | +| 2/21/2024 | [Sign in to Jamf Pro](/microsoft-365/security/defender-endpoint/mac-install-jamfpro-login?view=o365-worldwide) | modified | +| 2/21/2024 | [Deploying Microsoft Defender for Endpoint on macOS with Jamf Pro](/microsoft-365/security/defender-endpoint/mac-install-with-jamf?view=o365-worldwide) | modified | +| 2/21/2024 | [Deployment with a different Mobile Device Management (MDM) system for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-install-with-other-mdm?view=o365-worldwide) | modified | +| 2/21/2024 | [Set up device groups in Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-device-groups?view=o365-worldwide) | modified | +| 2/21/2024 | [Enroll Microsoft Defender for Endpoint on macOS devices into Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-enroll-devices?view=o365-worldwide) | modified | +| 2/21/2024 | [Set up the Microsoft Defender for Endpoint on macOS policies in Jamf Pro](/microsoft-365/security/defender-endpoint/mac-jamfpro-policies?view=o365-worldwide) | modified | +| 2/21/2024 | [Privacy for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-privacy?view=o365-worldwide) | modified | +| 2/21/2024 | [Detect and block potentially unwanted applications with Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-pua?view=o365-worldwide) | modified | +| 2/21/2024 | [How to schedule scans with Microsoft Defender for Endpoint on 
macOS](/microsoft-365/security/defender-endpoint/mac-schedule-scan?view=o365-worldwide) | modified | +| 2/21/2024 | [Troubleshoot installation issues for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-support-install?view=o365-worldwide) | modified | +| 2/21/2024 | [Troubleshoot license issues for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-support-license?view=o365-worldwide) | modified | +| 2/21/2024 | [Troubleshoot performance issues for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-support-perf?view=o365-worldwide) | modified | +| 2/21/2024 | [Troubleshoot system extension issues for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-support-sys-ext?view=o365-worldwide) | modified | +| 2/21/2024 | [New configuration profiles for macOS Big Sur and newer versions of macOS](/microsoft-365/security/defender-endpoint/mac-sysext-policies?view=o365-worldwide) | modified | +| 2/21/2024 | [Troubleshooting mode in Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-troubleshoot-mode?view=o365-worldwide) | modified | +| 2/21/2024 | [Deploy updates for Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-updates?view=o365-worldwide) | modified | +| 2/21/2024 | [Device inventory](/microsoft-365/security/defender-endpoint/machines-view-overview?view=o365-worldwide) | modified | +| 2/21/2024 | [Manage Microsoft Defender for Endpoint alerts](/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-worldwide) | modified | +| 2/21/2024 | [Manage automation folder exclusions](/microsoft-365/security/defender-endpoint/manage-automation-folder-exclusions?view=o365-worldwide) | modified | +| 2/21/2024 | [Apply Microsoft Defender Antivirus updates after certain 
events](/microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/21/2024 | [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout?view=o365-worldwide) | modified | +| 2/21/2024 | [Manage Microsoft Defender for Endpoint incidents](/microsoft-365/security/defender-endpoint/manage-incidents?view=o365-worldwide) | modified | +| 2/21/2024 | Manage Microsoft Defender for Endpoint using Configuration Manager | removed | +| 2/21/2024 | Manage Microsoft Defender for Endpoint using Group Policy Objects | removed | +| 2/21/2024 | Manage Microsoft Defender for Endpoint using Intune | removed | +| 2/21/2024 | Manage Microsoft Defender for Endpoint using PowerShell, WMI, and MPCmdRun.exe | removed | +| 2/21/2024 | Manage Microsoft Defender for Endpoint after initial setup or migration | removed | +| 2/21/2024 | [Apply Microsoft Defender Antivirus protection updates to out of date endpoints](/microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/21/2024 | [Deployment guidance for Microsoft Defender for Endpoint on Linux for SAP](/microsoft-365/security/defender-endpoint/mde-linux-deployment-on-sap?view=o365-worldwide) | modified | +| 2/21/2024 | [Manage contracts using a Microsoft 365 solution](/microsoft-365/syntex/solution-manage-contracts-in-microsoft-365) | modified | +| 2/22/2024 | [Set up multifactor authentication for users](/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide) | modified | +| 2/22/2024 | [Understand your invoice for your Microsoft MCA billing account](/microsoft-365/commerce/billing-and-payments/understand-your-invoice?view=o365-worldwide) | modified | +| 2/22/2024 | [Buy or remove licenses for a Microsoft business 
subscription](/microsoft-365/commerce/licenses/buy-licenses?view=o365-worldwide) | modified | +| 2/22/2024 | [Manage self-service purchases and trials (for admins)](/microsoft-365/commerce/subscriptions/manage-self-service-purchases-admins?view=o365-worldwide) | modified | +| 2/22/2024 | [Manage system extensions using JamF](/microsoft-365/security/defender-endpoint/manage-sys-extensions-using-jamf?view=o365-worldwide) | modified | +| 2/22/2024 | [Get started with your Microsoft Defender for Endpoint deployment](/microsoft-365/security/defender-endpoint/mde-planning-guide?view=o365-worldwide) | modified | +| 2/22/2024 | [Microsoft Defender for Endpoint plug-in for Windows Subsystem for Linux (WSL)](/microsoft-365/security/defender-endpoint/mde-plugin-wsl?view=o365-worldwide) | modified | +| 2/22/2024 | [Configure Microsoft Defender for Cloud Apps integration](/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-config?view=o365-worldwide) | modified | +| 2/22/2024 | [Microsoft Defender for Cloud Apps integration overview](/microsoft-365/security/defender-endpoint/microsoft-cloud-app-security-integration?view=o365-worldwide) | modified | +| 2/22/2024 | [Pilot ring deployment using Group Policy and Windows Server Update Services](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-pilot-ring-deployment-group-policy-wsus?view=o365-worldwide) | modified | +| 2/22/2024 | [Production ring deployment using Group Policy and Windows Server Update Services](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-production-ring-deployment-group-policy-wsus?view=o365-worldwide) | modified | +| 2/22/2024 | [Production ring deployment using Group Policy and Microsoft Update (MU)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-microsoft-update?view=o365-worldwide) | modified | +| 2/22/2024 | [Production ring deployment using Group Policy and network 
share](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-network-share?view=o365-worldwide) | modified | +| 2/22/2024 | [Appendices for ring deployment using Group Policy and Windows Server Update Services (WSUS)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-group-policy-wsus-appendices?view=o365-worldwide) | modified | +| 2/22/2024 | [Ring deployment using Intune and Microsoft Update (MU)](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-intune-microsoft-update?view=o365-worldwide) | modified | +| 2/22/2024 | [Ring deployment using System Center Configuration Manager and Windows Server Update Services](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment-sscm-wsus?view=o365-worldwide) | modified | +| 2/22/2024 | [Microsoft Defender Antivirus ring deployment guide overview](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-ring-deployment?view=o365-worldwide) | modified | +| 2/22/2024 | [Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-android?view=o365-worldwide) | modified | +| 2/22/2024 | [Schedule antivirus scans using Windows Management Instrumentation](/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-wmi?view=o365-worldwide) | modified | +| 2/22/2024 | [Changes coming to Topics](/microsoft-365/topics/changes-coming-to-topics?view=o365-worldwide) | added | +| 2/22/2024 | [Frequently asked questions about changes coming to Topics](/microsoft-365/topics/topics-changes-faq?view=o365-worldwide) | added | +| 2/22/2024 | [How to schedule an antivirus scan using Anacron in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/schedule-antivirus-scan-in-mde?view=o365-worldwide) | modified | +| 2/22/2024 | [Schedule antivirus scans using Group 
Policy](/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-group-policy?view=o365-worldwide) | modified | +| 2/22/2024 | [Schedule antivirus scans using PowerShell](/microsoft-365/security/defender-endpoint/schedule-antivirus-scans-powershell?view=o365-worldwide) | modified | +| 2/22/2024 | [Server migration scenarios for the new version of Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/server-migration?view=o365-worldwide) | modified | +| 2/22/2024 | [Supported Microsoft Defender for Endpoint capabilities by platform](/microsoft-365/security/defender-endpoint/supported-capabilities-by-platform?view=o365-worldwide) | modified | +| 2/22/2024 | [Migrate to Microsoft Defender for Endpoint from non-Microsoft endpoint protection](/microsoft-365/security/defender-endpoint/switch-to-mde-overview?view=o365-worldwide) | modified | +| 2/22/2024 | [Technological partners of Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/technological-partners?view=o365-worldwide) | modified | +| 2/22/2024 | [Understand threat intelligence concepts in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/threat-indicator-concepts?view=o365-worldwide) | modified | +| 2/22/2024 | [Integrate Microsoft Defender for Endpoint with other Microsoft solutions](/microsoft-365/security/defender-endpoint/threat-protection-integration?view=o365-worldwide) | modified | +| 2/22/2024 | [Data privacy and compliance in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-data-privacy-and-compliance?view=o365-worldwide) | added | +| 2/22/2024 | [Assign roles to Microsoft 365 user accounts with PowerShell](/microsoft-365/enterprise/assign-roles-to-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified | +| 2/22/2024 | [Get scan history by session](/microsoft-365/security/defender-endpoint/api/get-scan-history-by-session?view=o365-worldwide) | modified | +| 2/22/2024 | [Add, update, or delete a 
scan definition](/microsoft-365/security/defender-endpoint/api/add-a-new-scan-definition?view=o365-worldwide) | modified | +| 2/22/2024 | [Add or remove a tag for a machine](/microsoft-365/security/defender-endpoint/api/add-or-remove-machine-tags?view=o365-worldwide) | modified | +| 2/22/2024 | [Add or remove a tag for multiple machines](/microsoft-365/security/defender-endpoint/api/add-or-remove-multiple-machine-tags?view=o365-worldwide) | modified | +| 2/22/2024 | [Get alerts API](/microsoft-365/security/defender-endpoint/api/alerts?view=o365-worldwide) | modified | +| 2/22/2024 | [API Explorer in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/api/api-explorer?view=o365-worldwide) | modified | +| 2/22/2024 | [Hello World for Microsoft Defender for Endpoint API](/microsoft-365/security/defender-endpoint/api/api-hello-world?view=o365-worldwide) | modified | +| 2/22/2024 | [Microsoft Defender for Endpoint APIs connection to Power BI](/microsoft-365/security/defender-endpoint/api/api-power-bi?view=o365-worldwide) | modified | +| 2/22/2024 | [Microsoft Defender for Endpoint API release notes](/microsoft-365/security/defender-endpoint/api/api-release-notes?view=o365-worldwide) | modified | +| 2/22/2024 | [Access the Microsoft Defender for Endpoint APIs](/microsoft-365/security/defender-endpoint/api/apis-intro?view=o365-worldwide) | modified | +| 2/22/2024 | [Batch Delete Indicators API](/microsoft-365/security/defender-endpoint/api/batch-delete-ti-indicators?view=o365-worldwide) | modified | +| 2/22/2024 | [Batch Update alert entities API](/microsoft-365/security/defender-endpoint/api/batch-update-alerts?view=o365-worldwide) | modified | +| 2/22/2024 | [Cancel machine action API](/microsoft-365/security/defender-endpoint/api/cancel-machine-action?view=o365-worldwide) | modified | +| 2/22/2024 | [Collect investigation package API](/microsoft-365/security/defender-endpoint/api/collect-investigation-package?view=o365-worldwide) | modified | +| 
2/22/2024 | [Common Microsoft Defender for Endpoint API errors](/microsoft-365/security/defender-endpoint/api/common-errors?view=o365-worldwide) | modified | +| 2/22/2024 | [Create alert from event API](/microsoft-365/security/defender-endpoint/api/create-alert-by-reference?view=o365-worldwide) | modified | +| 2/22/2024 | [Delete a file from the live response library](/microsoft-365/security/defender-endpoint/api/delete-library?view=o365-worldwide) | modified | +| 2/22/2024 | [Delete Indicator API.](/microsoft-365/security/defender-endpoint/api/delete-ti-indicator-by-id?view=o365-worldwide) | modified | +| 2/22/2024 | [Get alert information by ID API](/microsoft-365/security/defender-endpoint/api/get-alert-info-by-id?view=o365-worldwide) | modified | +| 2/22/2024 | [Get alert related domains information](/microsoft-365/security/defender-endpoint/api/get-alert-related-domain-info?view=o365-worldwide) | modified | +| 2/22/2024 | [Get alert related files information](/microsoft-365/security/defender-endpoint/api/get-alert-related-files-info?view=o365-worldwide) | modified | +| 2/22/2024 | [Get alert-related IPs' information](/microsoft-365/security/defender-endpoint/api/get-alert-related-ip-info?view=o365-worldwide) | modified | +| 2/22/2024 | [Get alert related machine information](/microsoft-365/security/defender-endpoint/api/get-alert-related-machine-info?view=o365-worldwide) | modified | +| 2/22/2024 | [Get alert related user information](/microsoft-365/security/defender-endpoint/api/get-alert-related-user-info?view=o365-worldwide) | modified | +| 2/22/2024 | [List alerts API](/microsoft-365/security/defender-endpoint/api/get-alerts?view=o365-worldwide) | modified | +| 2/22/2024 | [List all recommendations](/microsoft-365/security/defender-endpoint/api/get-all-recommendations?view=o365-worldwide) | modified | +| 2/22/2024 | [Get all vulnerabilities by machine and 
software](/microsoft-365/security/defender-endpoint/api/get-all-vulnerabilities-by-machines?view=o365-worldwide) | modified | +| 2/22/2024 | [Get all vulnerabilities](/microsoft-365/security/defender-endpoint/api/get-all-vulnerabilities?view=o365-worldwide) | modified | +| 2/22/2024 | [Export assessment methods and properties per device](/microsoft-365/security/defender-endpoint/api/get-assessment-methods-properties?view=o365-worldwide) | modified | +| 2/22/2024 | [Export secure configuration assessment per device](/microsoft-365/security/defender-endpoint/api/get-assessment-secure-config?view=o365-worldwide) | modified | +| 2/22/2024 | [Export software inventory assessment per device](/microsoft-365/security/defender-endpoint/api/get-assessment-software-inventory?view=o365-worldwide) | modified | +| 2/22/2024 | [Export software vulnerabilities assessment per device](/microsoft-365/security/defender-endpoint/api/get-assessment-software-vulnerabilities?view=o365-worldwide) | modified | +| 2/22/2024 | [Authenticated scan methods and properties](/microsoft-365/security/defender-endpoint/api/get-authenticated-scan-properties?view=o365-worldwide) | modified | +| 2/22/2024 | [Get the device secure score](/microsoft-365/security/defender-endpoint/api/get-device-secure-score?view=o365-worldwide) | modified | +| 2/22/2024 | [Get discovered vulnerabilities](/microsoft-365/security/defender-endpoint/api/get-discovered-vulnerabilities?view=o365-worldwide) | modified | +| 2/22/2024 | [Get domain-related alerts API](/microsoft-365/security/defender-endpoint/api/get-domain-related-alerts?view=o365-worldwide) | modified | +| 2/22/2024 | [Get domain-related machines API](/microsoft-365/security/defender-endpoint/api/get-domain-related-machines?view=o365-worldwide) | modified | +| 2/22/2024 | [Get domain statistics API](/microsoft-365/security/defender-endpoint/api/get-domain-statistics?view=o365-worldwide) | modified | +| 2/22/2024 | [Get exposure 
score](/microsoft-365/security/defender-endpoint/api/get-exposure-score?view=o365-worldwide) | modified | +| 2/22/2024 | [Get file information API](/microsoft-365/security/defender-endpoint/api/get-file-information?view=o365-worldwide) | modified | +| 2/22/2024 | [Get file-related alerts API](/microsoft-365/security/defender-endpoint/api/get-file-related-alerts?view=o365-worldwide) | modified | +| 2/22/2024 | [Get file-related machines API](/microsoft-365/security/defender-endpoint/api/get-file-related-machines?view=o365-worldwide) | modified | +| 2/22/2024 | [Get file statistics API](/microsoft-365/security/defender-endpoint/api/get-file-statistics?view=o365-worldwide) | modified | +| 2/22/2024 | [Get installed software](/microsoft-365/security/defender-endpoint/api/get-installed-software?view=o365-worldwide) | modified | +| 2/22/2024 | [List Investigations API](/microsoft-365/security/defender-endpoint/api/get-investigation-collection?view=o365-worldwide) | modified | +| 2/22/2024 | [Get Investigation object API](/microsoft-365/security/defender-endpoint/api/get-investigation-object?view=o365-worldwide) | modified | +| 2/22/2024 | [Get IP related alerts API](/microsoft-365/security/defender-endpoint/api/get-ip-related-alerts?view=o365-worldwide) | modified | +| 2/22/2024 | [Get IP statistics API](/microsoft-365/security/defender-endpoint/api/get-ip-statistics?view=o365-worldwide) | modified | +| 2/22/2024 | [Get live response results](/microsoft-365/security/defender-endpoint/api/get-live-response-result?view=o365-worldwide) | modified | +| 2/22/2024 | [Get machine by ID API](/microsoft-365/security/defender-endpoint/api/get-machine-by-id?view=o365-worldwide) | modified | +| 2/22/2024 | [List exposure score by device group](/microsoft-365/security/defender-endpoint/api/get-machine-group-exposure-score?view=o365-worldwide) | modified | +| 2/22/2024 | [Get machine logon users 
API](/microsoft-365/security/defender-endpoint/api/get-machine-log-on-users?view=o365-worldwide) | modified | +| 2/22/2024 | [Get machine related alerts API](/microsoft-365/security/defender-endpoint/api/get-machine-related-alerts?view=o365-worldwide) | modified | +| 2/22/2024 | [Get MachineAction object API](/microsoft-365/security/defender-endpoint/api/get-machineaction-object?view=o365-worldwide) | modified | +| 2/22/2024 | [List machineActions API](/microsoft-365/security/defender-endpoint/api/get-machineactions-collection?view=o365-worldwide) | modified | +| 2/22/2024 | [List devices by software](/microsoft-365/security/defender-endpoint/api/get-machines-by-software?view=o365-worldwide) | modified | +| 2/22/2024 | [List devices by vulnerability](/microsoft-365/security/defender-endpoint/api/get-machines-by-vulnerability?view=o365-worldwide) | modified | +| 2/22/2024 | [Get missing KBs by device ID](/microsoft-365/security/defender-endpoint/api/get-missing-kbs-machine?view=o365-worldwide) | modified | +| 2/22/2024 | [Get missing KBs by software ID](/microsoft-365/security/defender-endpoint/api/get-missing-kbs-software?view=o365-worldwide) | modified | +| 2/22/2024 | [Get package SAS URI API](/microsoft-365/security/defender-endpoint/api/get-package-sas-uri?view=o365-worldwide) | modified | +| 2/22/2024 | [Get recommendation by Id](/microsoft-365/security/defender-endpoint/api/get-recommendation-by-id?view=o365-worldwide) | modified | +| 2/22/2024 | [List devices by recommendation](/microsoft-365/security/defender-endpoint/api/get-recommendation-machines?view=o365-worldwide) | modified | +| 2/22/2024 | [List vulnerabilities by recommendation](/microsoft-365/security/defender-endpoint/api/get-recommendation-vulnerabilities?view=o365-worldwide) | modified | +| 2/22/2024 | [List all remediation activities](/microsoft-365/security/defender-endpoint/api/get-remediation-all-activities?view=o365-worldwide) | modified | +| 2/22/2024 | [List exposed devices of one 
remediation activity](/microsoft-365/security/defender-endpoint/api/get-remediation-exposed-devices-activities?view=o365-worldwide) | modified | +| 2/22/2024 | [Remediation activity methods and properties](/microsoft-365/security/defender-endpoint/api/get-remediation-methods-properties?view=o365-worldwide) | modified | +| 2/22/2024 | [Get one remediation activity by ID](/microsoft-365/security/defender-endpoint/api/get-remediation-one-activity?view=o365-worldwide) | modified | +| 2/22/2024 | [Get security recommendations](/microsoft-365/security/defender-endpoint/api/get-security-recommendations?view=o365-worldwide) | modified | +| 2/22/2024 | [Get software by ID](/microsoft-365/security/defender-endpoint/api/get-software-by-id?view=o365-worldwide) | modified | +| 2/22/2024 | [List software version distribution](/microsoft-365/security/defender-endpoint/api/get-software-ver-distribution?view=o365-worldwide) | modified | +| 2/22/2024 | [List software](/microsoft-365/security/defender-endpoint/api/get-software?view=o365-worldwide) | modified | +| 2/22/2024 | [List Indicators API](/microsoft-365/security/defender-endpoint/api/get-ti-indicators-collection?view=o365-worldwide) | modified | +| 2/22/2024 | [Get user-related alerts API](/microsoft-365/security/defender-endpoint/api/get-user-related-alerts?view=o365-worldwide) | modified | +| 2/22/2024 | [Get user-related machines API](/microsoft-365/security/defender-endpoint/api/get-user-related-machines?view=o365-worldwide) | modified | +| 2/22/2024 | [List vulnerabilities by software](/microsoft-365/security/defender-endpoint/api/get-vuln-by-software?view=o365-worldwide) | modified | +| 2/22/2024 | [Get vulnerability by ID](/microsoft-365/security/defender-endpoint/api/get-vulnerability-by-id?view=o365-worldwide) | modified | +| 2/22/2024 | [Import Indicators API](/microsoft-365/security/defender-endpoint/api/import-ti-indicators?view=o365-worldwide) | modified | +| 2/22/2024 | [Start Investigation 
API](/microsoft-365/security/defender-endpoint/api/initiate-autoir-investigation?view=o365-worldwide) | modified | +| 2/22/2024 | [Stream Microsoft Defender for Endpoint event](/microsoft-365/security/defender-endpoint/api/raw-data-export?view=o365-worldwide) | modified | +| 2/22/2024 | [Recommendation methods and properties](/microsoft-365/security/defender-endpoint/api/recommendation?view=o365-worldwide) | modified | +| 2/22/2024 | [Restrict app execution API](/microsoft-365/security/defender-endpoint/api/restrict-code-execution?view=o365-worldwide) | modified | +| 2/22/2024 | [Advanced Hunting API](/microsoft-365/security/defender-endpoint/api/run-advanced-query-api?view=o365-worldwide) | modified | +| 2/22/2024 | [Advanced Hunting with PowerShell API Basics](/microsoft-365/security/defender-endpoint/api/run-advanced-query-sample-powershell?view=o365-worldwide) | modified | +| 2/22/2024 | [Advanced Hunting with Python API Guide](/microsoft-365/security/defender-endpoint/api/run-advanced-query-sample-python?view=o365-worldwide) | modified | +| 2/22/2024 | [Run antivirus scan API](/microsoft-365/security/defender-endpoint/api/run-av-scan?view=o365-worldwide) | modified | +| 2/22/2024 | [Set device value API](/microsoft-365/security/defender-endpoint/api/set-device-value?view=o365-worldwide) | modified | +| 2/22/2024 | [Software methods and properties](/microsoft-365/security/defender-endpoint/api/software?view=o365-worldwide) | modified | +| 2/22/2024 | [Stop and quarantine file API](/microsoft-365/security/defender-endpoint/api/stop-and-quarantine-file?view=o365-worldwide) | modified | +| 2/22/2024 | [Indicator resource type](/microsoft-365/security/defender-endpoint/api/ti-indicator?view=o365-worldwide) | modified | +| 2/22/2024 | [Release device from isolation API](/microsoft-365/security/defender-endpoint/api/unisolate-machine?view=o365-worldwide) | modified | +| 2/22/2024 | [Remove app restriction 
API](/microsoft-365/security/defender-endpoint/api/unrestrict-code-execution?view=o365-worldwide) | modified | +| 2/22/2024 | [Update alert entity API](/microsoft-365/security/defender-endpoint/api/update-alert?view=o365-worldwide) | modified | +| 2/22/2024 | [Update machine entity API](/microsoft-365/security/defender-endpoint/api/update-machine-method?view=o365-worldwide) | modified | +| 2/22/2024 | [Upload files to the live response library](/microsoft-365/security/defender-endpoint/api/upload-library?view=o365-worldwide) | modified | +| 2/22/2024 | [User resource type](/microsoft-365/security/defender-endpoint/api/user?view=o365-worldwide) | modified | +| 2/22/2024 | [Vulnerability methods and properties](/microsoft-365/security/defender-endpoint/api/vulnerability?view=o365-worldwide) | modified | +| 2/22/2024 | [Microsoft Defender for Endpoint on iOS](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint-ios?view=o365-worldwide) | modified | +| 2/22/2024 | [Microsoft Defender Offline scan in Windows](/microsoft-365/security/defender-endpoint/microsoft-defender-offline?view=o365-worldwide) | modified | +| 2/22/2024 | [Migrating from non-Microsoft HIPS to attack surface reduction rules](/microsoft-365/security/defender-endpoint/migrating-asr-rules?view=o365-worldwide) | modified | +| 2/22/2024 | [Migrating servers from Microsoft Defender for Endpoint to Microsoft Defender for Cloud](/microsoft-365/security/defender-endpoint/migrating-mde-server-to-cloud?view=o365-worldwide) | modified | +| 2/22/2024 | [Resources for Microsoft Defender for Endpoint for mobile devices](/microsoft-365/security/defender-endpoint/mobile-resources-defender-endpoint?view=o365-worldwide) | modified | +| 2/22/2024 | [Monthly security summary reporting in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/monthly-security-summary-report?view=o365-worldwide) | modified | +| 2/22/2024 | [Managed security service provider (MSSP) partnership 
opportunities](/microsoft-365/security/defender-endpoint/mssp-support?view=o365-worldwide) | modified | +| 2/22/2024 | [Use network protection to help prevent Linux connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection-linux?view=o365-worldwide) | modified | +| 2/22/2024 | [Use network protection to help prevent macOS connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection-macos?view=o365-worldwide) | modified | +| 2/22/2024 | [Microsoft Defender for Endpoint on other platforms](/microsoft-365/security/defender-endpoint/non-windows?view=o365-worldwide) | modified | +| 2/22/2024 | [Better together - Microsoft Defender Antivirus and Office 365 (including OneDrive) - better protection from ransomware and cyberthreats](/microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/22/2024 | [Onboarding using Microsoft Intune](/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager?view=o365-worldwide) | modified | +| 2/22/2024 | [Create an onboarding or offboarding notification rule](/microsoft-365/security/defender-endpoint/onboarding-notification?view=o365-worldwide) | modified | +| 2/22/2024 | [Troubleshoot sensor health using Microsoft Defender for Endpoint Client Analyzer](/microsoft-365/security/defender-endpoint/overview-client-analyzer?view=o365-worldwide) | modified | +| 2/22/2024 | [Partner applications in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/partner-applications?view=o365-worldwide) | modified | +| 2/22/2024 | [Microsoft Defender for Endpoint partner opportunities and scenarios](/microsoft-365/security/defender-endpoint/partner-integration?view=o365-worldwide) | modified | +| 2/22/2024 | [Hide the Microsoft Defender Antivirus interface](/microsoft-365/security/defender-endpoint/prevent-end-user-interaction-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/22/2024 | 
[Turn on the preview experience in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/preview-settings?view=o365-worldwide) | modified | +| 2/22/2024 | [Microsoft Defender for Endpoint preview features](/microsoft-365/security/defender-endpoint/preview?view=o365-worldwide) | modified | +| 2/22/2024 | [Professional services supported by Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/professional-services?view=o365-worldwide) | modified | +| 2/22/2024 | [Use role-based access control to grant fine-grained access to Microsoft Defender portal](/microsoft-365/security/defender-endpoint/rbac?view=o365-worldwide) | modified | +| 2/22/2024 | [Review detected threats using the Microsoft Defender for Endpoint Antivirus and Intune integration](/microsoft-365/security/defender-endpoint/review-detected-threats?view=o365-worldwide) | modified | +| 2/22/2024 | [Run a detection test on a device recently onboarded to Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/run-detection-test?view=o365-worldwide) | modified | +| 2/22/2024 | [Use Microsoft Defender for Endpoint APIs](/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-nativeapp?view=o365-worldwide) | modified | +| 2/22/2024 | [Partner access through Microsoft Defender for Endpoint APIs](/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-partners?view=o365-worldwide) | modified | +| 2/22/2024 | [Create an app to access Microsoft Defender for Endpoint without a user](/microsoft-365/security/defender-endpoint/api/exposed-apis-create-app-webapp?view=o365-worldwide) | modified | +| 2/22/2024 | [Advanced Hunting with PowerShell API Guide](/microsoft-365/security/defender-endpoint/api/exposed-apis-full-sample-powershell?view=o365-worldwide) | modified | +| 2/22/2024 | [Supported Microsoft Defender for Endpoint APIs](/microsoft-365/security/defender-endpoint/api/exposed-apis-list?view=o365-worldwide) | modified | +| 2/22/2024 | 
[OData queries with Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/api/exposed-apis-odata-samples?view=o365-worldwide) | modified | +| 2/22/2024 | [Fetch alerts from MSSP customer tenant](/microsoft-365/security/defender-endpoint/api/fetch-alerts-mssp?view=o365-worldwide) | modified | +| 2/22/2024 | [File resource type](/microsoft-365/security/defender-endpoint/api/files?view=o365-worldwide) | modified | +| 2/22/2024 | [Find device information by internal IP API](/microsoft-365/security/defender-endpoint/api/find-machine-info-by-ip?view=o365-worldwide) | modified | +| 2/22/2024 | [Find devices by internal IP API](/microsoft-365/security/defender-endpoint/api/find-machines-by-ip?view=o365-worldwide) | modified | +| 2/22/2024 | [Find devices by tag API](/microsoft-365/security/defender-endpoint/api/find-machines-by-tag?view=o365-worldwide) | modified | +| 2/22/2024 | [Investigation resource type](/microsoft-365/security/defender-endpoint/api/investigation?view=o365-worldwide) | modified | +| 2/22/2024 | [Isolate machine API](/microsoft-365/security/defender-endpoint/api/isolate-machine?view=o365-worldwide) | modified | +| 2/22/2024 | [List library files](/microsoft-365/security/defender-endpoint/api/list-library-files?view=o365-worldwide) | modified | +| 2/22/2024 | [List software by recommendation](/microsoft-365/security/defender-endpoint/api/list-recommendation-software?view=o365-worldwide) | modified | +| 2/22/2024 | [Machine resource type](/microsoft-365/security/defender-endpoint/api/machine?view=o365-worldwide) | modified | +| 2/22/2024 | [machineAction resource type](/microsoft-365/security/defender-endpoint/api/machineaction?view=o365-worldwide) | modified | +| 2/22/2024 | [Overview of management and APIs](/microsoft-365/security/defender-endpoint/api/management-apis?view=o365-worldwide) | modified | +| 2/22/2024 | [Submit or Update Indicator API](/microsoft-365/security/defender-endpoint/api/post-ti-indicator?view=o365-worldwide) 
| modified | +| 2/22/2024 | [Stream Microsoft Defender for Endpoint events to your Storage account](/microsoft-365/security/defender-endpoint/api/raw-data-export-storage?view=o365-worldwide) | modified | +| 2/23/2024 | [Upgrade or change to a different Microsoft 365 for business plan](/microsoft-365/commerce/subscriptions/upgrade-to-different-plan?view=o365-worldwide) | modified | +| 2/23/2024 | [Deploy and manage device control in Microsoft Defender for Endpoint with Microsoft Intune](/microsoft-365/security/defender-endpoint/device-control-deploy-manage-intune?view=o365-worldwide) | modified | +| 2/23/2024 | [Use a promo code to reduce price of a new Microsoft 365 for business subscription](/microsoft-365/commerce/use-a-promo-code?view=o365-worldwide) | modified | +| 2/23/2024 | [Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure?view=o365-worldwide) | modified | +++## Week of February 12, 2024 +++| Published On |Topic title | Change | +|||--| +| 2/12/2024 | [Troubleshooting mode in Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-troubleshoot-mode?view=o365-worldwide) | added | +| 2/12/2024 | [Deploy Microsoft Defender for Endpoint on Linux manually](/microsoft-365/security/defender-endpoint/linux-install-manually?view=o365-worldwide) | modified | +| 2/12/2024 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified | +| 2/12/2024 | [How to schedule scans with Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/mac-schedule-scan?view=o365-worldwide) | modified | +| 2/12/2024 | [Tenant roadmap for Microsoft 365](/microsoft-365/enterprise/tenant-roadmap-microsoft-365?view=o365-worldwide) | modified | +| 2/12/2024 | [Microsoft 365 admin center Microsoft 365 Copilot 
usage](/microsoft-365/admin/activity-reports/microsoft-365-copilot-usage?view=o365-worldwide) | modified | +| 2/12/2024 | [What's new in Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-whatsnew?view=o365-worldwide) | modified | +| 2/12/2024 | [Vulnerability support in Microsoft Defender Vulnerability Management](/microsoft-365/security/defender-vulnerability-management/fixed-reported-inaccuracies?view=o365-worldwide) | modified | +| 2/12/2024 | [Run script and code analysis with Security Copilot in Microsoft Defender XDR](/microsoft-365/security/defender/security-copilot-m365d-script-analysis?view=o365-worldwide) | modified | +| 2/12/2024 | [Anti-phishing policies](/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide) | modified | +| 2/12/2024 | [Spoof intelligence insight](/microsoft-365/security/office-365-security/anti-spoofing-spoof-intelligence?view=o365-worldwide) | modified | +| 2/12/2024 | [Email authentication in Microsoft 365](/microsoft-365/security/office-365-security/email-authentication-about?view=o365-worldwide) | modified | +| 2/12/2024 | How Sender Policy Framework (SPF) prevents spoofing | removed | +| 2/12/2024 | [Configure trusted ARC sealers](/microsoft-365/security/office-365-security/email-authentication-arc-configure?view=o365-worldwide) | modified | +| 2/12/2024 | [How to use DKIM for email in your custom domain](/microsoft-365/security/office-365-security/email-authentication-dkim-configure?view=o365-worldwide) | modified | +| 2/12/2024 | Support for validation of Domain Keys Identified Mail (DKIM) signed messages | removed | +| 2/12/2024 | [Use DMARC to validate email, setup steps](/microsoft-365/security/office-365-security/email-authentication-dmarc-configure?view=o365-worldwide) | modified | +| 2/12/2024 | Use DMARC Reports to protect against spoofing and phishing in Microsoft Office 365 | removed | +| 2/12/2024 | [Set up SPF identify valid email sources for 
your Microsoft 365 domain](/microsoft-365/security/office-365-security/email-authentication-spf-configure?view=o365-worldwide) | modified | +| 2/12/2024 | [Get started with Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/mdo-deployment-guide?view=o365-worldwide) | modified | +| 2/12/2024 | [How to enable DMARC Reporting for Microsoft Online Email Routing Address (MOERA) and parked Domains](/microsoft-365/security/office-365-security/step-by-step-guides/how-to-enable-dmarc-reporting-for-microsoft-online-email-routing-address-moera-and-parked-domains?view=o365-worldwide) | modified | +| 2/13/2024 | [Enable attack surface reduction rules](/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide) | modified | +| 2/13/2024 | [Use eBPF-based sensor for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-support-ebpf?view=o365-worldwide) | modified | +| 2/13/2024 | [Enable the limited periodic Microsoft Defender Antivirus scanning feature](/microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/13/2024 | [IdentityLogonEvents table in the advanced hunting schema](/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide) | modified | +| 2/13/2024 | [Set up pay-as-you-go billing for Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-billing) | added | +| 2/13/2024 | Help your clients and customers use virtual appointments scheduled with the Bookings app in Teams | removed | +| 2/13/2024 | [Run the client analyzer on macOS or Linux](/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux?view=o365-worldwide) | modified | +| 2/13/2024 | [Set up Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-setup) | modified | +| 2/14/2024 | [Set preferences for Microsoft Defender for Endpoint on 
Linux](/microsoft-365/security/defender-endpoint/linux-preferences?view=o365-worldwide) | modified | +| 2/14/2024 | [Set up pay-as-you-go billing for Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-billing) | modified | +| 2/14/2024 | [Deploy and manage device control in Microsoft Defender for Endpoint with Group Policy](/microsoft-365/security/defender-endpoint/device-control-deploy-manage-gpo?view=o365-worldwide) | modified | +| 2/14/2024 | [Deploy and manage device control in Microsoft Defender for Endpoint with Microsoft Intune](/microsoft-365/security/defender-endpoint/device-control-deploy-manage-intune?view=o365-worldwide) | modified | +| 2/14/2024 | [Device control in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/device-control-overview?view=o365-worldwide) | modified | +| 2/14/2024 | [Device control policies in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/device-control-policies?view=o365-worldwide) | modified | +| 2/14/2024 | [Device control walkthroughs](/microsoft-365/security/defender-endpoint/device-control-walkthroughs?view=o365-worldwide) | modified | +| 2/15/2024 | Managers - Get your team started with Microsoft 365 for frontline workers | removed | +| 2/15/2024 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified | +| 2/15/2024 | [Unified cloud.microsoft domain for Microsoft 365 apps](/microsoft-365/enterprise/cloud-microsoft-domain?view=o365-worldwide) | added | +| 2/15/2024 | [Engage your frontline employees and focus on wellbeing](/microsoft-365/frontline/flw-wellbeing-engagement?view=o365-worldwide) | modified | +| 2/15/2024 | [Overview of using Microsoft 365 Lighthouse baselines to deploy standard tenant configurations](/microsoft-365/lighthouse/m365-lighthouse-deploy-standard-tenant-configurations-overview?view=o365-worldwide) | modified | +| 2/16/2024 | [Change the 
billing addresses for your Microsoft business subscription](/microsoft-365/commerce/billing-and-payments/change-your-billing-addresses?view=o365-worldwide) | modified | +| 2/16/2024 | [Manage billing notifications and invoice attachment settings in the Microsoft 365 admin center](/microsoft-365/commerce/billing-and-payments/manage-billing-notifications?view=o365-worldwide) | modified | +| 2/16/2024 | [Manage your Microsoft business billing profiles](/microsoft-365/commerce/billing-and-payments/manage-billing-profiles?view=o365-worldwide) | modified | +| 2/16/2024 | [Manage payment methods for Microsoft business accounts](/microsoft-365/commerce/billing-and-payments/manage-payment-methods?view=o365-worldwide) | modified | +| 2/16/2024 | [What's new in Microsoft 365 Lighthouse](/microsoft-365/lighthouse/m365-lighthouse-whats-new?view=o365-worldwide) | modified | +| 2/16/2024 | [Access the Microsoft Defender XDR MSSP customer portal](/microsoft-365/security/defender-endpoint/access-mssp-portal?view=o365-worldwide) | modified | +| 2/16/2024 | [Submit files in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/admin-submissions-mde?view=o365-worldwide) | modified | +| 2/16/2024 | [Alerts queue in Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/alerts-queue-endpoint-detection-response?view=o365-worldwide) | modified | +| 2/16/2024 | [View and organize the Microsoft Defender for Endpoint Alerts queue](/microsoft-365/security/defender-endpoint/alerts-queue?view=o365-worldwide) | modified | +| 2/16/2024 | [Provide feedback on the Microsoft Defender for Endpoint Client Analyzer tool](/microsoft-365/security/defender-endpoint/analyzer-feedback?view=o365-worldwide) | modified | +| 2/16/2024 | [Understand the client analyzer HTML report](/microsoft-365/security/defender-endpoint/analyzer-report?view=o365-worldwide) | modified | +| 2/16/2024 | [Configure Microsoft Defender for Endpoint on Android risk signals using App Protection 
Policies (MAM)](/microsoft-365/security/defender-endpoint/android-configure-mam?view=o365-worldwide) | modified | +| 2/16/2024 | [Configure Microsoft Defender for Endpoint on Android features](/microsoft-365/security/defender-endpoint/android-configure?view=o365-worldwide) | modified | +| 2/16/2024 | [Deploy Microsoft Defender for Endpoint on Android with Microsoft Intune](/microsoft-365/security/defender-endpoint/android-intune?view=o365-worldwide) | modified | +| 2/16/2024 | [Microsoft Defender for Endpoint on Android - Privacy information](/microsoft-365/security/defender-endpoint/android-privacy?view=o365-worldwide) | modified | +| 2/16/2024 | [Troubleshoot issues on Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-support-signin?view=o365-worldwide) | modified | +| 2/16/2024 | [What's new in Microsoft Defender for Endpoint on Android](/microsoft-365/security/defender-endpoint/android-whatsnew?view=o365-worldwide) | modified | +| 2/16/2024 | [How to use Power Automate Connector to set up a Flow for events](/microsoft-365/security/defender-endpoint/api-microsoft-flow?view=o365-worldwide) | modified | +| 2/16/2024 | [Migrating servers from Microsoft Monitoring Agent to the unified solution](/microsoft-365/security/defender-endpoint/application-deployment-via-mecm?view=o365-worldwide) | modified | +| 2/16/2024 | [Assign user access](/microsoft-365/security/defender-endpoint/assign-portal-access?view=o365-worldwide) | modified | +| 2/16/2024 | [Attack surface reduction frequently asked questions (FAQ)](/microsoft-365/security/defender-endpoint/attack-surface-reduction-faq?view=o365-worldwide) | modified | +| 2/16/2024 | [Implement attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-implement?view=o365-worldwide) | modified | +| 2/16/2024 | [Plan attack surface reduction rules 
deployment](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-plan?view=o365-worldwide) | modified | +| 2/16/2024 | [Test attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment-test?view=o365-worldwide) | modified | +| 2/16/2024 | [Microsoft Defender for Endpoint attack surface reduction rules deployment overview](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-deployment?view=o365-worldwide) | modified | +| 2/16/2024 | [Attack surface reduction rules reporting](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-report?view=o365-worldwide) | modified | +| 2/16/2024 | [Use automated investigations to investigate and remediate threats](/microsoft-365/security/defender-endpoint/automated-investigations?view=o365-worldwide) | modified | +| 2/16/2024 | [Integration with Microsoft Defender for Cloud](/microsoft-365/security/defender-endpoint/azure-server-integration?view=o365-worldwide) | modified | +| 2/16/2024 | [Check the device health at Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/check-sensor-status?view=o365-worldwide) | modified | +| 2/16/2024 | [Advanced deployment guidance for Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/comprehensive-guidance-on-linux-deployment?view=o365-worldwide) | modified | +| 2/16/2024 | [Enable Conditional Access to better protect users, devices, and data](/microsoft-365/security/defender-endpoint/conditional-access?view=o365-worldwide) | modified | +| 2/16/2024 | [Manage Microsoft Defender Antivirus in your business](/microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/16/2024 | [Understand and use attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide) | modified | +| 
2/16/2024 | [Enable block at first sight to detect malware in seconds](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/16/2024 | [Configure the Microsoft Defender Antivirus cloud block timeout period](/microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/16/2024 | [Configure Conditional Access in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-conditional-access?view=o365-worldwide) | modified | +| 2/16/2024 | [Optimize ASR rule deployment and detections](/microsoft-365/security/defender-endpoint/configure-machines-asr?view=o365-worldwide) | modified | +| 2/16/2024 | [Increase compliance to the Microsoft Defender for Endpoint security baseline](/microsoft-365/security/defender-endpoint/configure-machines-security-baseline?view=o365-worldwide) | modified | +| 2/16/2024 | [Ensure your devices are configured properly](/microsoft-365/security/defender-endpoint/configure-machines?view=o365-worldwide) | modified | +| 2/16/2024 | [Configure alert notifications that are sent to MSSPs](/microsoft-365/security/defender-endpoint/configure-mssp-notifications?view=o365-worldwide) | modified | +| 2/16/2024 | [Configure managed security service provider support](/microsoft-365/security/defender-endpoint/configure-mssp-support?view=o365-worldwide) | modified | +| 2/16/2024 | [Configure Microsoft Defender Antivirus notifications](/microsoft-365/security/defender-endpoint/configure-notifications-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/16/2024 | [Enable and configure Microsoft Defender Antivirus protection features](/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/16/2024 | [Onboard Windows servers to the Microsoft Defender for Endpoint 
service](/microsoft-365/security/defender-endpoint/configure-server-endpoints?view=o365-worldwide) | modified | +| 2/16/2024 | [Migrate from the MDE SIEM API to the Microsoft Defender XDR alerts API](/microsoft-365/security/defender-endpoint/configure-siem?view=o365-worldwide) | modified | +| 2/16/2024 | [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates?view=o365-worldwide) | modified | +| 2/16/2024 | [Connected applications in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/connected-applications?view=o365-worldwide) | modified | +| 2/16/2024 | [Contact Microsoft Defender for Endpoint support](/microsoft-365/security/defender-endpoint/contact-support?view=o365-worldwide) | modified | +| 2/16/2024 | [Protect important folders from ransomware from encrypting your files with controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders?view=o365-worldwide) | modified | +| 2/16/2024 | [Run and customize scheduled and on-demand scans](/microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/16/2024 | [Data collection for advanced troubleshooting on Windows](/microsoft-365/security/defender-endpoint/data-collection-analyzer?view=o365-worldwide) | modified | +| 2/16/2024 | [Antivirus solution compatibility with Defender for Endpoint](/microsoft-365/security/defender-endpoint/defender-compatibility?view=o365-worldwide) | modified | +| 2/16/2024 | [Microsoft Defender for Endpoint SmartScreen app reputation demonstration](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-app-reputation?view=o365-worldwide) | modified | +| 2/16/2024 | [Microsoft Defender for Endpoint attack surface reduction rules 
demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-attack-surface-reduction-rules?view=o365-worldwide) | modified | +| 2/16/2024 | [Microsoft Defender for Endpoint Cloud-delivered protection demonstration](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-cloud-delivered-protection?view=o365-worldwide) | modified | +| 2/16/2024 | [Microsoft Defender for Endpoint Controlled folder access (CFA) demonstration test tool](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-controlled-folder-access-test-tool?view=o365-worldwide) | modified | +| 2/16/2024 | [Microsoft Defender for Endpoint Controlled folder access (CFA) demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-controlled-folder-access?view=o365-worldwide) | modified | +| 2/16/2024 | [Microsoft Defender for Endpoint Exploit protection (EP) demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-exploit-protection?view=o365-worldwide) | modified | +| 2/16/2024 | [Microsoft Defender for Endpoint Network protection demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-network-protection?view=o365-worldwide) | modified | +| 2/16/2024 | [Microsoft Defender for Endpoint Potentially unwanted applications (PUA) demonstration](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-potentially-unwanted-applications?view=o365-worldwide) | modified | +| 2/16/2024 | [Microsoft Defender for Endpoint SmartScreen URL reputation demonstrations](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-smartscreen-url-reputation?view=o365-worldwide) | modified | +| 2/16/2024 | [Microsoft Defender for Endpoint demonstration scenarios](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstrations?view=o365-worldwide) | modified | +| 2/16/2024 | [Threat protection report in Microsoft Defender for 
Endpoint](/microsoft-365/security/defender-endpoint/threat-protection-reports?view=o365-worldwide) | modified | +| 2/16/2024 | [Microsoft Defender XDR time zone settings](/microsoft-365/security/defender-endpoint/time-settings?view=o365-worldwide) | modified | +| 2/16/2024 | [Report and troubleshoot Microsoft Defender for Endpoint attack surface reduction rules](/microsoft-365/security/defender-endpoint/troubleshoot-asr-rules?view=o365-worldwide) | modified | +| 2/16/2024 | [Troubleshoot problems with attack surface reduction rules](/microsoft-365/security/defender-endpoint/troubleshoot-asr?view=o365-worldwide) | modified | +| 2/16/2024 | [Troubleshoot cloud connectivity issues for Microsoft Defender for Endpoint on macOS](/microsoft-365/security/defender-endpoint/troubleshoot-cloud-connect-mdemac?view=o365-worldwide) | modified | +| 2/16/2024 | [Collect support logs in Microsoft Defender for Endpoint using live response](/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log?view=o365-worldwide) | modified | +| 2/16/2024 | [Troubleshoot exploit protection mitigations](/microsoft-365/security/defender-endpoint/troubleshoot-exploit-protection-mitigations?view=o365-worldwide) | modified | +| 2/16/2024 | [Troubleshoot Microsoft Defender for Endpoint live response issues](/microsoft-365/security/defender-endpoint/troubleshoot-live-response?view=o365-worldwide) | modified | +| 2/16/2024 | [Troubleshoot Microsoft Defender for Endpoint service issues](/microsoft-365/security/defender-endpoint/troubleshoot-mdatp?view=o365-worldwide) | modified | +| 2/16/2024 | [Troubleshoot Microsoft Defender Antivirus while migrating from a non-Microsoft solution](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating?view=o365-worldwide) | modified | +| 2/16/2024 | [Microsoft Defender Antivirus event IDs and error codes](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide) 
| modified | +| 2/16/2024 | [Troubleshoot problems with Network protection](/microsoft-365/security/defender-endpoint/troubleshoot-np?view=o365-worldwide) | modified | +| 2/16/2024 | [Troubleshoot onboarding issues and error messages](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding-error-messages?view=o365-worldwide) | modified | +| 2/16/2024 | [Troubleshoot Microsoft Defender for Endpoint onboarding issues](/microsoft-365/security/defender-endpoint/troubleshoot-onboarding?view=o365-worldwide) | modified | +| 2/16/2024 | [Troubleshoot problems with reporting tools for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/troubleshoot-reporting?view=o365-worldwide) | modified | +| 2/16/2024 | [Troubleshoot SIEM tool integration issues in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/troubleshoot-siem?view=o365-worldwide) | modified | +| 2/16/2024 | [Performance analyzer for Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/tune-performance-defender-antivirus?view=o365-worldwide) | modified | +| 2/16/2024 | [Configure Microsoft Defender Antivirus using Microsoft Intune](/microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/16/2024 | [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/16/2024 | [Configure Microsoft Defender Antivirus with WMI](/microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 2/16/2024 | [View and organize the Incidents queue](/microsoft-365/security/defender-endpoint/view-incidents-queue?view=o365-worldwide) | modified | +| 2/16/2024 | [Monitoring web browsing security in Microsoft Defender for 
Endpoint](/microsoft-365/security/defender-endpoint/web-protection-monitoring?view=o365-worldwide) | modified | +| 2/16/2024 | [Web protection](/microsoft-365/security/defender-endpoint/web-protection-overview?view=o365-worldwide) | modified | +| 2/16/2024 | [Respond to web threats in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/web-protection-response?view=o365-worldwide) | modified | +| 2/16/2024 | [Protect your organization against web threats](/microsoft-365/security/defender-endpoint/web-threat-protection?view=o365-worldwide) | modified | +| 2/16/2024 | [Zero Trust with Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/zero-trust-with-microsoft-defender-endpoint?view=o365-worldwide) | modified | +++## Week of February 05, 2024 +++| Published On |Topic title | Change | +|||--| +| 2/5/2024 | [Use network protection to help prevent connections to bad sites](/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide) | modified | +| 2/5/2024 | [Other endpoints not included in the Microsoft 365 IP Address and URL Web service](/microsoft-365/enterprise/additional-office365-ip-addresses-and-urls?view=o365-worldwide) | modified | +| 2/5/2024 | [Microsoft 365 IP Address and URL web service](/microsoft-365/enterprise/microsoft-365-ip-web-service?view=o365-worldwide) | modified | +| 2/5/2024 | [Microsoft 365 US Government DOD endpoints](/microsoft-365/enterprise/microsoft-365-u-s-government-dod-endpoints?view=o365-worldwide) | modified | +| 2/5/2024 | [Microsoft 365 U.S. 
Government GCC High endpoints](/microsoft-365/enterprise/microsoft-365-u-s-government-gcc-high-endpoints?view=o365-worldwide) | modified | +| 2/5/2024 | [URLs and IP address ranges for Microsoft 365 operated by 21Vianet](/microsoft-365/enterprise/urls-and-ip-address-ranges-21vianet?view=o365-worldwide) | modified | +| 2/5/2024 | [Microsoft 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide) | modified | +| 2/6/2024 | [Manage the join experience for Teams Virtual Appointments on browsers](/microsoft-365/frontline/browser-join?view=o365-worldwide) | modified | +| 2/6/2024 | [Allow cookies for LMS URLs in your browser](/microsoft-365/lti/browser-cookies?view=o365-worldwide) | modified | +| 2/6/2024 | Microsoft Defender for Endpoint Block at First Sight (BAFS) demonstration | removed | +| 2/6/2024 | [What's new in Microsoft Defender for Endpoint on Mac](/microsoft-365/security/defender-endpoint/mac-whatsnew?view=o365-worldwide) | modified | +| 2/6/2024 | [Configure the advanced delivery policy for third-party phishing simulations and email delivery to SecOps mailboxes](/microsoft-365/security/office-365-security/advanced-delivery-policy-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [Configure anti-malware policies](/microsoft-365/security/office-365-security/anti-malware-policies-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [Configure anti-phishing policies in EOP](/microsoft-365/security/office-365-security/anti-phishing-policies-eop-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [Configure anti-phishing policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/anti-phishing-policies-mdo-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [Configure spam filter policies](/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [Microsoft Defender for Office 365 permissions in 
the Microsoft Defender portal](/microsoft-365/security/office-365-security/mdo-portal-permissions?view=o365-worldwide) | modified | +| 2/6/2024 | [Configure outbound spam policies](/microsoft-365/security/office-365-security/outbound-spam-policies-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [Preset security policies](/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide) | modified | +| 2/6/2024 | [Quarantine policies](/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide) | modified | +| 2/6/2024 | [Set up Safe Attachments policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-attachments-policies-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [Set up Safe Links policies in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [Use Microsoft Defender for Office 365 in SharePoint Online](/microsoft-365/security/office-365-security/step-by-step-guides/utilize-microsoft-defender-for-office-365-in-sharepoint-online?view=o365-worldwide) | modified | +| 2/6/2024 | [Allow or block email using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-email-spoof-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [Allow or block files using the Tenant Allow/Block List](/microsoft-365/security/office-365-security/tenant-allow-block-list-files-configure?view=o365-worldwide) | modified | +| 2/6/2024 | [User tags in Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/user-tags-about?view=o365-worldwide) | modified | +| 2/6/2024 | [Pricing model for Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-pricing) | modified | +| 2/6/2024 | [Set up Microsoft 365 Backup (Preview)](/microsoft-365/syntex/backup/backup-setup) | modified | +| 2/7/2024 | [Detect and 
Remediate Illicit Consent Grants](/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide) | modified | +| 2/7/2024 | [Get started with Microsoft Defender for Office 365](/microsoft-365/security/office-365-security/mdo-deployment-guide?view=o365-worldwide) | modified | +| 2/7/2024 | [Microsoft Defender for Office 365 permissions in the Microsoft Defender portal](/microsoft-365/security/office-365-security/mdo-portal-permissions?view=o365-worldwide) | modified | +| 2/7/2024 | [Continuous access evaluation for Microsoft 365 - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide) | modified | +| 2/7/2024 | [Common Zero Trust identity and device access policies - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-common?view=o365-worldwide) | modified | +| 2/7/2024 | [Zero Trust identity and device access configurations - Microsoft 365 for enterprise](/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-overview?view=o365-worldwide) | modified | +| 2/7/2024 | [Prerequisite work for implementing Zero Trust identity and device access policies](/microsoft-365/security/office-365-security/zero-trust-identity-device-access-policies-prereq?view=o365-worldwide) | modified | +| 2/7/2024 | [How to configure Exchange Server on-premises to use Hybrid Modern Authentication](/microsoft-365/enterprise/configure-exchange-server-for-hybrid-modern-authentication?view=o365-worldwide) | modified | +| 2/7/2024 | [Data Residency for Exchange Online](/microsoft-365/enterprise/m365-dr-workload-exo?view=o365-worldwide) | modified | +| 2/7/2024 | [View Microsoft 365 user accounts with PowerShell](/microsoft-365/enterprise/view-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified | +| 2/7/2024 | [Frontline team 
collaboration](/microsoft-365/frontline/flw-team-collaboration?view=o365-worldwide) | modified | +| 2/7/2024 | [Microsoft 365 for Financial Services](/microsoft-365/frontline/teams-for-financial-services?view=o365-worldwide) | modified | +| 2/7/2024 | [Microsoft 365 for Manufacturing](/microsoft-365/frontline/teams-for-manufacturing?view=o365-worldwide) | modified | +| 2/7/2024 | [Microsoft 365 for retail organizations](/microsoft-365/frontline/teams-for-retail-landing-page?view=o365-worldwide) | modified | +| 2/7/2024 | [Microsoft Defender for Endpoint demonstration scenarios](/microsoft-365/security/defender-endpoint/defender-endpoint-demonstrations?view=o365-worldwide) | modified | +| 2/7/2024 | [Configure apps using Microsoft Intune](/microsoft-365/solutions/apps-config-overview?view=o365-worldwide) | modified | +| 2/7/2024 | [Step 1. Configure the Company Portal](/microsoft-365/solutions/apps-config-step-1?view=o365-worldwide) | modified | +| 2/7/2024 | [Step 3. Configure Microsoft 365](/microsoft-365/solutions/apps-config-step-3?view=o365-worldwide) | modified | +| 2/7/2024 | [Step 4. Configure Microsoft Edge](/microsoft-365/solutions/apps-config-step-4?view=o365-worldwide) | modified | +| 2/7/2024 | [Step 5. Configure Microsoft Teams](/microsoft-365/solutions/apps-config-step-5?view=o365-worldwide) | modified | +| 2/7/2024 | [Step 6. 
Configure other apps](/microsoft-365/solutions/apps-config-step-6?view=o365-worldwide) | modified | +| 2/7/2024 | [Feature update validation](/microsoft-365/test-base/feature?view=o365-worldwide) | modified | +| 2/8/2024 | Industry collaboration programs | removed | +| 2/8/2024 | [Manage submissions](/microsoft-365/security/office-365-security/submissions-admin?view=o365-worldwide) | modified | +| 2/8/2024 | [Troubleshoot a signature request for SharePoint eSignature](/microsoft-365/syntex/esignature-troubleshoot) | modified | +| 2/8/2024 | [Remove Microsoft 365 licenses from user accounts with PowerShell](/microsoft-365/enterprise/remove-licenses-from-user-accounts-with-microsoft-365-powershell?view=o365-worldwide) | modified | +| 2/9/2024 | [Manage Office Scripts settings](/microsoft-365/admin/manage/manage-office-scripts-settings?view=o365-worldwide) | modified | +| 2/9/2024 | [Review detected threats using the Microsoft Defender for Endpoint Antivirus and Intune integration](/microsoft-365/security/defender-endpoint/review-detected-threats?view=o365-worldwide) | added | +| 2/9/2024 | Manage self-service purchases and organizational trials for Microsoft Project | removed | +| 2/9/2024 | [Resources for Microsoft Defender for Endpoint for mobile devices](/microsoft-365/security/defender-endpoint/mobile-resources-defender-endpoint?view=o365-worldwide) | modified | +| 2/9/2024 | [Run the client analyzer on macOS or Linux](/microsoft-365/security/defender-endpoint/run-analyzer-macos-linux?view=o365-worldwide) | modified | +++## Week of January 29, 2024 +++| Published On |Topic title | Change | +|||--| +| 1/29/2024 | [GDPR simplified: A guide for your small business](/microsoft-365/admin/security-and-compliance/gdpr-compliance?view=o365-worldwide) | modified | +| 1/29/2024 | [Accept an email invitation to a Microsoft 365 for business subscription organization using an Outlook, Yahoo, Gmail or other account 
(User)](/microsoft-365/admin/simplified-signup/user-invite-msa-nodomain-join?view=o365-worldwide) | modified | +| 1/29/2024 | [SharePoint Cross-tenant SharePoint migration Step 5 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step5?view=o365-worldwide) | modified | +| 1/29/2024 | [SharePoint site Cross-tenant SharePoint migration Step 6 (preview)](/microsoft-365/enterprise/cross-tenant-sharepoint-migration-step6?view=o365-worldwide) | modified | +| 1/29/2024 | [Mailbox utilization service alerts](/microsoft-365/enterprise/microsoft-365-mailbox-utilization-service-alerts?view=o365-worldwide) | modified | +| 1/29/2024 | [Microsoft Azure Architectures for SharePoint 2013](/microsoft-365/enterprise/microsoft-azure-architectures-for-sharepoint-2013?view=o365-worldwide) | modified | +| 1/29/2024 | [Deploy Microsoft Defender for Endpoint on Linux with SaltStack](/microsoft-365/security/defender-endpoint/linux-install-with-saltack?view=o365-worldwide) | modified | +| 1/29/2024 | [Collect support logs in Microsoft Defender for Endpoint using live response](/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log?view=o365-worldwide) | modified | +| 1/29/2024 | [Microsoft Defender Antivirus event IDs and error codes](/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide) | modified | +| 1/29/2024 | [Step 2. 
Configure Microsoft Outlook](/microsoft-365/solutions/apps-config-step-2?view=o365-worldwide) | modified | +| 1/29/2024 | [Key Compliance and Security Considerations for the Energy Industry](/microsoft-365/solutions/energy-secure-collaboration?view=o365-worldwide) | modified | +| 1/29/2024 | [To identity and beyondΓÇöOne architect's viewpoint](/microsoft-365/solutions/identity-design-principles?view=o365-worldwide) | modified | +| 1/29/2024 | [Communicating with Microsoft Defender Experts](/microsoft-365/security/defender/communicate-defender-experts-xdr?view=o365-worldwide) | added | +| 1/29/2024 | [How to use the Microsoft Defender Experts for XDR service](/microsoft-365/security/defender/start-using-mdex-xdr?view=o365-worldwide) | modified | +| 1/29/2024 | [How to schedule an update of the Microsoft Defender for Endpoint (Linux)](/microsoft-365/security/defender-endpoint/linux-update-mde-linux?view=o365-worldwide) | modified | +| 1/29/2024 | [What's new in Microsoft Defender for Endpoint on Linux](/microsoft-365/security/defender-endpoint/linux-whatsnew?view=o365-worldwide) | modified | +| 1/30/2024 | [Protect macOS security settings with tamper protection](/microsoft-365/security/defender-endpoint/tamperprotection-macos?view=o365-worldwide) | modified | +| 1/30/2024 | [Get started with Microsoft Defender Experts for XDR](/microsoft-365/security/defender/get-started-xdr?view=o365-worldwide) | modified | +| 1/30/2024 | [View Microsoft 365 account license and service details with PowerShell](/microsoft-365/enterprise/view-account-license-and-service-details-with-microsoft-365-powershell?view=o365-worldwide) | modified | +| 1/30/2024 | [Microsoft 365 OneDrive usage reports](/microsoft-365/admin/activity-reports/onedrive-for-business-usage-ww?view=o365-worldwide) | modified | +| 1/30/2024 | [Microsoft 365 network provider assessments.](/microsoft-365/enterprise/office-365-network-mac-perf-nppdata?view=o365-worldwide) | modified | +| 1/30/2024 | [Network provider 
connectivity attribution in the Microsoft 365 Admin Center](/microsoft-365/enterprise/office-365-network-mac-perf-nppux?view=o365-worldwide) | modified | +| 1/30/2024 | [Network connectivity in the Microsoft 365 Admin Center](/microsoft-365/enterprise/office-365-network-mac-perf-overview?view=o365-worldwide) | modified | +| 1/30/2024 | [Configuration analyzer for security policies](/microsoft-365/security/office-365-security/configuration-analyzer-for-security-policies?view=o365-worldwide) | modified | +| 1/31/2024 | [Network provider details in the Microsoft 365 Admin Center (PREVIEW)](/microsoft-365/enterprise/office-365-network-mac-perf-nppdetails?view=o365-worldwide) | added | +| 1/31/2024 | [Security advisories](/microsoft-365/security/defender-vulnerability-management/tvm-weaknesses-security-advisories?view=o365-worldwide) | added | +| 1/31/2024 | [Vulnerability methods and properties](/microsoft-365/security/defender-endpoint/api/vulnerability?view=o365-worldwide) | modified | +| 1/31/2024 | [Use basic permissions to access the portal](/microsoft-365/security/defender-endpoint/basic-permissions?view=o365-worldwide) | modified | +| 1/31/2024 | [Vulnerabilities in my organization](/microsoft-365/security/defender-vulnerability-management/tvm-weaknesses?view=o365-worldwide) | modified | +| 1/31/2024 | [Automatic attack disruption in Microsoft Defender XDR](/microsoft-365/security/defender/automatic-attack-disruption?view=o365-worldwide) | modified | +| 1/31/2024 | [Microsoft 365 for frontline workers - scenario posters](/microsoft-365/frontline/flw-scenario-posters?view=o365-worldwide) | modified | +| 1/31/2024 | [Threat protection report in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/threat-protection-reports?view=o365-worldwide) | modified | +| 2/1/2024 | [Deploy and manage device control in Microsoft Defender for Endpoint with Group 
Policy](/microsoft-365/security/defender-endpoint/device-control-deploy-manage-gpo?view=o365-worldwide) | added | +| 2/1/2024 | [Deploy and manage device control in Microsoft Defender for Endpoint with Microsoft Intune](/microsoft-365/security/defender-endpoint/device-control-deploy-manage-intune?view=o365-worldwide) | added | +| 2/1/2024 | [Microsoft Defender for Endpoint Device Control frequently asked questions](/microsoft-365/security/defender-endpoint/device-control-faq?view=o365-worldwide) | renamed | +| 2/1/2024 | [Device control in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/device-control-overview?view=o365-worldwide) | added | +| 2/1/2024 | [Device control policies in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/device-control-policies?view=o365-worldwide) | added | +| 2/1/2024 | [Device control walkthroughs](/microsoft-365/security/defender-endpoint/device-control-walkthroughs?view=o365-worldwide) | added | +| 2/1/2024 | Deploy and manage using group policy | removed | +| 2/1/2024 | Deploy and manage printer protection using Intune | removed | +| 2/1/2024 | Deploy and manage Removable Storage Access Control using group policy | removed | +| 2/1/2024 | Deploy and manage Removable Storage Access Control using Intune | removed | +| 2/1/2024 | Microsoft Defender for Endpoint Device Control Removable Storage Access Control, removable storage media | removed | +| 2/1/2024 | Microsoft Defender for Endpoint Device Control Removable Storage Protection | removed | +| 2/1/2024 | [View device control events and information in Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/device-control-report?view=o365-worldwide) | modified | +| 2/1/2024 | Microsoft Defender for Endpoint Device Control Device Installation | removed | +| 2/1/2024 | Printer Protection frequently asked questions | removed | +| 2/1/2024 | Printer Protection Overview | removed | +| 2/1/2024 | Microsoft Defender for 
Endpoint Device Control Printer Protection | removed | +| 2/1/2024 | [How Microsoft identifies malware and potentially unwanted applications](/microsoft-365/security/intelligence/criteria?view=o365-worldwide) | modified | +| 2/2/2024 | [Synchronize users in multitenant organizations in Microsoft 365 (Preview)](/microsoft-365/enterprise/sync-users-multi-tenant-orgs?view=o365-worldwide) | modified | +| 2/2/2024 | [View licensed and unlicensed Microsoft 365 users with PowerShell](/microsoft-365/enterprise/view-licensed-and-unlicensed-users-with-microsoft-365-powershell?view=o365-worldwide) | modified | +| 2/2/2024 | [View Microsoft 365 licenses and services with PowerShell](/microsoft-365/enterprise/view-licenses-and-services-with-microsoft-365-powershell?view=o365-worldwide) | modified | +| 2/2/2024 | [Attack surface reduction rules reference](/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide) | modified | +| 2/2/2024 | [Microsoft Defender XDR # < 60 chars](/microsoft-365/security/defender/index?view=o365-worldwide) | modified | |
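Review bot: the entry title `Microsoft Defender XDR # < 60 chars` in the 2/2/2024 row of the Week of January 29 table is an authoring-template placeholder that leaked into the generated changelog; fix the title metadata of the linked article (`/microsoft-365/security/defender/index`) so the entry shows the real page title rather than the template hint.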
lighthouse | M365 Lighthouse Tenants Page Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-tenants-page-overview.md | The Tenants page also includes the following options: - **Export:** Select to export tenant data to an Excel comma-separated values (.csv) file. - **Manage Tags:** Select to add, edit, or delete a tag. - **Assign Tags:** Select to assign a tag to a tenant.+- **Assign baseline:** Select to assign a baseline to a tenant. - **Search:** Enter keywords to quickly locate a specific tenant in the list. :::image type="content" source="../media/m365-lighthouse-tenants-page-overview/tenant-page-overview.png" alt-text="Screenshot of the Tenants page." lightbox="../media/m365-lighthouse-tenants-page-overview/tenant-page-overview.png"::: The Tenants page also includes the following options: The tenant list provides insights into the different customer tenants that you have a contract with, including their Lighthouse management status. The tenant list also lets you tag tenants to provide different filters throughout Lighthouse, manage services for tenants in the applicable admin center, and drill down to learn more about a given tenant and the status of its deployment plan. -After your customer tenants meet the [Lighthouse onboarding requirements](m365-lighthouse-requirements.md), their status will show as **Active** in the tenant list. +After your customer tenants meet the [Lighthouse onboarding requirements](m365-lighthouse-requirements.md), their Lighthouse management status will show as **Managed** in the tenant list. The tenant list lets you: - Access applicable admin centers to manage services for your customer tenants.-- Automatically sort tenants by active, inactive, and ineligible.+- Automatically sort tenants by Managed, Limited, Removed by partner, or Removed by customer. - Export the tenant list. - Assign and manage tags.+- Assign a baseline. 
- Search for tenants by name.-- Filter tenants by status, delegated admin privilege (DAP), and tags.+- Filter tenants by Lighthouse management status, Delegated access, or Tags. -To inactivate a tenant, manage tenant services, or view and manage tags, select the three dots (more actions) next to the tenant name. You can view individual tenants by either selecting the tenant name or by selecting one of the tags assigned to the tenant. +To remove a tenant, manage tenant services, or view and manage tags, select the three dots (more actions) next to the tenant name. You can view individual tenants by either selecting the tenant name or by selecting one of the tags assigned to the tenant. > [!TIP] > You can also use the Tenants filter at the top of any page in Lighthouse to select a tenant and then access applicable admin centers to manage services for that tenant. The following table shows the different statuses and their meaning. For informat | Status | Description | ||--|-| Active | This customer tenant can be actively managed and monitored in Lighthouse for users and devices with required licenses. | -| Inactive | Your organization has excluded this customer tenant from Lighthouse management. | -| Limited | This customer tenant has access to only a limited set of experiences in Lighthouse, including GDAP setup and management, user search, user details, tenant tagging, and service health. <br> Select the tenant name to see a detailed status of Lighthouse management requirements. For more information, see [Requirements for Microsoft 365 Lighthouse](m365-lighthouse-requirements.md).| -| In process | An error occurred during the onboarding process for this customer tenant and we're working on a fix. If this error persists for more than 24 hours, please contact Support. | +| Managed | This customer tenant can be actively managed and monitored in Lighthouse for users and devices with required licenses. 
| +| Limited | This customer tenant has access to only a limited set of experiences in Lighthouse, including GDAP setup and management, user search, user details, tenant tagging, and service health. <br>Select the tenant name to see a detailed status of Lighthouse management requirements. For more information, see [Requirements for Microsoft 365 Lighthouse](m365-lighthouse-requirements.md).| +| Removed by partner | Your organization has excluded this customer tenant from Lighthouse management. To reactivate the tenant for management by Lighthouse, go to the **Tenants** page, select the three dots (more actions) next to the tenant, and then select **Manage tenant**. | +| Removed by customer | The customer chose to disallow the use of Microsoft 365 Lighthouse to manage their tenant. To allow the use of Microsoft 365 Lighthouse to manage their tenant, an admin in the customer tenant needs to go to **Org settings** in the Microsoft 365 admin center, select **Microsoft 365 Lighthouse** on the **Services** tab, and then select the option to allow the use of Microsoft 365 Lighthouse customer management experiences in their tenant. | +| Error | An error occurred during the onboarding process for this customer tenant and we're working on a fix. If this error persists for more than 24 hours, please contact Support. | > [!NOTE]-> Once you inactivate a customer tenant, you can't take action on the tenant until the inactivation process completes. It may take up to 48 hours for inactivation to complete. If you decide to reactivate a customer tenant, it may take up to 48 hours for data to reappear. +> Once you remove a customer tenant, you can't take action on the tenant until the removal process completes. It may take up to 48 hours for this process to complete. If you decide to manage the customer tenant again, it may take up to 48 hours for data to reappear. 
## Tenant tags The Tenant overview section provides information about the customer tenant from | Tenant information | Description| |--|| | Tenant Domain |The organization's domain.|-| Tenant ID|The organizations's tenant ID.| -| Lighthouse management | The management status of the customer tenant in Lighthouse (Active, Limited, or Inactive) | +| Tenant ID|The organization's tenant ID.| +| Lighthouse management | The management status of the customer tenant in Lighthouse (Managed, Limited, Removed by partner, or Removed by customer) | +| Delegated access | The type of admin privileges the customer has granted your organization: DAP, GDAP, or None. | | Your permissions | The roles assigned to you in the tenant. Roles determine which tasks you can complete for customers, and what data you can view.| | Total users |The number of users assigned in the tenant. You may select this number to open the Users page for that tenant.| | Total devices|The number of devices enrolled in the tenant. You may select this number to open the Devices page for that tenant.| -#### Customer overview +#### Scores section ++The Scores section shows you the customer tenant's Secure Score, Exposure Score, and adoption insights at a glance. Select any of the links in this section to view detailed information about the scores and insights. ++To learn more, see [Microsoft Secure Score](../security/defender/microsoft-secure-score.md), [Exposure score in Defender Vulnerability Management](../security/defender-vulnerability-management/tvm-exposure-score.md), and [Microsoft Adoption Score](../admin/adoption/adoption-score.md). 
++#### Customer overview section The Customer overview section provides the following information for key contacts within the tenants you manage: The Customer overview section provides the following information for key contact - Customer domain - Company website -#### Customer contacts +#### Customer contacts section The Customer contacts section provides the following information for key contacts within the tenants you manage: The **Notes** column shows information for the tenant, such as engagement prefer To edit details, add notes, or delete an existing contact, select the contact name from the list. In the **Edit contact** pane, edit or delete the contact. To add another contact, select **+Add contact**. -#### Deployment and User progress section +#### Deployment progress and User progress sections -These sections provide a graphical view of the progress for deployment and user progress. +These sections provide a graphical view of the deployment and user progress. #### Microsoft 365 services usage section The Deployment progress by user tab also includes the following options: - **Refresh:** Select to retrieve the most current deployment step data. - **Search:** Enter keywords to quickly locate a specific deployment step in the list. -### Secure score tab +### Scores tab ++This tab provides Microsoft Secure Score information and adoption insights. Microsoft Secure Score is a measurement of an organization's security posture. The higher the score, the better protected the organization is from threats. Microsoft provides recommendations for how to increase an organization's secure score, which will improve its security posture. To learn more, see [Microsoft Secure Score](../security/defender/microsoft-secure-score.md). -This tab provides Microsoft Security Score information, a measurement of an organization's security posture. The higher the score, the better protected the organization is from threats. 
Microsoft provides recommendations for how to increase an organization's secure score, which will improve its security posture. To learn more, see [Microsoft Secure Score](../security/defender/microsoft-secure-score.md). +Adoption insights are a subset of the Microsoft Adoption Score. Adoption insights tell you how the organization uses Microsoft products and features so you can help them improve their productivity and use the products more efficiently. To learn more, see [Microsoft Adoption Score](../admin/adoption/adoption-score.md). ## Related content |
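Review bot: the new **Lighthouse management** description in the Tenant overview table lists only `Managed, Limited, Removed by partner, or Removed by customer`, but the status table added in the same change also defines an **Error** status; either add Error to that list or phrase the field as showing one of the statuses described above, so the two tables in this article do not disagree.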
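Review bot: the added **Scores tab** paragraph covers only Secure Score and adoption insights, while the new **Scores section** paragraph says the section shows Secure Score, Exposure Score, and adoption insights; if the tab also surfaces Exposure Score, add a sentence for it with the same `../security/defender-vulnerability-management/tvm-exposure-score.md` link, otherwise state why the section and the tab differ.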
lighthouse | M365 Lighthouse Troubleshoot | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/lighthouse/m365-lighthouse-troubleshoot.md | This article describes error messages and problems that you might encounter whil ## Customer tenant onboarding -### Customer tenants show a status other than "Active" in the tenant list +### Customer tenants show a status other than "Managed" in the tenant list **Cause:** Your customer tenants don't meet the following criteria: Either granular delegated admin privileges (GDAP) plus an indirect reseller rela | Status | Description | Resolution | |--|--|--|-| Inactive | Your organization has excluded this customer tenant from Lighthouse management. | You need to reactivate the tenant. On the **Tenants** page, select the three dots (more actions) next to the tenant that you want to reactivate, and then select **Activate tenant**. It can take 24–48 hours for initial customer data to appear in Lighthouse. | | Limited | This customer tenant has access to only a limited set of experiences in Lighthouse, including GDAP setup and management, user search, user details, tenant tagging, and service health. | Select the tenant name to see a detailed status of Lighthouse management requirements. For more information, see [Requirements for Microsoft 365 Lighthouse](m365-lighthouse-requirements.md). |-| In process | An error occurred during the onboarding process for this customer tenant and we're working on a fix. | If this error persists for more than 48 hours, please contact Support. | +| Removed by partner | Your organization has excluded this customer tenant from Lighthouse management. | You need to reactivate the tenant for management by Lighthouse. On the **Tenants** page, select the three dots (more actions) next to the tenant that you want to manage, and then select **Manage tenant**. It can take 24–48 hours for initial customer data to appear in Lighthouse. 
| +| Removed by customer | The customer chose to disallow the use of Microsoft 365 Lighthouse to manage their tenant. | An admin in the customer tenant needs to go to **Org settings** in the Microsoft 365 admin center, select **Microsoft 365 Lighthouse** on the **Services** tab, and then select the option to allow the use of Microsoft 365 Lighthouse customer management experiences in their tenant. | +| Error | An error occurred during the onboarding process for this customer tenant and we're working on a fix. | If this error persists for more than 48 hours, please contact Support. | -If you confirmed that your customer tenant meets the onboarding criteria and they're still not showing as **Active** in Lighthouse, contact Support. For more information, see [Get help and support for Microsoft 365 Lighthouse](m365-lighthouse-get-help-and-support.md). +If you confirmed that your customer tenant meets the onboarding criteria and they're still not showing as **Managed** in Lighthouse, contact Support. For more information, see [Get help and support for Microsoft 365 Lighthouse](m365-lighthouse-get-help-and-support.md). ## Access and permissions |
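Review bot: the **Error** row's resolution tells readers to contact Support if the error persists for more than 48 hours, while the same **Error** status in the Tenants page overview article (`m365-lighthouse-tenants-page-overview.md`, changed in the same batch) says 24 hours; pick one threshold and use it in both articles so the troubleshooting guidance matches the status table users see first.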
security | Android Configure Mam | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-configure-mam.md | End users also need to take steps to install Microsoft Defender for Endpoint on c. If the connection isn't turned on, select the toggle to turn it on and then select **Save Preferences**. - :::image type="content" source="images/enable-intune-connection.png" alt-text="The Advanced features section in the Microsoft Defender portal." lightbox="images/enable-intune-connection.png"::: + :::image type="content" source="media/enable-intune-connection.png" alt-text="The Advanced features section in the Microsoft Defender portal." lightbox="media/enable-intune-connection.png"::: d. Go to the **Microsoft Intune admin center** and Validate whether Microsoft Defender for Endpoint-Intune connector is enabled. End users also need to take steps to install Microsoft Defender for Endpoint on App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app. - :::image type="content" source="images/create-policy.png" alt-text="The Create policy tab in the App protection policies page in the Microsoft Defender portal." lightbox="images/create-policy.png"::: + :::image type="content" source="media/create-policy.png" alt-text="The Create policy tab in the App protection policies page in the Microsoft Defender portal." lightbox="media/create-policy.png"::: 2. Add apps. End users also need to take steps to install Microsoft Defender for Endpoint on Select **Setting > Max allowed device threat level** in **Device Conditions** and enter a value. Then select **Action: "Block Access"**. Microsoft Defender for Endpoint on Android shares this Device Threat Level. 
- :::image type="content" source="images/conditional-launch.png" alt-text="The Device conditions pane in the Microsoft Defender portal" lightbox="images/conditional-launch.png"::: + :::image type="content" source="media/conditional-launch.png" alt-text="The Device conditions pane in the Microsoft Defender portal" lightbox="media/conditional-launch.png"::: - **Assign user groups for whom the policy needs to be applied.** End users also need to take steps to install Microsoft Defender for Endpoint on 4. Install the Microsoft Defender for Endpoint (Mobile) app and launch back Managed app onboarding screen. - :::image type="content" source="images/download-mde.png" alt-text="The illustrative pages that contain the procedure of downloading MDE and launching back the app-onboarding screen." lightbox="images/download-mde.png"::: + :::image type="content" source="medie.png"::: 5. Click **Continue > Launch**. The Microsoft Defender for Endpoint app onboarding/activation flow is initiated. Follow the steps to complete onboarding. You'll automatically be redirected back to Managed app onboarding screen, which now indicates that the device is healthy. |
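Review bot: the replacement for the `download-mde.png` reference in step 4 is malformed: `+ :::image type="content" source="medie.png":::` truncates the source path and drops the `alt-text` and `lightbox` attributes that the removed line carried, so the image will not render and the page loses its accessibility text. It should follow the pattern used by the other three renamed references in this hunk, for example `:::image type="content" source="media/download-mde.png" alt-text="The illustrative pages that contain the procedure of downloading MDE and launching back the app-onboarding screen." lightbox="media/download-mde.png":::`.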
security | Android Intune | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/android-intune.md | Follow the steps below to add Microsoft Defender for Endpoint app into your mana 1. Go to the **Configuration settings** section and choose **'Use configuration designer'** in Configuration settings format. - :::image type="content" alt-text="Image of android create app configuration policy." source="images/configurationformat.png" lightbox="images/configurationformat.png"::: + :::image type="content" alt-text="Image of android create app configuration policy." source="media/configurationformat.png" lightbox="media/configurationformat.png"::: 1. Click on **Add** to view a list of supported configurations. Select the required configuration and click on **Ok**. Follow the steps below to add Microsoft Defender for Endpoint app into your mana 11. Assign the app as a *Required* app to a user group. It is automatically installed in the *work profile* during the next sync of the device via Company Portal app. This assignment can be done by navigating to the *Required* section \> **Add group,** selecting the user group and click **Select**. > [!div class="mx-imgBorder"]- > :::image type="content" source="images/ea06643280075f16265a596fb9a96042.png" alt-text="The Edit application page" lightbox="images/ea06643280075f16265a596fb9a96042.png"::: + > :::image type="content" source="media/ea06643280075f16265a596fb9a96042.png" alt-text="The Edit application page" lightbox="media/ea06643280075f16265a596fb9a96042.png"::: 12. In the **Edit Application** page, review all the information that was entered above. Then select **Review + Save** and then **Save** again to commence assignment. |
security | Raw Data Export Event Hub | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/raw-data-export-event-hub.md | Last updated 10/24/2023 In order to get your **Event Hubs resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > properties tab \> copy the text under **Resource ID**: - :::image type="content" source="../images/event-hub-resource-id.png" alt-text="The Event Hubs resource Id-1" lightbox="../images/event-hub-resource-id.png"::: + :::image type="content" source="../media/event-hub-resource-id.png" alt-text="The Event Hubs resource Id-1" lightbox="../media/event-hub-resource-id.png"::: 7. Choose the events you want to stream and click **Save**. |
security | Raw Data Export Storage | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/api/raw-data-export-storage.md | In order to get the data types for our events properties do the following: - Here's an example for Device Info event: - :::image type="content" source="../images/data-types-mapping-query.png" alt-text="The Event Hubs with resource ID3" lightbox="../images/data-types-mapping-query.png"::: + :::image type="content" source="../media/data-types-mapping-query.png" alt-text="The Event Hubs with resource ID3" lightbox="../media/data-types-mapping-query.png"::: ## Related articles |
security | Application Deployment Via Mecm | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/application-deployment-via-mecm.md | Copy the unified solution package, onboarding script and migration script to the :::image type="content" source="images/manual-deployment-information.png" alt-text="Screenshot specifying the script deployment information."::: 7. On this step, copy the UNC path that your content is located. Example: `\\ServerName\h$\SOFTWARE_SOURCE\path`. - :::image type="content" source="images/deployment-type-wizard.png" alt-text="Screenshot that shows UNC path copy."::: + :::image type="content" source="media/deployment-type-wizard.png" alt-text="Screenshot that shows UNC path copy."::: 8. Additionally, set the following as the installation program: Copy the unified solution package, onboarding script and migration script to the Check the option: **This registry setting must exit on the target system to indicate presence of this application.** - :::image type="content" source="images/detection-wizard.png" alt-text="Screenshot that shows detection type wizard"::: + :::image type="content" source="media/detection-wizard.png" alt-text="Screenshot that shows detection type wizard"::: > [!TIP] > The registry key value was obtained by running the Powershell command shown below on a device that has the unified solution installed. Other creative methods of detection can also be used. The goal is to identify whether the unified solution has already been installed on a specific device. You can leave the Value and Data Type fields as blank. Copy the unified solution package, onboarding script and migration script to the 15. Keep select **Next** until the completion of Application Wizard. Verify all have been green checked. 16. Close the wizard, right-click on the recently created application and deploy it to your down-level-server collection. Locally, the installation can be confirmed at Software Center. 
For details, check the CM logs at `C:\Windows\CCM\Logs\AppEnforce.log`. - :::image type="content" source="images/deploy-application.png" alt-text="Screenshot that shows deployment of created application." lightbox="images/deploy-application.png"::: + :::image type="content" source="media/deploy-application.png" alt-text="Screenshot that shows deployment of created application." lightbox="media/deploy-application.png"::: 17. Verify the status of the migration at MECM > Monitoring > Deployments. - :::image type="content" source="images/deployment-status.png" alt-text="Screenshot that shows deployment status check." lightbox="images/deployment-status.png"::: + :::image type="content" source="media/deployment-status.png" alt-text="Screenshot that shows deployment status check." lightbox="media/deployment-status.png"::: 18. Troubleshooting .ETL files will be created and automatically saved locally in each server at this location `C:\Windows\ccmcache\#\`. These files can be leveraged by support to troubleshoot onboarding issues. |
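Review bot: the `images/` to `media/` rename is applied to `deployment-type-wizard.png`, `detection-wizard.png`, `deploy-application.png` and `deployment-status.png`, but the unchanged context line `:::image type="content" source="images/manual-deployment-information.png" alt-text="Screenshot specifying the script deployment information.":::` in the same procedure still points at `images/`. If the folder was moved, that reference breaks; either include it in this change or confirm that file was intentionally left in `images/`.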
security | Cloud Protection Microsoft Antivirus Sample Submission | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission.md | To understand how cloud protection works together with sample submission, it can The following image depicts the flow of cloud protection and sample submission with Microsoft Defender Antivirus: Microsoft Defender Antivirus and cloud protection automatically block most new, never-before-seen threats at first sight by using the following methods: For information about configuration options using Intune, Configuration Manager, ## Examples of metadata sent to the cloud protection service The following table lists examples of metadata sent for analysis by cloud protection: |
security | Comprehensive Guidance On Linux Deployment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/comprehensive-guidance-on-linux-deployment.md | Use the following syntaxes to help identify the process that is causing CPU over sudo ps -T -p <PID> >> Thread_with_highest_cpu_usage.log ``` - :::image type="content" source="images/cpu-utilization.png" alt-text="This is CPU utilization"::: + :::image type="content" source="media/cpu-utilization.png" alt-text="This is CPU utilization"::: The following table lists the processes that might cause a high CPU usage: |
security | Configure Endpoints Gp | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-gp.md | Create a new Group Policy or group these settings in with the other policies. Th :::image type="content" source="images/removal-items-quarantine1.png" alt-text="Removal items quarantine folder" lightbox="images/removal-items-quarantine1.png"::: - :::image type="content" source="images/config-removal-items-quarantine2.png" alt-text="config-removal quarantine" lightbox="images/config-removal-items-quarantine2.png"::: + :::image type="content" source="media/config-removal-items-quarantine2.png" alt-text="config-removal quarantine" lightbox="media/config-removal-items-quarantine2.png"::: 4. In the Scan folder, configure the scan settings. Create a new Group Policy or group these settings in with the other policies. Th Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **Real-time Protection**. ### Configure Windows Defender SmartScreen settings 1. Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Windows Defender SmartScreen** \> **Explorer**. - :::image type="content" source="images/config-windows-def-smartscr-explorer.png" alt-text="Configure windows defender smart screen explorer" lightbox="images/config-windows-def-smartscr-explorer.png"::: + :::image type="content" source="media/config-windows-def-smartscr-explorer.png" alt-text="Configure windows defender smart screen explorer" lightbox="media/config-windows-def-smartscr-explorer.png"::: 2. Browse to **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Defender SmartScreen** > **Microsoft Edge**. 
- :::image type="content" source="images/configure-windows-defender-smartscreen.png" alt-text="Configure windows defender smart screen on Microsoft Edge" lightbox="images/configure-windows-defender-smartscreen.png"::: + :::image type="content" source="media/configure-windows-defender-smartscreen.png" alt-text="Configure windows defender smart screen on Microsoft Edge" lightbox="media/configure-windows-defender-smartscreen.png"::: ### Configure Potentially Unwanted Applications Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus**. ### Configure Cloud Deliver Protection and send samples automatically Browse to **Computer Configuration** \> **Policies** \> **Administrative Templat Browse to **Computer Configuration** \> **Policies** \> **Administrative Templates** \> **Windows Components** \> **Microsoft Defender Antivirus** \> **MpEngine**. When you configure cloud protection level policy to **Default Microsoft Defender Antivirus blocking policy** this will disable the policy. This is what is required to set the protection level to the windows default. ## Related topics - [Onboard Windows devices using Microsoft Endpoint Configuration Manager](configure-endpoints-sccm.md) |
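Review bot: `config-removal-items-quarantine2.png` is moved to `media/` while the preceding unchanged line `:::image type="content" source="images/removal-items-quarantine1.png" alt-text="Removal items quarantine folder" lightbox="images/removal-items-quarantine1.png":::` still references `images/`. Both screenshots belong to the same quarantine step, so one of the two paths will be wrong after this change unless the first file was deliberately left behind; update it in the same commit if it was moved with the rest.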
security | Configure Endpoints Sccm | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/configure-endpoints-sccm.md | Follow these steps to onboard endpoints using Microsoft Configuration 1. In the Microsoft Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**. - :::image type="content" source="images/configmgr-device-collections.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard1." lightbox="images/configmgr-device-collections.png"::: + :::image type="content" source="media/configmgr-device-collections.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard1." lightbox="media/configmgr-device-collections.png"::: 2. Select and hold (or right-click) **Device Collection** and select **Create Device Collection**. - :::image type="content" source="images/configmgr-create-device-collection.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard2." lightbox="images/configmgr-create-device-collection.png"::: + :::image type="content" source="media/configmgr-create-device-collection.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard2." lightbox="media/configmgr-create-device-collection.png"::: 3. Provide a **Name** and **Limiting Collection**, then select **Next**. - :::image type="content" source="images/configmgr-limiting-collection.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard3." lightbox="images/configmgr-limiting-collection.png"::: + :::image type="content" source="media/configmgr-limiting-collection.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard3." lightbox="media/configmgr-limiting-collection.png"::: 4. Select **Add Rule** and choose **Query Rule**. - :::image type="content" source="images/configmgr-query-rule.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard4." 
lightbox="images/configmgr-query-rule.png"::: + :::image type="content" source="media/configmgr-query-rule.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard4." lightbox="media/configmgr-query-rule.png"::: 5. Select **Next** on the **Direct Membership Wizard** and then select **Edit Query Statement**. - :::image type="content" source="images/configmgr-direct-membership.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard5." lightbox="images/configmgr-direct-membership.png"::: + :::image type="content" source="media/configmgr-direct-membership.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard5." lightbox="media/configmgr-direct-membership.png"::: 6. Select **Criteria** and then choose the star icon. - :::image type="content" source="images/configmgr-criteria.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard6." lightbox="images/configmgr-criteria.png"::: + :::image type="content" source="media/configmgr-criteria.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard6." lightbox="media/configmgr-criteria.png"::: 7. Keep criterion type as **simple value**, choose whereas **Operating System - build number**, operator as **is greater than or equal to** and value **14393**, and select **OK**. - :::image type="content" source="images/configmgr-simple-value.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard7." lightbox="images/configmgr-simple-value.png"::: + :::image type="content" source="media/configmgr-simple-value.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard7." lightbox="media/configmgr-simple-value.png"::: 8. Select **Next** and **Close**. - :::image type="content" source="images/configmgr-membership-rules.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard8." 
lightbox="images/configmgr-membership-rules.png"::: + :::image type="content" source="media/configmgr-membership-rules.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard8." lightbox="media/configmgr-membership-rules.png"::: 9. Select **Next**. - :::image type="content" source="images/configmgr-confirm.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard9." lightbox="images/configmgr-confirm.png"::: + :::image type="content" source="media/configmgr-confirm.png" alt-text="Screenshot of the Microsoft Configuration Manager wizard9." lightbox="media/configmgr-confirm.png"::: After completing this task you have a device collection with all the Windows endpoints in the environment. |
security | Connected Applications | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/connected-applications.md | From the left navigation menu, select **Partners & APIs** (under **Endpoints**) The Connected applications page provides information about the Microsoft Entra applications connected to Microsoft Defender for Endpoint in your organization. You can review the usage of the connected applications: last seen, number of requests in the past 24 hours, and request trends in the last 30 days. ## Edit, reconfigure, or delete a connected application |
security | Controlled Folders | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/controlled-folders.md | The protected folders include common system folders (including boot sectors), an Default folders appear in the user's profile, under **This PC**. > [!div class="mx-imgBorder"]- > ![Protected Windows default systems folders](images/defaultfolders.png) + > ![Protected Windows default systems folders](media/defaultfolders.png) > [!NOTE] > You can configure additional folders as protected, but you cannot remove the Windows system folders that are protected by default. |
security | Defender Endpoint Demonstration Cloud Delivered Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-demonstration-cloud-delivered-protection.md | Cloud-delivered protection for Microsoft Defender Antivirus, also referred to as 2. If you see file blocked by Microsoft Defender SmartScreen, select on "View downloads" button. - :::image type="content" source="images/cloud-delivered-protection-smartscreen-block.png" alt-text="SmartScreen blocks an unsafe download, and provides a button to select to view the **Downloads** list details."::: + :::image type="content" source="media/cloud-delivered-protection-smartscreen-block.png" alt-text="SmartScreen blocks an unsafe download, and provides a button to select to view the **Downloads** list details."::: 3. In Downloads menu right select on the blocked file and select on **Download unsafe file**. - :::image type="content" source="images/cloud-delivered-protection-smartscreen-block-view-downloads.png" alt-text="Lists the download as unsafe, but provides an option to proceed with the download"::: + :::image type="content" source="media/cloud-delivered-protection-smartscreen-block-view-downloads.png" alt-text="Lists the download as unsafe, but provides an option to proceed with the download"::: 4. You should see that "Microsoft Defender Antivirus" found a virus and deleted it. Cloud-delivered protection for Microsoft Defender Antivirus, also referred to as > > In some cases, you might also see **Threat Found** notification from Microsoft Defender Security Center. 
- :::image type="content" source="images/cloud-delivered-protection-smartscreen-threat-found-notification.png" alt-text="Microsoft Defender Antivirus Threats found notification provides options to get details"::: + :::image type="content" source="media/cloud-delivered-protection-smartscreen-threat-found-notification.png" alt-text="Microsoft Defender Antivirus Threats found notification provides options to get details"::: 5. If the file executes, or if you see that it was blocked by Microsoft Defender SmartScreen, cloud-delivered protection isn't working. For more information, see [Configure and validate network connections for Microsoft Defender Antivirus](/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus?ocid=wd-av-demo-cloud-middle). |
security | Defender Endpoint Trial User Guide | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/defender-endpoint-trial-user-guide.md | This playbook is a simple guide to help you make the most of your free trial. Us <td><a href="microsoft-defender-endpoint.md#tvm"><center><img src="images/logo-mdvm.png" alt="Vulnerability Management"> <br><b> Core Defender Vulnerability Management</b></center></a></td> <td><a href="microsoft-defender-endpoint.md#asr"><center><img src="media/asr-icon.png" alt="Attack surface reduction"><br><b>Attack surface reduction</b></center></a></td> <td><center><a href="microsoft-defender-endpoint.md#ngp"><img src="images/ngp-icon.png" alt="Next-generation protection"><br> <b>Next-generation protection</b></a></center></td>-<td><center><a href="microsoft-defender-endpoint.md#edr"><img src="images/edr-icon.png" alt="Endpoint detection and response"><br> <b>Endpoint detection and response</b></a></center></td> +<td><center><a href="microsoft-defender-endpoint.md#edr"><img src="media/edr-icon.png" alt="Endpoint detection and response"><br> <b>Endpoint detection and response</b></a></center></td> <td><center><a href="microsoft-defender-endpoint.md#ai"><img src="media/air-icon.png" alt="Automated investigation and remediation"><br> <b>Automated investigation and remediation</b></a></center></td> <td><center><a href="microsoft-defender-endpoint.md#mte"><img src="images/mte-icon.png" alt="Microsoft Threat Experts"><br> <b>Microsoft Threat Experts</b></a></center></td> </tr> |
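Review bot: only the `edr-icon.png` cell in this HTML table is switched to `media/`; the neighbouring cells still use `src="images/logo-mdvm.png"`, `src="images/ngp-icon.png"` and `src="images/mte-icon.png"`, while `asr-icon.png` and `air-icon.png` already use `media/`, which leaves the six icons split across two folders. If the intent is the same `images/` to `media/` migration applied elsewhere in this commit, the remaining three `<img src="images/...">` references should be updated in the same change so the table does not end up with a mix of working and broken icons.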
security | Device Control Deploy Manage Intune | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-deploy-manage-intune.md | If you're using Intune to manage Defender for Endpoint settings, you can use it In Intune, each row represents a device control policy. The included ID is the reusable setting that the policy applies to. The excluded ID is the reusable setting that's excluded from the policy. The entry for the policy contains the permissions allowed and the behavior for device control that comes into force when the policy applies. For information on how to add the reusable groups of settings that are included in the row of each device control policy, see the *Add reusable groups to a Device Control profile* section in [Use reusable groups of settings with Intune policies](/mem/intune/protect/reusable-settings-groups). In the following table, identify the setting you want to configure, and then use ### Creating policies with OMA-URI When you create policies with OMA-URI in Intune, create one XML file for each policy. As a best practice, use the Device Control Profile or Device Control Rules Profile to author custom policies. You can use parameters to set conditions for specific entries. Here's a [group e ### Creating groups with OMA-URI When you create groups with OMA-URI in Intune, create one XML file for each group. As a best practice, use reusable settings to define groups. |
security | Device Control Report | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-control-report.md | The **View details** button shows more media usage data in the **Device control The page provides a dashboard with aggregated number of events per type and a list of events and shows 500 events per page, but if you're an administrator (such as a global administrator or security administrator), you can scroll down to see more events and can filter on time range, media class name, and device ID. > [!div class="mx-imgBorder"]-> :::image type="content" source="images/Detaileddevicecontrolreport.png" alt-text="The Device Control Report Details page in the Microsoft Defender portal" lightbox="images/Detaileddevicecontrolreport.png"::: +> :::image type="content" source="media/Detaileddevicecontrolreport.png" alt-text="The Device Control Report Details page in the Microsoft Defender portal" lightbox="media/Detaileddevicecontrolreport.png"::: When you select an event, a flyout appears that shows you more information: When you select an event, a flyout appears that shows you more information: - **Location details:** Device name, User, and MDATP device ID. > [!div class="mx-imgBorder"]-> :::image type="content" source="images/devicecontrolreportfilter.png" alt-text="The Filter On Device Control Report page" lightbox="images/devicecontrolreportfilter.png"::: +> :::image type="content" source="media/devicecontrolreportfilter.png" alt-text="The Filter On Device Control Report page" lightbox="media/devicecontrolreportfilter.png"::: To see real-time activity for this media across the organization, select the **Open Advanced hunting** button. This includes an embedded, predefined query. 
> [!div class="mx-imgBorder"]-> :::image type="content" source="images/Devicecontrolreportquery.png" alt-text="The Query On Device Control Report page" lightbox="images/Devicecontrolreportquery.png"::: +> :::image type="content" source="media/Devicecontrolreportquery.png" alt-text="The Query On Device Control Report page" lightbox="media/Devicecontrolreportquery.png"::: To see the security of the device, select the **Open device page** button on the flyout. This button opens the device entity page. > [!div class="mx-imgBorder"]-> :::image type="content" source="images/Devicesecuritypage.png" alt-text="The Device Entity Page" lightbox="images/Devicesecuritypage.png"::: +> :::image type="content" source="media/Devicesecuritypage.png" alt-text="The Device Entity Page" lightbox="media/Devicesecuritypage.png"::: ### Reporting delays |
security | Device Health Microsoft Defender Antivirus Health | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-health-microsoft-defender-antivirus-health.md | Up-to-date reporting generates information for devices that meet the following c > [!NOTE] > \* Currently up to date reporting is only available for Windows devices. Cross platform devices such as Mac and Linux are listed under "No data available"/Unknown. ### Card functionality The functionality is essentially the same for all cards. By clicking on a numbered bar in any of the cards, the **Microsoft Defender Antivirus details** flyout opens enabling you to review information about all the devices configured with the version number of an aspect on that card. If the version number that you clicked on is: If the version number that you clicked on is: To add or remove specific types of information on the **Microsoft Defender Antivirus details** flyout, select **Customize Columns**. In **Customize Columns**, select or clear items to specify what you want included in the Microsoft Defender Antivirus details report. #### New Microsoft Defender Antivirus filter definitions There are two different export csv functionalities through the portal: - **Top level export**. You can use the top-level **Export** button to gather an all-up Microsoft Defender Antivirus health report (500-K limit). - **Flyout level export**. You can use the **Export** button within the flyouts to export a report to an Excel spreadsheet (100-K limit). Following are descriptions for the six cards that report about the _version_ and In any of the three _version_ cards, select **View full report** to display the nine most recent Microsoft Defender Antivirus _version_ reports for each of the three device types: Windows, Mac, and Linux; if fewer than nine exist, they're all shown. An **Other** category captures recent antivirus engine versions ranking tenth and below, if detected. 
A primary benefit of the three _version_ cards is that they provide quick indicators as to whether the most current versions of the antivirus engines, platforms, and security intelligence are being utilized. Coupled with the detailed information that is linked to the card, the versions cards become a powerful tool to check if versions are up to date and to gather information about individual computers, or groups of computers. Ideally, when you run these reports, they'll indicate that the most current antivirus versions are installed, as opposed to older versions. Use these reports to determine whether your organization is taking full advantage of the most current versions. To help ensure your anti-malware solution detects the latest threats, get updates automatically as part of Windows Update. Reports on how many devices in your organization ΓÇô on the date indicated on th | 3 | Others (Not running, Unknown) | | 4 | EDRBlocked | Following are descriptions for each mode: |
security | Device Health Sensor Health Os | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-health-sensor-health-os.md | For more information about user role management, see [Create and manage roles fo Sensor health and OS cards report on general operating system health, which includes detection sensor health, up to date versus out-of-date operating systems, and Windows 10 versions. ->:::image type="content" source="images/device-health-sensor-health-os-tab.png" alt-text="Shows Sensor health and Operating system information." lightbox="images/device-health-sensor-health-os-tab.png"::: +>:::image type="content" source="media/device-health-sensor-health-os-tab.png" alt-text="Shows Sensor health and Operating system information." lightbox="media/device-health-sensor-health-os-tab.png"::: Each of the three cards on the **Sensor health** tab has two reporting sections, _Current state_ and _device trends_, presented as graphs: Each of the three cards on the **Sensor health** tab has two reporting sections, In each card, the Current state (referred to in some documentation as _Device summary_) is the top, horizontal bar graph. Current state is a snapshot that shows information collected about devices in your organization, scoped to the current day. This graph represents the distribution of devices across your organization that report status or are detected to be in a specific state. ->:::image type="content" source="images/device-health-sensor-health-os-current-state-graph.png" alt-text="Shows the current state graph." lightbox="images/device-health-sensor-health-os-current-state-graph.png"::: +>:::image type="content" source="media/device-health-sensor-health-os-current-state-graph.png" alt-text="Shows the current state graph." 
lightbox="media/device-health-sensor-health-os-current-state-graph.png"::: ### Device trends graph The lower graph on each of the three cards isn't named, but is commonly known as _device trends_. The device trends graph depicts the collection of devices across your organization, throughout the time span indicated directly above the graph. By default, the device trends graph displays device information from the 30-day period, ending in the latest full day. To gain a better perspective about trends occurring in your organization, you can fine-tune the reporting period by adjusting the time period shown. To adjust the time period, open the filter and select a start day and end day. ->:::image type="content" source="images/device-health-sensor-health-os-device-trends-graph.png" alt-text="Shows the Device Health versions trends graph." lightbox="images/device-health-sensor-health-os-device-trends-graph.png"::: +>:::image type="content" source="media/device-health-sensor-health-os-device-trends-graph.png" alt-text="Shows the Device Health versions trends graph." lightbox="media/device-health-sensor-health-os-device-trends-graph.png"::: ### Filtering data |
security | Device Timeline Event Flag | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/device-timeline-event-flag.md | The Defender for Endpoint device timeline helps you research and investigate ano - Custom time range picker: - :::image type="content" source="images/custom-time-range.png" alt-text="Screenshot of the custom time range."::: + :::image type="content" source="media/custom-time-range.png" alt-text="Screenshot of the custom time range."::: - Process tree experience ΓÇô event side panel: While navigating the device timeline, you can search and filter for specific eve 2. Select the flag icon in the Flag column. ## View flagged events While navigating the device timeline, you can search and filter for specific eve You can apply more filters by clicking on the time bar. This will only show events prior to the flagged event. [!INCLUDE [Microsoft Defender for Endpoint Tech Community](../../includes/defender-mde-techcommunity.md)] |
security | Edr In Block Mode | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/edr-in-block-mode.md | EDR in block mode works behind the scenes to remediate malicious artifacts that EDR in block mode is integrated with [threat & vulnerability management](next-gen-threat-and-vuln-mgt.md) capabilities. Your organization's security team gets a [security recommendation](tvm-security-recommendation.md) to turn EDR in block mode on if it isn't already enabled. > [!TIP] > To get the best protection, make sure to **[deploy Microsoft Defender for Endpoint baselines](configure-machines-security-baseline.md)**. Watch this video to learn why and how to turn on endpoint detection and response When EDR in block mode is turned on, and a malicious artifact is detected, Defender for Endpoint remediates that artifact. Your security operations team sees the detection status as **Blocked** or **Prevented** in the [Action center](respond-machine-alerts.md#check-activity-details-in-action-center), listed as completed actions. The following image shows an instance of unwanted software that was detected and remediated through EDR in block mode: ## Enable EDR in block mode |
security | Enable Exploit Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/enable-exploit-protection.md | The result is that DEP is enabled for *test.exe*. DEP won't be enabled for any o 3. Name the profile, choose **Windows 10 and later**, select **templates** for Profile type and choose **Endpoint protection** under template name. - :::image type="content" source="images/create-endpoint-protection-profile.png" alt-text="The Create endpoint protection profile" lightbox="images/create-endpoint-protection-profile.png"::: + :::image type="content" source="media/create-endpoint-protection-profile.png" alt-text="The Create endpoint protection profile" lightbox="media/create-endpoint-protection-profile.png"::: 4. Select **Configure** \> **Windows Defender Exploit Guard** \> **Exploit protection**. 5. Upload an [XML file](/windows/client-management/mdm/policy-csp-exploitguard) with the exploit protection settings: - :::image type="content" source="images/enable-ep-intune.png" alt-text="The Enable network protection setting in Intune" lightbox="images/enable-ep-intune.png"::: + :::image type="content" source="media/enable-ep-intune.png" alt-text="The Enable network protection setting in Intune" lightbox="media/enable-ep-intune.png"::: 6. Select **OK** to save each open blade, and then choose **Create**. |
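Review bot: the alt-text on the updated `media/enable-ep-intune.png` image in step 5 still reads "The Enable network protection setting in Intune", but the step uploads exploit protection settings; since the line is already being touched for the `images/` to `media/` move, change the alt-text to describe exploit protection, for example `alt-text="The Exploit protection settings upload in Intune"`.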
security | Evaluation Lab | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/evaluation-lab.md | If you are looking for a pre-made simulation, you can use our ["Do It Yourself" 2. Enter the password that was displayed during the device creation step. - :::image type="content" source="images/enter-password.png" alt-text="The screen on which you enter credentials" lightbox="images/enter-password.png"::: + :::image type="content" source="media/enter-password.png" alt-text="The screen on which you enter credentials" lightbox="media/enter-password.png"::: 3. Run Do-it-yourself attack simulations on the device. Each simulation comes with an in-depth description of the attack scenario and re The lab reports summarize the results of the simulations conducted on the devices. At a glance, you'll quickly be able to see: |
security | Information Protection Investigation | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/information-protection-investigation.md | Learn how to use data sensitivity labels to prioritize incident investigation. 2. Scroll over to see the **Data sensitivity** column. This column reflects sensitivity labels that are observed on devices related to the incidents providing an indication of whether sensitive files are impacted by the incident. - :::image type="content" source="images/data-sensitivity-column.png" alt-text="The Highly confidential option in the data sensitivity column" lightbox="images/data-sensitivity-column.png"::: + :::image type="content" source="media/data-sensitivity-column.png" alt-text="The Highly confidential option in the data sensitivity column" lightbox="media/data-sensitivity-column.png"::: You can also filter based on **Data sensitivity** - :::image type="content" source="images/data-sensitivity-filter.png" alt-text="The data sensitivity filter" lightbox="images/data-sensitivity-filter.png"::: + :::image type="content" source="media/data-sensitivity-filter.png" alt-text="The data sensitivity filter" lightbox="media/data-sensitivity-filter.png"::: 3. Open the incident page to further investigate. |
security | Investigate Machines | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/investigate-machines.md | Select an event to view relevant details about that event. A panel displays to s To further inspect the event and related events, you can quickly run an [advanced hunting](advanced-hunting-overview.md) query by selecting **Hunt for related events**. The query returns the selected event and the list of other events that occurred around the same time on the same endpoint. ### Security recommendations The **Software inventory** tab lets you view software on the device, along with The **Discovered vulnerabilities** tab shows the name, severity, and threat insights of discovered vulnerabilities on the device. If you select a specific vulnerability, you see a description and details. ### Missing KBs To gain an in-depth view of the device health report, you can go to **Reports > > [!NOTE] > The date and time for Defender Antivirus mode is currently not available. ## Related articles |
security | Ios Install Unmanaged | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install-unmanaged.md | End users also need to take steps to install Microsoft Defender for Endpoint on 1. **Verify that the Intune connector is enabled in Security portal**. <br> On the [unified security console](https://security.microsoft.com), go to **Settings** > **Endpoints** > **Advanced Features** and ensure that **Microsoft Intune connection** is enabled. - :::image type="content" source="images/enable-intune-connection.png" alt-text="The Defender for Endpoint - Intune connector" lightbox="images/enable-intune-connection.png"::: + :::image type="content" source="media/enable-intune-connection.png" alt-text="The Defender for Endpoint - Intune connector" lightbox="media/enable-intune-connection.png"::: 2. **Verify that the APP connector is enabled in Intune portal**. <br> In the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint Security** > **Microsoft Defender for Endpoint** and ensure that the Connection status is enabled. Microsoft Defender for Endpoint can be configured to send threat signals to be u 1. Create a policy <br> App protection policies (APP) are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "corporate" data, or a set of actions that are prohibited or monitored when the user is inside the app. 2. Add apps <br> a. Choose how you want to apply this policy to apps on different devices. Then add at least one app. <br> Because mobile app management doesn't require device management, you can protect 3.Set sign-in security requirements for your protection policy. <br> Select **Setting > Max allowed device threat level** in **Conditional Launch > Device Conditions** and enter a value. 
This will need to be configured to either Low, Medium, High, or Secured. The actions available to you will be **Block access** or **Wipe data**. Select **Action: "Block Access"**. Microsoft Defender for Endpoint on iOS shares this Device Threat Level. - :::image type="content" source="images/conditional-launch.png" alt-text="The Device conditions pane" lightbox="images/conditional-launch.png"::: + :::image type="content" source="media/conditional-launch.png" alt-text="The Device conditions pane" lightbox="media/conditional-launch.png"::: 4.Assign user groups for whom the policy needs to be applied.<br> Select **Included groups**. Then add the relevant groups. |
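Review bot: the steps "3.Set sign-in security requirements for your protection policy." and "4.Assign user groups for whom the policy needs to be applied." in the surrounding context have no space after the number, so unlike steps 1 and 2 they will not render as numbered list items; while the image path in this block is being updated, change them to `3. Set sign-in security requirements` and `4. Assign user groups`.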
security | Ios Install | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/ios-install.md | Defender app is installed into the user's device. User signs in and completes th 3. Upon successful onboarding, the device will start showing up on the Devices list in the Microsoft Defender portal. - :::image type="content" source="images/device-inventory-screen.png" alt-text="The Device inventory page." lightbox="images/device-inventory-screen.png"::: + :::image type="content" source="media/device-inventory-screen.png" alt-text="The Device inventory page." lightbox="media/device-inventory-screen.png"::: ## Next Steps |
security | Linux Support Offline Security Intelligence Update | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/linux-support-offline-security-intelligence-update.md | + + Title: Configure Offline Security Intelligence Update for Microsoft Defender for Endpoint on Linux +description: Offline Security Intelligence Update in Microsoft Defender for Endpoint on Linux. +++++ms.localizationpriority: medium ++audience: ITPro ++- m365-security +- tier3 +- mde-linux ++search.appverid: met150 Last updated : 03/12/2024+++# Configure Offline Security Intelligence Update for Microsoft Defender for Endpoint on Linux +++**Applies to:** ++- [Microsoft Defender for Endpoint on Linux](microsoft-defender-endpoint-linux.md) +- [Microsoft Defender for Endpoint Plan 1](https://go.microsoft.com/fwlink/p/?linkid=2154037) +- [Microsoft Defender for Endpoint Plan 2](https://go.microsoft.com/fwlink/p/?linkid=2154037) ++This document describes the *Offline Security Intelligence Update* feature of Microsoft Defender for Endpoint on Linux. ++This feature enables organizations to download *security intelligence* (also referred to as definitions or signatures in this document) on Linux endpoints that aren't exposed to the internet via a local hosting server (termed as *Mirror Server* in this document). ++The Mirror Server is any server in the customer's environment that can connect to the Microsoft cloud to download the signatures. Other Linux endpoints pull the signatures from the Mirror Server at a predefined interval. ++Key benefits include: ++- Customers who have server environments that aren't exposed to the internet can now benefit by being able to download and enable the latest security intelligence updates in a controlled manner. ++- Control and manage the frequency of signature downloads on the local server. ++- Control and manage the frequency at which endpoints pull the signatures from the local server. 
++- Test the downloaded signatures on a test device before propagating it to the entire fleet, providing greater security and control. ++- Now, on behalf of your entire fleet, only one local server polls the Microsoft cloud to get the latest signatures. This action helps reduce network bandwidth. ++- Local server can run any of the three OS - Windows, Mac, Linux, and isn't required to install Defender for Endpoint. ++- Signatures are always downloaded along with the latest compatible AV engine. Thus, keeping AV engine + signatures updated after every cycle. ++- In each iteration, signature with n-1 version is moved to a backup folder on the local server. If there's any issue with the latest signature, you can pull the n-1 signature version from the backup folder to your endpoints. ++- If the offline update fails, you can also choose to fall back to online update directly from the Microsoft cloud. ++## How Offline Security Intelligence Update works ++- Organizations need to set up a Mirror Server, which is a local Web/NFS server that is reachable to the Microsoft cloud. Your organization is responsible for the management and maintenance of the Mirror Server. +- Signatures are downloaded from Microsoft Cloud on this Mirror Server by executing a script using cron job/task scheduler on the local server. +- Linux endpoints running Defender for Endpoint pull the downloaded signatures from this Mirror Server at a user-defined time interval. +- Signatures pulled on the Linux endpoints from the local server are first verified before loading it into the AV engine. +- To trigger and configure the update process, update the managed config json file on the Linux endpoints. +- The status of the update can be seen on the mdatp CLI. +- +Fig. 1: Process flow diagram on the Mirror Server for downloading the security intelligence updates +++Fig. 
2: Process flow diagram on the Linux endpoint for security intelligence updates ++## Prerequisites ++- Defender for Endpoint version "101.24022.0001" or higher in InsiderSlow ring needs to be installed on the Linux endpoints. + > [!NOTE] + > This version of Defender for Endpoint on Linux will be rolled out to the Production ring soon. +- The Linux endpoints need to have connectivity to the Mirror Server. +- The Mirror Server can be either an HTTP/ HTTPS server or a network share server. For example, an NFS Server. +- The Mirror Server needs to have access to the following URLs: + - https://github.com/microsoft/mdatp-xplat.git + - https://go.microsoft.com/fwlink/?linkid=2144709 +- The following operating systems are supported for the Mirror Server: + - Linux (Any Flavor) + - Windows (Any Version) + - Mac (Any version) +- The Mirror Server should support bash or PowerShell. +- The following minimum system specifications are required for the Mirror Server: ++ | CPU Core | RAM | Free disk | Swap | + |--|--|--|--| + | 2 cores (Preferred 4 Core) | 1 GB Min (Preferred 4 GB) | 2 GB | System Dependent| ++ > [!NOTE] + > This configuration may vary depending on the number of requests that are served and the load each server must process. ++- The Linux endpoint must be running any of the Defender for Endpoint supported distributions. +++## Configuring the Mirror Server ++> [!NOTE] +> The management and ownership of the Mirror Server lies solely with the customer as it resides in the customer's private environment. The Mirror Server's management and maintenance ownership lies with the customers since the Mirror Server resides in the customer's private environment and Microsoft will have no visibility into it. ++> [!NOTE] +> The Mirror Server does not need to have Defender for Endpoint installed. 
++### Get the offline security intelligence downloader script ++Microsoft hosts an offline security intelligence downloader script on [this GitHub repo](https://github.com/microsoft/mdatp-xplat). ++Follow these steps to get the downloader script: ++#### Option 1: Clone the repo (Preferred) ++- [Install git](https://kinsta.com/knowledgebase/install-git/) on the Mirror Server. +- Navigate to the directory where you want to clone the repo. +- Execute the command: `git clone https://github.com/microsoft/mdatp-xplat.git` ++#### Option 2: Download the zip file ++- Download the zip file of the repo [from here](https://github.com/microsoft/mdatp-xplat/archive/refs/heads/master.zip). +- Copy the zip file to the folder where you want to keep the script. +- Extract the zip. ++> [!NOTE] +> Schedule a [cron job](#scheduling-a-cron-job) to keep the repo / the downloaded zip file updated to the latest version at regular intervals. ++After cloning the repo / downloading the zip file, the local directory structure should be as follows: ++``` +user@vm:~/mdatp-xplat$ tree linux/definition_downloader/ +linux/definition_downloader/ +├── README.md +├── settings.json +├── settings.ps1 +├── xplat_offline_updates_download.ps1 +└── xplat_offline_updates_download.sh ++0 directories, 5 files +``` ++> [!NOTE] +> Go through the README.md file to understand in detail about how to use the script. ++The `settings.json` file consists of a few variables that the user can configure to determine the output of the script execution. ++| Field Name | Value | Description | +|--|--|--| +| `downloadFolder` | string | Maps to the location where the script downloads the files to | +| `downloadLinuxUpdates` | bool | When set to true, the script downloads the Linux specific updates to the `downloadFolder` | +| `logFilePath` | string | Sets up the diagnostic logs at a given folder. 
This file can be shared with Microsoft for debugging the script if there are any issues | +| `downloadMacUpdates` | bool | The script downloads the Mac specific updates to the `downloadFolder` | +| `downloadPreviewUpdates` | bool | Downloads the preview version of the updates available for the specific OS | +| `backupPreviousUpdates` | bool | Allows the script to copy the previous update in the _back folder, and new updates are downloaded to `downloadFolder` | ++### Execute the offline security intelligence downloader script ++To manually execute the downloader script, configure the parameters in the `settings.json` file as per the description in the previous section, and use one of the following commands based on the OS of the Mirror Server: +- Bash: + `./xplat_offline_updates_download.sh` +- PowerShell: + `./xplat_offline_updates_download.ps1` ++> [!NOTE] +> Schedule a [cron job](#scheduling-a-cron-job) to execute this script to download the latest security intelligence updates in the Mirror Server at regular intervals. ++### Host the offline security intelligence updates on the Mirror Server ++Once the script is executed, the latest signatures get downloaded to the folder configured in the `settings.json` file (`updates.zip`). ++Once the signatures zip is downloaded, the Mirror Server can be used to host it. The Mirror Server can be hosted using any HTTP / HTTPS / Network share servers. ++Once hosted, copy the absolute path of the hosted server (up to and not including the `arch_*` directory). ++For example, if the script is executed with `downloadFolder=/tmp/wdav-update`, and the HTTP server (`www.example.server.com:8000`) is hosting the `/tmp/wdav-update` path, the corresponding URI is: `www.example.server.com:8000/linux/production/` ++Once the Mirror Server is set up, we need to propagate this URL to the Linux endpoints using the Managed Configuration as described in the next section. 
++## Configure the Endpoints ++- Use the following sample `mdatp_managed.json` and update the parameters as per the configuration and copy the file to the location `/etc/opt/microsoft/mdatp/managed/mdatp_managed.json`. ++``` +{ + "cloudService": { + "automaticDefinitionUpdateEnabled": true, + "definitionUpdatesInterval": 1202 + }, + "antivirusEngine": { + "offlineDefinitionUpdateUrl": "http://172.22.199.67:8000/linux/production/", + "offlineDefintionUpdateFallbackToCloud":false, + "offlineDefinitionUpdate": "enabled" + } +} +``` ++| Field Name | Values | Comments | +|-|-|--| +| `automaticDefinitionUpdateEnabled` | True / False | Determines the behavior of Defender for Endpoint attempting to perform updates automatically, is turned on or off respectively | +| `definitionUpdatesInterval` | Numeric | Time of interval between each automatic update of signatures (in seconds) | +| `offlineDefinitionUpdateUrl` | String | URL value generated as part of the Mirror Server set up | +| `offlineDefinitionUpdate` | enabled / disabled | When set to `enabled`, the offline security intelligence update feature is enabled, and vice versa. | +| `offlineDefinitionUpdateFallbackToCloud` | True / False | Determine Defender for Endpoint security intelligence update approach when offline Mirror Server fails to serve the update request. If set to true, the update is retried via the Microsoft cloud when offline security intelligence update failed, else vice versa. | ++> [!NOTE] +> As of today the offline security intelligence update feature can be configured on Linux endpoints via managed json only. Integration with security settings management on the security portal is in our roadmap. ++### Verify the configuration ++Once the Mirror Server and the Linux endpoints are configured, to test if the settings are applied correctly on the Linux endpoints, run the following command: +``` +mdatp health --details definitions +``` ++and verify the updated fields according to the managed json. 
For example, a sample output would look like: ++``` +user@vm:~$ mdatp health --details definitions +automatic_definition_update_enabled : true [managed] +definitions_updated : Mar 14, 2024 at 12:13:17 PM +definitions_updated_minutes_ago : 2 +definitions_version : "1.407.417.0" +definitions_status : "up_to_date" +definitions_update_source_uri : "https://go.microsoft.com/fwlink/?linkid=2144709" +definitions_update_fail_reason : "" +offline_definition_url_configured : "http://172.22.199.67:8000/linux/production/" [managed] +offline_definition_update : "enabled" [managed] +offline_definition_update_verify_sig : "disabled" +offline_definition_update_fallback_to_cloud : false +``` ++## Triggering the Offline Security Intelligence Updates ++### Automatic update +- If the `automaticDefinitionUpdateEnabled` field is set to true in the managed json, then the offline security intelligence updates are triggered automatically at periodic intervals. +- By default, this periodic interval is every 8 hours. But it can be configured by setting the `definitionUpdatesInterval` in the managed json to the desired interval. ++### Manual update +- In order to trigger the offline security intelligence update manually to download the signatures from the Mirror Server on the Linux endpoints, run the command: + `mdatp definitions update` ++### Check update status +- After triggering the offline security intelligence update by either the automatic or manual method, verify that the update was successful by running the command: `mdatp health --details --definitions`. +- Verify the following fields: ++ ``` + user@vm:~$ mdatp health --details definitions + ... + definitions_status : "up_to_date" + ... + definitions_update_fail_reason : "" + ... 
+ ``` ++## Troubleshooting and Diagnostics ++### Issues: MDATP update failure ++- Update stuck or update didn't trigger +- Update failed ++### Common Troubleshooting Steps ++- Check the status of the offline security intelligence update feature by using the command: `mdatp health --details definitions` + - This should provide us with some user-friendly message in the `definitions_update_fail_reason` section. + - Check if `offline_definition_update` and `offline_definition_update_verify_sig` is enabled. + - Check if `definitions_update_source_uri` is equal to `offline_definition_url_configured` + - `definitions_update_source_uri` is the source from where the signatures were downloaded. + - `offline_definition_url_configured` is the source from where signatures should be downloaded, the one mentioned in the managed config file. +- Try performing the connectivity test to check if Mirror Server is reachable from the host: + - `mdatp connectivity test` +- Try to trigger manual update using the command: + - `mdatp definitions update` ++## Useful Links ++### Downloader script ++- [GitHub repo](https://github.com/microsoft/mdatp-xplat) ++### Scheduling a cron job +- [Schedule a cron job in Linux](https://phoenixnap.com/kb/set-up-cron-job-linux) +- [Schedule a cron job in macOS](https://phoenixnap.com/kb/cron-job-mac) +- [Schedule a cron job in Windows](https://phoenixnap.com/kb/cron-job-windows) |
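Review bot: the sample `mdatp_managed.json` in "Configure the Endpoints" spells the fallback key `offlineDefintionUpdateFallbackToCloud` (missing the second "i"), while the table below it documents `offlineDefinitionUpdateFallbackToCloud` and the `mdatp health` output reports `offline_definition_update_fallback_to_cloud`; readers who copy the sample would configure a key the table does not document, so correct the sample to `"offlineDefinitionUpdateFallbackToCloud": false`. Three related points in the same file: the sample and the health output hard-code a private address (`http://172.22.199.67:8000/linux/production/`) where the earlier hosting example uses `www.example.server.com:8000`, so use the placeholder consistently; "Check update status" runs `mdatp health --details --definitions` while every other section uses `mdatp health --details definitions`; and "How Offline Security Intelligence Update works" says pulled signatures are verified before loading and the troubleshooting steps tell the reader to check that `offline_definition_update_verify_sig` is enabled, yet the sample output shows it as `"disabled"` and no field in the managed json table controls it, so the doc should state the default and how verification is turned on, which matters because the Mirror Server may be served over plain HTTP or an NFS share.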
security | Mac Install Manually | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-install-manually.md | To complete this process, you must have admin privileges on the device. 5. From **Destination Select**, select the disk where you want to install the Microsoft Defender Software, for example, *Macintosh HD* and select **Continue**. - :::image type="content" source="images/destination-select.png" alt-text="Screenshot that shows the selection of destination for installation."::: + :::image type="content" source="media/destination-select.png" alt-text="Screenshot that shows the selection of destination for installation."::: > [!NOTE] > The amount of disk space required for installation is around 777 MB. |
security | Mac Jamfpro Device Groups | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-device-groups.md | Set up the device groups similar to Group policy organizational unite (OUs), Mi 4. Now you will see the **Contoso's Machine Group** under **Static Computer Groups**. - :::image type="content" source="images/contoso-machine-group.png" alt-text="The Jamf Pro3 page" lightbox="images/contoso-machine-group.png"::: + :::image type="content" source="media/contoso-machine-group.png" alt-text="The Jamf Pro3 page" lightbox="media/contoso-machine-group.png"::: > [!NOTE] > You are not required to use static groups. It is often more convenient and flexible to use e.g. [JAMF Pro's smart groups](https://docs.jamf.com/10.40.0/jamf-pro/documentation/Smart_Groups.html) instead. |
security | Mac Jamfpro Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-jamfpro-policies.md | Note that you must use exact `com.microsoft.wdav` as the **Preference Domain**, 10. Select **Done**. You'll see the new **Configuration profile**. - :::image type="content" source="images/dd55405106da0dfc2f50f8d4525b01c8.png" alt-text="The page on which you complete the Configuration settings." lightbox="images/dd55405106da0dfc2f50f8d4525b01c8.png"::: + :::image type="content" source="media/dd55405106da0dfc2f50f8d4525b01c8.png" alt-text="The page on which you complete the Configuration settings." lightbox="media/dd55405106da0dfc2f50f8d4525b01c8.png"::: Microsoft Defender for Endpoint adds new settings over time. These new settings will be added to the schema, and a new version will be published to GitHub. All you need to do to have updates is to download an updated schema, edit existing configuration profile, and **Edit schema** at the **Application & Custom Settings** tab. All you need to do to have updates is to download an updated schema, edit existi :::image type="content" source="mediAV configuration settings." lightbox="media/3160906404bc5a2edf84d1d015894e3b.png"::: - :::image type="content" source="images/e1cc1e48ec9d5d688087b4d771e668d2.png" alt-text="The application and custom settings." lightbox="images/e1cc1e48ec9d5d688087b4d771e668d2.png"::: + :::image type="content" source="media/e1cc1e48ec9d5d688087b4d771e668d2.png" alt-text="The application and custom settings." lightbox="media/e1cc1e48ec9d5d688087b4d771e668d2.png"::: 6. Select **Upload File (PLIST file)**. All you need to do to have updates is to download an updated schema, edit existi 7. In **Preferences Domain**, enter `com.microsoft.wdav`, then select **Upload PLIST File**. - :::image type="content" source="images/db15f147dd959e872a044184711d7d46.png" alt-text="The configuration settings preferences domain." 
lightbox="images/db15f147dd959e872a044184711d7d46.png"::: + :::image type="content" source="media/db15f147dd959e872a044184711d7d46.png" alt-text="The configuration settings preferences domain." lightbox="media/db15f147dd959e872a044184711d7d46.png"::: 8. Select **Choose File**. All you need to do to have updates is to download an updated schema, edit existi 16. Select **Done**. You'll see the new **Configuration profile**. - ![Image of configuration settings config profile image.](images/dd55405106da0dfc2f50f8d4525b01c8.png) - :::image type="content" source="images/dd55405106da0dfc2f50f8d4525b01c8.png" alt-text="The config profile's settings." lightbox="images/dd55405106da0dfc2f50f8d4525b01c8.png"::: + ![Image of configuration settings config profile image.](media/dd55405106da0dfc2f50f8d4525b01c8.png) + :::image type="content" source="media/dd55405106da0dfc2f50f8d4525b01c8.png" alt-text="The config profile's settings." lightbox="media/dd55405106da0dfc2f50f8d4525b01c8.png"::: ## Step 4: Configure notifications settings These steps are applicable on macOS 11 (Big Sur) or later. 3. In the Jamf Pro dashboard, select **General**. - :::image type="content" source="images/eaba2a23dd34f73bf59e826217ba6f15.png" alt-text="The configuration settings." lightbox="images/eaba2a23dd34f73bf59e826217ba6f15.png"::: + :::image type="content" source="media/eaba2a23dd34f73bf59e826217ba6f15.png" alt-text="The configuration settings." lightbox="media/eaba2a23dd34f73bf59e826217ba6f15.png"::: 4. Enter the following details on the **General** tab: |
security | Mac Support License | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-license.md | When [Microsoft Defender for Endpoint on macOS](microsoft-defender-endpoint-mac. Select the **x** symbol. ### Message For scenarios where Microsoft Defender for Endpoint on macOS isn't up to date, y 1. Select **Settings**. The **Settings** screen appears. 1. Select **Endpoints**. - :::image type="content" source="images/endpoints-option-on-settings-screen.png" alt-text="Screenshot of the Settings screen on which the Endpoints option is listed." lightbox="images/endpoints-option-on-settings-screen.png"::: + :::image type="content" source="media/endpoints-option-on-settings-screen.png" alt-text="Screenshot of the Settings screen on which the Endpoints option is listed." lightbox="media/endpoints-option-on-settings-screen.png"::: The **Endpoints** screen appears. - :::image type="content" source="images/endpoints-screen.png" alt-text="Screenshot of the Endpoints page." lightbox="images/endpoints-screen.png"::: + :::image type="content" source="media/endpoints-screen.png" alt-text="Screenshot of the Endpoints page." lightbox="media/endpoints-screen.png"::: 1. Select **Licenses**. |
security | Mac Support Sys Ext | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/mac-support-sys-ext.md | If you didn't approve the system extension during the deployment/installation of systemextensionsctl list ``` - :::image type="content" source="images/check-system-extension.png" alt-text="The screen that shows what should be done to check the system extension." lightbox="images/check-system-extension.png"::: + :::image type="content" source="media/check-system-extension.png" alt-text="The screen that shows what should be done to check the system extension." lightbox="media/check-system-extension.png"::: You'll notice that both Microsoft Defender for Endpoint on macOS extensions are in the **[activated waiting for user]** state. endpoint_security_extension_installed : true This output is shown in the following screenshot: The following files might be missing if you're managing it via Intune, JamF, or another MDM solution: |
security | Machine Tags | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machine-tags.md | To add device tags using API, see [Add or remove device tags API](api/add-or-rem 3. Type to find or create tags - :::image type="content" source="images/create-new-tag.png" alt-text="Adding tags on device1" lightbox="images/create-new-tag.png"::: + :::image type="content" source="media/create-new-tag.png" alt-text="Adding tags on device1" lightbox="media/create-new-tag.png"::: Tags are added to the device view and will also be reflected on the **Devices inventory** view. You can then use the **Tags** filter to see the relevant list of devices. |
security | Machines View Overview | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/machines-view-overview.md | During the onboarding process, the **Devices list** is gradually populated with > [!NOTE] > If you export the device list, it will contain every device in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all devices in the organization, regardless of any filtering applied in the view itself. ## Sort and filter the device list The **Classify critical assets** card allows you to define device groups as busi Use the **Onboarding Status** column to sort and filter by discovered devices, and devices that are already onboarded to Microsoft Defender for Endpoint. From the **Network devices** and **IoT devices** tabs, you'll also see information such as vendor, model, and device type: From the **Network devices** and **IoT devices** tabs, you'll also see information such as vendor, model, and device type: > [!NOTE] > Device discovery Integration with [Microsoft Defender for IoT](/azure/defender-for-iot/organizations/) is available to help locate, identify, and secure your complete OT/IOT asset inventory. Devices discovered with this integration will appear on the **IoT devices** tab. For more information, see [Device discovery integration](device-discovery.md#device-discovery-integration). You can add or remove columns from the view and sort the entries by clicking on On the **Computer and Mobiles** tab, select **Customize columns** to see the columns available. The default values are checked in the following image: On the **Network devices** tab, select **Customize columns** to see the columns available. The default values are checked in the following image: |
security | Manage Profiles Approve Sys Extensions Intune | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-profiles-approve-sys-extensions-intune.md | To approve the system extensions: |com.microsoft.wdav.epsext | UBF8T346G9 | |com.microsoft.wdav.netext | UBF8T346G9 | - :::image type="content" source="images/entries-in-configuration-settings-tab.png" alt-text="Adding entries in the Configuration settings tab." lightbox="images/entries-in-configuration-settings-tab.png"::: + :::image type="content" source="media/entries-in-configuration-settings-tab.png" alt-text="Adding entries in the Configuration settings tab." lightbox="media/entries-in-configuration-settings-tab.png"::: 1. In the **Assignments** tab, assign this profile to **All Users & All devices**. 1. Review and create this configuration profile. sysext.xml: OK 1. Open the configuration profile and upload the *sysext.xml* file. 1. Select **OK**. 5. In the **Assignments** tab, assign this profile to **All Users & All devices**. 6. Review and create this configuration profile. |
security | Manage Security Policies | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-security-policies.md | You'll find endpoint security policies under **Endpoints > Configuration managem > [!NOTE] > The **Endpoint Security Policies** page in Microsoft Defender XDR is available only for [users with the security administrator role in Microsoft Defender XDR](/microsoft-365/security/defender-endpoint/assign-portal-access). Any other user role, such as Security Reader, cannot access the portal. When a user has the required permissions to view policies in the Microsoft Defender portal, the data is presented based on Intune permissions. If the user is in scope for Intune role-based access control, it applies to the list of policies presented in the Microsoft Defender portal. We recommend granting security administrators with the [Intune built-in role, "Endpoint Security Manager"](/mem/intune/fundamentals/role-based-access-control#built-in-roles) to effectively align the level of permissions between Intune and Microsoft Defender XDR. The following list provides a brief description of each endpoint security policy type: |
security | Manage Sys Extensions Manual Deployment | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/manage-sys-extensions-manual-deployment.md | In terminal, run the following command to check the system extensions: The execution of this command is shown in the following screenshot: |
security | Microsoft Defender Endpoint | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint.md | Defender for Endpoint uses the following combination of technology built into Wi <td><a href="#tvm"><center><img src="images/logo-mdvm.png" alt="Vulnerability Management"> <br><b> Core Defender Vulnerability Management</b></center></a></td> <td><a href="#asr"><center><img src="media/asr-icon.png" alt="Attack surface reduction"><br><b>Attack surface reduction</b></center></a></td> <td><center><a href="#ngp"><img src="images/ngp-icon.png" alt="Next-generation protection"><br> <b>Next-generation protection</b></a></center></td>-<td><center><a href="#edr"><img src="images/edr-icon.png" alt="Endpoint detection and response"><br> <b>Endpoint detection and response</b></a></center></td> +<td><center><a href="#edr"><img src="media/edr-icon.png" alt="Endpoint detection and response"><br> <b>Endpoint detection and response</b></a></center></td> <td><center><a href="#ai"><img src="media/air-icon.png" alt="Automated investigation and remediation"><br> <b>Automated investigation and remediation</b></a></center></td> <td><center><a href="#mte"><img src="images/mte-icon.png" alt="Microsoft Threat Experts"><br> <b>Microsoft Threat Experts</b></a></center></td> </tr> |
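Review bot: the hunk moves only `edr-icon.png` to `media/`, while `images/logo-mdvm.png`, `images/ngp-icon.png` and `images/mte-icon.png` in the same table row still point at `images/`; since `media/asr-icon.png` and `media/air-icon.png` in the same row suggest a folder migration, either update those three paths in the same change or confirm the files still exist under `images/` so the icons do not break.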
security | Migrating Mde Server To Cloud | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/migrating-mde-server-to-cloud.md | To enable Defender for Servers for Azure VMs and non-Azure machines connected th 6. *Recommended:* If you want to see vulnerability findings in Defender for Cloud, make sure to enable [Microsoft Defender Vulnerability Management](/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-va) for Defender for Cloud. - :::image type="content" source="images/enable-threat-and-vulnerability-management.png" alt-text="Screenshot that shows how to enable vulnerability management." lightbox="images/enable-threat-and-vulnerability-management.png"::: + :::image type="content" source="media/enable-threat-and-vulnerability-management.png" alt-text="Screenshot that shows how to enable vulnerability management." lightbox="media/enable-threat-and-vulnerability-management.png"::: ## How do I migrate existing Azure VMs to Microsoft Defender for Cloud? |
security | Onboard Downlevel | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboard-downlevel.md | Create a new group policy specifically for onboarding devices such as "Microsoft It copies the files from DOMAIN\NETLOGON\MMA\filename to C:\windows\MMA\filename - **so the installation files are local to the server**: Repeat the process but create item level targeting on the COMMON tab, so the file only gets copied to the appropriate platform/Operating system version in scope: As the Script has an exit method and wont re-run if the MMA is installed, you co :::image type="content" source="images/newtaskprops.png" alt-text="The new task properties" lightbox="images/newtaskprops.png"::: :::image type="content" source="images/tasksch.png" alt-text="The task scheduler" lightbox="images/tasksch.png"::: |
security | Onboarding Endpoint Configuration Manager | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-configuration-manager.md | This article acts as an example onboarding method. In the [Planning](deployment-strategy.md) article, there were several methods provided to onboard devices to the service. This article covers the co-management architecture. *Diagram of environment architectures* While Defender for Endpoint supports onboarding of various endpoints and tools, this article doesn't cover them. For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md). Follow the steps below to onboard endpoints using Microsoft Configuration Manage 1. In Microsoft Configuration Manager console, navigate to **Assets and Compliance \> Overview \> Device Collections**. - :::image type="content" source="images/configmgr-device-collections.png" alt-text="The Microsoft Configuration Manager wizard1" lightbox="images/configmgr-device-collections.png"::: + :::image type="content" source="media/configmgr-device-collections.png" alt-text="The Microsoft Configuration Manager wizard1" lightbox="media/configmgr-device-collections.png"::: 2. Right select **Device Collection** and select **Create Device Collection**. - :::image type="content" source="images/configmgr-create-device-collection.png" alt-text="The Microsoft Configuration Manager wizard2" lightbox="images/configmgr-create-device-collection.png"::: + :::image type="content" source="media/configmgr-create-device-collection.png" alt-text="The Microsoft Configuration Manager wizard2" lightbox="media/configmgr-create-device-collection.png"::: 3. Provide a **Name** and **Limiting Collection**, then select **Next**. 
- :::image type="content" source="images/configmgr-limiting-collection.png" alt-text="The Microsoft Configuration Manager wizard3" lightbox="images/configmgr-limiting-collection.png"::: + :::image type="content" source="media/configmgr-limiting-collection.png" alt-text="The Microsoft Configuration Manager wizard3" lightbox="media/configmgr-limiting-collection.png"::: 4. Select **Add Rule** and choose **Query Rule**. - :::image type="content" source="images/configmgr-query-rule.png" alt-text="The Microsoft Configuration Manager wizard4" lightbox="images/configmgr-query-rule.png"::: + :::image type="content" source="media/configmgr-query-rule.png" alt-text="The Microsoft Configuration Manager wizard4" lightbox="media/configmgr-query-rule.png"::: 5. Select **Next** on the **Direct Membership Wizard** and select on **Edit Query Statement**. - :::image type="content" source="images/configmgr-direct-membership.png" alt-text="The Microsoft Configuration Manager wizard5" lightbox="images/configmgr-direct-membership.png"::: + :::image type="content" source="media/configmgr-direct-membership.png" alt-text="The Microsoft Configuration Manager wizard5" lightbox="media/configmgr-direct-membership.png"::: 6. Select **Criteria** and then choose the star icon. - :::image type="content" source="images/configmgr-criteria.png" alt-text="The Microsoft Configuration Manager wizard6" lightbox="images/configmgr-criteria.png"::: + :::image type="content" source="media/configmgr-criteria.png" alt-text="The Microsoft Configuration Manager wizard6" lightbox="media/configmgr-criteria.png"::: 7. Keep criterion type as **simple value**, choose whereas **Operating System - build number**, operator as **is greater than or equal to** and value **14393** and select on **OK**. 
- :::image type="content" source="images/configmgr-simple-value.png" alt-text="The Microsoft Configuration Manager wizard7" lightbox="images/configmgr-simple-value.png"::: + :::image type="content" source="media/configmgr-simple-value.png" alt-text="The Microsoft Configuration Manager wizard7" lightbox="media/configmgr-simple-value.png"::: 8. Select **Next** and **Close**. - :::image type="content" source="images/configmgr-membership-rules.png" alt-text="The Microsoft Configuration Manager wizard8" lightbox="images/configmgr-membership-rules.png"::: + :::image type="content" source="media/configmgr-membership-rules.png" alt-text="The Microsoft Configuration Manager wizard8" lightbox="media/configmgr-membership-rules.png"::: 9. Select **Next**. - :::image type="content" source="images/configmgr-confirm.png" alt-text="The Microsoft Configuration Manager wizard9" lightbox="images/configmgr-confirm.png"::: + :::image type="content" source="media/configmgr-confirm.png" alt-text="The Microsoft Configuration Manager wizard9" lightbox="media/configmgr-confirm.png"::: After completing this task, you now have a device collection with all the Windows endpoints in the environment. From within the Microsoft Defender portal it's possible to download the `.onboar 6. Right-click **Microsoft Defender ATP Policies** and select **Create Microsoft Defender ATP Policy**. - :::image type="content" source="images/configmgr-create-policy.png" alt-text="The Microsoft Configuration Manager wizard12" lightbox="images/configmgr-create-policy.png"::: + :::image type="content" source="media/configmgr-create-policy.png" alt-text="The Microsoft Configuration Manager wizard12" lightbox="media/configmgr-create-policy.png"::: 7. Enter the name and description, verify **Onboarding** is selected, then select **Next**. 
- :::image type="content" source="images/configmgr-policy-name.png" alt-text="The Microsoft Configuration Manager wizard13" lightbox="images/configmgr-policy-name.png"::: + :::image type="content" source="media/configmgr-policy-name.png" alt-text="The Microsoft Configuration Manager wizard13" lightbox="media/configmgr-policy-name.png"::: 8. Select **Browse**. From within the Microsoft Defender portal it's possible to download the `.onboar 10. Select **Next**. 11. Configure the Agent with the appropriate samples (**None** or **All file types**). - :::image type="content" source="images/configmgr-config-settings.png" alt-text="The configuration settings1" lightbox="images/configmgr-config-settings.png"::: + :::image type="content" source="media/configmgr-config-settings.png" alt-text="The configuration settings1" lightbox="media/configmgr-config-settings.png"::: 12. Select the appropriate telemetry (**Normal** or **Expedited**) then select **Next**. - :::image type="content" source="images/configmgr-telemetry.png" alt-text="The configuration settings2" lightbox="images/configmgr-telemetry.png"::: + :::image type="content" source="media/configmgr-telemetry.png" alt-text="The configuration settings2" lightbox="media/configmgr-telemetry.png"::: 13. Verify the configuration, then select **Next**. - :::image type="content" source="images/configmgr-verify-configuration.png" alt-text="The configuration settings3" lightbox="images/configmgr-verify-configuration.png"::: + :::image type="content" source="media/configmgr-verify-configuration.png" alt-text="The configuration settings3" lightbox="media/configmgr-verify-configuration.png"::: 14. Select **Close** when the Wizard completes. 15. In the Microsoft Configuration Manager console, right-click the Defender for Endpoint policy you created and select **Deploy**. 
- :::image type="content" source="images/configmgr-deploy.png" alt-text="The configuration settings4" lightbox="images/configmgr-deploy.png"::: + :::image type="content" source="media/configmgr-deploy.png" alt-text="The configuration settings4" lightbox="media/configmgr-deploy.png"::: 16. On the right panel, select the previously created collection and select **OK**. - :::image type="content" source="images/configmgr-select-collection.png" alt-text="The configuration settings5" lightbox="images/configmgr-select-collection.png"::: + :::image type="content" source="media/configmgr-select-collection.png" alt-text="The configuration settings5" lightbox="media/configmgr-select-collection.png"::: #### Previous versions of Windows Client (Windows 7 and Windows 8.1) Microsoft Defender Antivirus is a built-in anti-malware solution that provides n 4. Target the new anti-malware policy to your Windows collection and select **OK**. - :::image type="content" source="images/configmgr-select-collection.png" alt-text="The next-generation protection pane11" lightbox="images/configmgr-select-collection.png"::: + :::image type="content" source="media/configmgr-select-collection.png" alt-text="The next-generation protection pane11" lightbox="media/configmgr-select-collection.png"::: After completing this task, you now have successfully configured Microsoft Defender Antivirus. To set attack surface reduction rules in test mode: 3. Set rules to **Audit** and select **Next**. - :::image type="content" source="images/d18e40c9e60aecf1f9a93065cb7567bd.png" alt-text="The Microsoft Configuration Manager console1" lightbox="images/d18e40c9e60aecf1f9a93065cb7567bd.png"::: + :::image type="content" source="media/d18e40c9e60aecf1f9a93065cb7567bd.png" alt-text="The Microsoft Configuration Manager console1" lightbox="media/d18e40c9e60aecf1f9a93065cb7567bd.png"::: 4. Confirm the new Exploit Guard policy by selecting **Next**. |
security | Onboarding Endpoint Manager | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-endpoint-manager.md | This article acts as an example onboarding method. In the [Planning](deployment-strategy.md) article, there were several methods provided to onboard devices to the service. This article covers the cloud-native architecture. *Diagram of environment architectures* While Defender for Endpoint supports onboarding of various endpoints and tools, this article doesn't cover them. For information on general onboarding using other supported deployment tools and methods, see [Onboarding overview](onboarding.md). Then, you continue by creating several different types of endpoint security poli 6. Add scope tags if necessary, then select **Next**. > [!div class="mx-imgBorder"]- > :::image type="content" source="images/ef844f52ec2c0d737ce793f68b5e8408.png" alt-text="The Microsoft Intune admin center8" lightbox="images/ef844f52ec2c0d737ce793f68b5e8408.png"::: + > :::image type="content" source="media/ef844f52ec2c0d737ce793f68b5e8408.png" alt-text="The Microsoft Intune admin center8" lightbox="media/ef844f52ec2c0d737ce793f68b5e8408.png"::: 7. Add test group by clicking on **Select groups to include** and choose your group, then select **Next**. Then, you continue by creating several different types of endpoint security poli 8. Review and create, then select **Create**. > [!div class="mx-imgBorder"]- > :::image type="content" source="images/dfdadab79112d61bd3693d957084b0ec.png" alt-text="The Microsoft Intune admin center17" lightbox="images/dfdadab79112d61bd3693d957084b0ec.png"::: + > :::image type="content" source="media/dfdadab79112d61bd3693d957084b0ec.png" alt-text="The Microsoft Intune admin center17" lightbox="media/dfdadab79112d61bd3693d957084b0ec.png"::: 9. You see the configuration policy you created. 
Then, you continue by creating several different types of endpoint security poli > For more information, see [Attack surface reduction rules](attack-surface-reduction.md). > [!div class="mx-imgBorder"]- > :::image type="content" source="images/dd0c00efe615a64a4a368f54257777d0.png" alt-text="The Microsoft Intune admin center21" lightbox="images/dd0c00efe615a64a4a368f54257777d0.png"::: + > :::image type="content" source="media/dd0c00efe615a64a4a368f54257777d0.png" alt-text="The Microsoft Intune admin center21" lightbox="media/dd0c00efe615a64a4a368f54257777d0.png"::: 7. Add Scope Tags as required, then select **Next**. Then, you continue by creating several different types of endpoint security poli 10. View the policy. > [!div class="mx-imgBorder"]- > :::image type="content" source="images/e74f6f6c150d017a286e6ed3dffb7757.png" alt-text="The Microsoft Intune admin center32" lightbox="images/e74f6f6c150d017a286e6ed3dffb7757.png"::: + > :::image type="content" source="media/e74f6f6c150d017a286e6ed3dffb7757.png" alt-text="The Microsoft Intune admin center32" lightbox="media/e74f6f6c150d017a286e6ed3dffb7757.png"::: ## Validate configuration settings To confirm that the configuration policy is applied to your test device, follow 3. After the services are running on the device, the device appears in Microsoft Defender portal. > [!div class="mx-imgBorder"]- > [![Image of Microsoft Defender portal.](images/df0c64001b9219cfbd10f8f81a273190.png)](images/df0c64001b9219cfbd10f8f81a273190.png#lightbox) + > [![Image of Microsoft Defender portal.](media/df0c64001b9219cfbd10f8f81a273190.png)](media/df0c64001b9219cfbd10f8f81a273190.png#lightbox) ### Confirm next-generation protection |
security | Onboarding Notification | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/onboarding-notification.md | You need to have access to: 6. Add a new step by selecting **Add new action** then search for **Data Operations** and select **Parse JSON**. - :::image type="content" source="images/data-operations.png" alt-text="The data operations entry" lightbox="images/data-operations.png"::: + :::image type="content" source="media/data-operations.png" alt-text="The data operations entry" lightbox="media/data-operations.png"::: 7. Add Body in the **Content** field. You need to have access to: 11. Under **Condition**, add the following expression: "length(body('Get_items')?['value'])" and set the condition to equal to 0. :::image type="content" source="media/apply-to-each-value.png" alt-text="The application of the flow to each condition" lightbox="media/apply-to-each-value.png":::- :::image type="content" source="images/conditions-2.png" alt-text="The condition-1" lightbox="images/conditions-2.png"::: - :::image type="content" source="images/condition3.png" alt-text="The condition-2" lightbox="images/condition3.png"::: + :::image type="content" source="media/conditions-2.png" alt-text="The condition-1" lightbox="media/conditions-2.png"::: + :::image type="content" source="media/condition3.png" alt-text="The condition-2" lightbox="media/condition3.png"::: :::image type="content" source="images/send-email.png" alt-text="The Send an email section" lightbox="images/send-email.png"::: ## Alert notification |
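Review bot: `:::image type="content" source="images/send-email.png" alt-text="The Send an email section" lightbox="images/send-email.png":::` is left on the `images/` path while the adjacent `conditions-2.png` and `condition3.png` directives are moved to `media/`; update it in the same hunk or confirm that file was not moved.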
security | Partner Applications | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/partner-applications.md | Logo|Partner name|Description :|:|: ![Logo for AttackIQ.](media/attackiq-logo.png)|[AttackIQ Platform](https://go.microsoft.com/fwlink/?linkid=2103502)|AttackIQ Platform validates Defender for Endpoint is configured properly by launching continuous attacks safely on production assets ![Logo for Microsoft Sentinel.](images/sentinel-logo.png)|[AzureSentinel](https://go.microsoft.com/fwlink/?linkid=2135705)|Stream alerts from Microsoft Defender for Endpoint into Microsoft Sentinel-![Logo for Cymulate.](images/cymulate-logo.png)|[Cymulate](https://go.microsoft.com/fwlink/?linkid=2135574)|Correlate Defender for Endpoint findings with simulated attacks to validate accurate detection and effective response actions -![Logo for Elastic security.](images/elastic-security-logo.png)|[Elastic Security](https://go.microsoft.com/fwlink/?linkid=2139303)|Elastic Security is a free and open solution for preventing, detecting, and responding to threats +![Logo for Cymulate.](media/cymulate-logo.png)|[Cymulate](https://go.microsoft.com/fwlink/?linkid=2135574)|Correlate Defender for Endpoint findings with simulated attacks to validate accurate detection and effective response actions +![Logo for Elastic security.](media/elastic-security-logo.png)|[Elastic Security](https://go.microsoft.com/fwlink/?linkid=2139303)|Elastic Security is a free and open solution for preventing, detecting, and responding to threats ![Logo for IBM QRadar.](images/ibm-qradar-logo.png)|[IBM QRadar](https://go.microsoft.com/fwlink/?linkid=2113903)|Configure IBM QRadar to collect detections from Defender for Endpoint ![Logo for Micro Focus ArcSight.](media/arcsight-logo.png)|[Micro Focus ArcSight](https://go.microsoft.com/fwlink/?linkid=2113548)|Use Micro Focus ArcSight to pull Defender for Endpoint detections ![Logo for RSA 
NetWitness.](images/rsa-netwitness-logo.png)|[RSA NetWitness](https://go.microsoft.com/fwlink/?linkid=2118566)|Stream Defender for Endpoint Alerts to RSA NetWitness using Microsoft Graph Security API Logo|Partner name|Description Logo|Partner name|Description :|:|: ![Logo for Fortinet.](images/fortinet-logo.jpg)|[Fortinet FortiSOAR](https://www.fortinet.com/products/fortisoar)|Fortinet FortiSOAR is a holistic Security Orchestration, Automation and Response (SOAR) workbench, designed for SOC teams to efficiently respond to the ever-increasing influx of alerts, repetitive manual processes, and shortage of resources. It pulls together all of organization's tools, helps unify operations and reduces alert fatigue, context switching, and the mean time to respond to incidents. -![Logo for Delta Risk ActiveEye.](images/delta-risk-activeeye-logo.png)|[Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468)|Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Defender for Endpoint with its cloud-native SOAR platform, ActiveEye. -![Logo for Demisto, a Palo Alto Networks Company.](images/demisto-logo.png)|[Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414)|Demisto integrates with Defender for Endpoint to enable security teams to orchestrate and automate endpoint security monitoring, enrichment, and response +![Logo for Delta Risk ActiveEye.](media/delta-risk-activeeye-logo.png)|[Delta Risk ActiveEye](https://go.microsoft.com/fwlink/?linkid=2127468)|Delta Risk, a leading provider of SOC-as-a-Service and security services, integrate Defender for Endpoint with its cloud-native SOAR platform, ActiveEye. 
+![Logo for Demisto, a Palo Alto Networks Company.](media/demisto-logo.png)|[Demisto, a Palo Alto Networks Company](https://go.microsoft.com/fwlink/?linkid=2108414)|Demisto integrates with Defender for Endpoint to enable security teams to orchestrate and automate endpoint security monitoring, enrichment, and response ![Logo for Microsoft Flow & Azure Functions.](images/ms-flow-logo.png)|[Microsoft Flow & Azure Functions](https://go.microsoft.com/fwlink/?linkid=2114300)|Use the Defender for Endpoint connectors for Azure Logic Apps & Microsoft Flow to automating security procedures ![Logo for Rapid7 InsightConnect.](images/rapid7-logo.png)|[Rapid7 InsightConnect](https://go.microsoft.com/fwlink/?linkid=2116040)|InsightConnect integrates with Defender for Endpoint to accelerate, streamline, and integrate your time-intensive security processes ![Logo for ServiceNow.](images/servicenow-logo.png)|[ServiceNow](https://go.microsoft.com/fwlink/?linkid=2135621)|Ingest alerts into ServiceNow Security Operations solution based on Microsoft Graph API integration Logo|Partner name|Description :|:|: ![Logo for Aruba ClearPass Policy Manager.](media/aruba-logo.png)|[Aruba ClearPass Policy Manager](https://go.microsoft.com/fwlink/?linkid=2127544)|Ensure Defender for Endpoint is installed and updated on each endpoint before allowing access to the network ![Logo for Blue Hexagon for Network.](media/bluehexagon-logo.png)|[Blue Hexagon for Network](/training/modules/explore-malware-threat-protection/)|Blue Hexagon has built the industry's first real-time deep learning platform for network threat protection-![Logo for CyberMDX.](images/cybermdx-logo.png)|[CyberMDX](https://go.microsoft.com/fwlink/?linkid=2135620)|Cyber MDX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Defender for Endpoint environment +![Logo for CyberMDX.](mediX integrates comprehensive healthcare assets visibility, threat prevention and repose into your Defender for 
Endpoint environment ![Logo for HYAS Protect.](images/hyas-logo.png)|[HYAS Protect](https://go.microsoft.com/fwlink/?linkid=2156763)|HYAS Protect utilizes authoritative knowledge of attacker infrastructure to proactively protect Microsoft Defender for Endpoint endpoints from cyberattacks ![Logo for Vectra Network Detection and Response (NDR).](images/vectra-logo.png)|[Vectra Network Detection and Response (NDR)](https://go.microsoft.com/fwlink/?linkid=866934)|Vectra applies AI & security research to detect and respond to cyber-attacks in real time Logo|Partner name|Description :|:|: ![Logo for Bitdefender.](media/bitdefender-logo.png)|[Bitdefender](https://go.microsoft.com/fwlink/?linkid=860032)|Bitdefender GravityZone is a layered next generation endpoint protection platform offering comprehensive protection against the full spectrum of sophisticated cyber threats ![Logo for Better Mobile.](media/bettermobile-logo.png)|[Better Mobile](https://go.microsoft.com/fwlink/?linkid=2086214)|AI-based MTD solution to stop mobile threats & phishing. 
Private internet browsing to protect user privacy-![Logo for Corrata.](images/corrata-new.png)|[Corrata](https://go.microsoft.com/fwlink/?linkid=2081148)|Mobile solution - Protect your mobile devices with granular visibility and control from Corrata +![Logo for Corrata.](media/corrata-new.png)|[Corrata](https://go.microsoft.com/fwlink/?linkid=2081148)|Mobile solution - Protect your mobile devices with granular visibility and control from Corrata ![Logo for Lookout.](images/lookout-logo.png)|[Lookout](https://go.microsoft.com/fwlink/?linkid=866935)|Get Lookout Mobile Threat Protection telemetry for Android and iOS mobile devices ![Logo for Symantec Endpoint Protection Mobile.](images/symantec-logo.png)|[Symantec Endpoint Protection Mobile](https://go.microsoft.com/fwlink/?linkid=2090992)|SEP Mobile helps businesses predict, detect, and prevent security threats and vulnerabilities on mobile devices ![Logo for Zimperium.](images/zimperium-logo.png)|[Zimperium](https://go.microsoft.com/fwlink/?linkid=2118044)|Extend your Defender for Endpoint to iOS and Android with Machine Learning-based Mobile Threat Defense Logo|Partner name|Description Logo|Partner name|Description :|:|:-![Logo for Cyren Web Filter.](images/cyren-logo.png)|[Cyren Web Filter](https://www.cyren.com/security-center/url-category-check)|Enhance your Defender for Endpoint with advanced Web Filtering +![Logo for Cyren Web Filter.](media/cyren-logo.png)|[Cyren Web Filter](https://www.cyren.com/security-center/url-category-check)|Enhance your Defender for Endpoint with advanced Web Filtering ![Logo for Morphisec.](images/morphisec-logo.png)|[Morphisec](https://go.microsoft.com/fwlink/?linkid=2086215)|Provides Moving Target Defense-powered advanced threat prevention. 
Integrates forensics data directly into WD Defender for Cloud dashboards to help prioritize alerts, determine device at-risk score and visualize full attack timeline including internal memory information ![Logo for THOR Cloud.](images/nextron-thor-logo.png)|[THOR Cloud](https://go.microsoft.com/fwlink/?linkid=862988)|Provides on-demand live forensics scans using a signature base with focus on persistent threats |
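Review bot: only the Corrata and Cyren rows in this hunk move their logo from `images/` to `media/`, while the Lookout, Symantec Endpoint Protection Mobile, Zimperium, Morphisec, HYAS Protect, Vectra and THOR Cloud rows still reference `images/`; confirm those rows are updated in another hunk, otherwise their logos will break once the folder is renamed (Bitdefender and Better Mobile already use `media/`).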
security | Respond Machine Alerts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/respond-machine-alerts.md | Alternate steps: 1. Select **Collect Investigation Package** from the response actions section of the device page. - ![Image of collect investigation package](images/collect-investigation-package.png) + ![Image of collect investigation package](media/collect-investigation-package.png) 1. Add comments and select **Confirm**. - ![Image of confirm comment](images/comments-confirm.png) + ![Image of confirm comment](media/comments-confirm.png) 1. Select **Action center** from the response actions section of the device page. Alternate steps: 1. Click the **Package collection package available** to download the collection package. - ![Image of download package](images/download-package.png) + ![Image of download package](media/download-package.png) For Windows devices, the package contains the following folders: You'll be able to stop containing a device at any time. ## Contain user from the network -When an identity in your network might be compromised, you must prevent that identity from accessing the network and different endpoints. Defender for Endpoint can "contain" an identity, blocking it from access, and helping prevent attacks-- specifically, ransomware. When an identity is contained, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic in specific protocols related to attacks (network logons, RPC, SMB, RDP), terminate ongoing remote sessions and logoff existing RDP connections, while enabling legitimate traffic. This action can significantly help to reduce the impact of an attack. When an identity is contained, security operations analysts have extra time to locate, identify and remediate the threat to the compromised identity. 
+When an identity in your network might be compromised, you must prevent that identity from accessing the network and different endpoints. Defender for Endpoint can "contain" an identity, blocking it from access, and helping prevent attacks-- specifically, ransomware. When an identity is contained, any supported Microsoft Defender for Endpoint onboarded device will block incoming traffic in specific protocols related to attacks (network logons, RPC, SMB, RDP), terminate ongoing remote sessions and logoff existing RDP connections (termination the session itself including all its related processes), while enabling legitimate traffic. This action can significantly help to reduce the impact of an attack. When an identity is contained, security operations analysts have extra time to locate, identify and remediate the threat to the compromised identity. > [!NOTE] > Blocking incoming communication with a "contained" user is supported on onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense version 8740 and higher), Windows Server 2019+ devices, and Windows Servers 2012R2 and 2016 with the modern agent. |
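Review bot: the parenthetical added in the `+` line of the Contain user paragraph, "(termination the session itself including all its related processes)", is ungrammatical; suggest "(terminating the session itself, including all of its related processes)". The same sentence still carries the double hyphen in "attacks-- specifically", which should be a single dash or a comma.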
security | Review Alerts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/review-alerts.md | Note the detection status for your alert. - Prevented: The attempted suspicious action was avoided. For example, a file either wasn't written to disk or executed. - :::image type="content" source="images/detstat-prevented.png" alt-text="The page showing the prevention of a threat" lightbox="images/detstat-prevented.png"::: + :::image type="content" source="media/detstat-prevented.png" alt-text="The page showing the prevention of a threat" lightbox="media/detstat-prevented.png"::: - Blocked: Suspicious behavior was executed and then blocked. For example, a process was executed but because it subsequently exhibited suspicious behaviors, the process was terminated. - :::image type="content" source="images/detstat-blocked.png" alt-text="The page showing the blockage of a threat" lightbox="images/detstat-blocked.png"::: + :::image type="content" source="media/detstat-blocked.png" alt-text="The page showing the blockage of a threat" lightbox="media/detstat-blocked.png"::: - Detected: An attack was detected and is possibly still active. - :::image type="content" source="images/detstat-detected.png" alt-text="The page showing the detection of a threat" lightbox="images/detstat-detected.png"::: + :::image type="content" source="media/detstat-detected.png" alt-text="The page showing the detection of a threat" lightbox="media/detstat-detected.png"::: You can then also review the *automated investigation details* in your alert's details pane, to see which actions were already taken, as well as reading the alert's description for recommended actions. Selecting a device or a user card in the affected assets sections will switch to - **For devices**, the details pane will display information about the device itself, like Domain, Operating System, and IP. Active alerts and the logged on users on that device are also available. 
You can take immediate action by isolating the device, restricting app execution, or running an antivirus scan. Alternatively, you could collect an investigation package, initiate an automated investigation, or go to the device page to investigate from the device's point of view. - :::image type="content" source="images/device-page-details.png" alt-text="The details pane when a device is selected" lightbox="images/device-page-details.png"::: + :::image type="content" source="media/device-page-details.png" alt-text="The details pane when a device is selected" lightbox="media/device-page-details.png"::: - **For users**, the details pane will display detailed user information, such as the user's SAM name and SID, as well as logon types performed by this user and any alerts and incidents related to it. You can select *Open user page* to continue the investigation from that user's point of view. |
security | Schedule Antivirus Scan In Mde | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/schedule-antivirus-scan-in-mde.md | Use the following steps to schedule scans: ls -la ``` - :::image type="content" source="images/chmod-755-mdavfullscan.png" alt-text="7. Change file permissions"::: + :::image type="content" source="mediavfullscan.png" alt-text="7. Change file permissions"::: ```shell [root@redhat7 cron.weekly]# ls -la |
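Review bot: the new image path in the `+` line, `source="mediavfullscan.png"`, is broken: the folder rename dropped both the `media/` prefix and the `chmod-755-md` part of the file name, so the image will not resolve. The `-` line shows the original was `images/chmod-755-mdavfullscan.png`, so the replacement should read `source="media/chmod-755-mdavfullscan.png"`.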
security | Techniques Device Timeline | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/techniques-device-timeline.md | This feature simplifies the investigation experience by helping analysts underst For public preview, Techniques are available by default and shown together with events when a device's timeline is viewed. Techniques are highlighted in bold text and appear with a blue icon on the left. The corresponding MITRE ATT&CK ID and technique name also appear as tags under Additional information. From there you can select which information set to include. To view only either events or techniques, select **Filters** from the device timeline and choose your preferred Data type to view. ## See also |
security | Troubleshoot Collect Support Log | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-collect-support-log.md | If you also require Defender Antivirus support logs (MpSupportFiles.cab), then f 4. Select **Choose file**. - :::image type="content" source="images/choose-file.png" alt-text="The choose file button-1" lightbox="images/choose-file.png"::: + :::image type="content" source="media/choose-file.png" alt-text="The choose file button-1" lightbox="media/choose-file.png"::: 5. Select the downloaded file named MDELiveAnalyzer.ps1 and then click on **Confirm** |
security | Troubleshoot Performance Issues | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-performance-issues.md | Process Monitor (ProcMon) is an advanced monitoring tool that can show real-time 2. The second way is to run the **command line** as admin, then from the Process Monitor path, run: - :::image type="content" source="images/cmd-procmon.png" alt-text="The cmd procmon" lightbox="images/cmd-procmon.png"::: + :::image type="content" source="medi-procmon.png"::: ```console Procmon.exe /AcceptEula /Noconnect /Profiling |
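Review bot: the rewritten image directive in the `+` line, `source="medi-procmon.png":::`, lost the `a/cmd` portion of the path and dropped the `alt-text` and `lightbox` attributes that every other image directive in this change set carries. Restore it from the `-` line as `:::image type="content" source="media/cmd-procmon.png" alt-text="The cmd procmon" lightbox="media/cmd-procmon.png":::`.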
security | Troubleshoot Security Config Mgt | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender-endpoint/troubleshoot-security-config-mgt.md | The Client Analyzer output file (MDE Client Analyzer Results.htm) can provide ke - Verify that the device OS is in scope for Security Management for Microsoft Defender for Endpoint onboarding flow in **General Device Details** section - Verify that the device appears in Microsoft Entra ID in **Device Configuration Management Details** - :::image type="content" source="images/client-analyzer-results.png" alt-text="The client analyzer results" lightbox="images/client-analyzer-results.png"::: + :::image type="content" source="media/client-analyzer-results.png" alt-text="The client analyzer results" lightbox="media/client-analyzer-results.png"::: In the **Detailed Results** section of the report, the Client Analyzer also provides actionable guidance. In the **Detailed Results** section of the report, the Client Analyzer also prov If you weren't able to identify the onboarded device in Microsoft Entra ID or in the Intune admin center, and didn't receive an error during the enrollment, checking the registry key `Computer\\HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\SenseCM\\EnrollmentStatus` can provide additional troubleshooting information. The following table lists errors and directions on what to try/check in order to address the error. Note that the list of errors isn't complete and is based on typical/common errors encountered by customers in the past: |
security | Advanced Hunting Cloudappevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-cloudappevents-table.md | For information on other tables in the advanced hunting schema, [see the advance | `UserAgentTags` | `dynamic` | More information provided by Microsoft Defender for Cloud Apps in a tag in the user agent field. Can have any of the following values: Native client, Outdated browser, Outdated operating system, Robot | | `RawEventData` | `dynamic` | Raw event information from the source application or service in JSON format | | `AdditionalFields` | `dynamic` | Additional information about the entity or event |+| `LastSeenForUser` | `string` | Shows how many days back the attribute was recently in use by the user in days (i.e. ISP, ActionType etc.) | +| `UncommonForUser` | `string` | Lists the attributes in the event that are uncommon for the user, using this data to help rule out false positives and find out anomalies | ## Apps and services covered |
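Review bot: the two new schema rows need clearer descriptions. `LastSeenForUser` reads "how many days back the attribute was recently in use by the user in days (i.e. ISP, ActionType etc.)": "in days" appears twice, "i.e." should be "e.g." since ISP and ActionType are examples, and because the value reports several attributes at once, confirm that `string` is the intended type rather than `dynamic` like the neighbouring `RawEventData` and `AdditionalFields` rows. For `UncommonForUser`, "using this data to help rule out false positives and find out anomalies" is awkward; suggest "Lists the attributes in the event that are uncommon for the user; use this to rule out false positives and surface anomalies".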
security | Advanced Hunting Emailpostdeliveryevents Table | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-emailpostdeliveryevents-table.md | To get more information about individual email messages, you can also use the [` This table captures events with the following `ActionType` values: -- **Manual remediation** ΓÇô An administrator manually took action on an email message after it was delivered to the user mailbox. This includes actions taken manually through [Threat Explorer](../office-365-security/threat-explorer-about.md) or approvals of [automated investigation and response (AIR) actions](m365d-autoir-actions.md).+- **Manual remediation** ΓÇô An administrator manually took action on an email message after it was delivered to the user mailbox. This includes actions taken manually through [Threat Explorer](../office-365-security/threat-explorer-real-time-detections-about.md) or approvals of [automated investigation and response (AIR) actions](m365d-autoir-actions.md). - **Phish ZAP** ΓÇô [Zero-hour auto purge (ZAP)](../office-365-security/zero-hour-auto-purge.md) took action on a phishing email after delivery. - **Malware ZAP** ΓÇô Zero-hour auto purge (ZAP) took action on an email message found containing malware after delivery. |
security | Advanced Hunting Query Builder | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/advanced-hunting-query-builder.md | You can choose from: - All domains - to look through all available data in your query - Endpoints - to look through endpoint data as provided by Microsoft Defender for Endpoint - Apps and identities - to look through application and identity data as provided by Microsoft Defender for Cloud Apps and Microsoft Defender for Identity; users familiar with [Activity log](/defender-cloud-apps/activity-filters) can find the same data here-- Email and collaboration - to look through email and collaboration apps data like SharePoint, OneDrive and others; users familiar with [Threat Explorer](../office-365-security/threat-explorer-about.md) can find the same data here+- Email and collaboration - to look through email and collaboration apps data like SharePoint, OneDrive and others; users familiar with [Threat Explorer](../office-365-security/threat-explorer-real-time-detections-about.md) can find the same data here ## Use basic filters |
security | Automatic Attack Disruption | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/automatic-attack-disruption.md | This article provides an overview of automated attack disruption and includes li ## How automatic attack disruption works -Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization's assets, and provide more time for security teams to remediate the attack fully. Attack disruption in uses the the full breadth of our extended detection and response (XDR) signals, taking the entire attack into account to act at the incident level. This capability is unlike known protection methods such as prevention and blocking based on a single indicator of compromise. +Automatic attack disruption is designed to contain attacks in progress, limit the impact on an organization's assets, and provide more time for security teams to remediate the attack fully. Attack disruption in uses the full breadth of our extended detection and response (XDR) signals, taking the entire attack into account to act at the incident level. This capability is unlike known protection methods such as prevention and blocking based on a single indicator of compromise. -While many XDR and security orchestration, automation, and response (SOAR) platforms allow you to create your automatic response actions, automatic attack disruption is built-in and uses insights from Microsoft security researchers and advanced AI models to counteract the complexities of advanced attacks. Automatic attack disruption considers the entire context of signals from different sources to determine compromised assets. 
+While many XDR and security orchestration, automation, and response (SOAR) platforms allow you to create your automatic response actions, automatic attack disruption is built in and uses insights from Microsoft security researchers and advanced AI models to counteract the complexities of advanced attacks. Automatic attack disruption considers the entire context of signals from different sources to determine compromised assets. Automatic attack disruption operates in three key stages: Automatic attack disruption uses Microsoft-based XDR response actions. Examples - [Device contain](/microsoft-365/security/defender-endpoint/respond-machine-alerts#contain-devices-from-the-network) - based on Microsoft Defender for Endpoint's capability, this action is an automatic containment of a suspicious device to block any incoming/outgoing communication with the said device. - [Disable user](/defender-for-identity/remediation-actions) - based on Microsoft Defender for Identity's capability, this action is an automatic suspension of a compromised account to prevent additional damage like lateral movement, malicious mailbox use, or malware execution.-- [Contain user](../defender-endpoint/respond-machine-alerts.md#contain-user-from-the-network) - This response action automatically contains suspicious identities temporarily to help block any lateral movement and remote encryption related to incoming communication with Defender for Endpoint's onboarded devices.+- [Contain user](../defender-endpoint/respond-machine-alerts.md#contain-user-from-the-network) - based on Microsoft Defender for Endpoint's capability, this response action automatically contains suspicious identities temporarily to help block any lateral movement and remote encryption related to incoming communication with Defender for Endpoint's onboarded devices. For more information, see [remediation actions](m365d-remediation-actions.md) in Microsoft Defender XDR. |
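Review bot: the `+` line in the first hunk fixes "the the" but leaves the stray "in" in "Attack disruption in uses the full breadth of our extended detection and response (XDR) signals"; drop it so the sentence reads "Attack disruption uses the full breadth ...".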
security | Communicate Defender Experts Xdr | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/communicate-defender-experts-xdr.md | In break-glass scenarios or matters that require immediate attention (for exampl ## Ask Defender Experts -While the previous scenarios involve our experts initiating communication with you, you can also request advanced threat expertise on demand by selecting **Ask Defender Experts** directly inside the Microsoft Defender XDR portal. [Learn more](start-using-mdex-xdr.md#request-advanced-threat-expertise-on-demand) +While the previous scenarios involve our experts initiating communication with you, you can also request advanced threat expertise on demand by selecting **Ask Defender Experts** directly inside the Microsoft Defender XDR portal. [Learn more](onboarding-defender-experts-for-hunting.md#collaborate-with-experts-on-demand) ## Collaborating with your service delivery manager |
security | Eval Defender Identity Pilot | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-identity-pilot.md | -Use the following steps to setup and configure the pilot for Microsoft Defender for identity. Note that the recommendations don't include setting up a pilot group. The best practice is to go ahead and install the sensor on all of your servers running Active Directory Domain Services (AD DS) and Active Directory Federated Services (AD FS). +Use the following steps to set up and configure the pilot for Microsoft Defender for identity. The recommendations don't include setting up a pilot group. The best practice is to install the sensor on all of your servers running Active Directory Domain Services (AD DS) and Active Directory Federated Services (AD FS). :::image type="content" source="../../media/defender/m365-defender-identity-pilot-steps.png" alt-text="The steps for piloting Microsoft Defender for Identity in the Microsoft Defender evaluation environment" lightbox="../../media/defender/m365-defender-identity-pilot-steps.png"::: The following table describes the steps in the illustration. Microsoft provides security benchmark recommendations for customers using Microsoft Cloud services. The [Azure Security Benchmark](/security/benchmark/azure/overview) (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. -These benchmark recommendations include [Azure security baseline for Microsoft Defender for Identity](/security/benchmark/azure/baselines/defender-for-identity-security-baseline). Implementing these recommendations can take some time to plan and implement. While these will greatly increase the security of your identity environment, they shouldn't prevent you from continuing to evaluate and implement Microsoft Defender for Identity. These are provided here for your awareness. 
+These benchmark recommendations include [Azure security baseline for Microsoft Defender for Identity](/security/benchmark/azure/baselines/defender-for-identity-security-baseline). Implementing these recommendations can take some time to plan and implement. While these recommendations greatly increase the security of your identity environment, they shouldn't prevent you from continuing to evaluate and implement Microsoft Defender for Identity. These recommendations are provided here for your awareness. ## Step 2: Try out capabilities ΓÇö Walk through tutorials for identifying and remediating different attack types Try out Defender for Identity tutorials: ## Next steps -[Evaluate Microsoft Defender for Office 365](eval-defender-office-365-overview.md) +[Evaluate Microsoft Defender for Office 365.](eval-defender-office-365-overview.md) -Return to the overview for [Evaluate Microsoft Defender for Office 365](eval-defender-office-365-overview.md) +Return to the overview for [Evaluate Microsoft Defender for Office 365.](eval-defender-office-365-overview.md) Return to the overview for [Evaluate and pilot Microsoft Defender XDR](eval-overview.md)+ |
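Review bot: the `+` line in the opening paragraph still has the product name in lowercase, "Microsoft Defender for identity"; it should be "Microsoft Defender for Identity", matching the alt text and the Step 2 heading in the same article.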
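Review bot: the Next steps hunk moves the full stop inside the link text, `[Evaluate Microsoft Defender for Office 365.](eval-defender-office-365-overview.md)`, so the period renders as part of the hyperlink in both changed lines; place it after the closing parenthesis instead.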
security | Eval Defender Office 365 Pilot | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/eval-defender-office-365-pilot.md | Now that your pilot is set up and configured, it's helpful to become familiar wi |Capability|Description|More information| ||||-|Threat Explorer|Threat Explorer is a powerful near real-time tool to help Security Operations teams investigate and respond to threats and displays information about suspected malware and phish in email and files in Office 365, as well as other security threats and risks to your organization.|[Views in Threat Explorer and real-time detections](../office-365-security/threat-explorer-views.md)| +|Threat Explorer|Threat Explorer is a powerful near real-time tool to help Security Operations teams investigate and respond to threats and displays information about detected malware and phishing in email and files in Office 365, as well as other security threats and risks to your organization.|[About Threat Explorer](../office-365-security/threat-explorer-real-time-detections-about.md)| |Attack simulation training|You can use Attack simulation training in the Microsoft Defender portal to run realistic attack scenarios in your organization, which help you identify and find vulnerable users before a real attack impacts your environment.|[Get started using Attack simulation training](../office-365-security/attack-simulation-training-get-started.md)| |Reports dashboard|On the left navigation menu, click Reports and expand the Email & collaboration heading. The Email & collaboration reports are about spotting security trends some of which will allow you to take action (through buttons like 'Go to submissions'), and others that will show trends. 
These metrics are generated automatically.|[View email security reports in the Microsoft Defender portal](../office-365-security/reports-email-security.md) <br/><br/> [View Defender for Office 365 reports in the Microsoft Defender portal](../office-365-security/reports-defender-for-office-365.md)| |
security | M365d Action Center | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-action-center.md | In addition to remediation actions that are taken automatically as a result of [ | **Automated device action** | An automated action taken on an entity, such as a file or process. Examples of automated actions include sending a file to quarantine, stopping a process, and removing a registry key. (See [Remediation actions in Microsoft Defender for Endpoint](../defender-endpoint/manage-auto-investigation.md#remediation-actions).) | | **Automated email action** | An automated action taken on email content, such as an email message, attachment, or URL. Examples of automated actions include soft-deleting email messages, blocking URLs, and turning off external mail forwarding. (See [Remediation actions in Microsoft Defender for Office 365](../office-365-security/air-remediation-actions.md).) | | **Advanced hunting action** | Actions taken on devices or email with [advanced hunting](./advanced-hunting-overview.md). |-| **Explorer action** | Actions taken on email content with [Explorer](../office-365-security/threat-explorer-about.md). | +| **Explorer action** | Actions taken on email content with [Explorer](../office-365-security/threat-explorer-real-time-detections-about.md). | | **Manual live response action** | Actions taken on a device with [live response](../defender-endpoint/live-response.md). Examples include deleting a file, stopping a process, and removing a scheduled task. | | **Live response action** | Actions taken on a device with [Microsoft Defender for Endpoint APIs](../defender-endpoint/management-apis.md#microsoft-defender-for-endpoint-apis). Examples of actions include isolating a device, running an antivirus scan, and getting information about a file. | |
security | M365d Remediation Actions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/m365d-remediation-actions.md | In addition to remediation actions that follow automated investigations, your se - Manual email action, such as soft-deleting email messages - Manual user action, such as disable user or reset user password - [Advanced hunting](../defender-endpoint/advanced-hunting-overview.md) action on devices, users, or email-- [Explorer](../office-365-security/threat-explorer-about.md) action on email content, such as moving email to junk, soft-deleting email, or hard-deleting email+- [Explorer](../office-365-security/threat-explorer-real-time-detections-about.md) action on email content, such as moving email to junk, soft-deleting email, or hard-deleting email - Manual [live response](/windows/security/threat-protection/microsoft-defender-atp/live-response) action, such as deleting a file, stopping a process, and removing a scheduled task - Live response action with [Microsoft Defender for Endpoint APIs](../defender-endpoint/management-apis.md#microsoft-defender-for-endpoint-apis), such as isolating a device, running an antivirus scan, and getting information about a file |
security | Microsoft 365 Defender | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-defender.md | Title: What is Microsoft Defender XDR? description: Microsoft Defender XDR is a coordinated threat protection solution designed to protect devices, identity, data and applications keywords: introduction to MMicrosoft Defender XDR, cyber security, advanced persistent threat, enterprise security, devices, device, identity, users, data, applications, incidents, automated investigation and remediation, advanced hunting -search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.mktglfcycl: deploy f1.keywords: ms.localizationpriority: medium- audience: ITPro-- - m365-security - - tier1 - admindeeplinkDEFENDER - intro-overview |
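Review bot: while trimming the front matter (`search.product`, `ms.mktglfcycl`, and the `m365-security`/`tier1` values), also fix the typo "MMicrosoft Defender XDR" in the unchanged `keywords` line just above the removed entries.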
security | Microsoft 365 Security Center Mdo | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/microsoft-365-security-center-mdo.md | This table is a quick reference of Threat management where change has occurred b No changes to these areas: -- [Explorer](../office-365-security/threat-explorer-about.md)+- [Explorer](../office-365-security/threat-explorer-real-time-detections-about.md) - [Policies & Rules](../../compliance/alert-policies.md) - [Campaign](../office-365-security/campaigns.md) - [Submissions](../office-365-security/submissions-admin.md) |
security | Respond First Incident Analyze | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/respond-first-incident-analyze.md | Ransomware continues to be a significant threat to organizations. Microsoft has Identifying and tracking modified, created, or stolen identities are essential to investigating phishing and BEC attacks. Use the following resources when investigating these attacks: -- **Tutorial**: [Investigate malicious email](/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered)+- **Tutorial**: [Investigate malicious email](/microsoft-365/security/office-365-security/threat-explorer-investigate-delivered-malicious-email) - **Tutorial**: [Investigate users](investigate-users.md) - **Tutorial**: [Investigate a user account](/microsoft-365/security/defender-endpoint/investigate-user) - **Blog**: [Total Identity Compromise: Microsoft Incident Response lessons on securing Active Directory |
security | Streaming Api Event Hub | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/defender/streaming-api-event-hub.md | Prior to configuring Microsoft Defender XDR to stream data to Event Hubs, ensure To get your **Event Hub resource ID**, go to your Azure Event Hubs namespace page on [Azure](https://ms.portal.azure.com/) > **Properties** tab > copy the text under **Resource ID**: - :::image type="content" source="../defender-endpoint/images/event-hub-resource-id.png" alt-text="An Event Hub resource ID" lightbox="../defender-endpoint/images/event-hub-resource-id.png"::: + :::image type="content" source="../defender-endpoint/media/event-hub-resource-id.png" alt-text="An Event Hub resource ID" lightbox="../defender-endpoint/media/event-hub-resource-id.png"::: 8. Go to the [Supported Microsoft Defender XDR event types in event streaming API](supported-event-types.md) to review the support status of event types in the Microsoft 365 Streaming API. |
security | Address Compromised Users Quickly | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/address-compromised-users-quickly.md | To learn more, see [View details of an investigation](air-view-investigation-res - [Review the required permissions to use AIR capabilities](air-about.md#required-permissions-to-use-air-capabilities) -- [Find and investigate malicious email in Office 365](investigate-malicious-email-that-was-delivered.md)+- [Find and investigate malicious email in Office 365](threat-explorer-investigate-delivered-malicious-email.md) - [Learn about AIR in Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/automated-investigations) |
security | Advanced Delivery Policy Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/advanced-delivery-policy-configure.md | Use the _advanced delivery policy_ in EOP to prevent inbound messages _in these Messages that are identified by the advanced delivery policy aren't security threats, so the messages are marked with system overrides. Admin experiences show these messages as **Phishing simulation** or **SecOps mailbox** system overrides. Admins can use these values to filter and analyze messages in the following experiences: -- [Threat Explorer/Real-time detections in Defender for Office 365 plan 2](threat-explorer-about.md): Admin can filter on **System override source** and select either **Phishing simulation** or **SecOps Mailbox**.+- [Threat Explorer/Real-time detections in Defender for Office 365 plan 2](threat-explorer-real-time-detections-about.md): Admin can filter on **System override source** and select either **Phishing simulation** or **SecOps Mailbox**. - The [Email entity Page in Threat Explorer/Real-time detections](mdo-email-entity-page.md): Admin can view a message that was allowed by organization policy by either **SecOps mailbox** or **Phishing simulation** under **Tenant override** in the **Override(s)** section. - The [Threat protection status report](reports-email-security.md#threat-protection-status-report): Admin can filter by **view data by System override** in the drop down menu and select to see messages allowed due to a phishing simulation system override. To see messages allowed by the SecOps mailbox override, you can select **chart breakdown by delivery location** in the **chart breakdown by reason** dropdown list. - [Advanced hunting in Microsoft Defender for Endpoint](../defender-endpoint/advanced-hunting-overview.md): Phishing simulation and SecOps mailbox system overrides are options within OrgLevelPolicy in EmailEvents. |
security | Air About Office | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-about-office.md | Remediation is the final phase of the playbook. During this phase, remediation s ## Example: A security administrator triggers an investigation from Threat Explorer -In addition to automated investigations that are triggered by an alert, your organization's security operations team can trigger an automated investigation from a view in [Threat Explorer](threat-explorer-about.md). This investigation also creates an alert, so Microsoft Defender XDR incidents and external SIEM tools can see that this investigation was triggered. +In addition to automated investigations that are triggered by an alert, your organization's security operations team can trigger an automated investigation from a view in [Threat Explorer](threat-explorer-real-time-detections-about.md). This investigation also creates an alert, so Microsoft Defender XDR incidents and external SIEM tools can see that this investigation was triggered. For example, suppose that you are using the **Malware** view in Explorer. Using the tabs below the chart, you select the **Email** tab. If you select one or more items in the list, the **+ Actions** button activates. |
security | Air About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-about.md | An alert is triggered, and a security playbook starts an automated investigation 1. An automated investigation is initiated in one of the following ways: - Either [an alert is triggered](#which-alert-policies-trigger-automated-investigations) by something suspicious in email (such as a message, attachment, URL, or compromised user account). An incident is created, and an automated investigation begins; or- - A security analyst [starts an automated investigation](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer) while using [Explorer](threat-explorer-about.md). + - A security analyst [starts an automated investigation](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer) while using [Explorer](threat-explorer-real-time-detections-about.md). 2. While an automated investigation runs, it gathers data about the email in question and _entities_ related to that email (for example, files, URLs, and recipients). The investigation's scope can increase as new and related alerts are triggered. |
security | Air Remediation Actions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-remediation-actions.md | Microsoft Defender for Office 365 includes remediation actions to address variou |Email|Phish|Soft delete email/cluster <p> If more than a handful of email messages in a cluster contain phishing attempts, the whole cluster is considered a phishing attempt.| |Email|Zapped phish <br> (Email messages were delivered and then [zapped](zero-hour-auto-purge.md).)|Soft delete email/cluster <p> Reports are available to view zapped messages. [See if ZAP moved a message and FAQs](zero-hour-auto-purge.md#how-to-see-if-zap-moved-your-message).| |Email|Missed phish email [reported](submissions-users-report-message-add-in-configure.md) by a user|[Automated investigation triggered by the user's report](air-about-office.md#example-a-user-reported-phish-message-launches-an-investigation-playbook)|-|Email|Volume anomaly <br> (Recent email quantities exceed the previous 7-10 days for matching criteria.)|Automated investigation doesn't result in a specific pending action. <p>Volume anomaly isn't a clear threat, but is merely an indication of larger email volumes in recent days compared to the last 7-10 days. <p>Although a high volume of email can indicate potential issues, confirmation is needed in terms of either malicious verdicts or a manual review of email messages/clusters. See [Find suspicious email that was delivered](investigate-malicious-email-that-was-delivered.md#find-suspicious-email-that-was-delivered).| -|Email|No threats found <br> (The system didn't find any threats based on files, URLs, or analysis of email cluster verdicts.)|Automated investigation doesn't result in a specific pending action. 
<p>Threats found and [zapped](zero-hour-auto-purge.md) after an investigation is complete aren't reflected in an investigation's numerical findings, but such threats are viewable in [Threat Explorer](threat-explorer-about.md).| -|User|A user clicked a malicious URL <br> (A user navigated to a page that was later found to be malicious, or a user bypassed a [Safe Links warning page](safe-links-about.md#warning-pages-from-safe-links) to get to a malicious page.)|Automated investigation doesn't result in a specific pending action. <p> Block URL (time-of-click) <p> Use Threat Explorer to [view data about URLs and click verdicts](threat-explorer-about.md#view-phishing-url-and-click-verdict-data). <p> If your organization is using [Microsoft Defender for Endpoint](/windows/security/threat-protection/), consider [investigating the user](/microsoft-365/security/defender-endpoint/investigate-user) to determine if their account is compromised.| -|User|A user is sending malware/phish|Automated investigation doesn't result in a specific pending action. <p> The user might be reporting malware/phish, or someone could be [spoofing the user](anti-phishing-protection-spoofing-about.md) as part of an attack. Use [Threat Explorer](threat-explorer-about.md) to view and handle email containing [malware](threat-explorer-views.md#malware) or [phish](threat-explorer-views.md#phish).| +|Email|Volume anomaly <br> (Recent email quantities exceed the previous 7-10 days for matching criteria.)|Automated investigation doesn't result in a specific pending action. <p>Volume anomaly isn't a clear threat, but is merely an indication of larger email volumes in recent days compared to the last 7-10 days. <p>Although a high volume of email can indicate potential issues, confirmation is needed in terms of either malicious verdicts or a manual review of email messages/clusters. 
See [Find suspicious email that was delivered](threat-explorer-investigate-delivered-malicious-email.md#find-suspicious-email-that-was-delivered).| +|Email|No threats found <br> (The system didn't find any threats based on files, URLs, or analysis of email cluster verdicts.)|Automated investigation doesn't result in a specific pending action. <p>Threats found and [zapped](zero-hour-auto-purge.md) after an investigation is complete aren't reflected in an investigation's numerical findings, but such threats are viewable in [Threat Explorer](threat-explorer-real-time-detections-about.md).| +|User|A user clicked a malicious URL <br> (A user navigated to a page that was later found to be malicious, or a user bypassed a [Safe Links warning page](safe-links-about.md#warning-pages-from-safe-links) to get to a malicious page.)|Automated investigation doesn't result in a specific pending action. <p> Block URL (time-of-click) <p> Use Threat Explorer to [view data about URLs and click verdicts](threat-explorer-real-time-detections-about.md#click-verdict-pivot-for-the-url-clicks-view-for-the-details-area-of-the-all-email-view-in-threat-explorer). <p> If your organization is using [Microsoft Defender for Endpoint](/windows/security/threat-protection/), consider [investigating the user](/microsoft-365/security/defender-endpoint/investigate-user) to determine if their account is compromised.| +|User|A user is sending malware/phish|Automated investigation doesn't result in a specific pending action. <p> The user might be reporting malware/phish, or someone could be [spoofing the user](anti-phishing-protection-spoofing-about.md) as part of an attack. 
Use [Threat Explorer](threat-explorer-real-time-detections-about.md) to view and handle email containing [malware](threat-explorer-real-time-detections-about.md#malware-view-in-threat-explorer-and-real-time-detections) or [phishing](threat-explorer-real-time-detections-about.md#phish-view-in-threat-explorer-and-real-time-detections).| |User|Email forwarding <br> (Mailbox forwarding rules are configured, chch could be used for data exfiltration.)|Remove forwarding rule <p> Use the [Autoforwarded messages report](/exchange/monitoring/mail-flow-reports/mfr-auto-forwarded-messages-report) to view specific details about forwarded email.| |User|Email delegation rules <br> (A user's account has delegations set up.)|Remove delegation rule <p> If your organization is using [Microsoft Defender for Endpoint](/windows/security/threat-protection/), consider [investigating the user](/microsoft-365/security/defender-endpoint/investigate-user) who's getting the delegation permission.| |User|Data exfiltration <br> (A user violated email or file-sharing [DLP policies](/purview/dlp-learn-about-dlp) |Automated investigation doesn't result in a specific pending action. <p> [Get started with Activity Explorer](/purview/data-classification-activity-explorer#get-started-with-activity-explorer).| |
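Review bot: the unchanged context row `|User|Email forwarding <br> (Mailbox forwarding rules are configured, chch could be used for data exfiltration.)|` carries the typo "chch" (should be "which"); since this table is already being rewritten in this change, fix it here rather than leaving it for a follow-up. Also confirm that the long anchor `#click-verdict-pivot-for-the-url-clicks-view-for-the-details-area-of-the-all-email-view-in-threat-explorer` in the rewritten "A user clicked a malicious URL" row resolves to a heading in threat-explorer-real-time-detections-about.md; generated anchors of that length are easy to mistype, and a broken in-page link fails silently in the rendered table.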
security | Air Report False Positives Negatives | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-report-false-positives-negatives.md | With Threat Explorer, your security operations team can find an email affected b |Scenario|Undo Options|Learn more| ||||-|An email message was routed to a user's Junk Email folder|<ul><li>Move the message to the user's Deleted Items folder</li><li>Move the message to the user's Inbox</li><li>Delete the message</li></ul>|[Find and investigate malicious email that was delivered in Office 365](investigate-malicious-email-that-was-delivered.md)| +|An email message was routed to a user's Junk Email folder|<ul><li>Move the message to the user's Deleted Items folder</li><li>Move the message to the user's Inbox</li><li>Delete the message</li></ul>|[Find and investigate malicious email that was delivered in Office 365](threat-explorer-investigate-delivered-malicious-email.md)| |An email message or a file was quarantined|<ul><li>Release the email or file</li><li> Delete the email or file</li></ul>|[Manage quarantined messages as an admin](quarantine-admin-manage-messages-files.md)| ### Undo an action in the Action center |
security | Air Review Approve Pending Completed Actions | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-review-approve-pending-completed-actions.md | There are two different ways to reconsider submitted actions: ## Next steps -- [Use Threat Explorer](threat-explorer-about.md)+- [Use Threat Explorer](threat-explorer-real-time-detections-about.md) - [Admin /Manual Actions](remediate-malicious-email-delivered-office-365.md) - [How to report false positives/negatives in automated investigation and response capabilities](air-report-false-positives-negatives.md) |
security | Air User Automatic Feedback Response | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-user-automatic-feedback-response.md | After you enable automated feedback response, the user who reported the message - **Phishing or malware**: If a user reports a message as phishing, the submission triggers AIR on the reported message. What happens next depends on the results of the investigation: - **High confidence phishing or malware**: The message needs to be remediated using one of the following actions: - Approve the recommended action (shown as pending actions in the investigation or in the Action center).- - Remediation through other means (for example, [Threat Explorer](threat-explorer-about.md)). + - Remediation through other means (for example, [Threat Explorer](threat-explorer-real-time-detections-about.md)). After the message has been remediated, the investigation is closed as **Remediated** or **Partially remediated**. Only when the investigation status is one of those values is the email notification sent to the user who reported the message. |
security | Air View Investigation Results | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/air-view-investigation-results.md | The investigation status indicates the progress of the analysis and actions. As ||| |**Starting**|The investigation has been triggered and waiting to start running.| |**Running**|The investigation process has started and is underway. This state also occurs when [pending actions](air-review-approve-pending-completed-actions.md#approve-or-reject-pending-actions) are approved.|-|**No Threats Found**|The investigation has finished and no threats (user account, email message, URL, or file) were identified. <p> **TIP**: If you suspect something was missed (such as a false negative), you can take action using [Threat Explorer](threat-explorer-about.md).| -|**Partially Investigated**|The automated investigation found issues, but there are no specific remediation actions to resolve those issues. <p> The **Partially Investigated** status can occur when some type of user activity was identified but no cleanup actions are available. Examples include any of the following user activities: <ul><li>A [data loss prevention](/purview/dlp-learn-about-dlp) event</li><li>An email sending anomaly</li><li>Sent malware</li><li>Sent phish</li></ul> <br/> **Note**: This **Partially Investigated** status used to be labeled as **Threats Found**. <p> The investigation found no malicious URLs, files, or email messages to remediate, and no mailbox activity to fix, such as turning off forwarding rules or delegation. <p> **TIP**: If you suspect something was missed (such as a false negative), you can investigate and take action using [Threat Explorer](threat-explorer-about.md)| -|**Terminated By System**|The investigation stopped. An investigation can stop for several reasons: <ul><li>The investigation's pending actions expired. 
Pending actions time out after awaiting approval for one week</li><li>There are too many actions. For example, if there are too many users clicking on malicious URLs, it can exceed the investigation's ability to run all the analyzers, so the investigation halts</li></ul> <br/> **TIP**: If an investigation halts before actions were taken, try using [Threat Explorer](threat-explorer-about.md) to find and address threats.| +|**No Threats Found**|The investigation has finished and no threats (user account, email message, URL, or file) were identified. <p> **TIP**: If you suspect something was missed (such as a false negative), you can take action using [Threat Explorer](threat-explorer-real-time-detections-about.md).| +|**Partially Investigated**|The automated investigation found issues, but there are no specific remediation actions to resolve those issues. <p> The **Partially Investigated** status can occur when some type of user activity was identified but no cleanup actions are available. Examples include any of the following user activities: <ul><li>A [data loss prevention](/purview/dlp-learn-about-dlp) event</li><li>An email sending anomaly</li><li>Sent malware</li><li>Sent phish</li></ul> <br/> **Note**: This **Partially Investigated** status used to be labeled as **Threats Found**. <p> The investigation found no malicious URLs, files, or email messages to remediate, and no mailbox activity to fix, such as turning off forwarding rules or delegation. <p> **TIP**: If you suspect something was missed (such as a false negative), you can investigate and take action using [Threat Explorer](threat-explorer-real-time-detections-about.md)| +|**Terminated By System**|The investigation stopped. An investigation can stop for several reasons: <ul><li>The investigation's pending actions expired. Pending actions time out after awaiting approval for one week</li><li>There are too many actions. 
For example, if there are too many users clicking on malicious URLs, it can exceed the investigation's ability to run all the analyzers, so the investigation halts</li></ul> <br/> **TIP**: If an investigation halts before actions were taken, try using [Threat Explorer](threat-explorer-real-time-detections-about.md) to find and address threats.| |**Pending Action**|The investigation has found a threat, such as a malicious email, a malicious URL, or a risky mailbox setting, and an action to remediate that threat is [awaiting approval](air-review-approve-pending-completed-actions.md). <p> The **Pending Action** state is triggered when any threat with a corresponding action is found. However, the list of pending actions can increase as an investigation runs. View investigation details to see if other items are still pending completion.| |**Remediated**|The investigation finished and all remediation actions were approved (noted as fully remediated). <p> **NOTE**: Approved remediation actions can have errors that prevent the actions from being taken. Regardless of whether remediation actions are successfully completed, the investigation status doesn't change. View investigation details.| |**Partially Remediated**|The investigation resulted in remediation actions, and some were approved and completed. Other actions are still [pending](air-review-approve-pending-completed-actions.md).| |
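Review bot: the rewritten **Partially Investigated** row ends its TIP sentence without a period (`... using [Threat Explorer](threat-explorer-real-time-detections-about.md)|`), unlike the matching TIP sentences in the **No Threats Found** and **Terminated By System** rows; add the period so the three tips read consistently.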
security | Anti Phishing Mdo Impersonation Insight | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-mdo-impersonation-insight.md | The following information is available in the details flyout: - **Domain expiration date** - **Registrant** -- **Explorer investigation**: Select the link to open [Threat Explorer or Real-time detections](threat-explorer-about.md) for additional details about the sender.+- **Explorer investigation**: Select the link to open [Threat Explorer or Real-time detections](threat-explorer-real-time-detections-about.md) for additional details about the sender. - **Email from sender**: This section shows the following information about similar messages from senders in the domain: - **Date** The following information is available in the details flyout: - **What do you need to do?** - **Sender summary**: The sender that was detected as impersonation. -- **Explorer investigation**: Select the link to open [Threat Explorer or Real-time detections](threat-explorer-about.md) for additional details about the sender.+- **Explorer investigation**: Select the link to open [Threat Explorer or Real-time detections](threat-explorer-real-time-detections-about.md) for additional details about the sender. - **Email from sender**: This section shows the following information about similar messages from the sender: - **Date** |
security | Anti Phishing Protection Tuning | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-phishing-protection-tuning.md | You can also use the [configuration analyzer](configuration-analyzer-for-securit - On a monthly basis, run [Secure Score](../defender/microsoft-secure-score.md) to assess your organization's security settings. -- For messages that end up in quarantine by mistake (false positives), or for messages that are allowed through (false negatives), we recommend that you search for those messages in [Threat Explorer and real-time detections](threat-explorer-about.md). You can search by sender, recipient, or message ID. After you locate the message, go to details by clicking on the subject. For a quarantined message, look to see what the "detection technology" was so that you can use the appropriate method to override. For an allowed message, look to see which policy allowed the message.+- For messages that end up in quarantine by mistake (false positives), or for messages that are allowed through (false negatives), we recommend that you search for those messages in [Threat Explorer and real-time detections](threat-explorer-real-time-detections-about.md). You can search by sender, recipient, or message ID. After you locate the message, go to details by clicking on the subject. For a quarantined message, look to see what the "detection technology" was so that you can use the appropriate method to override. For an allowed message, look to see which policy allowed the message. - Email from spoofed senders (the From address of the message doesn't match the source of the message) is classified as _phishing_ in Defender for Office 365. Sometimes spoofing is benign, and sometimes users don't want messages from specific spoofed sender to be quarantined. 
To minimize the impact to users, periodically review the [spoof intelligence insight](anti-spoofing-spoof-intelligence.md), [entries for spoofed senders in the Tenant Allow/Block List](tenant-allow-block-list-email-spoof-configure.md#use-the-microsoft-defender-portal-to-view-entries-for-spoofed-senders-in-the-tenant-allowblock-list), and the [Spoof detections report](reports-email-security.md#spoof-detections-report). After you review allowed and blocked spoofed senders and make any necessary overrides, you can confidently [configure spoof intelligence in anti-phishing policies](anti-phishing-policies-about.md#spoof-settings) to **Quarantine** suspicious messages instead of delivering them to the user's Junk Email folder. |
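Review bot: the unchanged context sentence that follows the rewritten bullet says "messages from specific spoofed sender to be quarantined"; it needs a plural or an article ("from specific spoofed senders"). Worth fixing while this bullet list is being edited.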
security | Anti Spoofing Spoof Intelligence | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/anti-spoofing-spoof-intelligence.md | When you select a spoof detection from the list by clicking anywhere in the row - **Why did we catch this?** section: Why we detected this sender as spoof, and what you can do for further information. - **Domain summary** section: Includes the same information from the main **Spoof intelligence insight** page. - **WhoIs data** section: Technical information about the sender's domain.-- **Explorer investigation** section: In Defender for Office 365 organization, this section contains a link to open [Threat Explorer](threat-explorer-about.md) to see additional details about the sender on the **Phish** tab.+- **Explorer investigation** section: In Defender for Office 365 organization, this section contains a link to open [Threat Explorer](threat-explorer-real-time-detections-about.md) to see additional details about the sender on the **Phish** tab. - **Similar Emails** section: Contains the following information about the spoof detection: - **Date** - **Subject** |
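Review bot: the rewritten **Explorer investigation** bullet keeps the missing article in "In Defender for Office 365 organization, this section contains a link"; since the line is being changed anyway, make it "In a Defender for Office 365 organization" (or "In Defender for Office 365 organizations").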
security | Campaigns | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/campaigns.md | A campaign might be short-lived, or could span several days, weeks, or months wi - The campaigns feature is available in organizations with Defender for Office 365 Plan 2 (add-on licenses or included in subscriptions like Microsoft 365 E5). - You need to be assigned permissions to view information about campaigns as described in this article. You have the following options: - [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): **Security operations/Raw data (email & collaboration)/Email message headers (read)**.- - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in any of the following role groups: - - **Organization Management** - - **Security Administrator** - - **Security Reader** + - [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): Membership in the **Organization Management**, **Security Administrator**, or **Security Reader** role group. - [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365. ## Campaigns page in the Microsoft Defender portal To open the **Campaigns** page in the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Campaigns**. Or, to go directly to the **Campaigns** page, use <https://security.microsoft.com/campaigns>. 
-The main **Campaigns** page consists of the following elements: +The **Campaigns** page consists of the following elements: - A filter/query builder at the top of the page.-- A chart area, which is set to **Campaign Type** by default.-- A details table, which is set to the **Campaign** tab by default+- A chart area where you can use the available pivots to organize the chart in different ways. By default, the chart uses the **Campaign Type** pivot, even though that pivot doesn't appear to be selected. +- A details area, which is set to the **Campaign** tab by default :::image type="content" source="../../media/campaigns-overview.png" alt-text="Screenshot that shows the Campaigns in the Microsoft Defender portal." lightbox="../../media/campaigns-overview.png"::: > [!TIP] >-> - If you don't see any campaign data, or very limited data, try changing the date range or [filters](#filters-on-the-campaigns-page). +> - If you don't see any campaign data or very limited data, try changing the date range or [filters](#filters-on-the-campaigns-page). >-> - You can also view information about campaigns in [Threat Explorer](threat-explorer-about.md) at <https://security.microsoft.com/threatexplorerv3>: -> - **Campaigns** tab -> - **All email** tab \> **Campaign** tab -> - **Malware** tab \> **Campaign** tab -> - **Phish** tab \> **Campaign** tab +> - You can also view the same information about campaigns in [Threat Explorer](threat-explorer-real-time-detections-about.md) at <https://security.microsoft.com/threatexplorerv3>: +> - **Campaigns** view. +> - **All email** view \> **Campaign** tab in the details area below the chart. +> - **Malware** view \> **Campaign** tab in the details area below the chart. +> - **Phish** view \> **Campaign** tab in the details area below the chart. > > - If you have a Microsoft Defender for Endpoint subscription, campaigns information is connected with Microsoft Defender for Endpoint. 
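Review bot: dropping the comma in the TIP changes "If you don't see any campaign data, or very limited data" to "If you don't see any campaign data or very limited data", which now reads as "don't see ... very limited data"; suggest "If you see no campaign data, or only very limited data, try changing the date range or filters". In the same region, the rewritten bullet "A details area, which is set to the **Campaign** tab by default" still lacks the terminal period that the two bullets above it have.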
Change the organization of the chart by selecting **Campaign Type**, and then se Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export chart data** to export the data in the chart to a CSV file. -To remove the chart area from the page, select :::image type="icon" source="../../media/m365-cc-sc-chart-view-icon.png" border="false"::: **Chart View** \> :::image type="icon" source="../../media/m365-cc-sc-list-view-icon.png" border="false"::: **List View** at the top of the page. +To remove the chart from the page (which maximizes the size of the details area), do either of the following steps: -### Details table on the Campaigns page +- Select :::image type="icon" source="../../media/m365-cc-sc-chart-view-icon.png" border="false"::: **Chart View** \> :::image type="icon" source="../../media/m365-cc-sc-list-view-icon.png" border="false"::: **List View** at the top of the page. +- Select :::image type="icon" source="../../media/m365-cc-sc-show-list-view-icon.png" border="false"::: **Show list view** between the chart and the views for the details table. ++### Details area on the Campaigns page To filter the information that's shown in the chart and in the details table, change the [filters](#filters-on-the-campaigns-page). On the **Campaigns** page, the **Campaign origin** tab below the chart shows the At the top of the **Campaign** page, there are several filter settings to help you find and isolate specific campaigns. The filters you select affect the chart and the details table. +By default, the view is filtered by yesterday and today. To change the date filter, select the date range, and then select **Start Date** and **End date** values up to 30 days ago. -You can filter the results by the start date/time and end date/time. Data is available for the last 30 days. You can also filter the results by one or more message or campaign properties. 
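Review bot: the added sentence "select **Start Date** and **End date** values up to 30 days ago" capitalizes the two UI labels differently; check the portal and use the same casing for both. The same sentence replaces "Data is available for the last 30 days" with "values up to 30 days ago"; if the intent is a 30-day data retention limit rather than a restriction of the date picker, say so, because the two read differently to an admin choosing a range.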
The basic syntax is: \<Property\> \<**Equal any of** \| **Equal none of**\> \<Property value or values\> - Select the message or campaign property from the **Campaign Type** dropdown list (**Campaign Type** is the default value that's selected).-- The property values that you need to enter are completely dependent on the property. Some properties allow freeform text with multiple values separated by commas, some properties require a single value selected from a list, and some properties allow multiple values selected from a list.--The available properties and their associated values are described in the following list: --- **Basic** section:- - **Campaign Type**: Select one or more of the following values:┬╣ - - **Malware** - - **Phish** - - **Campaign Name**: Freeform text values separated by commas. - - **Campaign subtype**: Freeform text values separated by commas. - - **Sender**: Freeform text values separated by commas. - - **Recipients**: Freeform text values separated by commas. - - **Sender domain**: Freeform text values separated by commas. - - **Subject**: Freeform text values separated by commas. - - **Attachment filename**: Freeform text values separated by commas. - - **Malware family**: Freeform text values separated by commas. - - **Tags**: Freeform text values separated by commas. For more information about user tags, see [User tags](user-tags-about.md). - - **Delivery action**: Select one of the following values:┬╣ - - **Delivered** - - **Delivered to Junk** - - **Blocked** - - **Replaced** - - **Additional action**: Select one or more of the following values:┬╣ - - **None** - - **Manual remediation** - - **ZAP**: For more information, see [Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365](zero-hour-auto-purge.md). - - **Reprocessed** - - **Dynamic delivery**: For more information, see [Dynamic Delivery in Safe Attachments policies](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies). 
- - **Directionality**: Select one or more of the following values:┬╣ - - **Inbound** - - **Outbound** - - **Intra-org** - - **Detection technology**: Select one or more of the following values:┬╣ - - **Advanced filter**: Signals based on machine learning. - - **Anti-malware protection** - - **Bulk** - - **Campaign** - - **Domain reputation** - - **File detonation**[Safe Attachments](safe-attachments-about.md) detected a malicious attachment during detonation analysis. - - **File detonation reputation**: File attachments previously detected by [Safe Attachments](safe-attachments-about.md) detonations in other Microsoft 365 organizations. - - **File reputation**: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations. - - **Fingerprint matching**: The message closely resembles a previous detected malicious message. - - **General filter** - - **Impersonation brand**: Sender impersonation of well-known brands. - - **Impersonation domain**: Impersonation of sender domains that you own or specified for protection in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). - - **IP reputation** - - **Mailbox intelligence impersonation**: Impersonation detections from mailbox intelligence in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). - - **Mixed analysis detection**: Multiple filters contributed to the message verdict. - - **Spoof DMARC**: The message failed [DMARC authentication](email-authentication-dmarc-configure.md). - - **Spoof external domain**: Sender email address spoofing using a domain that's external to your organization. - - **Spoof intra-org**: Sender email address spoofing using a domain that's internal to your organization. 
- - **URL detonation**: [Safe Links](safe-links-about.md) detected a malicious URL in the message during detonation analysis. - - **URL detonation reputation**: URLs previously detected by [Safe Links](safe-links-about.md) detonations in other Microsoft 365 organizations. - - **URL malicious reputation**: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations. - - **Original delivery location**: Select one or more of the following values:┬╣ - - **Deleted Items folder** - - **Dropped** - - **Failed** - - **Inbox/folder** - - **Junk folder** - - **On-prem/external** - - **Quarantine** - - **Unknown** - - **Latest delivery location**: Same values as **Original delivery location**.┬╣ - - **System overrides**: Select one of the following values: - - **Allowed by user policy** - - **Blocked by user policy** - - **Allowed by organization policy** - - **Blocked by organization policy** - - **File extension blocked by organization policy** - - **None** - - **System override source**: Select one of the following values: - - **3rd party filter** - - **Admin initiated time travel** (ZAP) - - **Anti-malware policy block by file type** - - **Anti-spam policy settings** - - **Connection policy** - - **Exchange transport rule** (mail flow rule) - - **Filtering skipped due to on-prem organization** - - **IP region filter from policy** - - **Language filter from policy** - - **Phishing simulation** - - **Quarantine release** - - **SecOPs mailbox** - - **Sender address list (admin override)** - - **Sender address list (user override)** - - **Sender domain list (admin override)** --- **Advanced** section: All properties use freeform text value separated by commas:- - **Internet message ID**: Available in the **Message-ID** header field in the message header. An example value is `<08f1e0f6806a47b4ac103961109ae6ef@server.domain>` (note the angle brackets). 
- - **Network message ID**: A GUID value that's available in the **X-MS-Exchange-Organization-Network-Message-Id** header field in the message header. - - **Sender IP** - - **Attachment SHA256**: To find the SHA256 hash value of a file in Windows, run the following command in a Command Prompt: `certutil.exe -hashfile "<Path>\<Filename>" SHA256`. - - **Cluster ID** - - **Alert ID** - - **Alert Policy ID** - - **Campaign ID** - - **ZAP URL signal** --- **URLs** section:- - **URL domain**: Freeform text values separated by commas. - - **URL domain and path**: Freeform text values separated by commas. - - **URL**: Freeform text values separated by commas. - - **URL path**: Freeform text values separated by commas. - - **Click verdict**: Select one or more of the following values:┬╣ - - **None** - - **Allowed** - - **Blocked** - - **Block overridden** - - **Error** - - **Failure** - - **Pending verdict bypassed** - - **Pending verdict** --┬╣ Clearing all selections has the same result as selecting all values. +- The property values that you need to enter are completely dependent on the property. Some properties allow freeform text with multiple values separated by commas, and some properties allow multiple values selected from a list. ++The available properties and their associated values are described in the following table: ++|Property|Type| +||| +|**Basic**|| +|Campaign Type|Select one or more values┬╣: <ul><li>**Malware**</li><li>**Phish**</li></ul>| +|Campaign Name|Text. Separate multiple values by commas.| +|Campaign Subtype|Text. Separate multiple values by commas.| +|Sender address|Text. Separate multiple values by commas.| +|Recipients|Text. Separate multiple values by commas.| +|Sender domain|Text. Separate multiple values by commas.| +|Recipient domain|Text. Separate multiple values by commas.| +|Subject|Text. Separate multiple values by commas.| +|Sender display name|Text. Separate multiple values by commas.| +|Sender mail from address|Text. 
Separate multiple values by commas.| +|Sender mail from domain|Text. Separate multiple values by commas.| +|Malware family|Text. Separate multiple values by commas.| +|Tags|Text. Separate multiple values by commas. <br/><br/> For more information about user tags, see [User tags](user-tags-about.md).| +|Delivery action|Select one or more values┬╣: <ul><li>**Blocked**</li><li>**Delivered**</li><li>**Delivered to junk**</li><li>**Replaced**</li></ul>| +|Additional action|Select one or more values┬╣: <ul><li>**Automated remediation**</li><li>**Dynamic Delivery**: For more information, see [Dynamic Delivery in Safe Attachments policies](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies).</li><li>**Manual remediation**</li><li>**None**</li><li>**Quarantine release**</li><li>**Reprocessed**</li><li>**ZAP**: For more information, see [Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365](zero-hour-auto-purge.md).</li></ul>| +|Directionality|Select one or more values┬╣: <ul><li>**Inbound**</li><li>**Intra-irg**</li><li>**Outbound**</li></ul>| +|Detection technology|Select one or more values┬╣: <ul><li>**Advanced filter**: Signals based on machine learning.</li><li>**Antimalware protection**</li><li>**Bulk**</li><li>**Campaign**</li><li>**Domain reputation**</li><li>**File detonation**: [Safe Attachments](safe-attachments-about.md) detected a malicious attachment during detonation analysis.</li><li>**File detonation reputation**: File attachments previously detected by [Safe Attachments](safe-attachments-about.md) detonations in other Microsoft 365 organizations.</li><li>**File reputation**: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations.</li><li>**Fingerprint matching**: The message closely resembles a previous detected malicious message.</li><li>**General filter**</li><li>**Impersonation brand**: Sender impersonation of well-known brands.</li><li>**Impersonation domain**: 
Impersonation of sender domains that you own or specified for protection in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>**Impersonation user**</li><li>**IP reputation**</li><li>**Mailbox intelligence impersonation**: Impersonation detections from mailbox intelligence in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).</li><li>**Mixed analysis detection**: Multiple filters contributed to the message verdict.</li><li>**spoof DMARC**: The message failed [DMARC authentication](email-authentication-dmarc-configure.md).</li><li>**Spoof external domain**: Sender email address spoofing using a domain that's external to your organization.</li><li>**Spoof intra-org**: Sender email address spoofing using a domain that's internal to your organization.</li><li>**URL detonation**: [Safe Links](safe-links-about.md) detected a malicious URL in the message during detonation analysis.</li><li>**URL detonation reputation**</li><li>**URL malicious reputation**: URLs previously detected by [Safe Links](safe-links-about.md) detonations in other Microsoft 365 organizations.</li></ul>| +|Original delivery location|Select one or more values┬╣: <ul><li>**Deleted Items folder**</li><li>**Dropped**</li><li>**Failed**</li><li>**Inbox/folder**</li><li>**Junk folder**</li><li>**On-prem/external**</li><li>**Quarantine**</li><li>**Unknown**</li></ul>| +|Latest delivery location|Same values as **Original delivery location**</li></ul>| +|System overrides|Select one or more values┬╣: <ul><li>**Allowed by user policy**</li><li>**Blocked by user policy**</li><li>**Allowed by organization policy**</li><li>**Blocked by organization policy**</li><li>**File extension blocked by organization policy**</li><li>**None**</li></ul>| +|System override source|Select one or more values┬╣: <ul><li>**3rd party 
filter**</li><li>**Admin initiated time travel** (ZAP)</li><li>**Anti-malware policy block by file type**</li><li>**Anti-spam policy settings**</li><li>**Connection policy**</li><li>**Exchange transport rule** (mail flow rule)</li><li>**Filtering skipped due to on-prem organization**</li><li>**IP region filter from policy**</li><li>**Language filter from policy**</li><li>**Phishing simulation**</li><li>**Quarantine release**</li><li>**SecOPs mailbox**</li><li>**Sender address list (admin override)**</li><li>**Sender address list (user override)**</li><li>**Sender domain list (admin override)**</li></ul>| +|**Advanced**|| +|Internet Message ID|Text. Separate multiple values by commas. <br/><br/> Available in the **Message-ID** header field in the message header. An example value is `<08f1e0f6806a47b4ac103961109ae6ef@server.domain>` (note the angle brackets).| +|Network Message ID|Text. Separate multiple values by commas. <br/><br/> A GUID value that's available in the **X-MS-Exchange-Organization-Network-Message-Id** header field in the message header.| +|Sender IP|Text. Separate multiple values by commas.| +|Attachment SHA256|Text. Separate multiple values by commas. <br/><br/> To find the SHA256 hash value of a file in Windows, run the following command in a Command Prompt: `certutil.exe -hashfile "<Path>\<Filename>" SHA256`.| +|Cluster ID|Text. Separate multiple values by commas.| +|Alert ID|Text. Separate multiple values by commas.| +|Alert Policy ID|Text. Separate multiple values by commas.| +|Campaign ID|Text. Separate multiple values by commas.| +|ZAP URL signal|Text. Separate multiple values by commas.| +|**Urls**|| +|URL domain|Text. Separate multiple values by commas.| +|URL domain and path|Text. Separate multiple values by commas.| +|URL|Text. Separate multiple values by commas.| +|URL path|Text. 
Separate multiple values by commas.| +|Click verdict|Select one or more values┬╣: <ul><li>**Allowed**</li><li>**Block overridden**</li><li>**Blocked**</li><li>**Error**</li><li>**Failure**</li><li>**None**</li><li>**Pending verdict**</li><li>**Pending verdict bypassed**</li></ul>| +|**File**|| +|Attachment filename|Text. Separate multiple values by commas.| ++┬╣ Not using this property filter or using this property filter with no values selected has the same result as using this property filter with all values selected. After you select a property from the **Campaign Type** dropdown, select **Equal any of** or **Not equal any of**, and then enter or select a value in the property box, the filter query appears below the filter area. The diagram contains the following information: |Value|Spam filter verdict|Description| ||||- |**Allowed**|`SFV:SKN` <p> `SFV:SKI`|The message was marked as not spam and/or skipped filtering before being evaluated by spam filtering. For example, the message was marked as not spam by a mail flow rule (also known as a transport rule). <p> The message skipped spam filtering for other reasons. For example, the sender and recipient appear to be in the same organization.| + |**Allowed**|`SFV:SKN` <br/><br/ `SFV:SKI`|The message was marked as not spam and/or skipped filtering before being evaluated by spam filtering. For example, the message was marked as not spam by a mail flow rule (also known as a transport rule). <br/><br/ The message skipped spam filtering for other reasons. For example, the sender and recipient appear to be in the same organization.| |**Blocked**|`SFV:SKS`|The message was marked as spam before being evaluated by spam filtering. For example, by a mail flow rule.| |**Detected**|`SFV:SPM`|The message was marked as spam by spam filtering.| |**Not Detected**|`SFV:NSPM`|The message was marked as not spam by spam filtering.| On each tab, select a column header to sort by that column. 
To remove columns, s The actions at the bottom the campaign details flyout allow you to investigate and record details about the campaign: - Select **Yes** or **No** in **Do you think this campaign has accurately grouped these messages together?**.-- **Explore messages**: Use the power of Threat Explorer to further investigate the campaign by selecting one of the following value in the dropdown list:+- **Explore messages**: Use the power of Threat Explorer to further investigate the campaign by selecting one of the following values in the dropdown list: - **All messages**: Opens a new Threat Explorer search tab using the **Campaign ID** value as the search filter. - **Inboxed messages**: Opens a new Threat Explorer search tab using the **Campaign ID** and **Delivery location: Inbox** as the search filter. - **Internal messages**: Opens a new Threat Explorer search tab using the **Campaign ID** and **Directionality: Intra-org** as the search filter. |
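Review bot: In the new property table, the **Directionality** row lists **Intra-irg**, which should be **Intra-org** (the removed list and the unchanged **Internal messages** bullet both use Intra-org). In the same table, the **Detection technology** row has lost the description for **URL detonation reputation** and attached the Safe Links detonation text to **URL malicious reputation**; the removed list had "**URL detonation reputation**: URLs previously detected by Safe Links detonations in other Microsoft 365 organizations" and "**URL malicious reputation**: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations", and both descriptions should be restored to their original items. Smaller points in the same table: **spoof DMARC** should be capitalized like the other values, the **Latest delivery location** cell ends with a stray `</li></ul>` that has no matching opening tags, and the section heading **Urls** should match the **URLs** section name used in the removed list.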
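Review bot: In the replacement **Allowed** row of the spam filter verdict table, both `<br/><br/` tags are missing their closing `>` (`SFV:SKN` <br/><br/ `SFV:SKI`), so the `<p>` to `<br/>` swap will render the tags literally; the cell should read `SFV:SKN` <br/><br/> `SFV:SKI`, and the same fix applies to the description cell of that row.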
security | Defender For Office 365 Whats New | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/defender-for-office-365-whats-new.md | For more information on what's new with other Microsoft Defender security produc ## February/March 2021 -- Alert ID integration (search using Alert ID and Alert-Explorer navigation) in [hunting experiences](threat-explorer-about.md)-- Increasing the limits for Export of records from 9990 to 200,000 in [hunting experiences](threat-explorer-about.md)-- Extending the Explorer (and Real-time detections) data retention and search limit for trial tenants from 7 (previous limit) to 30 days in [hunting experiences](threat-explorer-about.md)-- New hunting pivots called **Impersonated domain** and **Impersonated user** within the Explorer (and Real-time detections) to search for impersonation attacks against protected users or domains. For more information, see [details](threat-explorer-about.md#view-phishing-emails-sent-to-impersonated-users-and-domains). (Microsoft Defender for Office 365 Plan 1 or Plan 2)+- Alert ID integration (search using Alert ID and Alert-Explorer navigation) in [hunting experiences](threat-explorer-real-time-detections-about.md) +- Increasing the limits for Export of records from 9990 to 200,000 in [hunting experiences](threat-explorer-real-time-detections-about.md) +- Extending the Explorer (and Real-time detections) data retention and search limit for trial tenants from 7 (previous limit) to 30 days in [hunting experiences](threat-explorer-real-time-detections-about.md) +- New hunting pivots called **Impersonated domain** and **Impersonated user** within Explorer and Real-time detections to search for impersonation attacks against protected users or domains. For more information, see [Phish view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#phish-view-in-threat-explorer-and-real-time-detections). 
## Microsoft Defender for Office 365 Plan 1 and Plan 2 |
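Review bot: The rewritten **Impersonated domain** and **Impersonated user** bullet drops the trailing "(Microsoft Defender for Office 365 Plan 1 or Plan 2)" applicability note that the removed line carried; if the drop is not intentional, restore it so readers still see which plans the pivots apply to. The other three bullets only retarget the link from threat-explorer-about.md to threat-explorer-real-time-detections-about.md, and the new anchor #phish-view-in-threat-explorer-and-real-time-detections should be checked against the heading in the target article.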
security | Email Security In Microsoft Defender | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/email-security-in-microsoft-defender.md | - Title: Email security with Threat Explorer in Microsoft Defender for Office 365 - - NOCSH ---- Previously updated : 6/15/2023-- - m365-security - - tier1 -description: View and investigate malware phishing attempts. --- seo-marvel-apr2020---appliesto: - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> ---# Email security with Threat Explorer in Microsoft Defender for Office 365 ---This article explains how to view and investigate malware and phishing attempts that are detected in email by Microsoft 365 security features. --## View malware detected in email --To see malware detected in email sorted by Microsoft 365 technology, use the [Malware](threat-explorer-views.md#malware) view of Explorer (or Real-time detections). --1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration**, and then choose **Explorer** or **Real-time detections**. To go directly to the page, use <https://security.microsoft.com/threatexplorer> or <https://security.microsoft.com/realtimereports>. -- This example uses **Explorer**. -- From here, start at the **Malware** view, choose a particular frame of time to investigate (if needed), and focus your filters, as per the [Explorer walk- through](threat-explorer-threat-hunting.md#threat-explorer-walk-through). --2. In the **Explorer** page, verify that **Malware** is selected. --3. 
Select the filter dropdown, and then choose **Basic** \> **Detection technology** in the dropdown list. -- :::image type="content" source="../../media/threat-explorer-malware-detection.png" alt-text="Screenshot of the malware detection technology." lightbox="../../media/threat-explorer-malware-detection.png"::: -- Your detection technologies are now available as filters for the report. --4. Choose an option, and then click **Refresh** to apply that filter (don't refresh your browser window). -- :::image type="content" source="../../media/threat-explorer-malware-detection2.png" alt-text="Screenshot of the selected detection technology." lightbox="../../media/threat-explorer-malware-detection2.png"::: -- The report refreshes to show the results that malware detected in email, using the technology option you selected. From here, you can conduct further analysis. --### Report a message as clean in Explorer --You can use the **Submit to Microsoft** option in Explorer to report a message as false positive. --1. In the Microsoft Defender portal, go to **Email & collaboration** \> **Explorer**, and then verify that **Phish** is selected. --2. Verify that you're on the **Email** tab, and then from the list of reported messages, select the one you'd like to report as clean. --3. Click **Message actions** to expand the list of options. --4. Scroll down the list of options to go to the **Start new submission** section, and then select **Submit to Microsoft**. A flyout appears. -- :::image type="content" source="../../media/submission-panel-explorer.png" alt-text="Screenshot of the submission flyout in Threat Explorer." lightbox="../../media/submission-panel-explorer.png"::: --5. Select **It appears clean** if you're unsure and you want a verdict from Microsoft. Then select **Submit**. --6. Select **I've confirmed it's clean** if you're sure that the message is clean. After selecting **Next**, you can specify whether you want to create an allow entry. 
You can specify how many days you want the allow entry to be active, add a note if needed, and then select **Submit**. --## View phishing URL and click verdict data --You can view phishing attempts through URLs in email, including a list of URLs that were allowed, blocked, and overridden. To identify URLs that were clicked, you must configure [Safe Links](safe-links-about.md) first. Make sure that you set up [Safe Links policies](safe-links-policies-configure.md) for time-of-click protection and logging of click verdicts by Safe Links. --1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration**, and then choose **Explorer** or **Real-time detections**. To go directly to the page, use <https://security.microsoft.com/threatexplorer> or <https://security.microsoft.com/realtimereports>. -- This example uses **Explorer**. --2. In the **Explorer** page, verify that **Phish** is selected. -- :::image type="content" source="../../media/explorer-view-email-phish-menu-new.png" alt-text="Screenshot of the View menu for Explorer in phishing context." lightbox="../../media/explorer-view-email-phish-menu-new.png"::: --3. Select the filter dropdown, and then choose **URLs** \> **Click verdict** in the dropdown list. --4. In options that appear, select one or more options, such as **Blocked** and **Block overridden**, and then click **Refresh** (don't refresh your browser window). -- :::image type="content" source="../../media/threat-explorer-click-verdict-new.png" alt-text="Screenshot of URLs and click verdicts." lightbox="../../media/threat-explorer-click-verdict-new.png"::: -- The report refreshes to show two different URL tables on the **URLs** tab under the report: -- - **Top URLs** are the URLs in the messages that you filtered down to and the email delivery action counts for each URL. This list typically contains legitimate URLs. 
Attackers include a mix of good and bad URLs in their messages to try to get them delivered, but they make the malicious links look more interesting. The table of URLs is sorted by total email count, but this column is hidden to simplify the view. -- - **Top clicks** are the Safe Links-wrapped URLs that were clicked, sorted by total click count. This column also isn't displayed, to simplify the view. Total counts by column indicate the Safe Links click verdict count for each clicked URL. Usually, these are suspicious or malicious URLs. But the view could include URLs that aren't threats but are in phish messages. URL clicks on unwrapped links don't show up here. -- The two URL tables show top URLs in phishing email messages by delivery action and location. The tables show URL clicks that were blocked or visited despite a warning, so you can see what potential bad links were presented to users and that the users clicked. From here, you can conduct further analysis. For example, below the chart you can see the top URLs in email messages that were blocked in your organization's environment. -- :::image type="content" source="../../media/threat-explorer-click-verdict-urls.png" alt-text="Screenshot of the Explorer URLs that were blocked." lightbox="../../media/threat-explorer-click-verdict-urls.png"::: -- > [!NOTE] - > In the URL flyout dialog box, the filtering on email messages is removed to show the full view of the URL's exposure in your environment. This lets you filter for email messages you're concerned about in Explorer, find specific URLs that are potential threats, and then expand your understanding of the URL exposure in your environment (via the URL details dialog box) without having to add URL filters to the Explorer view itself. --### Interpretation of click verdicts --In the Email or URL flyouts, Top Clicks, and in our filtering experiences, you'll see different click verdict values: --- **None:** Unable to capture the verdict for the URL. 
The user might have clicked through the URL.-- **Allowed:** The user was allowed to navigate to the URL.-- **Blocked:** The user was blocked from navigating to the URL.-- **Pending verdict:** The user was presented with the detonation-pending page.-- **Blocked overridden:** The user was blocked from navigating directly to the URL. But the user overrode the block to navigate to the URL.-- **Pending verdict bypassed:** The user was presented with the detonation page. But the user overrode the message to access the URL.-- **Error:** The user was presented with the error page, or an error occurred in capturing the verdict.-- **Failure:** An unknown exception occurred while capturing the verdict. The user might have clicked through the URL.--## Start automated investigation and response --> [!NOTE] -> Automated investigation and response capabilities are available in *Microsoft Defender for Office 365 Plan 2* and *Office 365 E5*. --[Automated investigation and response](air-about-office.md) can save your security operations team time and effort spent investigating and mitigating cyberattacks. In addition to configuring alerts that can trigger a security playbook, you can start an automated investigation and response process from a view in Explorer. For details, see [Example: A security administrator triggers an investigation from Explorer](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). --## Other articles --[Investigate emails with the Email Entity Page](mdo-email-entity-page.md) |
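Review bot: This change deletes the entire Email security with Threat Explorer article (every line is removed) with no replacement or redirect visible in the diff; the removed content includes the Report a message as clean in Explorer procedure and the Interpretation of click verdicts list, so a redirect entry pointing at the article that now carries this material should accompany the deletion, and any inbound links to email-security-in-microsoft-defender.md should be re-pointed.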
security | Investigate Malicious Email That Was Delivered | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/investigate-malicious-email-that-was-delivered.md | - Title: Investigate malicious email that was delivered in Microsoft 365, Find and investigate malicious email -keywords: TIMailData-Inline, Security Incident, incident, Microsoft Defender for Endpoint PowerShell, email malware, compromised users, email phish, email malware, read email headers, read headers, open email headers,special actions - - NOCSH --- Previously updated : 10/20/2023--- - MET150 - - MOE150 -- - m365-security - - tier1 -description: Learn how to use threat investigation and response capabilities to find and investigate malicious email. --- seo-marvel-apr2020---appliesto: - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> ---# Investigate malicious email that was delivered in Microsoft 365 ---[Microsoft Defender for Office 365](defender-for-office-365.md) enables you to investigate activities that put people in your organization at risk, and to take action to protect your organization. For example, if you are part of your organization's security team, you can find and investigate suspicious email messages that were delivered. You can do this by using [Threat Explorer (or real-time detections)](threat-explorer-about.md). --> [!NOTE] -> Jump to the remediation article [here](remediate-malicious-email-delivered-office-365.md). 
--## Before you begin --Make sure that the following requirements are met: --- Your organization has [Microsoft Defender for Office 365](defender-for-office-365.md) and [licenses are assigned to users](/microsoft-365/admin/manage/assign-licenses-to-users).--- [Audit logging](/purview/audit-log-enable-disable) is turned on for your organization (it's on by default).--- You are a global administrator, or you have either the Security Administrator or the Search and Purge role assigned in **Email & Collaboration permissions** the Microsoft Defender portal at <https://security.microsoft.com/emailandcollabpermissions>. For more information, see [Permissions in the Microsoft Defender portal](mdo-portal-permissions.md). For some actions, you must also have the Preview role assigned.--### Preview role permissions --To perform certain actions, such as viewing message headers or downloading email message content, you must have the **Preview** role added to another appropriate role group. The following table clarifies required roles and permissions: --|Activity|Role group|Preview role needed?| -|||::| -|Use Threat Explorer (and Real-time detections) to analyze threats|Global Administrator <br/><br/> Security Administrator <br/><br/> Security Reader|No| -|Use Threat Explorer (and Real-time detections) to view headers for email messages as well as preview and download quarantined email messages|Global Administrator <br/><br/> Security Administrator <br/><br/> Security Reader|No| -|Use Threat Explorer to view headers, preview email (only in the email entity page) and download email messages delivered to mailboxes|Global Administrator <br/><br/> Security Administrator <br/><br/> Security Reader <br/><br/> Preview|Yes| --> [!NOTE] -> **Preview** is a role, not a role group. The Preview role must be added to an existing role group or a new role group in **Email & Collaboration permissions** the Microsoft Defender portal at <https://security.microsoft.com/emailandcollabpermissions>. 
For more information, see [Permissions in the Microsoft Defender portal](mdo-portal-permissions.md). -> -> The Global Administrator role is assigned the Microsoft 365 admin center at <https://admin.microsoft.com>. The Security Administrator and Security Reader roles are assigned in Microsoft Defender portal at <https://security.microsoft.com/emailandcollabpermissions>. --We understand previewing and downloading email are sensitive activities, so auditing is enabled for these activities. Once an admin performs these activities on email, audit log entries are generated. To see these entries, go to the **Audit** page in the Microsoft Defender portal at <https://security.microsoft.com/auditlogsearch>. Filter on the admin name in the **Users** box. The filtered results will show activity for **AdminMailAccess**. Select a row to view details in the **More information** section about previewed or downloaded email. --## Find suspicious email that was delivered --Threat Explorer is a powerful report that can serve multiple purposes, such as finding and deleting messages, identifying the IP address of a malicious email sender, or starting an incident for further investigation. The following procedure focuses on using Explorer to find and delete malicious email from recipient's mailboxes. --> [!NOTE] -> Default searches in Explorer don't currently include delivered items that were removed from the cloud mailbox by zero-hour auto purge (ZAP). This limitation applies to all views (for example, the **Email \> Malware** or **Email \> Phish** views). To include items removed by ZAP, you need to add a **Delivery action** set to include **Removed by ZAP**. If you include all options, you'll see all delivery action results, including items removed by ZAP. --1. In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Explorer** . To go directly to the **Explorer** page, use <https://security.microsoft.com/threatexplorer>. 
-- On the **Explorer** page, the **Additional actions** column shows admins the outcome of processing an email. The **Additional actions** column can be accessed in the same place as **Delivery action** and **Delivery location**. Special actions might be updated at the end of Threat Explorer's email timeline, which is a new feature aimed at making the hunting experience better for admins. --2. In the **View** menu, choose **Email** \> **All email** from the dropdown list. -- :::image type="content" source="../../media/tp-InvestigateMalEmail-viewmenu.png" alt-text="The Malware drop-down list" lightbox="../../media/tp-InvestigateMalEmail-viewmenu.png"::: -- The *Malware* view is currently the default, and captures emails where a malware threat is detected. The *Phish* view operates in the same way, for Phish. -- However, *All email* view lists every mail received by the organization, whether threats were detected or not. As you can imagine, this is a lot of data, which is why this view shows a placeholder that asks a filter be applied. (This view is only available for Defender for Office 365 P2 customers.) -- *Submissions* view shows up all mails submitted by admin or user that were reported to Microsoft. --3. **Search and filter in Threat Explorer**: Filters appear at the top of the page in the search bar to help admins in their investigations. Notice that multiple filters can be applied at the same time, and multiple comma-separated values added to a filter to narrow down the search. Remember: -- - Filters do exact matching on most filter conditions. - - Subject filter uses a CONTAINS query. A CONTAINS query will look for an exact match of the substring. Wildcards or regular expressions are not supported. - - URL filters work with or without protocols (ex. https). - - URL domain, URL path, and URL domain and path filters don't require a protocol to filter. - - You must click the Refresh icon every time you change the filter values to get relevant results. --4. 
**Advanced filters**: With these filters, you can build complex queries and filter your data set. Clicking on *Advanced Filters* opens a flyout with options. -- Advanced filtering is a great addition to search capabilities. A boolean NOT on the **Recipient**, **Sender** and **Sender domain** filters allows admins to investigate by excluding values. This option is the **Equals none of** selection. This option allows admins to exclude unwanted mailboxes from investigations (for example, alert mailboxes and default reply mailboxes), and is useful for cases where admins search for a specific subject (for example, Attention) where the Recipient can be set to *Equals none of: defaultMail@contoso.com*. This is an exact value search. -- :::image type="content" source="../../media/tp-InvestigateMalEmail-AdvancedFilter.png" alt-text="The Recipients pane" lightbox="../../media/tp-InvestigateMalEmail-AdvancedFilter.png"::: -- Adding a time filter to the start date and end date helps your security team to drill down quickly. The shortest allowed time duration is 30 minutes. If you can narrow the suspicious action by time-frame (e.g., it happened 3 hours ago), this will limit the context and help pinpoint the problem. -- :::image type="content" source="../../media/tp-InvestigateMalEmail-FilterbyHours.png" alt-text="The filtering by hours option" lightbox="../../media/tp-InvestigateMalEmail-FilterbyHours.png"::: --5. **Fields in Threat Explorer**: Threat Explorer exposes a lot more security-related mail information such as *Delivery action*, *Delivery location*, *Special action*, *Directionality*, *Overrides*, and *URL threat*. It also allows your organization's security team to investigate with a higher certainty. -- *Delivery action* is the action taken on an email due to existing policies or detections. Here are the possible actions an email can take: -- - **Delivered**: Email was delivered to inbox or folder of a user and the user can directly access it. 
- - **Junked**: Email was sent to either user's Junk Email folder or Deleted Items folder, and the user has access to messages in those folders. - - **Blocked**: Any email messages that are quarantined, that failed, or were dropped. - - **Replaced**: Any email where malicious attachments are replaced by .txt files that state the attachment was malicious -- **Delivery location**: The Delivery location filter is available in order to help admins understand where suspected malicious mail ended-up and what actions were taken on it. The resulting data can be exported to spreadsheet. Possible delivery locations are: -- - **Inbox or folder**: The email is in the Inbox or a specific folder, according to your email rules. - - **On-prem or external**: The mailbox doesn't exist in the Cloud but is on-premises. - - **Junk folder**: The email is in a user's Junk mail folder. - - **Deleted items folder**: The email is in a user's Deleted items folder. - - **Quarantine**: The email in quarantine, and not in a user's mailbox. - - **Failed**: The email failed to reach the mailbox. - - **Dropped**: The email was lost somewhere in the mail flow. -- **Directionality**: This option allows your security operations team to filter by the 'direction' a mail comes from, or is going. Directionality values are *Inbound*, *Outbound*, and *Intra-org* (corresponding to mail coming into your org from outside, being sent out of your org, or being sent internally to your org, respectively). This information can help security operations teams spot spoofing and impersonation, because a mismatch between the Directionality value (ex. *Inbound*), and the domain of the sender (which *appears* to be an internal domain) will be evident! The Directionality value is separate, and can differ from, the Message Trace. Results can be exported to spreadsheet. 
-- **Overrides**: This filter takes information that appears on the mail's details tab and uses it to expose where organizational, or user policies, for allowing and blocking mails have been *overridden*. The most important thing about this filter is that it helps your organization's security team see how many suspicious emails were delivered due to configuration. This gives them an opportunity to modify allows and blocks as needed. This result set of this filter can be exported to spreadsheet. -- |Threat Explorer Overrides|What they mean| - ||| - |Allowed by Org Policy|Mail was allowed into the mailbox as directed by the organization policy.| - |Blocked by Org policy|Mail was blocked from delivery to the mailbox as directed by the organization policy.| - |File extension blocked by Org Policy|File was blocked from delivery to the mailbox as directed by the organization policy.| - |Allowed by User Policy|Mail was allowed into the mailbox as directed by the user policy.| - |Blocked by User Policy|Mail was blocked from delivery to the mailbox as directed by the user policy.| -- **URL threat**: The URL threat field has been included on the *details* tab of an email to indicate the threat presented by a URL. Threats presented by a URL can include *Malware*, *Phish*, or *Spam*, and a URL with *no threat* will say *None* in the threats section. --6. **Email timeline view**: Your security operations team might need to deep-dive into email details to investigate further. The email timeline allows admins to view actions taken on an email from delivery to post-delivery. To view an email timeline, click on the subject of an email message, and then click Email timeline. (It appears among other headings on the panel like Summary or Details.) These results can be exported to spreadsheet. -- Email timeline will open to a table that shows all delivery and post-delivery events for the email. 
If there are no further actions on the email, you should see a single event for the original delivery that states a result, such as *Blocked*, with a verdict like *Phish*. Admins can export the entire email timeline, including all details on the tab and email (such as, Subject, Sender, Recipient, Network, and Message ID). The email timeline cuts down on randomization because there is less time spent checking different locations to try to understand events that happened since the email arrived. When multiple events happen at, or close to, the same time on an email, those events show up in a timeline view. --7. **Preview / download**: Threat Explorer gives your security operations team the details they need to investigate suspicious email. Your security operations team can either: -- - [Check the delivery action and location](#check-the-delivery-action-and-location). -- - [View the timeline of your email](#view-the-timeline-of-your-email). --### Check the delivery action and location --In [Threat Explorer (and real-time detections)](threat-explorer-about.md), you now have **Delivery Action** and **Delivery Location** columns instead of the former **Delivery Status** column. This results in a more complete picture of where your email messages land. Part of the goal of this change is to make investigations easier for security operations teams, but the net result is knowing the location of problem email messages at a glance. --Delivery Status is now broken out into two columns: --- **Delivery action** - What is the status of this email?-- **Delivery location** - Where was this email routed as a result?--Delivery action is the action taken on an email due to existing policies or detections. 
Here are the possible actions an email can take: --- **Delivered**: Email was delivered to inbox or folder of a user and the user can directly access it.-- **Junked**: Email was sent to either user's Junk Email folder or Deleted Items folder, and the user has access to messages in those folders.-- **Blocked**: Any email messages that are quarantined, that failed, or were dropped.-- **Replaced**: Any email where malicious attachments are replaced by .txt files that state the attachment was malicious.--Delivery location shows the results of policies and detections that run post-delivery. It's linked to a Delivery Action. This field was added to give insight into the action taken when a problem mail is found. Here are the possible values of delivery location: --- **Inbox or folder**: The email is in the inbox or a folder (according to your email rules).-- **On-prem or external**: The mailbox doesn't exist on cloud but is on-premises.-- **Junk folder**: The email is in a user's Junk Email folder.-- **Deleted items folder**: The email is in a user's Deleted Items folder.-- **Quarantine**: The email in quarantine, and not in a user's mailbox.-- **Failed**: The email failed to reach the mailbox.-- **Dropped**: The email gets lost somewhere in the mail flow.--### View the timeline of your email --**Email Timeline** is a field in Threat Explorer that makes hunting easier for your security operations team. When multiple events happen at or close to the same time on an email, those events show up in a timeline view. Some events that happen post-delivery to email are captured in the **Special actions** column. Combining information from the timeline of an email message with any special actions that were taken post-delivery gives admins insight into policies and threat handling (such as where the mail was routed, and, in some cases, what the final assessment was). --> [!IMPORTANT] -> Jump to a remediation topic [here](remediate-malicious-email-delivered-office-365.md). 
--## Related topics --[Remediate malicious email delivered in Office 365](remediate-malicious-email-delivered-office-365.md) --[Microsoft Defender for Office 365](office-365-ti.md) --[View reports for Defender for Office 365](reports-defender-for-office-365.md) |
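Review bot: this deletes investigate-malicious-email-that-was-delivered.md outright, while the Mdo Sec Ops Guide row in this same batch repoints its link to threat-explorer-investigate-delivered-malicious-email.md, so a redirect for the old path must land with this change or existing bookmarks and external links break. If the text is being migrated rather than dropped, carry only one copy of the Delivery action and Delivery location value lists: the removed article repeats them verbatim, once under the "Fields in Threat Explorer" step and again under "Check the delivery action and location".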
security | Mdo About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-about.md | Defender for Office 365 includes [reports](reports-defender-for-office-365.md) t Reports update in real-time, providing you with the latest insights. These reports also provide recommendations and alert you to imminent threats. Available predefined reports include: -- [Threat Explorer (or real-time detections)](threat-explorer-about.md)+- [Threat Explorer (or real-time detections)](threat-explorer-real-time-detections-about.md) - [Threat protection status report](reports-defender-for-office-365.md#threat-protection-status-report) - ... and several more. Defender for Office 365 Plan 2 includes best-of-class [threat investigation and ### Threat Explorer or Real-Time Detections -- **[Threat Explorer in Plan 2 (or real-time detections in Plan 1)](threat-explorer-about.md)** (also referred to as Explorer) is a real-time report that allows you to identify and analyze recent threats. You can configure Explorer to show data for custom periods.+- **[Threat Explorer in Plan 2 (or real-time detections in Plan 1)](threat-explorer-real-time-detections-about.md)** (also referred to as Explorer) is a real-time report that allows you to identify and analyze recent threats. You can configure Explorer to show data for custom periods. ### Attack simulation training for user readiness |
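Review bot: both link targets move from threat-explorer-about.md to threat-explorer-real-time-detections-about.md, so the old file needs a redirect entry alongside this change; the other rows in this batch repoint the same path, so one redirect covers them all. Minor, in the unchanged context: the heading "Threat Explorer or Real-Time Detections" capitalizes Real-Time while the link text on the same lines uses "real-time detections"; pick one form.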
security | Mdo Email Entity Page | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-email-entity-page.md | Title: Microsoft Defender for Office 365 email entity page + Title: The email entity page in Defender for Office 365 f1.keywords: - NOCSH--- Previously updated : 11/10/2023+++ Last updated : 2/22/2024 audience: ITPro -description: Microsoft 365 E5 and Microsoft Defender for Office 365 Plan 1 and Plan 2 customers can see email details in all Microsoft Defender for Office 365 experiences including the email headers for copy, Detection details, Threats detected, Latest and Original delivery locations, Delivery actions, and IDs like Alert Id, Network Message ID and more. +description: Admins can learn about the Email entity page in Microsoft Defender for Office 365. This page show many details about email messages. For example, email headers, threat detection details, the latest and original delivery locations, delivery actions, and IDs (for example, the Network message ID and the associated Alert Id). search.appverid: met150 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> appliesto: [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -Admins of Microsoft 365 E5, and Microsoft Defender for Office 365 Plan 1 and Plan 2 have a 360-degree view of email using the **Email entity page**. This go-to email page was created to enhance information delivered throughout Microsoft Defender for Office 365 and Microsoft Defender XDR. +Microsoft 365 organizations that have [Microsoft Defender for Office 365](defender-for-office-365.md) included in their subscription or purchased as an add-on have a 360-degree view of email using the **Email entity page**. 
This go-to email page was created to enhance information delivered throughout Defender for Office 365 and Microsoft Defender XDR. See email details in the experiences below, including [previewing and downloading the email](#email-preview-and-download-for-cloud-mailboxes), the email headers *with the option to copy*, Detection details, Threats detected, Latest and Original delivery locations, Delivery actions, and IDs like Alert ID, Network Message ID and more. -## How to get to the email entity page +## Where to find the Email email entity page -Anywhere you find email details throughout the Microsoft Defender for Office 365, the email entity details are available. This includes: +The :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity** action is available in the Microsoft Defender portal wherever you find details about email messages. For example: -- Threat Explorer - Advanced Hunting - Alerts-- Quarantine-- Submissions - Reporting - Action Center+- **Threat Explorer** (**Explorer**) on the **Explorer** page at <https://security.microsoft.com/threatexplorerv3> or **Real-time detections** on the **Real-time detections** page at <https://security.microsoft.com/realtimereportsv3>, use one of the following methods: + - Verify the **All email** view is selected \> verify the **Email** tab (view) in the details area is selected \> click on the **Subject** value in an entry. + - Select the **Malware** view \> verify the **Email** tab (view) in the details area is selected \> click on the **Subject** value in an entry. + - Select the **Phish** view \> verify the **Email** tab (view) in the details area is selected \> click on the **Subject** value in an entry. -One way to get to the email entity page is Threat Explorer, but the steps remain the same from wherever you find email details. Navigate to the Microsoft Defender portal at <https://security.microsoft.com>, **Email & collaboration** \> **Explorer**. 
Or, to go directly to the **Explorer** page, use <https://security.microsoft.com/threatexplorer>. + **Open email entity** is available at the top of the Subject details flyout that opens. For more information, see [Email view for the details area of the All email view in Threat Explorer](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-all-email-view-in-threat-explorer). -1. In **Explorer**, select the subject of an email you're investigating. -1. The email fly-out for that mail opens. -1. You see **Open email entity**. -1. Select it for your email deep dive. -+- **Quarantine**: On the **Quarantine** page at <https://security.microsoft.com/quarantine> \> verify the **Email** tab is selected \> select an entry by clicking anywhere in the row other than the check box. **Open email entity** is available at the top of the details flyout that opens. For more information, see [View quarantined email details](quarantine-admin-manage-messages-files.md#view-quarantined-email-details). +- **Admin email submissions**: On the **Submissions** page at <https://security.microsoft.com/reportsubmission> \> select the **Emails** tab \> select an entry by clicking anywhere in the row other than the check box. **Open email entity** is available at the top of the details flyout that opens. For more information, see [View email attachment admin submissions to Microsoft](submissions-admin.md#view-email-attachment-admin-submissions-to-microsoft). +- **User reported email submissions**: On the **Submissions** page at <https://security.microsoft.com/reportsubmission> \> select the **User reported** tab \> select an entry by clicking anywhere in the row other than the check box. **Open email entity** is available at the top of the details flyout that opens. For more information, see [View user reported messages to Microsoft](submissions-admin.md#view-user-reported-messages-to-microsoft). 
:::image type="content" source="../../media/email-entities-2-eep.png" alt-text="The graphic of the email entity page that focuses on headings that you'll see" lightbox="../../media/email-entities-2-eep.png"::: |
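Review bot: the new "Admin email submissions" bullet tells the reader to select the **Emails** tab but links to submissions-admin.md#view-email-attachment-admin-submissions-to-microsoft, which is the attachment submissions section; the anchor or the bullet is wrong. Also in the added lines: the heading "## Where to find the Email email entity page" doubles the word "email", the description says "This page show many details" (should be "shows"), and the three Threat Explorer bullets differ only in the view name (All email, Malware, Phish) and can be collapsed into one bullet such as "Select the **All email**, **Malware**, or **Phish** view \> verify the **Email** tab ... \> click the **Subject** value".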
security | Mdo Sec Ops Guide | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-sec-ops-guide.md | In Defender for Office 365, you manage false positives (good mail marked as bad) - The [Submissions page (admin submissions)](submissions-admin.md). - The [Tenant Allow/Block List](tenant-allow-block-list-about.md)-- [Threat Explorer](threat-explorer-about.md)+- [Threat Explorer](threat-explorer-real-time-detections-about.md) For more information, see the [Manage false positive and false negative detections](#manage-false-positive-and-false-negative-detections) section later in this article. Use [Threat analytics](/microsoft-365/security/defender-endpoint/threat-analytic ### Review top targeted users for malware and phishing -Use the **[Top targeted users](threat-explorer-about.md#top-targeted-users)** tab in Threat Explorer to discover or confirm the users who are the top targets for malware and phishing email. +Use the **[Top targeted users](threat-explorer-real-time-detections-about.md#top-targeted-users-view-for-the-details-area-of-the-all-email-view-in-threat-explorer)** tab (view) in the details area of the **All email**, **Malware**, and **Phish** views in Threat Explorer to discover or confirm the users who are the top targets for malware and phishing email. |Activity|Cadence|Description|Persona| ||||| Campaign Views reveals malware and phishing attacks against your organization. F |Activity|Cadence|Description|Persona| |||||-|Investigate and remove bad email in Threat Explorer at <https://security.microsoft.com/threatexplorer> based on user requests.|Ad-hoc|Use the **Trigger investigation** action in Threat Explorer to start an automated investigation and response playbook on any email from the last 30 days. 
Manually triggering an investigation saves time and effort by centrally including: <ul><li>A root investigation.</li><li>Steps to identify and correlate threats.</li><li>Recommended actions to mitigate those threats.</li></ul> <br/> For more information, see [Example: A user-reported phish message launches an investigation playbook](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer) <br/><br/> Or, you can use Threat Explorer to [manually investigate email](investigate-malicious-email-that-was-delivered.md) with powerful search and filtering capabilities and [take manual response action](remediate-malicious-email-delivered-office-365.md) directly from the same place. Available manual actions: <ul><li>Move to Inbox</li><li>Move to Junk</li><li>Move to Deleted items</li><li>Soft delete</li><li>Hard delete.</li></ul>|Security Operations Team| +|Investigate and remove bad email in Threat Explorer at <https://security.microsoft.com/threatexplorer> based on user requests.|Ad-hoc|Use the **Trigger investigation** action in Threat Explorer to start an automated investigation and response playbook on any email from the last 30 days. Manually triggering an investigation saves time and effort by centrally including: <ul><li>A root investigation.</li><li>Steps to identify and correlate threats.</li><li>Recommended actions to mitigate those threats.</li></ul> <br/> For more information, see [Example: A user-reported phish message launches an investigation playbook](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer) <br/><br/> Or, you can use Threat Explorer to [manually investigate email](threat-explorer-investigate-delivered-malicious-email.md) with powerful search and filtering capabilities and [take manual response action](remediate-malicious-email-delivered-office-365.md) directly from the same place. 
Available manual actions: <ul><li>Move to Inbox</li><li>Move to Junk</li><li>Move to Deleted items</li><li>Soft delete</li><li>Hard delete.</li></ul>|Security Operations Team| ### Proactively hunt for threats |Activity|Cadence|Description|Persona| |||||-|Regular, proactive hunting for threats at: <ul><li><https://security.microsoft.com/threatexplorer></li><li><https://security.microsoft.com/v2/advanced-hunting></li></ul>.|Ad-hoc|Search for threats using [Threat Explorer](threat-explorer-about.md) and [Advanced hunting](../defender-endpoint/advanced-hunting-overview.md).|Security Operations Team <br/><br/> Threat hunting team| +|Regular, proactive hunting for threats at: <ul><li><https://security.microsoft.com/threatexplorer></li><li><https://security.microsoft.com/v2/advanced-hunting></li></ul>.|Ad-hoc|Search for threats using [Threat Explorer](threat-explorer-real-time-detections-about.md) and [Advanced hunting](../defender-endpoint/advanced-hunting-overview.md).|Security Operations Team <br/><br/> Threat hunting team| |Share hunting queries.|Ad-hoc|Actively share frequently used, useful queries within the security team for faster manual threat hunting and remediation. <br/><br/> Use [Threat trackers](threat-trackers.md) and [shared queries in Advanced hunting](/microsoft-365/security/defender/advanced-hunting-shared-queries).|Security Operations Team <br/><br/> Threat hunting team| |Create custom detection rules at <https://security.microsoft.com/custom_detection>.|Ad-hoc|[Create custom detection rules](../defender/custom-detections-overview.md) to proactively monitor events, patterns, and threats based on Defender for Office 365 data in Advance Hunting. 
Detection rules contain advanced hunting queries that generate alerts based on the matching criteria.|Security Operations Team <br/><br/> Threat hunting team| The following permissions (roles and role groups) are available in Defender for - **Exchange Online** and **Email & collaboration**: Roles and role groups that grant permission specific to Microsoft Defender for Office 365. The following roles aren't available in Microsoft Entra ID, but can be important for security teams: - - **Preview** role (Email & collaboration): Assign this role to team members who need to preview or download email messages as part of investigation activities. Allows users to [preview and download](investigate-malicious-email-that-was-delivered.md#preview-role-permissions) email messages in cloud mailboxes using the [email entity page](mdo-email-entity-page.md#email-preview-and-download-for-cloud-mailboxes). + - **Preview** role (Email & collaboration): Assign this role to team members who need to preview or download email messages as part of investigation activities. Allows users to preview and download email messages from cloud mailboxes using [Threat Explorer (Explorer) and Real-time detections](threat-explorer-real-time-detections-about.md#about-threat-explorer-and-real-time-detections-in-microsoft-defender-for-office-365) and the [email entity page](mdo-email-entity-page.md#email-preview-and-download-for-cloud-mailboxes). By default, this role is assigned only to the following role groups: |
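Review bot: the replacement table row keeps a link whose text and anchor disagree: the text reads "Example: A user-reported phish message launches an investigation playbook" but the anchor is air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer; update one to match the other. The same row still sends readers to <https://security.microsoft.com/threatexplorer> while the Mdo Email Entity Page change in this batch switches to <https://security.microsoft.com/threatexplorerv3>; the two should agree. Unchanged context on the custom detection rules row has "Advance Hunting" for "Advanced Hunting".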
security | Mdo Sec Ops Manage Incidents And Alerts | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-sec-ops-manage-incidents-and-alerts.md | Security teams can take wide variety of response actions on email using Defender - You can start an AIR playbook manually on any email message using the **Trigger investigation** action in Threat Explorer. -- You can report false positive or false negative detections directly to Microsoft using [Threat Explorer](threat-explorer-about.md) or [admin submissions](submissions-admin.md).+- You can report false positive or false negative detections directly to Microsoft using [Threat Explorer](threat-explorer-real-time-detections-about.md) or [admin submissions](submissions-admin.md). - You can block undetected malicious files, URLs, or senders using the [Tenant Allow/Block List](tenant-allow-block-list-about.md). The most effective way to take action is to use the built-in integration with In - You benefit from the built-in correlation with other workloads: Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. - You take actions on email from a single place. -You take action on email based on the result of a manual investigation or hunting activity. [Threat Explorer](threat-explorer-about.md) allows security team members to take action on any email messages that might still exist in cloud mailboxes. They can take action on intra-org messages that were sent between users in your organization. Threat Explorer data is available for the last 30 days. +You take action on email based on the result of a manual investigation or hunting activity. [Threat Explorer](threat-explorer-real-time-detections-about.md) allows security team members to take action on any email messages that might still exist in cloud mailboxes. They can take action on intra-org messages that were sent between users in your organization. 
Threat Explorer data is available for the last 30 days. Watch this short video to learn how Microsoft Defender XDR combines alerts from various detection sources, like Defender for Office 365, into incidents. |
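Review bot: the two link retargets are fine, but the section opener in the surrounding context reads "Security teams can take wide variety of response actions" and is missing the article ("a wide variety"); since the paragraph is being touched anyway, fix it in the same change.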
security | Mdo Security Comparison | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/mdo-security-comparison.md | This quick-reference helps you understand what capabilities come with each Defen |Defender for Office 365 Plan 1|Defender for Office 365 Plan 2| |||-|Prevent and detect capabilities: <ul><li>[Safe Attachments](safe-attachments-about.md), including [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)</li><li>[Safe Links](safe-links-about.md)</li><li>[Advanced phishing thresholds and impersonation protection](anti-phishing-policies-about.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>[Real-time detections](threat-explorer-about.md)</li></ul>|Everything in Defender for Office 365 Plan 1 capabilities <br/><br/> plus <br/><br/> Prevent and detect capabilities: <ul><li>[Attack simulation training](attack-simulation-training-simulations.md)</li></ul> <br/> Automate, investigate, and respond capabilities: <ul><li>[Threat Trackers](threat-trackers.md)</li><li>[Threat Explorer](threat-explorer-about.md)</li><li>[Automated investigation and response](air-about.md)</li><li>[Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](../defender/advanced-hunting-overview.md)</li><li>[Investigate incidents in Microsoft Defender XDR](../defender/investigate-incidents.md)</li><li>[Investigate alerts in Microsoft Defender XDR](../defender/investigate-alerts.md)</li></ul>| +|Prevent and detect capabilities: <ul><li>[Safe Attachments](safe-attachments-about.md), including [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)</li><li>[Safe Links](safe-links-about.md)</li><li>[Advanced phishing thresholds and impersonation 
protection](anti-phishing-policies-about.md#exclusive-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>[Real-time detections](threat-explorer-real-time-detections-about.md)</li></ul>|Everything in Defender for Office 365 Plan 1 capabilities <br/><br/> plus <br/><br/> Prevent and detect capabilities: <ul><li>[Attack simulation training](attack-simulation-training-simulations.md)</li></ul> <br/> Automate, investigate, and respond capabilities: <ul><li>[Threat Trackers](threat-trackers.md)</li><li>[Threat Explorer](threat-explorer-real-time-detections-about.md)</li><li>[Automated investigation and response](air-about.md)</li><li>[Proactively hunt for threats with advanced hunting in Microsoft Defender XDR](../defender/advanced-hunting-overview.md)</li><li>[Investigate incidents in Microsoft Defender XDR](../defender/investigate-incidents.md)</li><li>[Investigate alerts in Microsoft Defender XDR](../defender/investigate-alerts.md)</li></ul>| - Defender for Office 365 Plan 2 is included in Microsoft 365 E5, Microsoft 365 A5, and Microsoft 365 E5. - Defender for Office 365 Plan 1 is included in Microsoft 365 Business Premium. If you're a Security Admin, you may need to configure DKIM or DMARC for your mai Catch up on [what's new in Microsoft Defender for Office 365 (including EOP developments)](defender-for-office-365-whats-new.md) -[Use Threat Explorer or Real-time detections](threat-explorer-about.md) +[Use Threat Explorer or Real-time detections](threat-explorer-real-time-detections-about.md) Use [Attack simulation training](attack-simulation-training-simulations.md) |
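Review bot: the unchanged bullet directly under the comparison table lists "Microsoft 365 E5, Microsoft 365 A5, and Microsoft 365 E5", so one SKU is duplicated and the intended third SKU is missing; confirm which plan was meant before merging, since the table above is the page's main reference point. The link retargets to threat-explorer-real-time-detections-about.md are consistent with the rest of the batch.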
security | Migrate To Defender For Office 365 Onboard | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-onboard.md | appliesto: **Applies to** - [Microsoft Defender for Office 365 plan 1 and plan 2](defender-for-office-365.md) -<br> +<br/> -|[:::image type="content" source="../../medi)|:::image type="content" source="../../media/phase-diagrams/onboard.png" alt-text="Phase 3: Onboard." lightbox="../../media/phase-diagrams/onboard.png"::: <br> Phase 3: Onboard| +|[:::image type="content" source="../../medi)|:::image type="content" source="../../media/phase-diagrams/onboard.png" alt-text="Phase 3: Onboard." lightbox="../../media/phase-diagrams/onboard.png"::: <br/> Phase 3: Onboard| |||| |||*You are here!*| If your organization has a security response team, now is the time to begin inte - Learn the new tools and integrate them into existing flows. For example: - Admin management of quarantined messages is important. For instructions, see [Manage quarantined messages and files as an admin](quarantine-admin-manage-messages-files.md). - Message trace allows you to see what happened to messages as they enter or leave Microsoft 365. For more information, see [Message trace in the modern Exchange admin center in Exchange Online](/exchange/monitoring/trace-an-email-message/message-trace-modern-eac).-- Identify risks that may have been let into the organization.+- Identify risks that might have been let into the organization. - Tune and customize [alerts](alert-policies-defender-portal.md) for organizational processes. - Manage the incident queue and remediate potential risks. -If your organization has purchased Microsoft Defender for Office 365 Plan 2, they should begin familiarizing themselves with and using features such as Threat Explorer, Advanced Hunting, and Incidents. For relevant trainings, see <https://aka.ms/mdoninja>. 
+If your organization purchased Microsoft Defender for Office 365 Plan 2, they should begin familiarizing themselves with and using features such as Threat Explorer, Advanced Hunting, and Incidents. For relevant trainings, see <https://aka.ms/mdoninja>. If your security response team collects and analyzes unfiltered messages, you can configure a SecOps mailbox to receive these unfiltered messages. For instructions, see [Configure SecOps mailboxes in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy). Although this step isn't required, you should consider configuring your pilot us ## Step 3: Tune spoof intelligence -Check the [Spoof intelligence insight](anti-spoofing-spoof-intelligence.md) to see what's being allowed or blocked as spoofing, and to determine if you need to override the system verdict for spoofing. Some sources of your business-critical email might have incorrectly configured email authentication records in DNS (SPF, DKIM, and DMARC) and you might be using overrides in your existing protection service to mask their domain issues. +Check the [Spoof intelligence insight](anti-spoofing-spoof-intelligence.md) to see what's being allowed or blocked as spoofing, and to determine if you need to override the system verdict for spoofing. Some sources of your business-critical email might have misconfigured email authentication records in DNS (SPF, DKIM, and DMARC) and you might be using overrides in your existing protection service to mask their domain issues. Spoof intelligence can rescue email from domains without proper email authentication records in DNS, but the feature sometimes needs assistance in distinguishing good spoofing from bad spoofing. 
Focus on the following types of message sources: The longer you monitor the impersonation protection results without acting on th ### Tune mailbox intelligence -Although mailbox intelligence has been configured to take no action on messages that were [determined to be impersonation attempts](anti-phishing-mdo-impersonation-insight.md), it has been on and learning the email sending and receiving patterns of the pilot users. If an external user is in contact with one your pilot users, messages from that external user aren't identified as impersonation attempts by mailbox intelligence (thus reducing false positives). +Although mailbox intelligence is configured to take no action on messages that were [determined to be impersonation attempts](anti-phishing-mdo-impersonation-insight.md), it's turned on and learning the email sending and receiving patterns of the pilot users. If an external user is in contact with one your pilot users, messages from that external user aren't identified as impersonation attempts by mailbox intelligence (thus reducing false positives). When you're ready, do the following steps to allow mailbox intelligence to act on messages that are detected as impersonation attempts: When you're ready, do the following steps to allow mailbox intelligence to act o To modify the policies, see [Configure anti-phishing policies in Defender for Office 365](anti-phishing-policies-mdo-configure.md). -After you've observed the results and made any adjustments, proceed to the next section to quarantine messages detected by user impersonation. +After you observed the results and made any adjustments, proceed to the next section to quarantine messages detected by user impersonation. 
### Tune user impersonation protection As your pilot users report false positives and false negatives, the messages app Use the following features to monitor and iterate on the protection settings in Defender for Office 365: - [Quarantine](quarantine-admin-manage-messages-files.md)-- [Threat Explorer](email-security-in-microsoft-defender.md)+- [Threat Explorer (Explorer)](threat-explorer-real-time-detections-about.md) - [Email security reports](reports-email-security.md) - [Defender for Office 365 reports](reports-defender-for-office-365.md) - [Mail flow insights](/exchange/monitoring/mail-flow-insights/mail-flow-insights) |
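Review bot: the mailbox intelligence paragraph still reads "in contact with one your pilot users" in both the removed and the added line; insert "of" ("one of your pilot users") while the line is being touched. The other wording change in this row, "After you've observed the results" to "After you observed the results", trades a correct perfect tense for a simple past that reads wrong after "After"; prefer the present tense used elsewhere in the guide: "After you observe the results and make any adjustments, proceed to the next section to quarantine messages detected by user impersonation."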
security | Migrate To Defender For Office 365 Setup | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/migrate-to-defender-for-office-365-setup.md | If you're using some other mechanism to override the Microsoft filtering stack ( The SCL=-1 mail flow rule is important during the migration for the following reasons: -- You can use [Threat Explorer](email-security-in-microsoft-defender.md) to see which features in the Microsoft stack *would have* acted on messages without affecting the results from your existing protection service.+- You can use [Threat Explorer (Explorer)](threat-explorer-real-time-detections-about.md) to see which features in the Microsoft stack *would have* acted on messages without affecting the results from your existing protection service. - You can gradually adjust who is protected by the Microsoft 365 filtering stack by configuring exceptions to the SCL=-1 mail flow rule. The exceptions are the members of the pilot distribution groups that we recommend later in this article. Before or during the cutover of your MX record to Microsoft 365, you disable this rule to turn on the full protection of the Microsoft 365 protection stack for all recipients in your organization. For more information, see [Use mail flow rules to set the spam confidence level The first thing to do is configure [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) (also known as *skip listing*) on the connector that's used for mail flow from your existing protection service into Microsoft 365. You can use the [Inbound messages report](/exchange/monitoring/mail-flow-reports/mfr-inbound-messages-and-outbound-messages-reports) to help identify the connector. -Enhanced Filtering for Connectors is required by Defender for Office 365 to see where internet messages actually came from. 
Enhanced Filtering for Connectors greatly improves the accuracy of the Microsoft filtering stack (especially [spoof intelligence](anti-phishing-protection-spoofing-about.md), and post-breach capabilities in [Threat Explorer](threat-explorer-about.md) and [Automated Investigation & Response (AIR)](air-about-office.md). +Enhanced Filtering for Connectors is required by Defender for Office 365 to see where internet messages actually came from. Enhanced Filtering for Connectors greatly improves the accuracy of the Microsoft filtering stack (especially [spoof intelligence](anti-phishing-protection-spoofing-about.md), and post-breach capabilities in [Threat Explorer](threat-explorer-real-time-detections-about.md) and [Automated Investigation & Response (AIR)](air-about-office.md). To correctly enable Enhanced Filtering for Connectors, you need to add the **public** IP addresses of \*\***all\*\*** third-party services and/or on-premises email system hosts that route inbound mail to Microsoft 365. To confirm that Enhanced Filtering for Connectors is working, verify that incomi ## Step 5: Create pilot protection policies -By creating production policies, even if they aren't applied to all users, you can test post-breach features like [Threat Explorer](threat-explorer-about.md) and test integrating Defender for Office 365 into your security response team's processes. +By creating production policies, even if they aren't applied to all users, you can test post-breach features like [Threat Explorer](threat-explorer-real-time-detections-about.md) and test integrating Defender for Office 365 into your security response team's processes. > [!IMPORTANT] > Policies can be scoped to users, groups, or domains. We do not recommend mixing all three in one policy, as only users that match all three will fall inside the scope of the policy. For pilot policies, we recommend using groups or users. For production policies, we recommend using domains. 
It's extremely important to understand that **only** the user's primary email domain determines if the user falls inside the scope of the policy. So, if you switch the MX record for a user's secondary domain, make sure that their primary domain is also covered by a policy. |
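Review bot: the Enhanced Filtering sentence in this hunk has an unbalanced parenthesis in both the removed and the added line: "(especially [spoof intelligence], and post-breach capabilities in [Threat Explorer] and [Automated Investigation & Response (AIR)]." never closes the "(" opened before "especially". Either close it after "spoof intelligence" or drop the parentheses: "...greatly improves the accuracy of the Microsoft filtering stack, especially spoof intelligence, and of the post-breach capabilities in Threat Explorer and Automated Investigation & Response (AIR)." The unchanged context line "IP addresses of \*\***all\*\*** third-party services" also renders as stray asterisks; plain **all** is enough.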
security | Office 365 Ti | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/office-365-ti.md | Threat investigation and response capabilities in the Microsoft Defender portal ### Explorer -Use [Explorer (and real-time detections)](threat-explorer-about.md) to analyze threats, see the volume of attacks over time, and analyze data by threat families, attacker infrastructure, and more. Explorer (also referred to as Threat Explorer) is the starting place for any security analyst's investigation workflow. +Use [Explorer (and real-time detections)](threat-explorer-real-time-detections-about.md) to analyze threats, see the volume of attacks over time, and analyze data by threat families, attacker infrastructure, and more. Explorer (also referred to as Threat Explorer) is the starting place for any security analyst's investigation workflow. :::image type="content" source="../../media/7a7cecee-17f0-4134-bcb8-7cee3f3c3890.png" alt-text="The Threat explorer page" lightbox="../../media/7a7cecee-17f0-4134-bcb8-7cee3f3c3890.png"::: Microsoft Defender for Office 365 uses role-based access control. 
Permissions ar |Activity|Roles and permissions| ||| |Use the Microsoft Defender Vulnerability Management dashboard <p> View information about recent or current threats|One of the following: <ul><li>**Global Administrator**</li><li>**Security Administrator**</li><li>**Security Reader**</li></ul> <br/> These roles can be assigned in either Microsoft Entra ID (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>).|-|Use [Explorer (and real-time detections)](threat-explorer-about.md) to analyze threats|One of the following: <ul><li>**Global Administrator**</li><li>**Security Administrator**</li><li>**Security Reader**</li></ul> <br/> These roles can be assigned in either Microsoft Entra ID (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>).| +|Use [Explorer (and real-time detections)](threat-explorer-real-time-detections-about.md) to analyze threats|One of the following: <ul><li>**Global Administrator**</li><li>**Security Administrator**</li><li>**Security Reader**</li></ul> <br/> These roles can be assigned in either Microsoft Entra ID (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>).| |View Incidents (also referred to as Investigations) <p> Add email messages to an incident|One of the following: <ul><li>**Global Administrator**</li><li>**Security Administrator**</li><li>**Security Reader**</li></ul> <br/> These roles can be assigned in either Microsoft Entra ID (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>).| |Trigger email actions in an incident <p> Find and delete suspicious email messages|One of the following: <ul><li>**Global Administrator**</li><li>**Security Administrator** plus the **Search and Purge** role</li></ul> <br/> The **Global Administrator** and **Security Administrator** roles can be assigned in either Microsoft Entra ID (<https://portal.azure.com>) or the Microsoft 365 
admin center (<https://admin.microsoft.com>). <p> The **Search and Purge** role must be assigned in the **Email & collaboration roles** in the Microsoft 36 Defender portal (<https://security.microsoft.com>).| |Integrate Microsoft Defender for Office 365 Plan 2 with Microsoft Defender for Endpoint <p> Integrate Microsoft Defender for Office 365 Plan 2 with a SIEM server|Either the **Global Administrator** or the **Security Administrator** role assigned in either Microsoft Entra ID (<https://portal.azure.com>) or the Microsoft 365 admin center (<https://admin.microsoft.com>). <p> **plus** <p> An appropriate role assigned in additional applications (such as [Microsoft Defender Security Center](/windows/security/threat-protection/microsoft-defender-atp/user-roles) or your SIEM server).| Microsoft Defender for Office 365 uses role-based access control. Permissions ar ## Next steps - [Learn about Threat Trackers - New and Noteworthy](threat-trackers.md)-- [Find and investigate malicious email that was delivered (Office 365 Threat Investigation and Response)](investigate-malicious-email-that-was-delivered.md)+- [Find and investigate malicious email that was delivered (Office 365 Threat Investigation and Response)](threat-explorer-investigate-delivered-malicious-email.md) - [Simulate a phishing attack](attack-simulation-training-simulations.md) |
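Review bot: the Search and Purge row of the permissions table (unchanged context in this hunk) reads "in the Microsoft 36 Defender portal"; a digit is missing. It should read "Microsoft 365 Defender portal" or, consistent with the rest of this table and the other rows in this change set, "Microsoft Defender portal".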
security | Priority Accounts Security Recommendations | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/priority-accounts-security-recommendations.md | After you secure and tag your priority users, you can use the available reports, |Alerts|The user tags of affected users are visible and available as filters on the **Alerts** page in the Microsoft Defender portal. For more information, see [Alert policies in the Microsoft Defender portal](alert-policies-defender-portal.md).| |Incidents|The user tags for all correlated alerts are visible on the **Incidents** page in the Microsoft Defender portal. For more information, see [Manage incidents and alerts](mdo-sec-ops-manage-incidents-and-alerts.md).| |Custom alert policies|You can create alert policies based on user tags in the Microsoft Defender portal. For more information, see [Alert policies in the Microsoft Defender portal](alert-policies-defender-portal.md).|-|Explorer <p> Real-time detections|In **Explorer** (Defender for Office 365 Plan 2) or **Real-time detections** (Defender for Office 365 Plan 1), user tags are visible in the Email grid view and the Email details flyout. User tags are also available as a filterable property. For more information, see [Tags in Explorer](threat-explorer-about.md#tags-in-threat-explorer).| +|Explorer <p> Real-time detections|In **Explorer** (Defender for Office 365 Plan 2) or **Real-time detections** (Defender for Office 365 Plan 1), user tags are visible in the Email grid view and the Email details flyout. User tags are also available as a filterable property. For more information, see [Tags in Threat Explorer](threat-explorer-threat-hunting.md#tags-in-threat-explorer).| |Email entity page|You can filter email based on applied user tags in Microsoft 365 E5 and in Defender for Office 365 Plan 1 and Plan 2. 
For more information, see [Email entity page](mdo-email-entity-page.md).| |Campaign Views|User tags are one of many filterable properties in Campaign Views in Microsoft Defender for Office 365 Plan 2. For more information, see [Campaign Views](campaigns.md).| |Threat protection status report|In virtually all of the views and detail tables in the **Threat protection status report**, you can filter the results by **priority accounts**. For more information, see [Threat protection status report](reports-email-security.md#threat-protection-status-report).| |
security | Priority Accounts Turn On Priority Account Protection | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/priority-accounts-turn-on-priority-account-protection.md | The effects of priority account protection are visible in the following reportin - [View data by Email \> Malware and Chart breakdown by Detection Technology](reports-email-security.md#view-data-by-email--malware-and-chart-breakdown-by-detection-technology) - [Chart breakdown by Policy type](reports-email-security.md#chart-breakdown-by-policy-type) - [Chart breakdown by Delivery status](reports-email-security.md#chart-breakdown-by-delivery-status)-- [Threat Explorer and real-time detections](threat-explorer-about.md)+- [Threat Explorer and real-time detections](threat-explorer-real-time-detections-about.md) - [Email entity page](mdo-email-entity-page.md) For information about where the Priority account tag and other user tags are available as filters, see [User tags in reports and features](user-tags-about.md#user-tags-in-reports-and-features). In the previously mentioned views in the report, the option **Priority account p ### Threat Explorer -For more information about Threat Explorer, see [Threat Explorer and Real-time detections](threat-explorer-about.md). +For more information about Threat Explorer, see [Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md). To view the results of priority account protection in Threat Explorer, do the following steps: To view the results of priority account protection in Threat Explorer, do the fo ### Email entity page -The email entity page is available in **Threat Explorer**. For more information, see [The Email entity page](mdo-email-entity-page.md). +The email entity page is available from many locations in the Defender portal, including **Threat Explorer** (also known as **Explorer**). 
For more information, see [The Email entity page](mdo-email-entity-page.md). -In the filtered results on the **All email**, **Malware**, or **Phish** tabs of the **Explorer** page, select the **Subject** of an email message in the results. --In the details flyout that opens, select :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity** at the top of the flyout. --On the email entity page that opens, select the **Analysis** tab. **Priority account protection** is listed in the **Threat detection details** section. +On the Email entity page, select the **Analysis** tab. **Priority account protection** is listed in the **Threat detection details** section. :::image type="content" source="../../media/email-entity-priority-account-protection.png" alt-text="The Analysis tab of the Email entity page showing Priority account protection results." lightbox="../../media/email-entity-priority-account-protection.png"::: |
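Review bot: the replacement line "On the Email entity page, select the Analysis tab" drops the navigation that the removed lines supplied (select the Subject in the Explorer results, then Open email entity in the flyout), so the section no longer tells the reader how to reach the page it describes. Since the new sentence says the page is available "from many locations", keep a one-line pointer for the Threat Explorer path this section is about, or state that the linked Email entity page article covers how to open it.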
security | Real Time Detections | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/real-time-detections.md | - Title: Threat Explorer and Real-time detections basics in Microsoft Defender for Office 365 - - NOCSH ---- Previously updated : 1/16/2024-- - m365-security - - tier1 - - highpri -description: Use Explorer or Real-time detections to investigate and respond to threats efficiently. --- seo-marvel-apr2020---appliesto: - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> ---# What is Threat Explorer and Real-time detections? ---This article explains the difference between Threat Explorer and real-time detections reporting, updated experience with Threat Explorer and real-time detections where you can toggle between old and new experiences, and the licenses and permissions that are required. --If your organization has [Microsoft Defender for Office 365](defender-for-office-365.md), and you have the [permissions](#required-licenses-and-permissions), you can use **Explorer** (also known as **Threat Explorer**) or **Real-time detections** to detect and remediate threats. --In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration**, and then choose **Explorer** _or_ **Real-time detections**. To go directly to the page, use <https://security.microsoft.com/threatexplorer> or <https://security.microsoft.com/realtimereports>. 
--With these tools, you can: --- See malware detected by Microsoft 365 security features.-- View phishing URL and click verdict data.-- Start an automated investigation and response process from a view in Explorer.-- Investigate malicious email, and more.--For more information, see [Email security with Explorer](email-security-in-microsoft-defender.md). --## Differences between Explorer and Real-time detections --- _Real-time detections_ is a reporting tool available in Defender for Office 365 Plan 1. _Threat Explorer_ is a threat hunting and remediation tool available in Defender for Office 365 Plan 2.-- The Real-time detections report allows you to view detections in real time. Threat Explorer does this as well, but it provides additional details for a given attack, such as highlighting attack campaigns, and gives security operations teams the ability to remediate threats (including triggering an [Automated Investigation and Response investigation](air-about-office.md).-- An **All email** view is available in Threat Explorer, but not included in the Real-time detections report.-- Rich filtering capabilities and remediation actions are included in Threat Explorer. For more information, see [Microsoft Defender for Office 365 Service Description: Feature availability across Defender for Office 365 plans](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#feature-availability-across-advanced-threat-protection-atp-plans).--## Updated experience for Explorer and Real-time detections --The experience for Threat Explorer and Real-time detections is updated to align with modern accessibility standards, and to optimize the workflow. For a short while, you'll be able to toggle between the old experience and the new one. --> [!NOTE] -> Toggling impacts only your account and does not impact anyone else within your tenant. 
--Threat Explorer and Real-time detections are divided into the following views: --- **All email**: Shows all email analyzed by Defender for office 365 and contains both good and malicious emails. This feature is only present in Threat Explorer and isn't available for Real-time detections. By default, it's set to show data for two days, which can be expanded up to 30 days. This is also the default view for Threat Explorer.--- **Malware view**: Shows emails on which a malware threat was identified. This is the default view for Real-time detections, and shows data for two days (can be expanded to 30 days).--- **Phish view**: Shows emails on which a phish threat was identified.--- **Content malware view**: Shows malicious detections identified in files shared through OneDrive, SharePoint, or Teams.--Here are the common components within these experiences: --- Filters-- - You can use the various filters to view the data based on email or file attributes. -- - By default, the time filter is applied to the records, and is applied for two days. -- - If you're applying multiple filters, they're applied in 'AND' mode and you can use the advanced filter to change it to 'OR' mode. -- - You can use commas to add multiple values for the same filter. -- :::image type="content" source="../../media/explorer-new-experience-filters.png" alt-text="Screenshot showing filters in Explorer." lightbox="../../media/explorer-new-experience-filters.png"::: --- Charts-- - Charts provide a visual, aggregate view of data based on filters. You can use different filters to view the data by different dimensions. -- > [!NOTE] - > You may see no results in chart view even if you are seeing an entry in the list view. This happens if the filter does not produce any data. For example, if you have applied the filter malware family, but the underlying data does not have any malicious emails, then you may see the message no data available for this scenario. 
-- :::image type="content" source="../../media/explorer-new-experience-export-chart-data.png" alt-text="Screenshot showing exporting chart data." lightbox="../../media/explorer-new-experience-export-chart-data.png"::: --- Results grid-- - Results grid shows the email results based on the filters you've applied. -- - Based on the configuration set in your tenant, data is shown in UTC or local timezone, with the timezone information available in the first column. -- - You can navigate to the individual email entity page from the list view by clicking the **Open in new window** icon. -- - You can also customize your columns to add or remove columns to optimize your view. -- > [!NOTE] - > You can toggle between the **Chart view** and the **List view** to maximize your result set. -- :::image type="content" source="../../media/explorer-new-experience-list-chart-view.png" alt-text="Screenshot showing viewing chart data." lightbox="../../media/explorer-new-experience-list-chart-view.png"::: --- Detailed flyout-- - You can click on hyperlinks to get to the email summary panel (entries in Subject column), recipient, or IP flyout. -- - The email summary panel replaces the legacy email flyout, and also provides a path to access the email entity panel. -- - The individual entity flyouts like IP, recipient, and URL would reflect the same information, but presented in a single tab-based view, with the ability to expand and collapse the different sections based on requirement. -- - For flyouts like URLs, you can click **View all Email** or **View all Clicks** to view the full set of emails/clicks containing that URL, as well as export the result set. --- Actions-- - From Threat Explorer, you can trigger remediation actions like **Delete an email**. For more information on remediation, remediation limits, and tracking remediation see [Remediate malicious email](remediate-malicious-email-delivered-office-365.md). 
--- Export-- - You can click **Export chart data** to export the chart details. Similarly, click **Export email list** to export email details. -- - You can export up to 200K records for email list. However, for better system performance and reduced download time, you should use various email filters. -- :::image type="content" source="../../media/explorer-new-experience-export-chart-data.png" alt-text="Screenshot showing exporting chart data." lightbox="../../media/explorer-new-experience-export-chart-data.png"::: --In addition to these features, you'll also get updated experiences like **Top URLs**, **Top clicks**, **Top targeted users**, and **Email origin**. **Top URLs**, **Top clicks**, and **Top targeted users** can be further filtered based on the filter that you apply within Explorer. --### Exporting data --Threat Explorer and Real-time detections now allows users to export additional data in addition to the data visible on the data grid. With the new export feature, users will have the ability to selectively export the data that are relevant to their analysis or investigation, without having to shift through irrelevant data. The latest export feature includes a group of default fields that offer fundamental information from email metadata as pre-selected options. You now have the choice to pick extra fields or modify the current selection based on your requirements. The new export feature is available across all tabs in Threat Explorer and Real-time detections. 
---## Required licenses and permissions --You need [Microsoft Defender for Office 365](defender-for-office-365.md) to use either of Explorer or Real-time detections (included in your subscription or purchased as an add-on): --- Explorer is only included in Defender for Office 365 Plan 2.-- The Real-time detections report is included in Defender for Office 365 Plan 1.--Security Operations teams need to assign licenses for all users who should be protected by Defender for Office 365 and be aware that Explorer and Real-time detections show detection data for licensed users. --To view and use Explorer or Real-time detections, you need to be assigned permissions. You have the following options: --- [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell):- - _Read access for email and Teams message headers_: **Security operations/Raw data (email & collaboration)/Email message headers (read)**. - - _Preview and download email messages_: **Security operations/Raw data (email & collaboration)/Email content (read)**. - - _Remediate malicious email_: **Security operations/Security data/Email advanced actions (manage)**. -- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md):- - _Full access_: Membership in the **Organization Management** or **Security Administrator** role groups. - - _Preview and download messages_: Membership in the **Preview** role group. - - _Read-only access_: Membership in the **Security Reader** role group. -- [Exchange Online permissions](/exchange/permissions-exo/permissions-exo):- - _Full access_: Membership in the **Organization Management** or **Compliance Management** role groups. - - _Read-only access_: Membership in the **View-Only Organization Management** or **View-Only Recipients** role groups. 
-- [Microsoft Entra permissions](/entra/identity/role-based-access-control/manage-roles-portal): Membership in the **Global Administrator**, **Security Administrator**, **Global Reader**, or **Security Reader** roles gives users the required permissions _and_ permissions for other features in Microsoft 365.--## More information --- [Threat Explorer collect email details on the email entity page](mdo-email-entity-page.md)-- [Find and investigate malicious email that was delivered](investigate-malicious-email-that-was-delivered.md)-- [View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)-- [Threat protection status report](reports-email-security.md#threat-protection-status-report)-- [Automated investigation and response in Microsoft Threat Protection](air-about-office.md) |
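Review bot: this row removes real-time-detections.md in full, and the other rows in this change set repoint their links from threat-explorer-about.md to threat-explorer-real-time-detections-about.md, but no redirection entry for the removed path is visible here. Add one that sends real-time-detections.md (and, if it is also being retired, threat-explorer-about.md) to the replacement article so existing bookmarks and external links do not break.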
security | Reports Defender For Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/reports-defender-for-office-365.md | In addition to the reports described in this article, the following tables descr |Report|Article| |||-|**Explorer** (Microsoft Defender for Office 365 Plan 2) or **real-time detections** (Microsoft Defender for Office 365 Plan 1)|[Threat Explorer (and real-time detections)](threat-explorer-about.md)| +|**Explorer** (Microsoft Defender for Office 365 Plan 2) or **real-time detections** (Microsoft Defender for Office 365 Plan 1)|[Threat Explorer (and real-time detections)](threat-explorer-real-time-detections-about.md)| |Email security reports that don't require Defender for Office 365|[View email security reports in the Microsoft Defender portal](reports-email-security.md)| |Mail flow reports in the Exchange admin center (EAC)|[Mail flow reports in the new Exchange admin center](/exchange/monitoring/mail-flow-reports/mail-flow-reports)| |
security | Safe Attachments For Spo Odfb Teams About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-about.md | To learn more about the user experience when a file has been detected as malicio ## View information about malicious files detected by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams -Files that are identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams appear in [reports for Microsoft Defender for Office 365](reports-defender-for-office-365.md) and in [Explorer (and real-time detections)](threat-explorer-about.md). +Files that are identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams appear in [reports for Microsoft Defender for Office 365](reports-defender-for-office-365.md) and in [Explorer (and real-time detections)](threat-explorer-real-time-detections-about.md). When a file is identified as malicious by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, the file is also available in quarantine, but only to admins. For more information, see [Manage quarantined files in Defender for Office 365](quarantine-admin-manage-messages-files.md#use-the-microsoft-defender-portal-to-manage-quarantined-files-in-defender-for-office-365). |
security | Safe Attachments Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-attachments-policies-configure.md | To verify that you've successfully created, modified, or removed Safe Attachment - Add the URL `http://spamlink.contoso.com` to a file (for example, a Word document), and attach that file in an email message to test Safe Attachments protection. This URL is similar to the GTUBE text string for testing anti-spam solutions. This URL isn't harmful, but when it's included in an email attachment, it triggers a Safe Attachments protection response. -- To verify that Safe Attachments is scanning messages, check the available Defender for Office 365 reports. For more information, see [View reports for Defender for Office 365](reports-defender-for-office-365.md) and [Use Explorer in the Microsoft Defender portal](threat-explorer-about.md).+- To verify that Safe Attachments is scanning messages, check the available Defender for Office 365 reports. For more information, see [View reports for Defender for Office 365](reports-defender-for-office-365.md) and [Use Explorer in the Microsoft Defender portal](threat-explorer-real-time-detections-about.md). |
security | Safe Links Policies Configure | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/safe-links-policies-configure.md | Remove-SafeLinksRule -Identity "Marketing Department" For detailed syntax and parameter information, see [Remove-SafeLinksRule](/powershell/module/exchange/remove-safelinksrule). -To verify that Safe Links is scanning messages, check the available Microsoft Defender for Office 365 reports. For more information, see [View reports for Defender for Office 365](reports-defender-for-office-365.md) and [Use Explorer in the Microsoft Defender portal](threat-explorer-about.md). +To verify that Safe Links is scanning messages, check the available Microsoft Defender for Office 365 reports. For more information, see [View reports for Defender for Office 365](reports-defender-for-office-365.md) and [Use Explorer in the Microsoft Defender portal](threat-explorer-real-time-detections-about.md). ## How do you know these procedures worked? |
security | Defense In Depth Guide | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/step-by-step-guides/defense-in-depth-guide.md | This guide is for you if: - You're licensed for Microsoft Defender for Office 365 and host your mailboxes in Office 365 - You're also using a third party for your email security -The information below will detail how to get the most out of your investment, broken down into easy to follow steps. +The following information details how to get the most out of your investment, broken down into easy to follow steps. -## What you will need +## What you need - Mailboxes hosted in Office 365 - One or more of: The information below will detail how to get the most out of your investment, br ## Step 1 ΓÇô Understand the value you already have -### Protection features +### Built-in protection features -- Built-in protection offers a base level of unobtrusive protection, and includes malware, zero day (Safe Attachments), and URL protection (Safe Links) in email (including internal email), SharePoint Online, OneDrive, and Teams. Note that URL protection provided in this state is via API call only. It doesn't wrap or rewrite URLs but does require a supported Outlook client. You can create your own custom policies to expand your protection.+- Built-in protection offers a base level of unobtrusive protection, and includes malware, zero day (Safe Attachments), and URL protection (Safe Links) in email (including internal email), SharePoint Online, OneDrive, and Teams. URL protection provided in this state is via API call only. It doesn't wrap or rewrite URLs but does require a supported Outlook client. You can create your own custom policies to expand your protection. 
**Read more & watch an overview video of Safe Links here:** [Complete Safe Links overview](../safe-links-about.md) **Read more about Safe Attachments here:** [Safe Attachments](../safe-attachments-about.md) -### Detection, investigation, response and hunting features +### Detection, investigation, response, and hunting features -- When alerts fire in Microsoft Defender for Office 365, they're automatically correlated, and combined into Incidents to help reduce the alert fatigue on security staff. Automated Investigation and Response (AIR) will trigger investigations to help remediate and contain threats.+- When alerts fire in Microsoft Defender for Office 365, they're automatically correlated, and combined into Incidents to help reduce the alert fatigue on security staff. Automated Investigation and Response (AIR) triggers investigations to help remediate and contain threats. **Read more, watch an overview video and get started here :** [Incident response with Microsoft Defender XDR](/microsoft-365/security/defender/incidents-overview) -- Threat Analytics is our in-product detailed threat intelligence solution from expert Microsoft security researchers, detailed reports designed to get you up to speed on the latest threat groups, attack techniques, how to protect your organization with Indicators of Compromise (IOC) and much more.+- Threat Analytics is our in-product, detailed threat intelligence solution from expert Microsoft security researchers. Threat Analytics contains detailed reports that are designed to get you up to speed on the latest threat groups, attack techniques, how to protect your organization with Indicators of Compromise (IOC) and much more. **Read more, watch an overview video and get started here :** [Threat analytics in Microsoft Defender XDR](../../defender/threat-analytics.md) - Explorer can be used to hunt threats, visualize mail flow patterns, spot trends, and identify the impact of changes you make during tuning Defender for Office 365. 
You can also quickly delete messages from your organization with a few simple clicks. -**Read more, and get started here:** [Threat Explorer and Real-time detections](../threat-explorer-about.md) +**Read more, and get started here:** [Threat Explorer and Real-time detections](../threat-explorer-real-time-detections-about.md) ## Step 2 ΓÇô Enhance the value further with these simple steps -### Protection features +### Additional protection features -- Consider enabling policies beyond the built-in Protection. Enabling time-of-click protection, or impersonation protection, for example, to add extra layers or fill gaps missing from your third party protection. Be aware that if you have a transport rule or connection filter that is overriding verdicts (this also can be known as SCL=-1) you'll need to address this before turning on other protection features.+- Consider enabling policies beyond the built-in Protection. Enabling time-of-click protection, or impersonation protection, for example, to add extra layers or fill gaps missing from your third party protection. If you have a mail flow rule (also known as a transport rule) or connection filter that overrides verdicts (also known as an SCL=-1 rule) you need to address this configuration before turning on other protection features. **Read more here:** [Anti-phishing policies](../anti-phishing-policies-about.md) - If your current security provider is configured to modify messages *in any way*, it's important to note that authentication signals can impact the ability for Defender for Office 365 to protect you against attacks such as spoofing. If your third party supports Authenticated Received Chain (ARC), then enabling this is a highly recommended step in your journey to advanced dual filtering. Moving any message modification configuration to Defender for Office 365 is also an alternative. 
-**Read more here:** [Configure trusted ARC sealers](../email-authentication-arc-configure.md) +**Read more here:** [Configure trusted ARC sealers.](../email-authentication-arc-configure.md) -- Enhanced Filtering for connectors allows IP address and sender information to be preserved through the third party. This improves accuracy for the filtering (protection) stack, post breach capabilities & authentication improvements.+- Enhanced Filtering for connectors allows IP address and sender information to be preserved through the third party. This feature improves accuracy for the filtering (protection) stack, post breach capabilities & authentication improvements. **Read more here:** [Enhanced filtering for connectors in Exchange Online](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) -- Priority account protection will offer enhanced visibility for accounts in tooling, along with additional protection when in an advanced defense in-depth configuration state.+- Priority account protection offers enhanced visibility for accounts in tooling, along with additional protection when in an advanced defense in-depth configuration state. **Read more here:** [Priority account protection](protect-your-c-suite-with-priority-account-protection.md) -- Advanced Delivery should be configured to deliver any third party phish simulations correctly, and if you have a Security Operations mailbox, consider defining it as a SecOps mailbox to ensure emails *do not* get removed from the mailbox due to threats.+- Advanced Delivery should be configured to deliver any third party phish simulations correctly, and if you have a Security Operations mailbox, consider defining it as a SecOps mailbox to ensure emails *don't* get removed from the mailbox due to threats. 
**Read more here:** [Advanced delivery](../advanced-delivery-policy-configure.md) - You can configure user reported settings to allow users to report good or bad messages to Microsoft, to a designated reporting mailbox (to integrate with current security workflows) or both. Admins can use the **User reported** tab on the **Submissions** page to triage false positives and false negative user reported messages. -**Read more here:** [Deploy and configure the report message add-in to users](deploy-and-configure-the-report-message-add-in.md) +**Read more here:** [Deploy and configure the report message add-in to users.](deploy-and-configure-the-report-message-add-in.md) ### Detection, investigation, response, and hunting features The information below will detail how to get the most out of your investment, br ### Education features -- Attack simulation training allows you to run realistic but benign cyber-attack scenarios in your organization. If you don't already have phishing simulation capabilities from your primary email security provider, Microsoft's simulated attacks can help you identify and find vulnerable users, policies, and practices. This is important knowledge to have and correct *before* a real attack impacts your organization. Post simulation we assign in product or custom training to educate users about the threats they missed, ultimately reducing your organization's risk profile. With Attack simulation training we deliver messages directly into the inbox, so the user experience is rich. This also means no security changes such as overrides needed to get simulations delivered correctly.+- Attack simulation training allows you to run realistic but benign cyber-attack scenarios in your organization. If you don't already have phishing simulation capabilities from your primary email security provider, Microsoft's simulated attacks can help you identify and find vulnerable users, policies, and practices. 
This capability contains important knowledge to have and correct *before* a real attack impacts your organization. Post simulation we assign in product or custom training to educate users about the threats they missed, ultimately reducing your organization's risk profile. With Attack simulation training, we deliver messages directly into the inbox, so the user experience is rich. This also means no security changes such as overrides needed to get simulations delivered correctly. -**Get started here:** [Get started using Attack simulation](../attack-simulation-training-get-started.md) +**Get started here:** [Get started using Attack simulation.](../attack-simulation-training-get-started.md) **Jump right into delivering a simulation here:** [How to setup automated attacks and training within Attack simulation training](how-to-setup-attack-simulation-training-for-automated-attacks-and-training.md) ## Step 3 and beyond, becoming a dual use hero -- Many of the detection, investigation, response, and hunting activities described above should be repeated by your security teams. This guidance offers a detailed description of tasks, cadence, and team assignments we would recommend.+- Many of the detection, investigation, response, and hunting activities as previously described should be repeated by your security teams. This guidance offers a detailed description of tasks, cadence, and team assignments we would recommend. **Read More:** [Security Operations Guide for Defender for Office 365](../mdo-sec-ops-guide.md) -- Consider user experiences such as accessing multiple quarantines, or the submission / reporting of false positives and false negatives. 
You can mark messages which are detected by the third party service with a custom *X* header, for example, to allow Defender for Office 365 to detect and quarantine them via transport rules, which would also give users a single place to access quarantined mail.+- Consider user experiences such as accessing multiple quarantines, or the submission / reporting of false positives and false negatives. You can mark messages detected by the third party service with a custom *X* header. For example, you can use mail flow rules to detect and quarantine email that contains the *X* header. This result also gives users a single place to access quarantined mail. **Read More:** [How to configure quarantine permissions and policies](how-to-configure-quarantine-permissions-with-quarantine-policies.md) - The Migration guide contains lots of useful guidance on preparing and tuning your environment to ready it for a migration. But many of the steps are *also* applicable to a dual-use scenario. Simply ignore the MX switch guidance in the final steps. -**Read it here:** [Migrate from a third-party protection service to Microsoft Defender for Office 365 - Office 365 | Microsoft Docs](../migrate-to-defender-for-office-365.md) +**Read it here:** [Migrate from a third-party protection service to Microsoft Defender for Office 365 - Office 365 | Microsoft Docs.](../migrate-to-defender-for-office-365.md) ## More information The information below will detail how to get the most out of your investment, br [Security Operations Guide for Defender for Office 365](../mdo-sec-ops-guide.md) -[Get more out of Microsoft Defender for Office 365 with Microsoft Defender XDR](https://www.youtube.com/watch?v=Tdz6KfruDGo) +[Get more out of Microsoft Defender for Office 365 with Microsoft Defender XDR.](https://www.youtube.com/watch?v=Tdz6KfruDGo) |
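Review bot: in the "Read more here", "Get started here" and "Read it here" lines of this change, the sentence-ending period is moved inside the link brackets (for example `[Configure trusted ARC sealers.](../email-authentication-arc-configure.md)`, `[Deploy and configure the report message add-in to users.](...)`, `[Get more out of Microsoft Defender for Office 365 with Microsoft Defender XDR.](https://www.youtube.com/watch?v=Tdz6KfruDGo)`), which makes the period part of the rendered hyperlink text and is inconsistent with the other "Read more" links in the same article that keep the period outside. Suggest placing the period after the closing parenthesis of the link, or dropping it as the unchanged "Read more here" lines do.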
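Review bot: the "Consider enabling policies beyond the built-in Protection" bullet still carries a sentence fragment after the rewrite: "Enabling time-of-click protection, or impersonation protection, for example, to add extra layers or fill gaps missing from your third party protection." has no main verb. Suggest "For example, enable time-of-click protection or impersonation protection to add extra layers or fill gaps in your third-party protection." The new final sentence of that bullet is a real improvement, since it names the mail flow rule (transport rule) and the SCL=-1 override explicitly instead of the vaguer "this also can be known as".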
security | Submissions Admin | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-admin.md | In organizations with Microsoft Defender for Office 365 Plan 2 (add-on licenses - :::image type="icon" source="../../media/m365-cc-sc-view-alert-icon.png" border="false"::: **View alert**. An alert is triggered when an admin submission is created or updated. Selecting this action takes you to the details of the alert. -- In the **Result details** section, the following links for [Threat Explorer](threat-explorer-about.md) might also be available, depending on the status and result of the reported item:+- In the **Result details** section, the following links for [Threat Explorer](threat-explorer-real-time-detections-about.md) might also be available, depending on the status and result of the reported item: - **View this message in Explorer**: **Emails** tab only. - **Search for similar messages in Explorer**: **Emails** tab only. - **Search for URL or file**: **Email attachments** or **URL** tabs only. |
security | Submissions Report Messages Files To Microsoft | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/submissions-report-messages-files-to-microsoft.md | User reported messages are also available to admins in the following locations i - The [User-reported messages report](reports-email-security.md#user-reported-messages-report) - [Automated investigation and response (AIR) results](air-view-investigation-results.md) (Defender for Office 365 Plan 2)-- [Threat Explorer](threat-explorer-views.md) (Defender for Office 365 Plan 2)+- [Threat Explorer](threat-explorer-real-time-detections-about.md) (Defender for Office 365 Plan 2) In Defender for Office 365 Plan 2, admins can also submit messages from the [Email entity page](mdo-email-entity-page.md#actions-you-can-take-on-the-email-entity-page) and from [Alerts](../defender/investigate-alerts.md) in the Defender portal. |
security | Tenant Wide Setup For Increased Security | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/tenant-wide-setup-for-increased-security.md | On the **Email & collaboration reports** page that opens, note the cards that ar Mail flow reports and insights are available in the Exchange admin center (EAC). For more information, see [Mail flow reports](/exchange/monitoring/mail-flow-reports/mail-flow-reports) and [Mail flow insights](/exchange/monitoring/mail-flow-insights/mail-flow-insights). -|If you're investigating or experiencing an attack against your tenant, use [Threat Explorer (or real-time detections)](threat-explorer-about.md) to analyze threats. Explorer (and the real-time detections report) shows you the volume of attacks over time, and you can analyze this data by threat families, attacker infrastructure, and more. You can also mark any suspicious email for the Incidents list. +|If you're investigating or experiencing an attack against your tenant, use [Threat Explorer (or real-time detections)](threat-explorer-real-time-detections-about.md) to analyze threats. Explorer (and the real-time detections report) shows you the volume of attacks over time, and you can analyze this data by threat families, attacker infrastructure, and more. You can also mark any suspicious email for the Incidents list. ## Additional considerations |
security | Threat Explorer About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-about.md | - Title: Threat Explorer and Real-time Detections - - NOCSH ----- - MET150 - - MOE150 -- - m365-security - - tier1 -description: Use Explorer and Real-time detections in the Microsoft Defender portal to investigate and respond to threats efficiently. --- seo-marvel-apr2020-- Previously updated : 6/20/2023-appliesto: - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> ---# Improvements to Threat Hunting in Threat Explorer ---If your organization has [Microsoft Defender for Office 365](defender-for-office-365.md), and you have the [necessary permissions](#required-licenses-and-permissions), you have either **Threat Explorer** or **Real-time detections** (formerly *Real-time reports* — [see what's new](#new-features-in-threat-explorer-and-real-time-detections)!). --Threat Explorer or Real-time detections helps your security operations team investigate and respond to threats efficiently. 
With this report, you can: --- [See malware detected by Microsoft 365 security features](#see-malware-detected-in-email-by-technology)-- [View phishing URL and click verdict data](#view-phishing-url-and-click-verdict-data)-- [Start an automated investigation and response process from a view in Explorer](#start-automated-investigation-and-response) (Defender for Office 365 Plan 2 only)-- [Investigate malicious email, and more](#more-ways-to-use-explorer-and-real-time-detections)--## The Threat Hunting Experience --### Introduction of Alert ID for Defender for Office 365 alerts within Explorer/Real-time detections --Today, if you navigate from an alert to Threat Explorer, it opens a filtered view within the Explorer, with the view filtered by Alert policy ID (policy ID being a unique identifier for an Alert policy). -We are making this integration more relevant by introducing the alert ID (see an example of alert ID below) in Threat Explorer and Real-time detections so that you see messages which are relevant to the specific alert, as well as a count of emails. You will also be able to see if a message was part of an alert, as well as navigate from that message to the specific alert. --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/AlertID-Filter.png" alt-text="Screenshot of the Filtering for Alert ID." lightbox="../../media/AlertID-Filter.png"::: --### Extending the Explorer (and Real-time detections) data retention and search limit for trial tenants from 7 to 30 days --As part of this change, you will be able to search for, and filter email data across 30 days (an increase from the previous 7 days) in Threat Explorer/Real-time detections for both Defender for Office 365 P1 and P2 trial tenants. -This does not impact any production tenants for both P1 and P2/E5 customers, which already have the 30 day data retention and search capabilities. 
--### Updated limits for Export of records for Threat Explorer --As part of this update, the number of rows for Email records that can be exported from Threat Explorer is increased from 9990 to 200,000 records. The set of columns that can be exported currently will remain the same, but the number of rows will increase from the current limit. --### Tags in Threat Explorer --> [!NOTE] -> The user tags feature is in *Preview*, isn't available to everyone, and is subject to change. For information about the release schedule, check out the Microsoft 365 roadmap. --User tags identify specific groups of users in Microsoft Defender for Office 365. For more information about tags, including licensing and configuration, see [User tags](user-tags-about.md). --In Threat Explorer, you can see information about user tags in the following experiences. --#### Email grid view --The **Tags** column in the email grid contains all the tags that have been applied to the sender or recipient mailboxes. By default, system tags like priority accounts are shown first. --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/tags-grid.png" alt-text="Screenshot of the Filter tags in email grid view." lightbox="../../media/tags-grid.png"::: --#### Filtering --You can use tags as a filter. Hunt just across priority accounts or specific user tags scenarios. You can also exclude results that have certain tags. Combine this functionality with other filters to narrow your scope of investigation. ---> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/tags-filter-not.png" alt-text="Screenshot of tags that are not filtered." lightbox="../../media/tags-filter-not.png"::: --#### Email detail flyout --To view the individual tags for sender and recipient, select the subject to open the message details flyout. On the **Summary** tab, the sender and recipient tags are shown separately, if they're present for an email. 
-The information about individual tags for sender and recipient also extends to exported CSV data, where you can see these details in two separate columns. --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/tags-flyout.png" alt-text="Screenshot of the Email Details tags." lightbox="../../media/tags-flyout.png"::: --Tags information is also shown in the URL clicks flyout. To view it, go to Phish or All Email view and then to the **URLs** or **URL Clicks** tab. Select an individual URL flyout to view additional details about clicks for that URL, including tags associated with that click. --### Updated Timeline View --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/tags-urls.png" alt-text="Screenshot of the URL tags." lightbox="../../media/tags-urls.png"::: -> -Learn more by watching [this video](https://www.youtube.com/watch?v=UoVzN0lYbfY&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=4). --## Upcoming improvements to the threat hunting experience --### Updated threat information for emails --We've focused on platform and data-quality improvements to increase data accuracy and consistency for email records. Improvements include consolidation of pre-delivery and post-delivery information, such as actions executed on an email as part of the ZAP process, into a single record. Additional details like spam verdict, entity-level threats (for example, which URL was malicious), and latest delivery locations are also included. --After these updates, you'll see a single entry for each message, regardless of the different post-delivery events that affect the message. Actions can include ZAP, manual remediation (which means admin action), [Dynamic Delivery](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies), and so on. --In addition to showing malware and phishing threats, you see the spam verdict associated with an email. 
Within the email, see all the threats associated with the email along with the corresponding detection technologies. An email can have zero, one, or multiple threats. You'll see the current threats in the **Details** section of the email flyout. For multiple threats (such as malware and phishing), the **Detection tech** field shows the threat-detection mapping, which is the detection technology that identified the threat. --The set of detection technologies now includes new detection methods, as well as spam-detection technologies. You can use the same set of detection technologies to filter the results across the different email views (Malware, Phish, All Email). --> [!NOTE] -> Verdict analysis might not necessarily be tied to entities. As an example, an email might be classified as phish or spam, but there are no URLs that are stamped with a phish/spam verdict. This is because the filters also evaluate content and other details for an email before assigning a verdict. --#### Threats in URLs --You can now see the specific threat for a URL on the email flyout **Details** tab. The threat can be *malware*, *phish*, *spam*, or *none*.) --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/URL_Threats.png" alt-text="Screenshot of the URL threats." lightbox="../../media/URL_Threats.png"::: --### Updated timeline view (upcoming) --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/Email_Timeline.png" alt-text="Screenshot of the updated Timeline View." lightbox="../../media/Email_Timeline.png"::: --Timeline view identifies all delivery and post-delivery events. It includes information about the threat identified at that point of time for a subset of these events. Timeline view also provides information about any additional action taken (such as ZAP or manual remediation), along with the result of that action. Timeline view information includes: --- **Source:** Source of the event. 
It can be admin/system/user.-- **Event:** Includes top-level events like original delivery, manual remediation, ZAP, submissions, and Dynamic Delivery.-- **Action:** The specific action that was taken either as part of ZAP or admin action (for example, soft delete).-- **Threats:** Covers the threats (malware, phish, spam) identified at that point of time.-- **Result/Details:** More information about the result of the action, such as whether it was performed as part of ZAP/admin action.--### Original and latest delivery location --Currently, we surface delivery location in the email grid and email flyout. The **Delivery location** field is getting renamed ***Original delivery location***. And we're introducing another field, ***Latest delivery location***. --**Original delivery location** will give more information about where an email was delivered initially. **Latest delivery location** will state where an email landed after system actions like *ZAP* or admin actions like *Move to deleted items*. Latest delivery location is intended to tell admins the message's last-known location post-delivery or any system/admin actions. It doesn't include any end-user actions on the email. For example, if a user deleted a message or moved the message to archive/pst, the message "delivery" location won't be updated. But if a system action updated the location (for example, ZAP resulting in an email moving to quarantine), **Latest delivery location** would show as "quarantine." --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/Updated_Delivery_Location.png" alt-text="Screenshot of the updated delivery locations." 
lightbox="../../media/Updated_Delivery_Location.png"::: --> [!NOTE] -> There are a few cases where **Delivery location** and **Delivery action** may show as "unknown": -> -> - You might see **Delivery location** as "delivered" and **Delivery location** as "unknown" if the message was delivered, but an Inbox rule moved the message to a default folder (such as Draft or Archive) instead of to the Inbox or Junk Email folder. -> -> - **Latest delivery location** can be "Deleted items folder" if an admin/system action (such as ZAP) was attempted, but the message wasn't found. Typically, the action happens after the user moved or deleted the message. In such cases, verify the **Result/Details** column in timeline view. Look for the statement "Message moved or deleted by the user." --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/Updated_Timeline_Delivery_Location.png" alt-text="Screenshot of the delivery locations for timeline." lightbox="../../media/Updated_Timeline_Delivery_Location.png"::: --### Additional actions --*Additional actions* were applied after delivery of the email. They can include *ZAP*, *manual remediation* (action taken by an Admin such as soft delete), *Dynamic Delivery*, and *reprocessed* (for an email that was retroactively detected as good). --> [!NOTE] -> As part of the pending changes, the "Removed by ZAP" value currently surfaced in the Delivery Action filter is going away. You'll have a way to search for all email with the ZAP attempt through **Additional actions**. --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/Additional_Actions.png" alt-text="Screenshot of the additional actions in Explorer." lightbox="../../media/Additional_Actions.png"::: --### System overrides --*System overrides* enable you to make exceptions to the intended delivery location of a message. 
You override the delivery location provided by the system, based on the threats and other detections identified by the filtering stack. System overrides can be set through tenant or user policy to deliver the message as suggested by the policy. Overrides can identify unintentional delivery of malicious messages due to configurations gaps, such as an overly broad Safe Sender policy set by a user. These override values can be: --- Allowed by user policy: A user creates policies at the mailbox level to allow domains or senders.--- Blocked by user policy: A user creates policies at the mail box level to block domains or senders.--- Allowed by org policy: The organization's security teams set policies or Exchange mail flow rules (also known as transport rules) to allow senders and domains for users in their organization. This can be for a set of users or the entire organization.--- Blocked by org policy: The organization's security teams set policies or mail flow rules to block senders, domains, message languages, or source IPs for users in their organization. This can be applied to a set of users or the entire organization.--- File extension blocked by org policy: An organization's security team blocks a file name extension through the anti-malware policy settings. These values will now be displayed in email details to help with investigations. Secops teams can also use the rich-filtering capability to filter on blocked file extensions.---> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/System_Overrides_Grid.png" alt-text="Screenshot of the System Overrides Grid in Explorer." lightbox="../../media/System_Overrides_Grid.png"::: --### Improvements for the URL and clicks experience --The improvements include: --- Show the full clicked URL (including any query parameters that are part of the URL) in the **Clicks** section of the URL flyout. Currently, the URL domain and path appear in the title bar. 
We're extending that information to show the full URL.--- Fixes across URL filters (*URL* versus *URL domain* versus *URL domain and path*): The updates affect searching for messages that contain a URL/click verdict. We enabled support for protocol-agnostic searches, so you can search for a URL without using `http`. By default, the URL search maps to http, unless another value is explicitly specified. For example:- - Search with and without the `http://` prefix in the **URL**, **URL Domain**, and **URL Domain and Path** filter fields. The searches should show the same results. - - Search for the `https://` prefix in **URL**. When no value is specified, the `http://` prefix is assumed. - - `/` is ignored at the beginning and end of the **URL path**, **URL Domain**, **URL domain and path** fields. `/` at the end of the **URL** field is ignored. --### Phish confidence level --Phish confidence level helps identify the degree of confidence with which an email was categorized as "phish." The two possible values are *High* and *Normal*. In the initial stages, this filter will be available only in the Phish view of Threat Explorer. ---### ZAP URL signal --The ZAP URL signal is typically used for ZAP Phish alert scenarios where an email was identified as Phish and removed after delivery. This signal connects the alert with the corresponding results in Explorer. It's one of the IOCs for the alert. --To improve the hunting process, we've updated Threat Explorer and Real-time detections to make the hunting experience more consistent. The changes are outlined here: --- [Timezone improvements](#timezone-improvements)-- [Update in the refresh process](#update-in-the-refresh-process)-- [Chart drilldown to add to filters](#chart-drilldown-to-add-to-filters)-- [In product information updates](#in-product-information-updates)--### Filter by user tags --You can now sort and filter on system or custom user tags to quickly grasp the scope of threats. 
To learn more, see [User tags](user-tags-about.md). --> [!IMPORTANT] -> Filtering and sorting by user tags is currently in public preview. This functionality may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided about it. --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/threat-explorer-tags.png" alt-text="Screenshot of the Tags column in Explorer." lightbox="../../media/threat-explorer-tags.png"::: --### Timezone improvements --You'll see the time zone for the email records in the Portal as well as for Exported data. It will be visible across experiences like Email Grid, Details flyout, Email Timeline, and Similar Emails, so the time zone for the result set is clear. --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/TimezoneImprovements.png" alt-text="Screenshot of the View time zone in Explorer." lightbox="../../media/TimezoneImprovements.png"::: --### Update in the refresh process --Some users have commented about confusion with automatic refresh (for example, as soon as you change the date, the page refreshes) and manual refresh (for other filters). Similarly, removing filters leads to automatic refresh. Changing filters while modifying the query can cause inconsistent search experiences. To resolve these issues, we're moving to a manual-filtering mechanism. --From an experience standpoint, the user can apply and remove the different range of filters (from the filter set and date) and select the refresh button to filter the results after they've defined the query. The refresh button is also now emphasized on the screen. We've also updated the related tooltips and in-product documentation. --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/ManualRefresh.png" alt-text="Screenshot of the Refresh button to filter results." 
lightbox="../../media/ManualRefresh.png"::: --### Chart drilldown to add to filters --You can now chart legend values to add them as filters. Select the **Refresh** button to filter the results. --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/ChartDrilldown.png" alt-text="Screenshot of the Drill down through charts to Filter." lightbox="../../media/ChartDrilldown.png"::: --### In-product information updates --Additional details are now available within the product, such as the total number of search results within the grid (see below). We've improved labels, error messages, and tooltips to provide more information about the filters, search experience, and result set. --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/ProductInfo.png" alt-text="Screenshot showing the in-product information to be viewed." lightbox="../../media/ProductInfo.png"::: --## Extended capabilities in Threat Explorer --### Top targeted users --Today we expose the list of the top targeted users in the Malware view for emails, in the **Top Malware Families** section. We'll be extending this view in the Phish and All Email views as well. You'll be able to see the top-five targeted users, along with the number of attempts for each user for the corresponding view. For example, for Phish view, you'll see the number of Phish attempts. --You'll be able to export the list of targeted users, up to a limit of 3,000, along with the number of attempts for offline analysis for each email view. In addition, selecting the number of attempts (for example, 13 attempts in the image below) will open a filtered view in Threat Explorer, so you can see more details across emails and threats for that user. --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/Top_Targeted_Users.png" alt-text="Screenshot of top-targeted users." 
lightbox="../../media/Top_Targeted_Users.png"::: --### Exchange transport rules --As part of data enrichment, you'll be able to see all the different Exchange transport rules (ETR) that were applied to a message. This information will be available in the Email grid view. To view it, select **Column options** in the grid and then **Add Exchange Transport Rule** from the column options. It will also be visible on the **Details** flyout in the email. --You'll be able to see both the GUID and the name of the transport rules that were applied to the message. You'll be able to search for the messages by using the name of the transport rule. This is a "Contains" search, which means you can do partial searches as well. --> [!IMPORTANT] -> ETR search and name availability depend on the specific role that's assigned to you. You need to have one of the following roles/permissions to view the ETR names and search. If you don't have any of these roles assigned to you, you can't see the names of the transport rules or search for messages by using ETR names. However, you could see the ETR label and GUID information in the Email Details. Other record-viewing experiences in Email Grids, Email flyouts, Filters, and Export are not affected. -> -> - EXO Only - data loss prevention: All -> - EXO Only - O365SupportViewConfig: All -> - Microsoft Entra ID or EXO - Security Admin: All -> - Microsoft Entra ID or EXO - Security Reader: All -> - EXO Only - Transport Rules: All -> - EXO Only - View-Only Configuration: All -> -> Within the email grid, Details flyout, and Exported CSV, the ETRs are presented with a Name/GUID as shown below. -> -> > [!div class="mx-imgBorder"] -> > :::image type="content" source="../../media/ETR_Details.png" alt-text="Screenshot of Exchange transport rules." lightbox="../../media/ETR_Details.png"::: --### Inbound connectors --Connectors are a collection of instructions that customize how your email flows to and from your Microsoft 365 or Office 365 organization. 
They enable you to apply any security restrictions or controls. Within Threat Explorer, you can now view the connectors that are related to an email and search for emails by using connector names. --The search for connectors is "contains" in nature, which means partial keyword searches should work as well. Within the Main grid view, the Details flyout, and the Exported CSV, the connectors are shown in the Name/GUID format as shown here: --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/Connector_Details.png" alt-text="Screenshot of the Connector details." lightbox="../../media/Connector_Details.png"::: --## New features in Threat Explorer and Real-time detections --- [View phishing emails sent to impersonated users and domains](#view-phishing-emails-sent-to-impersonated-users-and-domains)-- [Preview email header and download email body](#preview-email-header-and-download-email-body)-- [Email timeline](#email-timeline)-- [Export URL click data](#export-url-click-data)--### View phishing emails sent to impersonated users and domains --To identify phishing attempts against users and domains that are impersonated users must be added to the list of *Users to protect*. For domains, admins must either enable *Organization domains*, or add a domain name to *Domains to protect*. The domains to protect are found on the *Anti-Phishing policy page* in the *Impersonation* section. --To review phish messages and search for impersonated users or domains, use the [Email > Phish view](threat-explorer-views.md) of Explorer. --This example uses Threat Explorer. --1. In the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), choose **Threat management** > **Explorer** (or **Real-time detections**). --2. In the View menu, choose **Phish**. -- Here you can choose **impersonated domain** or **impersonated user**. --3. **EITHER** select **Impersonated domain**, and then type a protected domain in the textbox. 
-- For example, search for protected domain names like *contoso*, *contoso.com*, or *contoso.com.au*. --4. Select the Subject of any message under the Email tab > Details tab to see additional impersonation information like Impersonated Domain / Detected location. -- **OR** -- Select **Impersonated user** and type a protected user's email address in the textbox. -- > [!TIP] - > **For best results**, use *full email addresses* to search protected users. You will find your protected user quicker and more successfully if you search for *firstname.lastname@contoso.com*, for example, when investigating user impersonation. When searching for a protected domain the search will take the root domain (contoso.com, for example), and the domain name (*contoso*). Searching for the root domain *contoso.com* will return both impersonations of *contoso.com* and the domain name *contoso*. --5. Select the **Subject** of any message under **Email tab** > **Details tab** to see additional impersonation information about the user or domain, and the *Detected location*. -- :::image type="content" source="../../media/threat-ex-views-impersonated-user-image.png" alt-text="Screenshot of the Threat Explorer details pane for a protected user showing the detection location, and the threat that was detected (here phish impersonation of a user)." lightbox="../../media/threat-ex-views-impersonated-user-image.png"::: --> [!NOTE] -> In step 3 or 5, if you choose **Detection Technology** and select **Impersonation domain** or **Impersonation user** respectively, the information in the **Email tab** > **Details tab** about the user or domain, and the *Detected location* will be shown only on the messages that are related to the user or domain listed on the *Anti-Phishing policy* page. --### Preview email header and download email body --You can now preview an email header and download the email body in Threat Explorer. Admins can analyze downloaded headers/email messages for threats. 
Because downloading email messages can risk exposure of information, this process is controlled by role-based access control (RBAC). A new role, *Preview*, is required to grant the ability to download mails in all-email messages view. However, viewing the email header does not require any additional role (other than what is required to view messages in Threat Explorer). To create a new role group with the Preview role: --1. Select a built-in role group that only has the Preview role, such as Data Investigator or eDiscovery Manager. -2. Select **Copy role group**. -3. Choose a name and description for your new role group and select **Next**. -4. Modify the roles by adding and removing roles as necessary but leaving the Preview role. -5. Add members and then select **Create role group**. --Explorer and Real-time detections will also get new fields that provide a more complete picture of where your email messages land. These changes make hunting easier for Security Ops. But the main result is you can know the location of problem email messages at a glance. --How is this done? Delivery status is now broken out into two columns: --- **Delivery action** - Status of the email.-- **Delivery location** - Where the email was routed.--*Delivery action* is the action taken on an email due to existing policies or detections. Here are the possible actions for an email: --|Delivered|Junked|Blocked|Replaced| -||||| -|Email was delivered to the inbox or folder of a user, and the user can access it.|Email was sent to the user's Junk or Deleted folder, and the user can access it.|Emails that are quarantined, that failed, or were dropped. 
These mails are inaccessible to the user.|Email had malicious attachments replaced by .txt files that state the attachment was malicious.| --Here is what the user can and can't see: --|Accessible to end users|Inaccessible to end users| -||| -|Delivered|Blocked| -|Junked|Replaced| --**Delivery location** shows the results of policies and detections that run post-delivery. It's linked to ***Delivery action***. These are the possible values: --- *Inbox or folder*: The email is in the inbox or a folder (according to your email rules).-- *On-prem or external*: The mailbox doesn't exist on cloud but is on-premises.-- *Junk folder*: The email is in a user's Junk folder.-- *Deleted items folder*: The email in a user's Deleted items folder.-- *Quarantine*: The email is in quarantine and not in a user's mailbox.-- *Failed*: The email failed to reach the mailbox.-- *Dropped*: The email got lost somewhere in the mail flow.--### Email timeline --The **Email timeline** is a new Explorer feature that improves the hunting experience for admins. It cuts the time spent checking different locations to try to understand the event. When multiple events happen at or close to the same time an email arrives, those events are displayed in a timeline view. Some events that happen to your email post-delivery are captured in the **Special action** column. Admins can combine information from the timeline with the special action taken on the mail post-delivery to get insight into how their policies work, where the mail was finally routed, and, in some cases, what the final assessment was. --For more information, see [Investigate and remediate malicious email that was delivered in Office 365](investigate-malicious-email-that-was-delivered.md). --### Export URL click data --You can now export reports for URL clicks to Microsoft Excel to view their **network message ID** and **click verdict**, which helps explain where your URL click traffic originated. 
Here's how it works: In Threat Management on the Office 365 quick-launch bar, follow this chain: --**Explorer** \> **Phish** \> **Clicks** \> **Top URLs** or **URL Top Clicks** \> select any record to open the URL flyout. --When you select a URL in the list, you'll see a new **Export** button on the fly-out panel. Use this button to move data to an Excel spreadsheet for easier reporting. --Follow this path to get to the same location in the Real-time detections report: --**Explorer** \> **Real-time detections** \> **Phish** \> **URLs** \> **Top URLs** or **Top Clicks** \> Select any record to open the URL flyout \> navigate to the **Clicks** tab. --> [!TIP] -> The Network Message ID maps the click back to specific mails when you search on the ID through Explorer or associated third-party tools. Such searches identify the email associated with a click result. Having the correlated Network Message ID makes for quicker and more powerful analysis. --> [!div class="mx-imgBorder"] -> :::image type="content" source="../../media/tp_ExportClickResultAndNetworkID.png" alt-text="Screenshot of the Clicks tab in Explorer." lightbox="../../media/tp_ExportClickResultAndNetworkID.png"::: --## See malware detected in email by technology --Suppose you want to see malware detected in email sorted by Microsoft 365 technology. To do this, use the [Malware](threat-explorer-views.md#malware) view of Explorer (or Real-time detections). --1. In the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), choose **Threat management** \> **Explorer** (or **Real-time detections**). (This example uses Explorer.) --2. In the **View** menu, choose **Malware**. -- > [!div class="mx-imgBorder"] - > :::image type="content" source="../../media/ExplorerViewEmailMalwareMenu.png" alt-text="Screenshot of the View menu for Explorer." lightbox="../../media/ExplorerViewEmailMalwareMenu.png"::: --3. Click **Sender**, and then choose **Basic** \> **Detection technology**. 
-- Your detection technologies are now available as filters for the report. -- > [!div class="mx-imgBorder"] - > :::image type="content" source="../../media/ExplorerEmailMalwareDetectionTech.png" alt-text="Screenshot of the Malware detection technologies." lightbox="../../media/ExplorerEmailMalwareDetectionTech.png"::: --4. Choose an option. Then select the **Refresh** button to apply that filter. -- > [!div class="mx-imgBorder"] - > :::image type="content" source="../../media/ExplorerEmailMalwareDetectionTechATP.png" alt-text="Screenshot of the selected detection technology." lightbox="../../media/ExplorerEmailMalwareDetectionTechATP.png"::: --The report refreshes to show the results that malware detected in email, using the technology option you selected. From here, you can conduct further analysis. --## View phishing URL and click verdict data --Suppose that you want to see phishing attempts through URLs in email, including a list of URLs that were allowed, blocked, and overridden. To identify URLs that were clicked, [Safe Links](safe-links-about.md) must be configured. Make sure that you set up [Safe Links policies](safe-links-policies-configure.md) for time-of-click protection and logging of click verdicts by Safe Links. --To review phish URLs in messages and clicks on URLs in phish messages, use the [**Phish**](threat-explorer-views.md#phish) view of Explorer or Real-time detections. --1. In the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), choose **Threat management** \> **Explorer** (or **Real-time detections**). (This example uses Explorer.) --2. In the **View** menu, choose **Email** \> **Phish**. -- > [!div class="mx-imgBorder"] - > :::image type="content" source="../../media/explorer-view-email-phish-menu-new.png" alt-text="Screenshot of the View menu for Explorer in phishing context." lightbox="../../media/explorer-view-email-phish-menu-new.png"::: --3. 
Click **Sender**, and then choose **URLs** \> **Click verdict**. --4. Select one or more options, such as **Blocked** and **Block overridden**, and then select the **Refresh** button on the same line as the options to apply that filter. (Don't refresh your browser window.) -- > [!div class="mx-imgBorder"] - > :::image type="content" source="../../media/ThreatExplorerEmailPhishClickVerdictOptions.png" alt-text="The URLs and click verdicts" lightbox="../../media/ThreatExplorerEmailPhishClickVerdictOptions.png"::: -- The report refreshes to show two different URL tables on the URL tab under the report: -- - **Top URLs** are the URLs in the messages that you filtered down to and the email delivery action counts for each URL. In the Phish email view, this list typically contains legitimate URLs. Attackers include a mix of good and bad URLs in their messages to try to get them delivered, but they make the malicious links look more interesting. The table of URLs is sorted by total email count, but this column is hidden to simplify the view. -- - **Top clicks** are the Safe Links-wrapped URLs that were clicked, sorted by total click count. This column also isn't displayed, to simplify the view. Total counts by column indicate the Safe Links click verdict count for each clicked URL. In the Phish email view, these are usually suspicious or malicious URLs. But the view could include URLs that aren't threats but are in phish messages. URL clicks on unwrapped links don't show up here. -- The two URL tables show top URLs in phishing email messages by delivery action and location. The tables show URL clicks that were blocked or visited despite a warning, so you can see what potential bad links were presented to users and that the user's clicked. From here, you can conduct further analysis. For example, below the chart you can see the top URLs in email messages that were blocked in your organization's environment. 
-- > [!div class="mx-imgBorder"] - > :::image type="content" source="../../media/ExplorerPhishClickVerdictURLs.png" alt-text="The Explorer URLs that were blocked" lightbox="../../media/ExplorerPhishClickVerdictURLs.png"::: -- Select a URL to view more detailed information. -- > [!NOTE] - > In the URL flyout dialog box, the filtering on email messages is removed to show the full view of the URL's exposure in your environment. This lets you filter for email messages you're concerned about in Explorer, find specific URLs that are potential threats, and then expand your understanding of the URL exposure in your environment (via the URL details dialog box) without having to add URL filters to the Explorer view itself. --### Interpretation of click verdicts --Within the Email or URL flyouts, Top Clicks as well as within our filtering experiences, you'll see different click verdict values: --- **None:** Unable to capture the verdict for the URL. The user might have clicked through the URL.-- **Allowed:** The user was allowed to navigate to the URL.-- **Blocked:** The user was blocked from navigating to the URL.-- **Pending verdict:** The user was presented with the detonation-pending page.-- **Blocked overridden:** The user was blocked from navigating directly to the URL. But the user overrode the block to navigate to the URL.-- **Pending verdict bypassed:** The user was presented with the detonation page. But the user overrode the message to access the URL.-- **Error:** The user was presented with the error page, or an error occurred in capturing the verdict.-- **Failure:** An unknown exception occurred while capturing the verdict. 
The user might have clicked through the URL.--## Review email messages reported by users --Suppose that you want to see email messages that users in your organization reported as *Junk*, *Not Junk*, or *Phishing* through the [Microsoft Report Message or Report Phishing add-ins](submissions-users-report-message-add-in-configure.md), use the [**All email**](threat-explorer-views.md#all-email) view of Explorer (or Real-time detections). --1. In the Microsoft Defender portal ([https://security.microsoft.com](https://security.microsoft.com)), choose **Threat management** \> **Explorer** (or **Real-time detections**). (This example uses Explorer.) --2. In the **View** menu, choose **Email** \> **Submissions**. -- > [!div class="mx-imgBorder"] - > :::image type="content" source="../../media/explorer-view-menu-email-user-reported.png" alt-text="The View menu for Explorer for emails" lightbox="../../media/explorer-view-menu-email-user-reported.png"::: --3. Click **Sender**, and then choose **Basic** \> **Report type**. --4. Select an option, such as **Phish**, and then select the **Refresh** button. -- > [!div class="mx-imgBorder"] - > :::image type="content" source="../../media/EmailUserReportedReportType.png" alt-text="The user-reported phish" lightbox="../../media/EmailUserReportedReportType.png"::: --The report refreshes to show data about email messages that people in your organization reported as a phishing attempt. You can use this information to conduct further analysis, and, if necessary, adjust your [anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md). --## Start automated investigation and response --> [!NOTE] -> Automated investigation and response capabilities are available in *Microsoft Defender for Office 365 Plan 2* and *Office 365 E5*. --[Automated investigation and response](air-about-office.md) can save your security operations team time and effort spent investigating and mitigating cyberattacks. 
In addition to configuring alerts that can trigger a security playbook, you can start an automated investigation and response process from a view in Explorer. For details, see [Example: A security administrator triggers an investigation from Explorer](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). --## More ways to use Explorer and Real-time detections --In addition to the scenarios outlined in this article, you have many more reporting options available with Explorer (or Real-time detections). See the following articles: --- [Find and investigate malicious email that was delivered](investigate-malicious-email-that-was-delivered.md)-- [View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams](./safe-attachments-for-spo-odfb-teams-about.md)-- [Get an overview of the views in Threat Explorer (and Real-time detections)](threat-explorer-views.md)-- [Threat protection status report](reports-email-security.md#threat-protection-status-report)-- [Automated investigation and response in Microsoft Defender XDR](../defender/m365d-autoir.md)--## Required licenses and permissions --You must have [Microsoft Defender for Office 365](defender-for-office-365.md) to use Explorer or Real-time detections. --- Explorer is included in Defender for Office 365 Plan 2.-- The Real-time detections report is included in Defender for Office 365 Plan 1.-- Plan to assign licenses for all users who should be protected by Defender for Office 365. Explorer and Real-time detections show detection data for licensed users.--To view and use Explorer or Real-time detections, you must have appropriate permissions, such as those granted to a security administrator or security reader. 
--- For the Microsoft Defender portal, you must have one of the following roles assigned:-- - Organization Management - - Security Administrator (this can be assigned in the Microsoft Entra admin center (<https://aad.portal.azure.com>) - - Security Reader --- For Exchange Online, you must have one of the following roles assigned in either the Exchange admin center (EAC) or [Exchange Online PowerShell](/powershell/exchange/exchange-online-powershell):-- - Organization Management - - View-Only Organization Management - - View-Only Recipients - - Compliance Management --To learn more about roles and permissions, see the following resources: --- [Permissions in the Microsoft Defender portal](mdo-portal-permissions.md)-- [Feature permissions in Exchange Online](/exchange/permissions-exo/feature-permissions)--## Differences between Threat Explorer and Real-time detections --- The *Real-time detections* report is available in Defender for Office 365 Plan 1. *Threat Explorer* is available in Defender for Office 365 Plan 2.-- The Real-time detections report allows you to view detections in real time. Threat Explorer does this as well, but it also provides additional details for a given attack.-- An *All email* view is available in Threat Explorer but not in the Real-time detections report.-- More filtering capabilities and available actions are included in Threat Explorer. For more information, see [Microsoft Defender for Office 365 Service Description: Feature availability across Defender for Office 365 plans](/office365/servicedescriptions/office-365-advanced-threat-protection-service-description#feature-availability-across-advanced-threat-protection-atp-plans).--## Other articles --[Investigate emails with the Email Entity Page](mdo-email-entity-page.md) |
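Review bot: the "Preview email header and download email body" section removed in this row is the only place in the diff that states the RBAC requirement for downloading message bodies (the *Preview* role) and the role-group copy procedure, and the replacement text in the next row (impersonation, URL click export, malware by detection technology, reporting clean messages) does not carry it forward; keep that caveat in the surviving article or point to where it now lives, since downloading full messages exposes content that viewing headers does not. If the procedure is re-homed, also correct its first step, "Select a built-in role group that only has the Preview role, such as Data Investigator or eDiscovery Manager": those built-in groups carry more roles than Preview, so it should read "a built-in role group that includes the Preview role".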
security | Threat Explorer Email Security | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-email-security.md | + + Title: Email security with Threat Explorer and Real-time detections in Microsoft Defender for Office 365 +f1.keywords: + - NOCSH ++++audience: ITPro + Last updated : 2/27/2024+ms.localizationpriority: medium ++ - m365-security + - tier1 +description: Use Threat Explorer (Explorer) or Real-time detections to view and investigate malware and phishing attempts in email. ++- seo-marvel-apr2020 +++search.appverid: met150 +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> +++# Email security with Threat Explorer and Real-time detections in Microsoft Defender for Office 365 +++Microsoft 365 organizations that have [Microsoft Defender for Office 365](defender-for-office-365.md) included in their subscription or purchased as an add-on have **Explorer** (also known as **Threat Explorer**) or **Real-time detections**. These features are powerful, near real-time tools to help Security Operations (SecOps) teams investigate and respond to threats. For more information, see [About Threat Explorer and Real-time detections in Microsoft Defender for Office 365](threat-explorer-real-time-detections-about.md). ++This article explains how to view and investigate detected malware and phishing attempts in email using Threat Explorer or Real-time Detections. 
++> [!TIP] +> For other email scenarios using Threat Explorer and Real-time detections, see the following articles: +> +> - [Threat hunting in Threat Explorer and Real-time detections in Microsoft Defender for Office 365](threat-explorer-threat-hunting.md) +> - [Investigate malicious email that was delivered in Microsoft 365](threat-explorer-investigate-delivered-malicious-email.md) ++## What do you need to know before you begin? ++- Threat Explorer is included in Defender for Office 365 Plan 2. Real-time detections is included in Defender for Office Plan 1: + - The differences between Threat Explorer and Real-time detections are described in [About Threat Explorer and Real-time detections in Microsoft Defender for Office 365](threat-explorer-real-time-detections-about.md). + - The differences between Defender for Office 365 Plan 2 and Defender for Office Plan 1 are described in the [Defender for Office 365 Plan 1 vs. Plan 2 cheat sheet](mdo-security-comparison.md#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet). ++- For permissions and licensing requirements for Threat Explorer and Real-time detections, see [Permissions and licensing for Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#permissions-and-licensing-for-threat-explorer-and-real-time-detections). ++## View phishing email sent to impersonated users and domains ++For more information about user and domain impersonation protection in anti-phishing policies in Defender for Office 365, see [Impersonation settings in anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365). ++In the default or custom anti-phishing policies, you need to specify the users and domains to protect from impersonation, including domains you own ([accepted domains](/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains)). 
In the Standard or Strict preset security policies, domains that you own automatically receive impersonation protection, but you need to specify any users or custom domains for impersonation protection. For instructions, see the following articles: ++- [Preset security policies in EOP and Microsoft Defender for Office 365](preset-security-policies.md) +- [Configure anti-phishing policies in Microsoft Defender for Office 365](anti-phishing-policies-mdo-configure.md) ++Use the following steps to review phishing messages and search for impersonated users or domains. ++1. Use one of the following steps to open Threat Explorer or Real-time detections: + - **Threat Explorer**: In the Defender portal at <https://security.microsoft.com>, go to **Email & Security** \> **Explorer**. Or, to go directly to the **Explorer** page, use <https://security.microsoft.com/threatexplorerv3>. + - **Real-time detections**: In the Defender portal at <https://security.microsoft.com>, go to **Email & Security** \> **Real-time detections**. Or, to go directly to the **Real-time detections** page, use <https://security.microsoft.com/realtimereportsv3>. ++2. On the **Explorer** or **Real-time detections** page, select the **Phish** view. For more information about the **Phish** view, see [Phish view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#phish-view-in-threat-explorer-and-real-time-detections). ++3. Select the date/time range. The default is yesterday and today. ++4. Do any of the following steps: + - **Find any user or domain impersonation attempts**: + - Select the **Sender address** (property) box, and then select **Detection technology** in the **Basic** section of the drop down list. + - Verify **Equal any of** is selected as the filter operator. 
+ - In the property value box, select **Impersonation domain** and **Impersonation user** ++ - **Find specific impersonated user attempts**: + - Select the **Sender address** (property) box, and then select **Impersonated user** in the **Basic** section of the drop down list. + - Verify **Equal any of** is selected as the filter operator. + - In the property value box, enter the full email address of the recipient. Separate multiple recipient values by commas. ++ - **Find specific impersonated domain attempts**: + - Select the **Sender address** (property) box, and then select **Impersonated domain** in the **Basic** section of the drop down list. + - Verify **Equal any of** is selected as the filter operator. + - In the property value box, enter the domain (for example, contoso.com). Separate multiple domain values by commas. ++5. Enter more conditions using other filterable properties as required. For instructions, see [Property filters in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#property-filters-in-threat-explorer-and-real-time-detections). ++6. When you're finished creating the filter conditions, select **Refresh**. ++7. In the details area below the chart, verify the **Email** tab (view) is selected. ++ You can sort the entries and show more columns as described in [Email view for the details area of the Phish view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-phish-view-in-threat-explorer-and-real-time-detections). ++ If you select the **Subject** or **Recipient** value of an entry in the table, a details flyout opens. 
For more information, see [Subject details from the Email view of the details area in the Phish view](threat-explorer-real-time-detections-about.md#subject-details-from-the-email-view-of-the-details-area-in-the-phish-view) and [Recipient details from the Email view of the details area in the Phish view](threat-explorer-real-time-detections-about.md#recipient-details-from-the-email-view-of-the-details-area-in-the-phish-view). ++<! ### Email timeline ++The **Email timeline** is a new Explorer feature that improves the hunting experience for admins. It cuts the time spent checking different locations to try to understand the event. When multiple events happen at or close to the same time an email arrives, those events are displayed in a timeline view. Some events that happen to your email post-delivery are captured in the **Special action** column. Admins can combine information from the timeline with the special action taken on the mail post-delivery to get insight into how their policies work, where the mail was finally routed, and, in some cases, what the final assessment was. ++For more information, see [Investigate and remediate malicious email that was delivered in Office 365](threat-explorer-investigate-delivered-malicious-email.md). --> ++## Export URL click data ++You can export URL click data to a CSV file to view the **Network Message ID** and **Click verdict** values, which help explain where your URL click traffic came from. ++1. Use one of the following steps to open Threat Explorer or Real-time detections: + - **Threat Explorer**: In the Defender portal at <https://security.microsoft.com>, go to **Email & Security** \> **Explorer**. Or, to go directly to the **Explorer** page, use <https://security.microsoft.com/threatexplorerv3>. + - **Real-time detections**: In the Defender portal at <https://security.microsoft.com>, go to **Email & Security** \> **Real-time detections**. 
Or, to go directly to the **Real-time detections** page, use <https://security.microsoft.com/realtimereportsv3>. ++2. On the **Explorer** or **Real-time detections** page, select the **Phish** view. For more information about the **Phish** view, see [Phish view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#phish-view-in-threat-explorer-and-real-time-detections). ++3. Select the date/time range, and then select **Refresh**. The default is yesterday and today. ++4. In the details area, select the **Top URLs** or **Top clicks** tab (view). ++5. In the **Top URLs** or **Top clicks** view, select one or more entries from the table by selecting the check box next to the first column, and then select :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export**. +**Explorer** \> **Phish** \> **Clicks** \> **Top URLs** or **URL Top Clicks** \> select any record to open the URL flyout. ++You can use the Network Message ID value to search for specific messages in Threat Explorer or Real-time detections or external tools. These searches identify the email message that's associated with a click result. Having the correlated Network Message ID makes for quicker and more powerful analysis. ++## View malware detected in email ++Use the following steps in Threat Explorer or Real-time detections to see the malware detected in email by Microsoft 365. ++1. Use one of the following steps to open Threat Explorer or Real-time detections: + - **Threat Explorer**: In the Defender portal at <https://security.microsoft.com>, go to **Email & Security** \> **Explorer**. Or, to go directly to the **Explorer** page, use <https://security.microsoft.com/threatexplorerv3>. + - **Real-time detections**: In the Defender portal at <https://security.microsoft.com>, go to **Email & Security** \> **Real-time detections**. 
Or, to go directly to the **Real-time detections** page, use <https://security.microsoft.com/realtimereportsv3>. ++2. On the **Explorer** or **Real-time detections** page, select the **Malware** view. For more information about the **Phish** view, see [Malware view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#malware-view-in-threat-explorer-and-real-time-detections). ++3. Select the date/time range. The default is yesterday and today. ++4. Select the **Sender address** (property) box, and then select **Detection technology** in the **Basic** section of the drop down list. + - Verify **Equal any of** is selected as the filter operator. + - In the property value box, select one or more of the following values: + - **Anti-malware protection** + - **File detonation** + - **File detonation reputation** + - **File reputation** + - **Fingerprint matching** ++5. Enter more conditions using other filterable properties as required. For instructions, see [Property filters in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#property-filters-in-threat-explorer-and-real-time-detections). ++6. When you're finished creating the filter conditions, select **Refresh**. ++The report shows the results that malware detected in email, using the technology options you selected. From here, you can conduct further analysis. ++## Report messages as clean ++You can use the **Submissions** page in the Defender portal at <https://security.microsoft.com/reportsubmission> to [report messages as clean (false positives) to Microsoft](submissions-admin.md#report-good-email-to-microsoft). But you can also submit messages as clean to Microsoft from Explorer or Real-time detections. ++For instructions, see [Email remediation in Threat Explorer and Real-time detections](threat-explorer-threat-hunting.md#email-remediation). 
++To summarize: ++- Select a message from the details table in the **Email** tab (view) in the **All email**, **Malware**, or **Phish** views by selecting the check box in the row, and then select **Message actions** and then one of the following options: + - **Threat Explorer**: Select **Submit to Microsoft** in the **Start new submission** section. For further instruction, see [Start new submission actions in Threat Explorer](threat-explorer-threat-hunting.md#start-new-submission-actions-in-threat-explorer). + - **Real-time detections**: Select **Report clean**. For further instruction, see [Start new submission actions in Real-time detections](threat-explorer-threat-hunting.md#start-new-submission-actions-in-real-time-detections). ++Or ++- Select a message from the details table in the **Email** tab (view) in the **All email**, **Malware**, or **Phish** views by clicking on the **Subject** value. ++ In the details flyout that opens, select :::image type="icon" source="../../medi#remediate-using-take-action). ++## View phishing URL and click verdict data ++Safe Links protection tracks URLs that were allowed, blocked, and overridden. Safe Links protection is on by default, thanks to Built-in protection in [preset security policies](preset-security-policies.md). Safe Links protection is on in the Standard and Strict preset security policies. You can also create and configure Safe Links protection in [custom Safe Links policies](safe-links-policies-configure.md). For more information about the Safe Links policy settings, see [Safe Links policy settings](recommended-settings-for-eop-and-office365.md#safe-links-policy-settings). ++Use the following steps to see phishing attempts using URLs in email messages. ++1. Use one of the following steps to open Threat Explorer or Real-time detections: + - **Threat Explorer**: In the Defender portal at <https://security.microsoft.com>, go to **Email & Security** \> **Explorer**. 
Or, to go directly to the **Explorer** page, use <https://security.microsoft.com/threatexplorerv3>. + - **Real-time detections**: In the Defender portal at <https://security.microsoft.com>, go to **Email & Security** \> **Real-time detections**. Or, to go directly to the **Real-time detections** page, use <https://security.microsoft.com/realtimereportsv3>. ++2. On the **Explorer** or **Real-time detections** page, select the **Phish** view. For more information about the **Phish** view, see [Phish view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#phish-view-in-threat-explorer-and-real-time-detections). ++3. Select the date/time range. The default is yesterday and today. ++4. Select the **Sender address** (property) box, and then select **Click verdict** in the **URLs** section of the drop down list. + - Verify **Equal any of** is selected as the filter operator. + - In the property value box, select one or more of the following values: + - **Blocked** + - **Blocked overridden** ++ For explanations of the **Click verdict** values, see **Click verdict** in [Filterable properties in the All email view in Threat Explorer](threat-explorer-real-time-detections-about.md#filterable-properties-in-the-all-email-view-in-threat-explorer). ++5. Enter more conditions using other filterable properties as required. For instructions, see [Property filters in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#property-filters-in-threat-explorer-and-real-time-detections). ++6. When you're finished creating the filter conditions, select **Refresh**. ++The **Top URLs** tab (view) in the details area below the chart shows the count of **Messages blocked**, **Messages junked**, and **Messages delivered** for the top five URLs. 
For more information, see [Top URLs view for the details area of the Phish view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#top-urls-view-for-the-details-area-of-the-phish-view-in-threat-explorer-and-real-time-detections). ++The **Top clicks** tab (view) in the details area below the chart shows the top five clicked links that were wrapped by Safe Links. URL clicks on unwrapped links don't show up here. For more information, see [Top clicks view for the details area of the Phish view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#top-clicks-view-for-the-details-area-of-the-phish-view-in-threat-explorer-and-real-time-detections). ++These URL tables show URLs that were blocked or visited despite a warning. This information shows the potential bad links that were presented to users. From here, you can conduct further analysis. ++Select a URL from an entry in the view for details. For more information, see [URL details for the Top URLs and Top clicks tabs in Phish view](threat-explorer-real-time-detections-about.md#top-urls-details-for-the-phish-view). ++> [!TIP] +> In the URL details flyout, the filtering on email messages is removed to show the full view of the URL's exposure in your environment. This behavior lets you filter for specific email messages, find specific URLs that are potential threats, and then expand your understanding of the URL exposure in your environment without having to add URL filters in the **Phish** view. 
++### Interpretation of click verdicts ++The **Click verdict** property results are visible in the following locations: ++- [Click verdict chart pivot for the URL clicks view of the details area of the All email view (Threat Explorer only) or Phish view](threat-explorer-real-time-detections-about.md#click-verdict-pivot-for-the-url-clicks-view-for-the-details-area-of-the-all-email-view-in-threat-explorer) +- [Top clicks view for the details area of the All email view in Threat Explorer](threat-explorer-real-time-detections-about.md#top-clicks-view-for-the-details-area-of-the-all-email-view-in-threat-explorer) +- [Top clicks view for the details area of the Phish view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#top-clicks-view-for-the-details-area-of-the-phish-view-in-threat-explorer-and-real-time-detections) +- [Top clicks view for the details area of the URL clicks view in Threat Explorer](threat-explorer-real-time-detections-about.md#top-clicks-view-for-the-details-area-of-the-url-clicks-view-in-threat-explorer) ++The verdict values are described in the following list: ++- **Allowed**: The user was allowed to open the URL. +- **Block overridden**: The user was blocked from directly opening the URL, but they overrode the block to open the URL. +- **Blocked**: The user was blocked from opening the URL. +- **Error**: The user was presented with the error page, or an error occurred in capturing the verdict. +- **Failure**: An unknown exception occurred while capturing the verdict. The user might have opened the URL. +- **None**: Unable to capture the verdict for the URL. The user might have opened the URL. +- **Pending verdict**: The user was presented with the detonation pending page. +- **Pending verdict bypassed**: The user was presented with the detonation page, but they overrode the message to open the URL. 
++## Start automated investigation and response in Threat Explorer ++[Automated investigation and response (AIR)](air-about-office.md) in Defender for Office 365 Plan 2 can save time and effort as you investigate and mitigate cyberattacks. You can configure alerts that trigger a security playbook, and you can start AIR in Threat Explorer. For details, see [Example: A security administrator triggers an investigation from Explorer](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). ++## Other articles ++[Investigate email with the Email entity page](mdo-email-entity-page.md) |
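Review bot: In "View malware detected in email", step 2 says "For more information about the **Phish** view" although the step selects the **Malware** view and the link already points to the Malware view section; change the sentence to name the **Malware** view. The closing sentence of that section, "The report shows the results that malware detected in email, using the technology options you selected.", is ungrammatical; suggest "The report shows the messages in which malware was detected, based on the detection technology values you selected." In "Export URL click data", the line "**Explorer** \> **Phish** \> **Clicks** \> **Top URLs** or **URL Top Clicks** \> select any record to open the URL flyout." that follows step 5 is an orphaned fragment from the old procedure (the current path is already given in steps 4 and 5); drop it or fold it into step 5. In "Report messages as clean", the flyout sentence ends at "source="../../medi#remediate-using-take-action)." so the icon reference and the link text are cut off; restore the full image source and link. The commented-out "Email timeline" block opens with "<!" rather than "<!--", so the comment is not well formed and the hidden text may render. Finally, the filter value in "View phishing URL and click verdict data" is "**Blocked overridden**" while "Interpretation of click verdicts" lists it as "**Block overridden**"; use one name in both places so readers can match the filter value to its description.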
security | Threat Explorer Investigate Delivered Malicious Email | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-investigate-delivered-malicious-email.md | + + Title: Investigate malicious email that was delivered in Microsoft 365, find and investigate malicious email +keywords: TIMailData-Inline, Security Incident, incident, Microsoft Defender for Endpoint PowerShell, email malware, compromised users, email phish, email malware, read email headers, read headers, open email headers,special actions +f1.keywords: + - NOCSH +++ Last updated : 2/27/2024+audience: ITPro +++ms.localizationpriority: medium +search.appverid: + - MET150 + - MOE150 +ms.assetid: 8f54cd33-4af7-4d1b-b800-68f8818e5b2a ++ - m365-security + - tier1 +description: Learn how to use threat investigation and response capabilities to find and investigate malicious email. ++- seo-marvel-apr2020 +++appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> +++# Investigate malicious email that was delivered in Microsoft 365 +++Microsoft 365 organizations that have [Microsoft Defender for Office 365](defender-for-office-365.md) included in their subscription or purchased as an add-on have **Explorer** (also known as **Threat Explorer**) or **Real-time detections**. These features are powerful, near real-time tools to help Security Operations (SecOps) teams investigate and respond to threats. For more information, see [About Threat Explorer and Real-time detections in Microsoft Defender for Office 365](threat-explorer-real-time-detections-about.md). 
++Threat Explorer and Real-time detections allow you to investigate activities that put people in your organization at risk, and to take action to protect your organization. For example: ++- Find and delete messages. +- Identify the IP address of a malicious email sender. +- Start an incident for further investigation. ++This article explains how to use Threat Explorer and Real-time detections to find malicious email in recipient mailboxes. ++> [!TIP] +> To go directly to the remediation procedures, see [Remediate malicious email delivered in Office 365](remediate-malicious-email-delivered-office-365.md). +> +> For other email scenarios using Threat Explorer and Real-time detections, see the following articles: +> +> - [Threat hunting in Threat Explorer and Real-time detections in Microsoft Defender for Office 365](threat-explorer-threat-hunting.md) +> - [Email security with Threat Explorer and Real-time detections in Microsoft Defender for Office 365](threat-explorer-email-security.md) ++## What do you need to know before you begin? ++- Threat Explorer is included in Defender for Office 365 Plan 2. Real-time detections is included in Defender for Office Plan 1: + - The differences between Threat Explorer and Real-time detections are described in [About Threat Explorer and Real-time detections in Microsoft Defender for Office 365](threat-explorer-real-time-detections-about.md). + - The differences between Defender for Office 365 Plan 2 and Defender for Office Plan 1 are described in the [Defender for Office 365 Plan 1 vs. Plan 2 cheat sheet](mdo-security-comparison.md#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet). ++- For filter properties that require you to select one or more available values, using the property in the filter condition with all values selected has the same result as not using the property in the filter condition. 
++- For permissions and licensing requirements for Threat Explorer and Real-time detections, see [Permissions and licensing for Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#permissions-and-licensing-for-threat-explorer-and-real-time-detections). ++## Find suspicious email that was delivered ++1. Use one of the following steps to open Threat Explorer or Real-time detections: + - **Threat Explorer**: In the Defender portal at <https://security.microsoft.com>, go to **Email & Security** \> **Explorer**. Or, to go directly to the **Explorer** page, use <https://security.microsoft.com/threatexplorerv3>. + - **Real-time detections**: In the Defender portal at <https://security.microsoft.com>, go to **Email & Security** \> **Real-time detections**. Or, to go directly to the **Real-time detections** page, use <https://security.microsoft.com/realtimereportsv3>. ++2. On the **Explorer** or **Real-time detections** page, select an appropriate view: + - **Threat Explorer**: Verify the [All email view](threat-explorer-real-time-detections-about.md#all-email-view-in-threat-explorer) is selected. + - **Real-time detections**: Verify the [Malware view](threat-explorer-real-time-detections-about.md#malware-view-in-threat-explorer-and-real-time-detections) is selected, or select the [Phish view](threat-explorer-real-time-detections-about.md#phish-view-in-threat-explorer-and-real-time-detections). ++3. Select the date/time range. The default is yesterday and today. ++ :::image type="content" source="../../media/te-rtd-date-filter.png" alt-text="Screenshot of the date filter used in Threat Explorer and Real-time detections in the Defender portal." lightbox="../../media/te-rtd-date-filter.png"::: ++4. Create one or more filter conditions using some or all of the following targeted properties and values. 
For complete instructions, see [Property filters in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#property-filters-in-threat-explorer-and-real-time-detections). For example: ++ - **Delivery action**: The action taken on an email due to existing policies or detections. Useful values are: + - **Delivered**: Email delivered to the user's Inbox or other folder where the user can access the message. + - **Junked**: Email delivered to the user's Junk Email folder or Deleted Items folder where the user can access the message. + - **Blocked**: Email messages that were quarantined, that failed delivery, or were dropped. ++ - **Original delivery location**: Where email went before any automatic or manual post-delivery actions by the system or admins (for example, [ZAP](zero-hour-auto-purge.md) or moved to quarantine). Useful values are: + - **Deleted items folder** + - **Dropped**: The message was lost somewhere in mail flow. + - **Failed**: The message failed to reach the mailbox. + - **Inbox/folder** + - **Junk folder** + - **On-prem/external**: The mailbox doesn't exist in the Microsoft 365 organization. + - **Quarantine** + - **Unknown**: For example, after delivery, an Inbox rule moved the message to a default folder (for example, Draft or Archive) instead of to the Inbox or Junk Email folder. ++ - **Last delivery location**: Where email ended-up after any automatic or manual post-delivery actions by the system or admins. The same values are available from **Original delivery location**. + + - **Directionality**: Valid values are: + - **Inbound** + - **Intra-org** + - **Outbound** ++ This information can help identify spoofing and impersonation. For example, messages from internal domain senders should be **Intra-org**, not **Inbound**. 
++ - **Additional action**: Valid values are: + - **Automated remediation** (Defender for Office 365 Plan 2) + - **Dynamic Delivery**: For more information, see [Dynamic Delivery in Safe Attachments policies](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies). + - **Manual remediation** + - **None** + - **Quarantine release** + - **Reprocessed**: The message was retroactively identified as good. + - **ZAP**: For more information, see [Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365](zero-hour-auto-purge.md). ++ - **Primary override**: If organization or user settings allowed or blocked messages that would have otherwise been blocked or allowed. Values are: + - **Allowed by organization policy** + - **Allowed by user policy** + - **Blocked by organization policy** + - **Blocked by user policy** + - **None** ++ These categories are further refined by the **Primary override source** property. ++ - **Primary override source** The type of organization policy or user setting that allowed or blocked messages that would have otherwise been blocked or allowed. Values are: ++ - **3rd Party Filter** + - **Admin initiated time travel** + - **Antimalware policy block by file type**: [Common attachments filter in anti-malware policies](anti-malware-protection-about.md#common-attachments-filter-in-anti-malware-policies) + - **Antispam policy settings** + - **Connection policy**: [Configure connection filtering](connection-filter-policies-configure.md) + - **Exchange transport rule** (mail flow rule) + - **Exclusive mode (User override)**: The **Only trust email from addresses in my Safe senders and domains list and Safe mailing lists** setting in the [safelist collection on a mailbox](configure-junk-email-settings-on-exo-mailboxes.md#use-exchange-online-powershell-to-configure-the-safelist-collection-on-a-mailbox). 
+ - **Filtering skipped due to on-prem organization** + - **IP region filter from policy**: The **From these countries** filter in [anti-spam policies](anti-spam-protection-about.md#spam-properties-in-anti-spam-policies). + - **Language filter from policy**: The **Contains specific languages** filter in [anti-spam policies](anti-spam-protection-about.md#spam-properties-in-anti-spam-policies). + - **Phishing Simulation**: [Configure third-party phishing simulations in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-defender-portal-to-configure-third-party-phishing-simulations-in-the-advanced-delivery-policy) + - **Quarantine release**: [Release quarantined email](quarantine-admin-manage-messages-files.md#release-quarantined-email) + - **SecOps Mailbox**: [Configure SecOps mailboxes in the advanced delivery policy](advanced-delivery-policy-configure.md#use-the-microsoft-defender-portal-to-configure-secops-mailboxes-in-the-advanced-delivery-policy) + - **Sender address list (Admin Override)**: The allowed senders list or blocked senders list in [anti-spam policies](anti-spam-protection-about.md#allow-and-block-lists-in-anti-spam-policies). + - **Sender address list (User override)**: Sender email addresses in the **Blocked Senders** list in the [safelist collection on a mailbox](configure-junk-email-settings-on-exo-mailboxes.md#use-exchange-online-powershell-to-configure-the-safelist-collection-on-a-mailbox). + - **Sender domain list (Admin Override)**: The allowed domains list or blocked domains list in [anti-spam policies](anti-spam-protection-about.md#allow-and-block-lists-in-anti-spam-policies). + - **Sender domain list (User override)**: Sender domains in the **Blocked Senders** list in the [safelist collection on a mailbox](configure-junk-email-settings-on-exo-mailboxes.md). 
+ - **Tenant Allow/Block List file block**: [Create block entries for files](tenant-allow-block-list-files-configure.md#create-block-entries-for-files) + - **Tenant Allow/Block List sender email address block**: [Create block entries for domains and email addresses](tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-domains-and-email-addresses) + - **Tenant Allow/Block List spoof block**: [Create block entries for spoofed senders](tenant-allow-block-list-email-spoof-configure.md#create-block-entries-for-spoofed-senders) + - **Tenant Allow/Block List URL block**: [Create block entries for URLs](tenant-allow-block-list-urls-configure.md#create-block-entries-for-urls) + - **Trusted contact list (User override)**: The **Trust email from my contacts** setting in the [safelist collection on a mailbox](configure-junk-email-settings-on-exo-mailboxes.md#use-exchange-online-powershell-to-configure-the-safelist-collection-on-a-mailbox). + - **Tenant Allow/Block List file block**: [Create block entries for files](tenant-allow-block-list-files-configure.md#create-block-entries-for-files) + - **Trusted domain (User override)**: Sender domains in the **Safe Senders** list in the [safelist collection on a mailbox](configure-junk-email-settings-on-exo-mailboxes.md#use-exchange-online-powershell-to-configure-the-safelist-collection-on-a-mailbox). + - **Trusted recipient (User override)**: Recipient email addresses or domains in the **Safe Recipients** list in the [safelist collection on a mailbox](configure-junk-email-settings-on-exo-mailboxes.md#use-exchange-online-powershell-to-configure-the-safelist-collection-on-a-mailbox). 
+ - **Trusted senders only (User override)**: The **Safe Lists Only: Only mail from people or domains on your Safe Senders List or Safe Recipients List will be delivered to your Inbox** setting in the [safelist collection on a mailbox](configure-junk-email-settings-on-exo-mailboxes.md#use-exchange-online-powershell-to-configure-the-safelist-collection-on-a-mailbox). ++ - **Override source**: Same available values as **Primary override source**. ++ > [!TIP] + > In the **Email** tab (view) in the details area of the **[All email](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-all-email-view-in-threat-explorer)**, **[Malware](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-malware-view-in-threat-explorer-and-real-time-detections)**, and **[Phish](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-phish-view-in-threat-explorer-and-real-time-detections)** views, the corresponding override columns are named **System overrides** and **System overrides source**. ++ - **URL threat**: Valid values are: + - **Malware** + - **Phish** + - **Spam** ++5. When you're finished configuring date/time and property filters, select **Refresh**. ++The **Email** tab (view) in the details area of the **[All email](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-all-email-view-in-threat-explorer)**, **[Malware](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-malware-view-in-threat-explorer-and-real-time-detections)**, or **[Phish](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-phish-view-in-threat-explorer-and-real-time-detections)** views contains the details you need to investigate suspicious email. 
++For example, Use the **Delivery Action**, **Original delivery location**, and **Last delivery location** columns in the **Email** tab (view) to get a complete picture of where the affected messages went. The values were explained in Step 4. ++Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to selectively export up to 200,000 filtered or unfiltered results to a CSV file. ++<! ### View the timeline of your email ++**Email Timeline** is a field in Threat Explorer that makes hunting easier for your security operations team. When multiple events happen at or close to the same time on an email, those events show up in a timeline view. Some events that happen post-delivery to email are captured in the **Special actions** column. Combining information from the timeline of an email message with any special actions that were taken post-delivery gives admins insight into policies and threat handling (such as where the mail was routed, and, in some cases, what the final assessment was). > ++## Remediate malicious email that was delivered ++After you identify the malicious email messages that were delivered, you can remove them from recipient mailboxes. For instructions, see [Remediate malicious email delivered in Microsoft 365](remediate-malicious-email-delivered-office-365.md). ++## Related articles ++[Remediate malicious email delivered in Office 365](remediate-malicious-email-delivered-office-365.md) ++[Microsoft Defender for Office 365](office-365-ti.md) ++[View reports for Defender for Office 365](reports-defender-for-office-365.md) |
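Review bot: In "What do you need to know before you begin?", "Defender for Office Plan 1" appears twice (in the first bullet and in the nested bullet about the cheat sheet) and should read "Defender for Office 365 Plan 1", as everywhere else in the article. In step 4 under **Primary override source**, "**Tenant Allow/Block List file block**: [Create block entries for files](tenant-allow-block-list-files-configure.md#create-block-entries-for-files)" is listed twice; delete the second occurrence (between **Trusted contact list (User override)** and **Trusted domain (User override)**), which also breaks the list's alphabetical order. The **Primary override source** item lacks the colon after the bold name that every other property in the list has, and the **Sender domain list (User override)** entry links to configure-junk-email-settings-on-exo-mailboxes.md without the #use-exchange-online-powershell-to-configure-the-safelist-collection-on-a-mailbox anchor that its sibling entries use. In the **Last delivery location** item, "ended-up" should be "ended up". The paragraph after step 5 starts "For example, Use the **Delivery Action**" with a stray capital U, and the column is spelled **Delivery action** in step 4. The commented-out "View the timeline of your email" block opens with "<!" and closes with ">" instead of "<!-- ... -->", so the hidden text may render; fix the delimiters or remove the block. Lastly, the "Remediate malicious email that was delivered" section links the article as "Remediate malicious email delivered in Microsoft 365" while Related articles uses "Remediate malicious email delivered in Office 365"; use the same title in both places.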
security | Threat Explorer Real Time Detections About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-real-time-detections-about.md | + + Title: About Threat Explorer and Real-time detections in Microsoft Defender for Office 365 +f1.keywords: + - NOCSH ++++audience: ITPro + Last updated : 3/13/2024+ms.localizationpriority: medium ++ - m365-security + - tier1 + - highpri +description: Learn about the available views, filters, and actions in Threat Explorer (Explorer) or Real-time detections to investigate and respond to threats. ++- seo-marvel-apr2020 +++search.appverid: met150 +appliesto: + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> + - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> +++# About Threat Explorer and Real-time detections in Microsoft Defender for Office 365 +++Microsoft 365 organizations that have [Microsoft Defender for Office 365](defender-for-office-365.md) included in their subscription or purchased as an add-on have **Explorer** (also known as **Threat Explorer**) or **Real-time detections**. These features are powerful, near real-time reporting tools that help Security Operations (SecOps) teams investigate and respond to threats. ++Depending on your subscription, Threat Explorer or Real-time detections is available in the **Email & collaboration** section in the Microsoft Defender portal at <https://security.microsoft.com>: ++- **Real-time detections** is available in _Defender for Office 365 Plan 1_. The **Real-time detections** page is available directly at <https://security.microsoft.com/realtimereportsv3>. 
++ :::image type="content" source="../../media/te-rtd-select-real-time-detections.png" alt-text="Screenshot of the Real-time detections selection in the Email & collaboration section in the Microsoft Defender portal." lightbox="../../media/te-rtd-select-real-time-detections.png"::: ++- **Threat Explorer** is available in _Defender for Office 365 Plan 2_. The **Explorer** page is available directly at <https://security.microsoft.com/threatexplorerv3>. ++ :::image type="content" source="../../media/te-rtd-select-threat-explorer.png" alt-text="Screenshot of the Explorer selection in the Email & collaboration section in the Microsoft Defender portal." lightbox="../../media/te-rtd-select-threat-explorer.png"::: ++Threat Explorer contains the same information and capabilities as Real-time detections, but with the following additional features: ++- More views. +- More property filtering options, including the option to save queries. +- More actions. ++For more information about the differences between Defender for Office 365 Plan 1 and Plan 2, see the [Defender for Office 365 Plan 1 vs. Plan 2 cheat sheet](mdo-security-comparison.md#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet). ++The rest of this article explains the views and features that are available in Threat Explorer and Real-time detections. ++> [!TIP] +> For email scenarios using Threat Explorer and Real-time detections, see the following articles: +> +> - [Threat hunting in Threat Explorer and Real-time detections in Microsoft Defender for Office 365](threat-explorer-threat-hunting.md) +> - [Email security with Threat Explorer and Real-time detections in Microsoft Defender for Office 365](threat-explorer-email-security.md) +> - [Investigate malicious email that was delivered in Microsoft 365](threat-explorer-investigate-delivered-malicious-email.md) ++## Permissions and licensing for Threat Explorer and Real-time detections ++To use Explorer or Real-time detections, you need to be assigned permissions. 
You have the following options: ++- [Microsoft Defender XDR Unified role based access control (RBAC)](/microsoft-365/security/defender/manage-rbac) (Affects the Defender portal only, not PowerShell): + - _Read access for email and Teams message headers_: **Security operations/Raw data (email & collaboration)/Email message headers (read)**. + - _Preview and download email messages_: **Security operations/Raw data (email & collaboration)/Email content (read)**. + - _Remediate malicious email_: **Security operations/Security data/Email advanced actions (manage)**. +- [Email & collaboration permissions in the Microsoft Defender portal](mdo-portal-permissions.md): + - _Full access_: Membership in the **Organization Management** or **Security Administrator** role groups. More permissions are required to do all available actions: + - _Preview and download messages_: Membership in the **Data Investigator** or **eDiscovery Manager** role groups. Or, [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the same roles as **Organization Management** or **Security Administrator**, and then add the **Preview** role. + - _Move messages in and delete messages from mailboxes_: Membership in the **Data Investigator** or **Organization Management** role groups. Or, [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the same roles as **Security Administrator**, and then add the **Search and Purge** role. + - _Read-only access_: Membership in the **Security Reader** role group. +- [Microsoft Entra permissions](/microsoft-365/admin/add-users/about-admin-roles): Membership these roles gives users the required permissions _and_ permissions for other features in Microsoft 365: + - _Full access_: Membership in the **Global Administrator** or **Security Administrator** roles. 
+ - _Search for Exchange mail flow rules (transport rules) by name in Threat Explorer_: Membership in the **Security Admin** or **Security Reader** roles. + - _Read-only access_: Membership in the **Global Reader** or **Security Reader** roles. ++> [!TIP] +> Audit log entries are generated when admins preview or download email messages. You can search the admin audit log by user for **AdminMailAccess** activity. For instructions, see [Audit New Search](/purview/audit-new-search). ++To use Threat Explorer or Real-time detections, you need to be assigned a license for Defender for Office 365 (included in your subscription or an add-on license). ++Threat Explorer or Real-time detections contains data for users with Defender for Office 365 licenses assigned to them. ++## Elements of Threat Explorer and Real-time detections ++Threat Explorer and Real-time detections contain the following elements: ++- **Views**: Tabs at the top of the page that organize detections by threat. The view affects the rest of the data and options on the page. ++ The following table lists the available views in Threat Explorer and Real-time detections: ++ |View|Threat<br/>Explorer|Real-time<br/>detections|Description| + ||::|::|| + |**All email**|✔||Default view for Threat Explorer. Information about all email messages sent by external users into your organization, or email sent between internal users in your organization.| + |**Malware**|✔|✔|Default view for Real-time detections. 
Information about email messages that contain malware.| + |**Phish**|✔|✔|Information about email messages that contain phishing threats.| + |**Campaigns**|✔||Information about malicious email that Defender for Office 365 Plan 2 identified as part of a [coordinated phishing or malware campaign](campaigns.md).| + |**Content malware**|✔|✔|Information about malicious files detected by the following features: <ul><li>[Built-in virus protection in SharePoint, OneDrive, and Microsoft Teams](anti-malware-protection-for-spo-odfb-teams-about.md)</li><li>[Safe Attachments for Sharepoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)</li></ul>| + |**URL clicks**|✔||Information about user clicks on URLs in email messages, Teams messages, SharePoint files, and OneDrive files.| ++ These views are described in detail in this article, including the differences between Threat Explorer and Real-time detections. ++- **Date/time filters**: By default, the view is filtered by yesterday and today. To change the date filter, select the date range, and then select **Start Date** and **End date** values up to 30 days ago. ++ :::image type="content" source="../../media/te-rtd-date-filter.png" alt-text="Screenshot of the date filter used in Threat Explorer and Real-time detections in the Defender portal." lightbox="../../media/te-rtd-date-filter.png"::: ++- **Property filters (queries)**: Filter the results in the view by the available message, file, or threat properties. The available filterable properties depend on the view. Some properties are available in many views, while other properties are limited to a specific view. ++ The available property filters for each view are listed in this article, including the differences between Threat Explorer and Real-time detections. 
++ For instructions to create property filters, see [Property filters in Threat Explorer and Real-time detections](#property-filters-in-threat-explorer-and-real-time-detections) ++ Threat Explorer allows you to save queries for later use as described in the [Saved queries in Threat Explorer](#saved-queries-in-threat-explorer) section. ++- **Charts**: Each view contains a visual, aggregate representation of the filtered or unfiltered data. You can use available pivots to organize the chart in different ways. ++ You can often use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export chart data** to export filtered or unfiltered chart data to a CSV file. ++ The charts and available pivots are described in detail in this article, including the differences between Threat Explorer and Real-time detections. ++ > [!TIP] + > To remove the chart from the page (which maximizes the size of the details area), use either of the following methods: + > + > - Select :::image type="icon" source="../../media/m365-cc-sc-chart-view-icon.png" border="false"::: **Chart View** \> :::image type="icon" source="../../media/m365-cc-sc-list-view-icon.png" border="false"::: **List View** at the top of the page. + > - Select :::image type="icon" source="../../media/m365-cc-sc-show-list-view-icon.png" border="false"::: **Show list view** between the chart and the details area. ++- **Details area**: The details area for a view typically shows a table that contains the filtered or unfiltered data. You can use the available views (tabs) to organize the data in the details area in different ways. For example, a view might contain charts, maps, or different tables. ++ If the details area contains a table, you can often use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to selectively export up to 200,000 filtered or unfiltered results to a CSV file. 
++ > [!TIP] + > In the **Export** flyout, you can select some or all of the available properties to export. The selections are saved per user. Selections in Incognito or InPrivate browsing mode are saved until you close the web browser. +++## All email view in Threat Explorer ++The **All email** view in Threat Explorer shows information about all email messages sent by external users into your organization, and email sent between internal users in your organization. The view shows malicious and non-malicious email. For example: ++- Email identified phishing or malware. +- Email identified as spam or bulk. +- Email identified with no threats. ++This view is the default in Threat Explorer. To open the **All email** view on the **Explorer** page in the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Explorer** \> **All email** tab. Or, go directly to the **Explorer** page using <https://security.microsoft.com/threatexplorerv3>, and then verify that the **All email** tab is selected. +++### Filterable properties in the All email view in Threat Explorer ++By default, no property filters are applied to the data. The steps to create filters (queries) are described in the [Filters in Threat Explorer and Real-time detections](#property-filters-in-threat-explorer-and-real-time-detections) section later in this article. ++The filterable properties that are available in the **Delivery action** box in the **All email** view are described in the following table: ++|Property|Type| +||| +|**Basic**|| +|Sender address|Text. Separate multiple values by commas.| +|Recipients|Text. Separate multiple values by commas.| +|Sender domain|Text. Separate multiple values by commas.| +|Recipient domain|Text. Separate multiple values by commas.| +|Subject|Text. Separate multiple values by commas.| +|Sender display name|Text. Separate multiple values by commas.| +|Sender mail from address|Text. 
Separate multiple values by commas.| +|Sender mail from domain|Text. Separate multiple values by commas.| +|Return path|Text. Separate multiple values by commas.| +|Return path domain|Text. Separate multiple values by commas.| +|Malware family|Text. Separate multiple values by commas.| +|Tags|Text. Separate multiple values by commas. <br/><br/> For more information about user tags, see [User tags](user-tags-about.md).| +|Impersonated domain|Text. Separate multiple values by commas.| +|Impersonated user|Text. Separate multiple values by commas.| +|Exchange transport rule|Text. Separate multiple values by commas.| +|Data loss prevention rule|Text. Separate multiple values by commas.| +|Context|Select one or more values: <ul><li>**Evaluation**</li><li>**Priority account protection**</li></ul>| +|Connector|Text. Separate multiple values by commas.| +|Delivery action|Select one or more values: <ul><li>**Blocked**: Email messages that were quarantined, that failed delivery, or were dropped.</li><li>**Delivered**: Email delivered to the user's Inbox or other folder where the user can access the message.</li><li>**Delivered to junk**: Email delivered to the user's Junk Email folder or Deleted Items folder where the user can access the message.</li><li>**Replaced**: This value is no longer relevant. [Anti-malware policies](anti-malware-protection-about.md) in Exchange Online Protection (EOP) used to have an option to deliver the message with all attachments replaced by TXT files. 
This action is no longer available in Microsoft 365, but is still available in anti-malware policies in Exchange Server.</li></ul>| +|Additional action|Select one or more values: <ul><li>**Automated remediation**</li><li>**Dynamic Delivery**: For more information, see [Dynamic Delivery in Safe Attachments policies](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies).</li><li>**Manual remediation**</li><li>**None**</li><li>**Quarantine release**</li><li>**Reprocessed**: The message was retroactively identified as good.</li><li>**ZAP**: For more information, see [Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365](zero-hour-auto-purge.md).</li></ul>| +|Directionality|Select one or more values: <ul><li>**Inbound**</li><li>**Intra-irg**</li><li>**Outbound**</li></ul>| +|Detection technology|Select one or more values: <ul><li>**Advanced filter**: Signals based on machine learning.</li><li>**Antimalware protection**</li><li>**Bulk**</li><li>**Campaign**</li><li>**Domain reputation**</li><li>**File detonation**: [Safe Attachments](safe-attachments-about.md) detected a malicious attachment during detonation analysis.</li><li>**File detonation reputation**: File attachments previously detected by [Safe Attachments](safe-attachments-about.md) detonations in other Microsoft 365 organizations.</li><li>**File reputation**: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations.</li><li>**Fingerprint matching**: The message closely resembles a previous detected malicious message.</li><li>**General filter**</li><li>**Impersonation brand**: Sender impersonation of well-known brands.</li><li>**Impersonation domain**: Impersonation of sender domains that you own or specified for protection in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>**Impersonation user**</li><li>**IP 
reputation**</li><li>**Mailbox intelligence impersonation**: Impersonation detections from mailbox intelligence in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).</li><li>**Mixed analysis detection**: Multiple filters contributed to the message verdict.</li><li>**spoof DMARC**: The message failed [DMARC authentication](email-authentication-dmarc-configure.md).</li><li>**Spoof external domain**: Sender email address spoofing using a domain that's external to your organization.</li><li>**Spoof intra-org**: Sender email address spoofing using a domain that's internal to your organization.</li><li>**URL detonation reputation**: URLs previously detected by [Safe Links](safe-links-about.md) detonations in other Microsoft 365 organizations.</li><li>**URL malicious reputation**: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations.</li></ul>| +|Original delivery location|Select one or more values: <ul><li>**Deleted Items folder**</li><li>**Dropped**</li><li>**Failed**</li><li>**Inbox/folder**</li><li>**Junk folder**</li><li>**On-prem/external**</li><li>**Quarantine**</li><li>**Unknown**</li></ul>| +|Latest delivery location¹|Same values as **Original delivery location**</li></ul>| +|Phish confidence level|Select one or more values: <ul><li>**High**</li><li>**Normal**</li></ul>| +|Primary override|Select one or more values: <ul><li>**Allowed by organization policy**</li><li>**Allowed by user policy**</li><li>**Blocked by organization policy**</li><li>**Blocked by user policy**</li><li>**None**</li></ul>| +|Primary override source|Select one or more values: <ul><li>**3rd Party Filter**</li><li>**Admin initiated time travel** (ZAP)</li><li>**Antimalware policy block by file type**</li><li>**Antispam policy settings**</li><li>**Connection policy**</li><li>**Exchange transport rule**</li><li>**Exclusive mode (User 
override)**</li><li>**Filtering skipped due to on-prem organization**</li><li>**IP region filter from policy**</li><li>**Language filter from policy**</li><li>**Phishing Simulation**</li><li>**Quarantine release**</li><li>**SecOps Mailbox**</li><li>**Sender address list (Admin Override)**</li><li>**Sender address list (User override)**</li><li>**Sender domain list (Admin Override)**</li><li>**Sender domain list (User override)**</li><li>**Tenant Allow/Block List file block**</li><li>**Tenant Allow/Block List sender email address block**</li><li>**Tenant Allow/Block List spoof block**</li><li>**Tenant Allow/Block List URL block**</li><li>**Trusted contact list (User override)**</li><li>**Trusted domain (User override)**</li><li>**Trusted recipient (User override)**</li><li>**Trusted senders only (User override)**</li></ul>| +|Override source|Same values as **Primary override source**</li></ul>| +|Policy type|Select one or more values: <ul><li>**Anti-malware policy**</li><li>**Anti-phishing policy**</li><li>**Exchange transport rule** (mail flow rule), **Hosted content filter policy** (anti-spam policy), **Hosted outbound spam filter policy** (outbound spam policy), **Safe Attachments policy**</li><li>**Unknown**</li></ul>| +|Policy action|Select one or more values: <ul><li>**Add x-header**</li><li>**Bcc message**</li><li>**Delete message**</li><li>**Modify subject**</li><li>**Move to Junk Email folder**</li><li>**No action taken**</li><li>**Redirect message**</li><li>**Send to quarantine**</li></ul>| +|Threat type|Select one or more values: <ul><li>**Malware**</li><li>**Phish**</li><li>**Spam**</li></ul>| +|Forwarded message|Select one or more values: <ul><li>**True**</li><li>**False**</li></ul>| +|Distribution list|Text. Separate multiple values by commas.| +|Email size|Integer. Separate multiple values by commas.| +|**Advanced**|| +|Internet Message ID|Text. Separate multiple values by commas. 
<br/><br/> Available in the **Message-ID** header field in the message header. An example value is `<08f1e0f6806a47b4ac103961109ae6ef@server.domain>` (note the angle brackets).| +|Network message ID|Text. Separate multiple values by commas. <br/><br/> A GUID value that's available in the **X-MS-Exchange-Organization-Network-Message-Id** header field in the message header.| +|Sender IP|Text. Separate multiple values by commas.| +|Attachment SHA256|Text. Separate multiple values by commas.| +|Cluster ID|Text. Separate multiple values by commas.| +|Alert ID|Text. Separate multiple values by commas.| +|Alert Policy ID|Text. Separate multiple values by commas.| +|Campaign ID|Text. Separate multiple values by commas.| +|ZAP URL signal|Text. Separate multiple values by commas.| +|**Urls**|| +|URL Count|Integer. Separate multiple values by commas.| +|URL domain²|Text. Separate multiple values by commas.| +|URL domain and path²|Text. Separate multiple values by commas.| +|URL²|Text. Separate multiple values by commas.| +|URL path²|Text. Separate multiple values by commas.| +|URL source|Select one or more values: <ul><li>**Attachments**</li><li>**Cloud attachment**</li><li>**Email body**</li><li>**Email header**</li><li>**QR Code**</li><li>**Subject**</li><li>**Unknown**</li></ul>| +|Click verdict|Select one or more values: <ul><li>**Allowed**: The user was allowed to open the URL.</li><li>**Block overridden**: The user was blocked from directly opening the URL, but they overrode the block to open the URL.</li><li>**Blocked**: The user was blocked from opening the URL.</li><li>**Error**: The user was presented with the error page, or an error occurred in capturing the verdict.</li><li>**Failure**: An unknown exception occurred while capturing the verdict. The user might have opened the URL.</li><li>**None**: Unable to capture the verdict for the URL. 
The user might have opened the URL.</li><li>**Pending verdict**: The user was presented with the detonation pending page.</li><li>**Pending verdict bypassed**: The user was presented with the detonation page, but they overrode the message to open the URL.</li></ul>| +|URL Threat|Select one or more values: <ul><li>**Malware**</li><li>**Phish**</li><li>**Spam**</li></ul>| +|**File**|| +|Attachment Count|Integer. Separate multiple values by commas.| +|Attachment filename|Text. Separate multiple values by commas.| +|File type|Text. Separate multiple values by commas.| +|File Extension|Text. Separate multiple values by commas.| +|File Size|Integer. Separate multiple values by commas.| +|**Authentication**|| +|SPF|Select one or more values: <ul><li>**Fail**</li><li>**Neutral**</li><li>**None**</li><li>**Pass**</li><li>**Permanent error**</li><li>**Soft fail**</li><li>**Temporary error**</li></ul>| +|DKIM|Select one or more values: <ul><li>**Error**</li><li>**Fail**</li><li>**Ignore**</li><li>**None**</li><li>**Pass**</li><li>**Test**</li><li>**Timeout**</li><li>**Unknown**</li></ul>| +|DMARC|Select one or more values: <ul><li>**Best guess pass**</li><li>**Fail**</li><li>**None**</li><li>**Pass**</li><li>**Permanent error**</li><li>**Selector pass**</li><li>**Temporary error**</li><li>**Unknown**</li></ul>| +|Composite|Select one or more values: <ul><li>**Fail**</li><li>**None**</li><li>**Pass**</li><li>**Soft pass**</li></ul>| ++> [!TIP] +> ¹ **Latest delivery location** doesn't include end-user actions on messages. For example, if the user deleted the message or moved the message to an archive or PST file. +> +> There are scenarios where **Original delivery location**/**Latest delivery location** and/or **Delivery action** have the value **Unknown**. 
For example: +> +> - The message was delivered (**Delivery action** is **Delivered**), but an Inbox rule moved the message to a default folder other than the Inbox or Junk Email folder (for example, the Draft or Archive folder). +> - ZAP attempted to move the message after delivery, but the message wasn't found (for example, the user moved or deleted the message). +> +> ² By default, a URL search maps to `http`, unless another value is explicitly specified. For example: +> +> - Searching with and without the `http://` prefix in **URL**, **URL Domain**, and **URL Domain and Path** should show the same results. +> - Search for the `https://` prefix in **URL**. When no value is specified, the `http://` prefix is assumed. +> - `/` at the beginning and end of the **URL path**, **URL Domain**, **URL domain and path** fields is ignored. +> - `/` at the end of the **URL** field is ignored. ++### Pivots for the chart in the All email view in Threat Explorer ++The chart has a default view, but you can select a value from **Select pivot for histogram chart** to change how the filtered or unfiltered chart data is organized and displayed. ++The available chart pivots are described in the following subsections. ++#### Delivery action chart pivot in the All email view in Threat Explorer ++Although this pivot doesn't look selected by default, **Delivery action** is the default chart pivot in the **All email** view. ++The **Delivery action** pivot organizes the chart by the actions taken on messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each delivery action. ++#### Sender domain chart pivot in the All email view in Threat Explorer ++The **Sender domain** pivot organizes the chart by the domains in messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each sender domain. 
++#### Sender IP chart pivot in the All email view in Threat Explorer ++The **Sender IP** pivot organizes the chart by the source IP addresses of messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each sender IP address. ++#### Detection technology chart pivot in the All email view in Threat Explorer ++The **Detection technology** pivot organizes the chart by the feature that identified messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each detection technology. ++#### Full URL chart pivot in the All email view in Threat Explorer ++The **Full URL** pivot organizes the chart by the full URLs in messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each full URL. ++#### URL domain chart pivot in the All email view in Threat Explorer ++The **URL domain** pivot organizes the chart by the domains in URLs in messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each URL domain. ++#### URL domain and path chart pivot in the All email view in Threat Explorer ++The **URL domain and path** pivot organizes the chart by the domains and paths in URLs in messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each URL domain and path. ++### Views for the details area of the All email view in Threat Explorer ++The available views (tabs) in the details area of the **All email** view are described in the following subsections. ++#### Email view for the details area of the All email view in Threat Explorer ++**Email** is the default view for the details area in the **All email** view. ++The **Email** view shows a details table. You can sort the entries by clicking on an available column header. 
Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. The default values are marked with an asterisk (<sup>\*</sup>): ++- **Date**<sup>\*</sup> +- **Subject**<sup>\*</sup> +- **Recipient**<sup>\*</sup> +- **Recipient domain** +- **Tags**<sup>\*</sup> +- **Sender address**<sup>\*</sup> +- **Sender display name** +- **Sender domain**<sup>\*</sup> +- **Sender IP** +- **Sender mail from address** +- **Sender mail from domain** +- **Additional actions**<sup>\*</sup> +- **Delivery action** +- **Latest delivery location**<sup>\*</sup> +- **Original delivery location**<sup>\*</sup> +- **System overrides source** +- **System overrides** +- **Alert ID** +- **Internet message ID** +- **Network message ID** +- **Mail language** +- **Exchange transport rule** +- **Connector** +- **Context** +- **Data loss prevention rule** +- **Threat type**<sup>\*</sup> +- **Detection technology** +- **Attachment Count** +- **URL Count** +- **Email size** ++> [!TIP] +> To see all columns, you likely need to do one or more of the following steps: +> +> - Horizontally scroll in your web browser. +> - Narrow the width of appropriate columns. +> - Remove columns from the view. +> - Zoom out in your web browser. +> +> Customized column settings are saved per user. Customized column settings in Incognito or InPrivate browsing mode are saved until you close the web browser. ++When you select one or more entries from the list by selecting the check box next to the first column, **Message actions** is available. For information, see [Threat hunting: Email remediation](threat-explorer-threat-hunting.md#email-remediation). +++In the **Subject** value for the entry, the :::image type="icon" source="../../medi). ++When you click on the **Subject** or **Recipient** values in an entry, details flyouts open. These flyouts are described in the following subsections. 
++##### Subject details from the Email view of the details area in the All email view ++When you select an entry by clicking on the **Subject** value, a details flyout opens with the following information: ++> [!TIP] +> To see details about other message subjects without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout. ++- The number of attachments or links in the message. +- Any [user tags](user-tags-about.md) that are assigned to the recipients of the message. +- The following actions are available: + - :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity** + - :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **View header** + - :::image type="icon" source="../../medi#remediate-using-take-action). + - :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More options**: + - :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **Email preview**¹ + - :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Download email**¹ ++ > [!TIP] + > **Download email** isn't available for messages that were quarantined. Instead, [download a password protected copy of the message from quarantine](quarantine-admin-manage-messages-files.md#download-email-from-quarantine). ++ - :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **View in Explorer** + - :::image type="icon" source="../../media/m365-cc-sc-view-message-headers-icon.png" border="false"::: **Go hunt** ++¹ The **Email preview** and **Download email** actions require the **Preview** role in [Email & collaboration permissions](mdo-portal-permissions.md). 
By default, this role is assigned to the **Data Investigator** and **eDiscovery Manager** role groups. Members of only the **Organization Management** or **Security Administrators** role groups can't open these actions. You can add the members of the groups to the **Data Investigator** and **eDiscovery Manager** role groups, or you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the same roles as **Organization Management** or **Security Administrator**, and then add the **Search and Purge** role to the custom role group. ++- The following sections are available: + - **Delivery details** section: + - **Original threats** + - **Latest threats** + - **Original location** + - **Latest delivery location** + - **Delivery action** + - **Detection technologies** + - **Primary override : Source** + - **Email details** section: + - **Sender display name** + - **Sender address** + - **Sender email from address** + - **Sent on behalf of** + - **Return path** + - **Sender IP** + - **Location** + - **Recipient(s)** + - **Time received** + - **Directionality** + - **Network message ID** + - **Internet message ID** + - **Campaign ID** + - **DMARC** + - **DKIM** + - **SPF** + - **Composite authentication** + - **URLs** section: Details about any URLs in the message: + - **URL** + - **Threat** status ++ If the message has more than three URLs, select **View all URLs** to see all of them. ++ - **Attachments** section: Details about any file attachments in the message: + - **Attachment name** + - **Threat** + - **Detection tech / Malware family** ++ If the message has more than three attachments, select **View all attachments** to see all of them. 
+++##### Recipient details from the Email view of the details area in the All email view ++When you select an entry by clicking on the **Recipient** value, a details flyout opens with the following information: ++> [!TIP] +> To see details about other recipients without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout. ++- **Summary** section: + - **Role**: Whether the recipient has any admin roles assigned. + - **Policies**: + - Whether the user has permission to see archive information. + - Whether the user has permission to see retention information. + - Whether the user is covered by data loss prevention (DLP). + - Whether the user is covered by **Mobile management** at <https://portal.office.com/EAdmin/Device/IntuneInventory.aspx>. <!-- Security Administrator can't open the page> +- **Email** section: A table showing the following related information for messages sent to the recipient: + - **Date** + - **Subject** + - **Recipient** ++ Select **View all email** to open Threat Explorer in a new tab filtered by the recipient. ++- **Recent alerts** section: A table showing the following related information for related recent alerts: + - **Severity** + - **Alert policy** + - **Category** + - **Activities** ++ If there are more than three recent alerts, select **View all recent alerts** to see all of them. ++ - **Recent activity** section: Shows the summarized results of an [Audit log search](/purview/audit-new-search) for the recipient: + - **Date** + - **IP address** + - **Activity** + - **Item** ++ If the recipient has more than three audit log entries, select **View all recent activity** to see all of them. ++ > [!TIP] + > Members of the **Security Administrators** role group in [Email & collaboration permissions](mdo-portal-permissions.md) can't expand the **Recent activity** section. 
You need to be a member of a role group in [Exchange Online permissions](/exchange/permissions-exo/permissions-exo) that has the **Audit Logs**, **Information Protection Analyst**, or **Information Protection Investigator** roles assigned. By default, those roles are assigned to the **Records Management**, **Compliance Management**, **Information Protection**, **Information Protection Analysts**, **Information Protection Investigators**, and **Organization Management** role groups. You can add the members of **Security Administrators** to those role groups, or you can [create a new role group](/exchange/recipients-in-exchange-online/manage-permissions-for-recipients#use-the-eac-to-assign-permissions-to-individual-mailboxes) with with the **Audit Logs** role assigned. +++#### URL clicks view for the details area of the All email view in Threat Explorer ++The **URL clicks** view shows a chart that can be organized using pivots. The chart has a default view, but you can select a value from **Select pivot for histogram chart** to change how the filtered or unfiltered chart data is organized and displayed. ++The chart pivots are described in the following subsections. +++> [!TIP] +> In Threat Explorer, each pivot in **URL clicks** view has a :::image type="icon" source="../../media/m365-cc-sc-view-icon.png" border="false"::: **View all clicks** action that opens the [URL clicks view](#url-clicks-view-in-threat-explorer) in a new tab. ++##### URL domain pivot for the URL clicks view for the details area of the All email view in Threat Explorer ++Although this chart pivot doesn't appear to be selected, **URL domain** is the default chart pivot in the **URL clicks** view. ++The **URL domain** pivot shows the different domains in URLs in email messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each URL domain. 
++##### Click verdict pivot for the URL clicks view for the details area of the All email view in Threat Explorer ++The **Click verdict** pivot shows the different verdicts for clicked URLs in email messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each click verdict. ++##### URL pivot for the URL clicks view for the details area of the All email view in Threat Explorer ++The **URL** pivot shows the different URLs that were clicked in email messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each URL. ++##### URL domain and path pivot for the URL clicks view for the details area of the All email view in Threat Explorer ++The **URL domain and path** pivot shows the different domains and file paths of URLs that were clicked in email messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each URL domain and file path. ++#### Top URLs view for the details area of the All email view in Threat Explorer ++The **Top URLs** view shows a details table. You can sort the entries by clicking on an available column header: ++- **URL** +- **Messages blocked** +- **Messages junked** +- **Messages delivered** ++##### Top URLs details for the All email view ++When you select an entry by clicking anywhere in the row other than the check box next to the first column, a details flyout opens with the following information: ++> [!TIP] +> To see details about other URLs without leaving the details flyout, use :::image type="icon" source="../../media/updownarrows.png" border="false"::: **Previous item** and **Next item** at the top of the flyout. 
++- The following actions are available at the top of the flyout: + - :::image type="icon" source="../../media/m365-cc-sc-open-url-page-icon.png" border="false"::: **Open URL page** + - :::image type="icon" source="../../media/m365-cc-sc-send-icon.png" border="false"::: **Submit for analysis**: + - :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Report clean** + - :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Report phishing** + - :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Report malware** + <! The target URL is constructed such that it should open a new submission with the details filled out. But it takes me to the Email tab on the main Submissions page. Perhaps another permissions issue?> + - :::image type="icon" source="../../media/m365-cc-sc-manage-indicator-icon.png" border="false"::: **Manage indicator**: + - :::image type="icon" source="../../media/m365-cc-sc-create-icon.png" border="false"::: **Add indicator** + - :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Manage in tenant block list** ++ Selecting any of these options takes you to the **Submissions** page in the Defender portal. ++ - :::image type="icon" source="../../media/m365-cc-sc-more-actions-icon.png" border="false"::: **More**: + - :::image type="icon" source="../../media/m365-cc-sc-show-trends-icon.png" border="false"::: **View in Explorer** + - :::image type="icon" source="../../media/m365-cc-sc-go-hunt-icon.png" border="false":::**Go hunt** +- **Original URL** +- **Detection** section: + - **Threat intelligence verdict** + - **x active alerts y incidents**: A horizontal bar graph that shows the number of **High**, **Medium**, **Low**, and **Info** alerts that are related to this link. + - A link to **View all incidents & alerts in URL page**. +- **Domain details** section: + - **Domain name** and a link to **View domain page**. 
+ - **Registrant** + - **Registered on** + - **Updated on** + - **Expires on** +- **Registrant contact info** section: + - **Registrar** + - **Country/Region** + - **Mailing address** + - **Email** + - **Phone** + - **More info**: A link to **Open at Whois**. +- **URL prevalence (last 30 days)** section: Contains the number of **Devices**, **Email**, and **Clicks**. Select each value to view the full list. +- **Devices**: Shows the affected devices: + - **Date (First / Last)** + - **Devices** ++ If more than two devices are involved, select **View all devices** to see all of them. + ++#### Top clicks view for the details area of the All email view in Threat Explorer ++The **Top clicks** view shows a details table. You can sort the entries by clicking on an available column header: ++- **URL** +- **Blocked** +- **Allowed** +- **Block overridden** +- **Pending verdict** +- **Pending verdict bypassed** +- **None** +- **Error page** +- **Failure** ++> [!TIP] +> All available columns are selected. If you select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**, you can't deselect any columns. +> +> To see all columns, you likely need to do one or more of the following steps: +> +> - Horizontally scroll in your web browser. +> - Narrow the width of appropriate columns. +> - Zoom out in your web browser. ++When you select an entry by clicking anywhere in the row other than the check box next to the first column, a details flyout opens. The information in the flyout is the same as described in [Top URLs details for the All email view](#top-urls-details-for-the-all-email-view). ++#### Top targeted users view for the details area of the All email view in Threat Explorer ++The **Top targeted users** view organizes the data into a table of the top five recipients who were targeted by the most threats. The table contains the following information: ++- **Top targeted users**: The recipient's email address. 
If you select a recipient address, a details flyout opens. The information in the flyout is the same as described in [Recipient details from the Email view of the details area in the All email view](#recipient-details-from-the-email-view-of-the-details-area-in-the-all-email-view). ++- The number of attempts: If you select the number of attempts, Threat Explorer opens in a new tab filtered by the recipient. ++> [!TIP] +> Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the list of up to 3000 users and the corresponding attempts. ++#### Email origin view for the details area of the All email view in Threat Explorer ++The **Email origin** view shows message sources on a map of the world. +++#### Campaign view for the details area of the All email view in Threat Explorer ++The **Campaign** view shows a details table. You can sort the entries by clicking on an available column header. ++The information in the table is the same as described in [details table on the Campaigns page](campaigns.md#details-area-on-the-campaigns-page). ++When you select an entry by clicking anywhere in the row other than the check box next to the **Name**, a details flyout opens. The information in the flyout is the same as described in [Campaign details](campaigns.md#campaign-details). ++## Malware view in Threat Explorer and Real-time detections ++The **Malware** view in Threat Explorer and Real-time detections shows information about email messages that were found to contain malware. This view is the default in Real-time detections. ++To open the **Malware** view, do one of the following steps: ++- **Threat Explorer**: On the **Explorer** page in the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Explorer** \> **Malware** tab. Or, go directly to the **Explorer** page using <https://security.microsoft.com/threatexplorerv3>, and then select the **Malware** tab. 
+- **Real-time detections**: On the **Real-time detections** page in the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Explorer** \> **Malware** tab. Or, go directly to the **Real-time detections** page using <https://security.microsoft.com/realtimereportsv3>, and then verify that the **Malware** tab is selected. +++### Filterable properties in the Malware view in Threat Explorer and Real-time detections ++By default, no property filters are applied to the data. The steps to create filters (queries) are described in the [Filters in Threat Explorer and Real-time detections](#property-filters-in-threat-explorer-and-real-time-detections) section later in this article. ++The filterable properties that are available in the **Sender address** box in the **Malware** view are described in the following table: ++|Property|Type|Threat<br/>Explorer|Real-time<br/>detections| +|||::|::| +|**Basic**|||| +|Sender address|Text. Separate multiple values by commas.|✔|✔| +|Recipients|Text. Separate multiple values by commas.|✔|✔| +|Sender domain|Text. Separate multiple values by commas.|✔|✔| +|Recipient domain|Text. Separate multiple values by commas.|✔|✔| +|Subject|Text. Separate multiple values by commas.|✔|✔| +|Sender display name|Text. Separate multiple values by commas.|✔|✔| +|Sender mail from address|Text. Separate multiple values by commas.|✔|✔| +|Sender mail from domain|Text. Separate multiple values by commas.|✔|✔| +|Return path|Text. Separate multiple values by commas.|✔|✔| +|Return path domain|Text. Separate multiple values by commas.|✔|✔| +|Malware family|Text. Separate multiple values by commas.|✔|✔| +|Tags|Text. Separate multiple values by commas. <br/><br/> For more information about user tags, see [User tags](user-tags-about.md).|✔|| +|Exchange transport rule|Text. Separate multiple values by commas.|✔|| +|Data loss prevention rule|Text. 
Separate multiple values by commas.|✔|| +|Context|Select one or more values: <ul><li>**Evaluation**</li><li>**Priority account protection**</li></ul>|✔|| +|Connector|Text. Separate multiple values by commas.|✔|| +|Delivery action|Select one or more values: <ul><li>**Blocked**</li><li>**Delivered**</li><li>**Delivered to junk**</li><li>**Replaced**</li></ul>|✔|✔| +|Additional action|Select one or more values: <ul><li>**Automated remediation**</li><li>**Dynamic Delivery**: For more information, see [Dynamic Delivery in Safe Attachments policies](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies).</li><li>**Manual remediation**</li><li>**None**</li><li>**Quarantine release**</li><li>**Reprocessed**</li><li>**ZAP**: For more information, see [Zero-hour auto purge (ZAP) in Microsoft Defender for Office 365](zero-hour-auto-purge.md).</li></ul>|✔|✔| +|Directionality|Select one or more values: <ul><li>**Inbound**</li><li>**Intra-irg**</li><li>**Outbound**</li></ul>|✔|✔| +|Detection technology|Select one or more values: <ul><li>**Advanced filter**: Signals based on machine learning.</li><li>**Antimalware protection**</li><li>**Bulk**</li><li>**Campaign**</li><li>**Domain reputation**</li><li>**File detonation**: [Safe Attachments](safe-attachments-about.md) detected a malicious attachment during detonation analysis.</li><li>**File detonation reputation**: File attachments previously detected by [Safe Attachments](safe-attachments-about.md) detonations in other Microsoft 365 organizations.</li><li>**File reputation**: The message contains a file that was previously identified as malicious in other Microsoft 365 organizations.</li><li>**Fingerprint matching**: The message closely resembles a previous detected malicious message.</li><li>**General filter**</li><li>**Impersonation brand**: Sender impersonation of well-known brands.</li><li>**Impersonation domain**: Impersonation of sender domains that you own or specified for protection in [anti-phishing 
policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365)</li><li>**Impersonation user**</li><li>**IP reputation**</li><li>**Mailbox intelligence impersonation**: Impersonation detections from mailbox intelligence in [anti-phishing policies](anti-phishing-policies-about.md#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365).</li><li>**Mixed analysis detection**: Multiple filters contributed to the message verdict.</li><li>**spoof DMARC**: The message failed [DMARC authentication](email-authentication-dmarc-configure.md).</li><li>**Spoof external domain**: Sender email address spoofing using a domain that's external to your organization.</li><li>**Spoof intra-org**: Sender email address spoofing using a domain that's internal to your organization.</li><li>**URL detonation**: [Safe Links](safe-links-about.md) detected a malicious URL in the message during detonation analysis.</li><li>**URL detonation reputation**: URLs previously detected by [Safe Links](safe-links-about.md) detonations in other Microsoft 365 organizations.</li><li>**URL malicious reputation**: The message contains a URL that was previously identified as malicious in other Microsoft 365 organizations.</li></ul>|✔|✔| +|Original delivery location|Select one or more values: <ul><li>**Deleted Items folder**</li><li>**Dropped**</li><li>**Failed**</li><li>**Inbox/folder**</li><li>**Junk folder**</li><li>**On-prem/external**</li><li>**Quarantine**</li><li>**Unknown**</li></ul>|✔|✔| +|Latest delivery location|Same values as **Original delivery location**</li></ul>|✔|✔| +|Primary override|Select one or more values: <ul><li>**Allowed by organization policy**</li><li>**Allowed by user policy**</li><li>**Blocked by organization policy**</li><li>**Blocked by user policy**</li><li>**None**</li></ul>|✔|✔| +|Primary override source|Select one or more values: <ul><li>**3rd Party Filter**</li><li>**Admin initiated 
time travel**</li><li>**Antimalware policy block by file type**</li><li>**Antispam policy settings**</li><li>**Connection policy**</li><li>**Exchange transport rule**</li><li>**Exclusive mode (User override)**</li><li>**Filtering skipped due to on-prem organization**</li><li>**IP region filter from policy**</li><li>**Language filter from policy**</li><li>**Phishing Simulation**</li><li>**Quarantine release**</li><li>**SecOps Mailbox**</li><li>**Sender address list (Admin Override)**</li><li>**Sender address list (User override)**</li><li>**Sender domain list (Admin Override)**</li><li>**Sender domain list (User override)**</li><li>**Tenant Allow/Block List file block**</li><li>**Tenant Allow/Block List sender email address block**</li><li>**Tenant Allow/Block List spoof block**</li><li>**Tenant Allow/Block List URL block**</li><li>**Trusted contact list (User override)**</li><li>**Trusted domain (User override)**</li><li>**Trusted recipient (User override)**</li><li>**Trusted senders only (User override)**</li></ul>|✔|✔| +|Override source|Same values as **Primary override source**</li></ul>|✔|✔| +|Policy type|Select one or more values: <ul><li>**Anti-malware policy**</li><li>**Anti-phishing policy**</li><li>**Exchange transport rule** (mail flow rule), **Hosted content filter policy** (anti-spam policy), **Hosted outbound spam filter policy** (outbound spam policy), **Safe Attachments policy**</li><li>**Unknown**</li></ul>|✔|✔| +|Policy action|Select one or more values: <ul><li>**Add x-header**</li><li>**Bcc message**</li><li>**Delete message**</li><li>**Modify subject**</li><li>**Move to Junk Email folder**</li><li>**No action taken**</li><li>**Redirect message**</li><li>**Send to quarantine**</li></ul>|✔|✔| +|Email size|Integer. Separate multiple values by commas.|✔|✔| +|**Advanced**|||| +|Internet Message ID|Text. Separate multiple values by commas. <br/><br/> Available in the **Message-ID** header field in the message header. 
An example value is `<08f1e0f6806a47b4ac103961109ae6ef@server.domain>` (note the angle brackets).|✔|✔| +|Network message ID|Text. Separate multiple values by commas. <br/><br/> A GUID value that's available in the **X-MS-Exchange-Organization-Network-Message-Id** header field in the message header.|✔|✔| +|Sender IP|Text. Separate multiple values by commas.|✔|✔| +|Attachment SHA256|Text. Separate multiple values by commas.|✔|✔| +|Cluster ID|Text. Separate multiple values by commas.|✔|✔| +|Alert ID|Text. Separate multiple values by commas.|✔|✔| +|Alert Policy ID|Text. Separate multiple values by commas.|✔|✔| +|Campaign ID|Text. Separate multiple values by commas.|✔|✔| +|ZAP URL signal|Text. Separate multiple values by commas.|✔|✔| +|**Urls**|||| +|URL Count|Integer. Separate multiple values by commas.|✔|✔| +|URL domain|Text. Separate multiple values by commas.|✔|✔| +|URL domain and path|Text. Separate multiple values by commas.|✔|✔| +|URL|Text. Separate multiple values by commas.|✔|✔| +|URL path|Text. Separate multiple values by commas.|✔|✔| +|URL source|Select one or more values: <ul><li>**Attachments**</li><li>**Cloud attachment**</li><li>**Email body**</li><li>**Email header**</li><li>**QR Code**</li><li>**Subject**</li><li>**Unknown**</li></ul>|✔|✔| +|Click verdict|Select one or more values: <ul><li>**Allowed**</li><li>**Block overridden**</li><li>**Blocked**</li><li>**Error**</li><li>**Failure**</li><li>**None**</li><li>**Pending verdict**</li><li>**Pending verdict bypassed**</li></ul>|✔|✔| +|URL Threat|Select one or more values: <ul><li>**Malware**</li><li>**Phish**</li><li>**Spam**</li></ul>|✔|✔| +|**File**|||| +|Attachment Count|Integer. Separate multiple values by commas.|✔|✔| +|Attachment filename|Text. Separate multiple values by commas.|✔|✔| +|File type|Text. Separate multiple values by commas.|✔|✔| +|File Extension|Text. Separate multiple values by commas.|✔|✔| +|File Size|Integer. 
Separate multiple values by commas.|✔|✔| +|**Authentication**|||| +|SPF|Select one or more values: <ul><li>**Fail**</li><li>**Neutral**</li><li>**None**</li><li>**Pass**</li><li>**Permanent error**</li><li>**Soft fail**</li><li>**Temporary error**</li></ul>|✔|✔| +|DKIM|Select one or more values: <ul><li>**Error**</li><li>**Fail**</li><li>**Ignore**</li><li>**None**</li><li>**Pass**</li><li>**Test**</li><li>**Timeout**</li><li>**Unknown**</li></ul>|✔|✔| +|DMARC|Select one or more values: <ul><li>**Best guess pass**</li><li>**Fail**</li><li>**None**</li><li>**Pass**</li><li>**Permanent error**</li><li>**Selector pass**</li><li>**Temporary error**</li><li>**Unknown**</li></ul>|✔|✔| +|Composite|Select one or more values: <ul><li>**Fail**</li><li>**None**</li><li>**Pass**</li><li>**Soft pass**</li></ul>| ++### Pivots for the chart in the Malware view in Threat Explorer and Real-time Detections ++The chart has a default view, but you can select a value from **Select pivot for histogram chart** to change how the filtered or unfiltered chart data is organized and displayed. ++The chart pivots that are available in the **Malware** view in Threat Explorer and Real-time detections are listed in the following table: ++|Pivot|Threat<br/>Explorer|Real-time<br/>detections| +||::|::| +|**Malware family**|✔|| +|**Sender domain**|✔|| +|**Sender IP**|✔|| +|**Delivery action**|✔|✔| +|**Detection technology**|✔|✔| ++The available chart pivots are described in the following subsections. ++#### Malware family chart pivot in the Malware view in Threat Explorer ++Although this pivot doesn't look selected by default, **Malware family** is the default chart pivot in the **Malware** view in Threat Explorer. ++The **Malware family** pivot organizes the chart by the malware family detected in messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each malware family. 
++#### Sender domain chart pivot in the Malware view in Threat Explorer ++The **Sender domain** pivot organizes the chart by the sender domain of messages that were found to contain malware for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each sender domain. ++#### Sender IP chart pivot in the Malware view in Threat Explorer ++The **Sender IP** pivot organizes the chart by the source IP address of messages that were found to contain malware for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each source IP address. ++#### Delivery action chart pivot in the Malware view in Threat Explorer and Real-time detections ++Although this pivot doesn't look selected by default, **Delivery action** is the default chart pivot in the **Malware** view in Real-time detections. ++The **Delivery action** pivot organizes the chart by what happened to messages that were found to contain malware for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each delivery action. ++#### Detection technology chart pivot in the Malware view in Threat Explorer and Real-time detections ++The **Detection technology** pivot organizes the chart by the feature that identified malware in messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each detection technology. ++### Views for the details area of the Malware view in Threat Explorer and Real-time detections ++The available views (tabs) in the details area of the **Malware** view are listed in the following table, and are described in the following subsections. 
++|View|Threat<br/>Explorer|Real-time<br/>detections| +||::|::| +|**Email**|✔|✔| +|**Top malware families**|✔|| +|**Top targeted users**|✔|| +|**Email origin**|✔|| +|**Campaign**|✔|| ++#### Email view for the details area of the Malware view in Threat Explorer and Real-time detections ++**Email** is the default view for the details area of the **Malware** view in Threat Explorer and Real-time detections. ++The **Email** view shows a details table. You can sort the entries by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. ++The following table shows the columns that are available in Threat Explorer and Real-time detections. The default values are marked with an asterisk (<sup>\*</sup>). ++|Column|Threat<br/>Explorer|Real-time<br/>detections| +||::|::| +|**Date**<sup>\*</sup>|✔|✔| +|**Subject**<sup>\*</sup>|✔|✔| +|**Recipient**<sup>\*</sup>|✔|✔| +|**Recipient domain**|✔|✔| +|**Tags**<sup>\*</sup>|✔|| +|**Sender address**<sup>\*</sup>|✔|✔| +|**Sender display name**|✔|✔| +|**Sender domain**<sup>\*</sup>|✔|✔| +|**Sender IP**|✔|✔| +|**Sender mail from address**|✔|✔| +|**Sender mail from domain**|✔|✔| +|**Additional actions**<sup>\*</sup>|✔|✔| +|**Delivery action**|✔|✔| +|**Latest delivery location**<sup>\*</sup>|✔|✔| +|**Original delivery location**<sup>\*</sup>|✔|✔| +|**System overrides source**|✔|✔| +|**System overrides**|✔|✔| +|**Alert ID**|✔|✔| +|**Internet message ID**|✔|✔| +|**Network message ID**|✔|✔| +|**Mail language**|✔|✔| +|**Exchange transport rule**|✔|| +|**Connector**|✔|| +|**Context**|✔|✔| +|**Data loss prevention rule**|✔|✔| +|**Threat type**<sup>\*</sup>|✔|✔| +|**Detection technology**|✔|✔| +|**Attachment Count**|✔|✔| +|**URL Count**|✔|✔| +|**Email size**|✔|✔| ++> [!TIP] +> To see all columns, you likely need to do one or more of the following steps: +> +> - Horizontally scroll in your web browser. 
+> - Narrow the width of appropriate columns. +> - Remove columns from the view. +> - Zoom out in your web browser. +> +> Customized column settings are saved per user. Customized column settings in Incognito or InPrivate browsing mode are saved until you close the web browser. ++When you select one or more entries from the list by selecting the check box next to the first column, **Message actions** is available. For information, see [Threat hunting: Email remediation](threat-explorer-threat-hunting.md#email-remediation). ++When you click on the **Subject** or **Recipient** values in an entry, details flyouts open. These flyouts are described in the following subsections. ++##### Subject details from the Email view of the details area in the Malware view ++When you select an entry by clicking on the **Subject** value, a details flyout opens. The information in the flyout is the same as described in [Subject details from the Email view of the details area in the All email view](#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view). ++> [!TIP] +> The :::image type="icon" source="../../media/m365-cc-sc-go-hunt-icon.png" border="false"::: **Go hunt** action is available only in Threat Explorer. It isn't available in Real-time detections. ++##### Recipient details from the Email view of the details area in the Malware view ++When you select an entry by clicking on the **Recipient** value, a details flyout opens. The information in the flyout is the same as described in [Recipient details from the Email view of the details area in the All email view](#recipient-details-from-the-email-view-of-the-details-area-in-the-all-email-view). ++#### Top malware families view for the details area of the Malware view in Threat Explorer ++The **Top malware families** view for the details area organizes the data into a table of the top malware families. The table shows: ++- **Top malware families** column: The malware family name. 
++ If you select a malware family name, a details flyout opens that contains the following information: ++ - **Email** section: A table showing the following related information for messages that contain the malware file: + - **Date** + - **Subject** + - **Recipient** ++ Select **View all email** to open Threat Explorer in a new tab filtered by the malware family name. ++ - **Technical details** section ++ :::image type="content" source="../../media/te-rtd-malware-view-details-area-top-malware-families-details-flyout.png" alt-text="Screenshot of the details flyout after you select a malware family from the Top malware families tab of the details area in the Malware view of Threat Explorer." lightbox="../../media/te-rtd-malware-view-details-area-top-malware-families-details-flyout.png"::: ++- The number of attempts: If you select the number of attempts, Threat Explorer opens in a new tab filtered by the malware family name. ++#### Top targeted users view for the details area of the Malware view in Threat Explorer ++The **Top targeted users** view organizes the data into a table of the top five recipients who were targeted by malware. The table shows: ++- **Top targeted users**: The email address of the top targeted user. If you select an email address, a details flyout opens. The information in the flyout is the same as described in [Top targeted users view for the details area of the All email view in Threat Explorer](#top-targeted-users-view-for-the-details-area-of-the-all-email-view-in-threat-explorer). ++- The number of attempts: If you select the number of attempts, Threat Explorer opens in a new tab filtered by the malware family name. ++> [!TIP] +> Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the list of up to 3000 users and the corresponding attempts. 
++#### Email origin view for the details area of the Malware view in Threat Explorer ++The **Email origin** view shows message sources on a map of the world. ++#### Campaign view for the details area of the Malware view in Threat Explorer ++The **Campaign** view shows a details table. You can sort the entries by clicking on an available column header. ++The details table is identical to the [details table on the Campaigns page](campaigns.md#details-area-on-the-campaigns-page). ++When you select an entry by clicking anywhere in the row other than the check box next to the **Name**, a details flyout opens. The information in the flyout is the same as described in [Campaign details](campaigns.md#campaign-details). ++## Phish view in Threat Explorer and Real-time detections ++The **Phish** view in Threat Explorer and Real-time detections shows information about email messages that were identified as phishing. ++To open the **Phish** view, do one of the following steps: ++- **Threat Explorer**: On the **Explorer** page in the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Explorer** \> **Phish** tab. Or, go directly to the **Explorer** page using <https://security.microsoft.com/threatexplorerv3>, and then select the **Phish** tab. +- **Real-time detections**: On the **Real-time detections** page in the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Explorer** \> **Phish** tab. Or, go directly to the **Real-time detections** page using <https://security.microsoft.com/realtimereportsv3>, and then select the **Phish** tab. +++### Filterable properties in the Phish view in Threat Explorer and Real-time detections ++By default, no property filters are applied to the data. The steps to create filters (queries) are described in the [Filters in Threat Explorer and Real-time detections](#property-filters-in-threat-explorer-and-real-time-detections) section later in this article. 
++The filterable properties that are available in the **Sender address** box in the **Malware** view are described in the following table: ++|Property|Type|Threat<br/>Explorer|Real-time<br/>detections| +|||::|::| +|**Basic**|||| +|Sender address|Text. Separate multiple values by commas.|✔|✔| +|Recipients|Text. Separate multiple values by commas.|✔|✔| +|Sender domain|Text. Separate multiple values by commas.|✔|✔| +|Recipient domain|Text. Separate multiple values by commas.|✔|✔| +|Subject|Text. Separate multiple values by commas.|✔|✔| +|Sender display name|Text. Separate multiple values by commas.|✔|✔| +|Sender mail from address|Text. Separate multiple values by commas.|✔|✔| +|Sender mail from domain|Text. Separate multiple values by commas.|✔|✔| +|Return path|Text. Separate multiple values by commas.|✔|✔| +|Return path domain|Text. Separate multiple values by commas.|✔|✔| +|Tags|Text. Separate multiple values by commas. <br/><br/> For more information about user tags, see [User tags](user-tags-about.md).|✔|| +|Impersonated domain|Text. Separate multiple values by commas.|✔|✔| +|Impersonated user|Text. Separate multiple values by commas.|✔|✔| +|Exchange transport rule|Text. Separate multiple values by commas.|✔|| +|Data loss prevention rule|Text. Separate multiple values by commas.|✔|| +|Context|Select one or more values: <ul><li>**Evaluation**</li><li>**Priority account protection**</li></ul>|✔|| +|Connector|Text. 
Separate multiple values by commas.|✔|| +|Delivery action|Select one or more values: <ul><li>**Blocked**</li><li>**Delivered**</li><li>**Delivered to junk**</li><li>**Replaced**</li></ul>|✔|✔| +|Additional action|Select one or more values: <ul><li>**Automated remediation**</li><li>**Dynamic Delivery**</li><li>**Manual remediation**</li><li>**None**</li><li>**Quarantine release**</li><li>**Reprocessed**</li><li>**ZAP**</li></ul>|✔|✔| +|Directionality|Select one or more values: <ul><li>**Inbound**</li><li>**Intra-irg**</li><li>**Outbound**</li></ul>|✔|✔| +|Detection technology|Select one or more values: <ul><li>**Advanced filter**</li><li>**Antimalware protection**</li><li>**Bulk**</li><li>**Campaign**</li><li>**Domain reputation**</li><li>**File detonation**</li><li>**File detonation reputation**</li><li>**File reputation**</li><li>**Fingerprint matching**</li><li>**General filter**</li><li>**Impersonation brand**</li><li>**Impersonation domain**</li><li>**Impersonation user**</li><li>**IP reputation**</li><li>**Mailbox intelligence impersonation**</li><li>**Mixed analysis detection**</li><li>**spoof DMARC**</li><li>**Spoof external domain**</li><li>**Spoof intra-org**</li><li>**URL detonation**</li><li>**URL detonation reputation**</li><li>**URL malicious reputation**</li></ul>|✔|✔| +|Original delivery location|Select one or more values: <ul><li>**Deleted Items folder**</li><li>**Dropped**</li><li>**Failed**</li><li>**Inbox/folder**</li><li>**Junk folder**</li><li>**On-prem/external**</li><li>**Quarantine**</li><li>**Unknown**</li></ul>|✔|✔| +|Latest delivery location|Same values as **Original delivery location**</li></ul>|✔|✔| +|Phish confidence level|Select one or more values: <ul><li>**High**</li><li>**Normal**</li></ul>|✔|| +|Primary override|Select one or more values: <ul><li>**Allowed by organization policy**</li><li>**Allowed by user policy**</li><li>**Blocked by organization policy**</li><li>**Blocked by user policy**</li><li>**None**</li></ul>|✔|✔| 
+|Primary override source|Select one or more values: <ul><li>**3rd Party Filter**</li><li>**Admin initiated time travel**</li><li>**Antimalware policy block by file type**</li><li>**Antispam policy settings**</li><li>**Connection policy**</li><li>**Exchange transport rule**</li><li>**Exclusive mode (User override)**</li><li>**Filtering skipped due to on-prem organization**</li><li>**IP region filter from policy**</li><li>**Language filter from policy**</li><li>**Phishing Simulation**</li><li>**Quarantine release**</li><li>**SecOps Mailbox**</li><li>**Sender address list (Admin Override)**</li><li>**Sender address list (User override)**</li><li>**Sender domain list (Admin Override)**</li><li>**Sender domain list (User override)**</li><li>**Tenant Allow/Block List file block**</li><li>**Tenant Allow/Block List sender email address block**</li><li>**Tenant Allow/Block List spoof block**</li><li>**Tenant Allow/Block List URL block**</li><li>**Trusted contact list (User override)**</li><li>**Trusted domain (User override)**</li><li>**Trusted recipient (User override)**</li><li>**Trusted senders only (User override)**</li></ul>|✔|✔| +|Override source|Same values as **Primary override source**</li></ul>|✔|✔| +|Policy type|Select one or more values: <ul><li>**Anti-malware policy**</li><li>**Anti-phishing policy**</li><li>**Exchange transport rule** (mail flow rule), **Hosted content filter policy** (anti-spam policy), **Hosted outbound spam filter policy** (outbound spam policy), **Safe Attachments policy**</li><li>**Unknown**</li></ul>|✔|✔| +|Policy action|Select one or more values: <ul><li>**Add x-header**</li><li>**Bcc message**</li><li>**Delete message**</li><li>**Modify subject**</li><li>**Move to Junk Email folder**</li><li>**No action taken**</li><li>**Redirect message**</li><li>**Send to quarantine**</li></ul>|✔|✔| +|Email size|Integer. Separate multiple values by commas.|✔|✔| +|**Advanced**|||| +|Internet Message ID|Text. Separate multiple values by commas. 
<br/><br/> Available in the **Message-ID** header field in the message header. An example value is `<08f1e0f6806a47b4ac103961109ae6ef@server.domain>` (note the angle brackets).|✔|✔| +|Network message ID|Text. Separate multiple values by commas. <br/><br/> A GUID value that's available in the **X-MS-Exchange-Organization-Network-Message-Id** header field in the message header.|✔|✔| +|Sender IP|Text. Separate multiple values by commas.|✔|✔| +|Attachment SHA256|Text. Separate multiple values by commas.|✔|✔| +|Cluster ID|Text. Separate multiple values by commas.|✔|✔| +|Alert ID|Text. Separate multiple values by commas.|✔|✔| +|Alert Policy ID|Text. Separate multiple values by commas.|✔|✔| +|Campaign ID|Text. Separate multiple values by commas.|✔|✔| +|ZAP URL signal|Text. Separate multiple values by commas.|✔|| +|**Urls**|||| +|URL Count|Integer. Separate multiple values by commas.|✔|✔| +|URL domain|Text. Separate multiple values by commas.|✔|✔| +|URL domain and path|Text. Separate multiple values by commas.|✔|| +|URL|Text. Separate multiple values by commas.|✔|| +|URL path|Text. Separate multiple values by commas.|✔|| +|URL source|Select one or more values: <ul><li>**Attachments**</li><li>**Cloud attachment**</li><li>**Email body**</li><li>**Email header**</li><li>**QR Code**</li><li>**Subject**</li><li>**Unknown**</li></ul>|✔|✔| +|Click verdict|Select one or more values: <ul><li>**Allowed**</li><li>**Block overridden**</li><li>**Blocked**</li><li>**Error**</li><li>**Failure**</li><li>**None**</li><li>**Pending verdict**</li><li>**Pending verdict bypassed**</li></ul>|✔|✔| +|URL Threat|Select one or more values: <ul><li>**Malware**</li><li>**Phish**</li><li>**Spam**</li></ul>|✔|✔| +|**File**|||| +|Attachment Count|Integer. Separate multiple values by commas.|✔|✔| +|Attachment filename|Text. Separate multiple values by commas.|✔|✔| +|File type|Text. Separate multiple values by commas.|✔|✔| +|File Extension|Text. 
Separate multiple values by commas.|✔|✔| +|File Size|Integer. Separate multiple values by commas.|✔|✔| +|**Authentication**|||| +|SPF|Select one or more values: <ul><li>**Fail**</li><li>**Neutral**</li><li>**None**</li><li>**Pass**</li><li>**Permanent error**</li><li>**Soft fail**</li><li>**Temporary error**</li></ul>|✔|✔| +|DKIM|Select one or more values: <ul><li>**Error**</li><li>**Fail**</li><li>**Ignore**</li><li>**None**</li><li>**Pass**</li><li>**Test**</li><li>**Timeout**</li><li>**Unknown**</li></ul>|✔|✔| +|DMARC|Select one or more values: <ul><li>**Best guess pass**</li><li>**Fail**</li><li>**None**</li><li>**Pass**</li><li>**Permanent error**</li><li>**Selector pass**</li><li>**Temporary error**</li><li>**Unknown**</li></ul>|✔|✔| +|Composite|Select one or more values: <ul><li>**Fail**</li><li>**None**</li><li>**Pass**</li><li>**Soft pass**</li></ul>| ++### Pivots for the chart in the Phish view in Threat Explorer and Real-time Detections ++The chart has a default view, but you can select a value from **Select pivot for histogram chart** to change how the filtered or unfiltered chart data is organized and displayed. ++The chart pivots that are available in the **Phish** view in Threat Explorer and Real-time detections are listed in the following table: ++|Pivot|Threat<br/>Explorer|Real-time<br/>detections| +||::|::| +|**Sender domain**|✔|✔| +|**Sender IP**|✔|| +|**Delivery action**|✔|✔| +|**Detection technology**|✔|✔| +|**Full URL**|✔|| +|**URL domain**|✔|✔| +|**URL domain and path**|✔|| ++The available chart pivots are described in the following subsections. ++#### Sender domain chart pivot in the Phish view in Threat Explorer and Real-time detections ++Although this pivot doesn't look selected by default, **Sender domain** is the default chart pivot in the **Phish** view in Real-time detections. ++The **Sender domain** pivot organizes the chart by the domains in messages for the specified date/time range and property filters. 
+++Hovering over a data point in the chart shows the count for each sender domain. ++#### Sender IP chart pivot in the Phish view in Threat Explorer ++The **Sender IP** pivot organizes the chart by the source IP addresses of messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each source IP address. ++#### Delivery action chart pivot in the Phish view in Threat Explorer and Real-time detections ++Although this pivot doesn't look selected by default, **Delivery action** is the default chart pivot in the **Phish** view in Threat Explorer. ++The **Delivery action** pivot organizes the chart by the actions taken on messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each delivery action. ++#### Detection technology chart pivot in the Phish view in Threat Explorer and Real-time detections ++The **Detection technology** pivot organizes the chart by the feature that identified the phishing messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each detection technology. ++#### Full URL chart pivot in the Phish view in Threat Explorer ++The **Full URL** pivot organizes the chart by the full URLs in phishing messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each full URL. ++#### URL domain chart pivot in the Phish view in Threat Explorer and Real-time detections ++The **URL domain** pivot organizes the chart by the domains in URLs in phishing messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each URL domain. 
++#### URL domain and path chart pivot in the Phish view in Threat Explorer ++The **URL domain and path** pivot organizes the chart by the domains and paths in URLs in phishing messages for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each URL domain and path. ++### Views for the details area of the Phish view in Threat Explorer ++The available views (tabs) in the details area of the **Phish** view are listed in the following table, and are described in the following subsections. ++|View|Threat<br/>Explorer|Real-time<br/>detections| +||::|::| +|**Email**|✔|✔| +|**URL clicks**|✔|✔| +|**Top URLs**|✔|✔| +|**Top clicks**|✔|✔| +|**Top targeted users**|✔|| +|**Email origin**|✔|| +|**Campaign**|✔|| ++#### Email view for the details area of the Phish view in Threat Explorer and Real-time detections ++**Email** is the default view for the details area of the **Phish** view in Threat Explorer and Real-time detections. ++The **Email** view shows a details table. You can sort the entries by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. ++The following table shows the columns that are available in Threat Explorer and Real-time detections. The default values are marked with an asterisk (<sup>\*</sup>). 
++|Column|Threat<br/>Explorer|Real-time<br/>detections| +||::|::| +|**Date**<sup>\*</sup>|✔|✔| +|**Subject**<sup>\*</sup>|✔|✔| +|**Recipient**<sup>\*</sup>|✔|✔| +|**Recipient domain**|✔|✔| +|**Tags**<sup>\*</sup>|✔|| +|**Sender address**<sup>\*</sup>|✔|✔| +|**Sender display name**|✔|✔| +|**Sender domain**<sup>\*</sup>|✔|✔| +|**Sender IP**|✔|✔| +|**Sender mail from address**|✔|✔| +|**Sender mail from domain**|✔|✔| +|**Additional actions**<sup>\*</sup>|✔|✔| +|**Delivery action**|✔|✔| +|**Latest delivery location**<sup>\*</sup>|✔|✔| +|**Original delivery location**<sup>\*</sup>|✔|✔| +|**System overrides source**|✔|✔| +|**System overrides**|✔|✔| +|**Alert ID**|✔|✔| +|**Internet message ID**|✔|✔| +|**Network message ID**|✔|✔| +|**Mail language**|✔|✔| +|**Exchange transport rule**|✔|| +|**Connector**|✔|| +|**Phish confidence level**|✔|| +|**Context**|✔|| +|**Data loss prevention rule**|✔|| +|**Threat type**<sup>\*</sup>|✔|✔| +|**Detection technology**|✔|✔| +|**Attachment Count**|✔|✔| +|**URL Count**|✔|✔| +|**Email size**|✔|✔| ++> [!TIP] +> To see all columns, you likely need to do one or more of the following steps: +> +> - Horizontally scroll in your web browser. +> - Narrow the width of appropriate columns. +> - Remove columns from the view. +> - Zoom out in your web browser. +> +> Customized column settings are saved per user. Customized column settings in Incognito or InPrivate browsing mode are saved until you close the web browser. ++When you select one or more entries from the list by selecting the check box next to the first column, **Message actions** is available. For information, see [Threat hunting: Email remediation](threat-explorer-threat-hunting.md#email-remediation). ++When you click on the **Subject** or **Recipient** values in an entry, details flyouts open. These flyouts are described in the following subsections. 
++##### Subject details from the Email view of the details area in the Phish view ++When you select an entry by clicking on the **Subject** value, a details flyout opens. The information in the flyout is the same as described in [Subject details from the Email view of the details area in the All email view](#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view). ++> [!TIP] +> The :::image type="icon" source="../../media/m365-cc-sc-go-hunt-icon.png" border="false"::: **Go hunt** action is available only in Threat Explorer. It isn't available in Real-time detections. ++##### Recipient details from the Email view of the details area in the Phish view ++When you select an entry by clicking on the **Recipient** value, a details flyout opens. The information in the flyout is the same as described in [Recipient details from the Email view of the details area in the All email view](#recipient-details-from-the-email-view-of-the-details-area-in-the-all-email-view). ++#### URL clicks view for the details area of the Phish view in Threat Explorer and Real-time detections ++The **URL clicks** view shows a chart that can be organized using pivots. The chart has a default view, but you can select a value from **Select pivot for histogram chart** to change how the filtered or unfiltered chart data is organized and displayed. 
++The chart pivots that are available in the **Malware** view in Threat Explorer and Real-time detections are described in the following table: ++|Pivot|Threat<br/>Explorer|Real-time<br/>detections| +||::|::| +|**URL domain**|✔|✔| +|**Click verdict**|✔|✔| +|**URL**|✔|| +|**URL domain and path**|✔|| ++The same chart pivots are available and described for the **All email** view in Threat Explorer: ++- [URL domain pivot for the URL clicks view for the details area of the All email view in Threat Explorer](#url-domain-pivot-for-the-url-clicks-view-for-the-details-area-of-the-all-email-view-in-threat-explorer) +- [Click verdict pivot for the URL clicks view for the details area of the All email view in Threat Explorer](#click-verdict-pivot-for-the-url-clicks-view-for-the-details-area-of-the-all-email-view-in-threat-explorer) +- [URL pivot for the URL clicks view for the details area of the All email view in Threat Explorer](#url-pivot-for-the-url-clicks-view-for-the-details-area-of-the-all-email-view-in-threat-explorer) +- [URL domain and path pivot for the URL clicks view for the details area of the All email view in Threat Explorer](#url-domain-and-path-pivot-for-the-url-clicks-view-for-the-details-area-of-the-all-email-view-in-threat-explorer) +++> [!TIP] +> In Threat Explorer, each pivot in **URL clicks** view has a :::image type="icon" source="../../media/m365-cc-sc-view-icon.png" border="false"::: **View all clicks** action that opens the [URL clicks view in Threat Explorer](#url-clicks-view-in-threat-explorer) in a new tab. This action isn't available in Real-time detections, because the **URL clicks** view isn't avaialble in Real-time detections. ++#### Top URLs view for the details area of the Phish view in Threat Explorer and Real-time detections ++The **Top URLs** view shows a details table. 
You can sort the entries by clicking on an available column header: ++- **URL** +- **Messages blocked** +- **Messages junked** +- **Messages delivered** ++##### Top URLs details for the Phish view ++When you select an entry by clicking anywhere in the row other than the check box next to the first column, a details flyout opens. The information in the flyout is the same as described in [Top URLs details for the All email view](#top-urls-details-for-the-all-email-view). ++> [!TIP] +> The :::image type="icon" source="../../media/m365-cc-sc-go-hunt-icon.png" border="false"::: **Go hunt** action is available only in Threat Explorer. It isn't available in Real-time detections. ++#### Top clicks view for the details area of the Phish view in Threat Explorer and Real-time detections ++The **Top clicks** view shows a details table. You can sort the entries by clicking on an available column header: ++- **URL** +- **Blocked** +- **Allowed** +- **Block overridden** +- **Pending verdict** +- **Pending verdict bypassed** +- **None** +- **Error page** +- **Failure** ++> [!TIP] +> All available columns are selected. If you select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**, you can't deselect any columns. +> +> To see all columns, you likely need to do one or more of the following steps: +> +> - Horizontally scroll in your web browser. +> - Narrow the width of appropriate columns. +> - Zoom out in your web browser. ++When you select an entry by clicking anywhere in the row other than the check box next to the first column, a details flyout opens. The information in the flyout is the same as described in [Top URLs details for the All email view](#top-urls-details-for-the-all-email-view). ++#### Top targeted users view for the details area of the Phish view in Threat Explorer ++The **Top targeted users** view organizes the data into a table of the top five recipients who were targeted by phishing attempts. 
The table shows: ++- **Top targeted users**: The email address of the top targeted user. If you select an email address, a details flyout opens. The information in the flyout is the same as described in [Top targeted users view for the details area of the All email view in Threat Explorer](#top-targeted-users-view-for-the-details-area-of-the-all-email-view-in-threat-explorer). ++- The number of attempts: If you select the number of attempts, Threat Explorer opens in a new tab filtered by the malware family name. ++> [!TIP] +> Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the list of up to 3000 users and the corresponding attempts. ++#### Email origin view for the details area of the Phish view in Threat Explorer ++The **Email origin** view shows message sources on a map of the world. ++#### Campaign view for the details area of the Phish view in Threat Explorer ++The **Campaign** view shows a details table. You can sort the entries by clicking on an available column header. ++The information in the table is the same as described in [details table on the Campaigns page](campaigns.md#details-area-on-the-campaigns-page). ++When you select an entry by clicking anywhere in the row other than the check box next to the **Name**, a details flyout opens. The information in the flyout is the same as described in [Campaign details](campaigns.md#campaign-details). ++## Campaigns view in Threat Explorer ++The **Campaigns** view in Threat Explorer shows information about threats that were identified as coordinated phishing and malware attacks, either specific to your organization, or to other organizations in Microsoft 365. ++To open the **Campaigns** view on the **Explorer** page in the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Explorer** \> **Campaigns** tab. 
Or, go directly to the **Explorer** page using <https://security.microsoft.com/threatexplorerv3>, and then select the **Campaigns** tab. ++All of the available information and actions are identical to the information and actions on the **Campaigns** page at <https://security.microsoft.com/campaignsv3>. For more information, see [Campaigns page in the Microsoft Defender portal](campaigns.md#campaigns-page-in-the-microsoft-defender-portal). +++## Content malware view in Threat Explorer and Real-time detections ++The **Content malware** view in Threat Explorer and Real-time detections shows information about files that were identified as malware by: ++- [Built-in virus protection in SharePoint, OneDrive, and Microsoft Teams](anti-malware-protection-for-spo-odfb-teams-about.md) +- [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md). ++To open the **Content malware** view, do one of the following steps: ++- **Threat Explorer**: On the **Explorer** page in the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Explorer** \> **Content malware** tab. Or, go directly to the **Explorer** page using <https://security.microsoft.com/threatexplorerv3>, and then select the **Content malware** tab. +- **Real-time detections**: On the **Real-time detections** page in the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Explorer** \> **Content malware** tab. Or, go directly to the **Real-time detections** page using <https://security.microsoft.com/realtimereportsv3>, and then select the **Content malware** tab. +++### Filterable properties in the Content malware view in Threat Explorer and Real-time detections ++By default, no property filters are applied to the data. 
The steps to create filters (queries) are described in the [Filters in Threat Explorer and Real-time detections](#property-filters-in-threat-explorer-and-real-time-detections) section later in this article. ++The filterable properties that are available in the **File name** box in the **Content malware** view in Threat Explorer and Real-time detections are described in the following table: ++|Property|Type|Threat<br/>Explorer|Real-time<br/>detections| +|||::|::| +|**File**|||| +|File name|Text. Separate multiple values by commas.|✔|✔| +|Workload|Select one or more values: <ul><li>**OneDrive**</li><li>**SharePoint**</li><li>**Teams**</li></ul>|✔|✔| +|Site|Text. Separate multiple values by commas.|✔|✔| +|File owner|Text. Separate multiple values by commas.|✔|✔| +|Last modified by|Text. Separate multiple values by commas.|✔|✔| +|SHA256|Integer. Separate multiple values by commas. <br/><br/> To find the SHA256 hash value of a file in Windows, run the following command in a Command Prompt: `certutil.exe -hashfile "<Path>\<Filename>" SHA256`.|✔|✔| +|Malware family|Text. 
Separate multiple values by commas.|✔|✔| +|Detection technology|Select one or more values: <ul><li>**Advanced filter**</li><li>**Antimalware protection**</li><li>**Bulk**</li><li>**Campaign**</li><li>**Domain reputation**</li><li>**File detonation**</li><li>**File detonation reputation**</li><li>**File reputation**</li><li>**Fingerprint matching**</li><li>**General filter**</li><li>**Impersonation brand**</li><li>**Impersonation domain**</li><li>**Impersonation user**</li><li>**IP reputation**</li><li>**Mailbox intelligence impersonation**</li><li>**Mixed analysis detection**</li><li>**spoof DMARC**</li><li>**Spoof external domain**</li><li>**Spoof intra-org**</li><li>**URL detonation**</li><li>**URL detonation reputation**</li><li>**URL malicious reputation**</li></ul>|✔|✔| +|Threat type|Select one or more values: <ul><li>**Block**</li><li>**Malware**</li><li>**Phish**</li><li>**Spam**</li></ul>|✔|✔| ++### Pivots for the chart in the Content malware view in Threat Explorer and Real-time Detections ++The chart has a default view, but you can select a value from **Select pivot for histogram chart** to change how the filtered or unfiltered chart data is organized and displayed. ++The chart pivots that are available in the **Content malware** view in Threat Explorer and Real-time detections are listed in the following table: ++|Pivot|Threat<br/>Explorer|Real-time<br/>detections| +||::|::| +|**Malware family**|✔|✔| +|**Detection technology**|✔|✔| +|**Workload**|✔|✔| ++The available chart pivots are described in the following subsections. ++#### Malware family chart pivot in the Content malware view in Threat Explorer and Real-time detections ++Although this pivot doesn't look selected by default, **Malware family** is the default chart pivot in the **Content malware** view in Threat Explorer and Real-time detections. 
++The **Malware family** pivot organizes the chart by the malware identified in files in SharePoint, OneDrive, and Microsoft Teams using the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each malware family. ++#### Detection technology chart pivot in the Content malware view in Threat Explorer and Real-time detections ++The **Detection technology** pivot organizes the chart by the feature that identified malware in files in SharePoint, OneDrive, and Microsoft Teams for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each detection technology. ++#### Workload chart pivot in the Content malware view in Threat Explorer and Real-time detections ++The **Workload** pivot organizes the chart by where the malware was identified (SharePoint, OneDrive, or Microsoft Teams) for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each workload. ++### Views for the details area of the Content malware view in Threat Explorer and Real-time detections ++In Threat Explorer and Real-time detections, the details area of the **Content malware** view contains only one view (tab) named **Documents**. This view is described in the following subsection. ++#### Document view for the details area of the Content malware view in Threat Explorer and Real-time detections ++**Document** is the default and only view for the details area in the **Content malware** view. ++The **Document** view shows a details table. You can sort the entries by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. 
The default values are marked with an asterisk (<sup>\*</sup>): ++- **Date**<sup>\*</sup> +- **Name**<sup>\*</sup> +- **Workload**<sup>\*</sup> +- **Threat**<sup>\*</sup> +- **Detection technology**<sup>\*</sup> +- **Last modifying user**<sup>\*</sup> +- **File owner**<sup>\*</sup> +- **Size (bytes)**<sup>\*</sup> +- **Last modified time** +- **Site path** +- **File path** +- **Document ID** +- **SHA256** +- **Detected date** +- **Malware family** +- **Context** ++> [!TIP] +> To see all columns, you likely need to do one or more of the following steps: +> +> - Horizontally scroll in your web browser. +> - Narrow the width of appropriate columns. +> - Remove columns from the view. +> - Zoom out in your web browser. +> +> Customized column settings are saved per user. Customized column settings in Incognito or InPrivate browsing mode are saved until you close the web browser. ++When you select a filename value from the **Name** column, a details flyout opens. The flyout contains the following information: ++- **Summary** section: + - **Filename** + - **Site path** + - **File path** + - **Document ID** + - **SHA256** + - **Last date modified** + - **Last modified by** + - **Threat** + - **Detection technology** +- **Details** section: + - **Detected date** + - **Detected by** + - **Malware name** + - **Last modified by** + - **File size** + - **File owner** +- **Email list** section: A table showing the following related information for messages that contain the malware file: + - **Date** + - **Subject** + - **Recipient** ++ Select **View all email** to open Threat Explorer in a new tab filtered by the malware family name. ++- **Recent activity**: Shows the summarized results of an [Audit log search](/purview/audit-new-search) for the recipient: + - **Date** + - **IP address** + - **Activity** + - **Item** ++ If the recipient has more than three audit log entries, select **View all recent activity** to see all of them. 
++ > [!TIP] + > Members of the **Security Administrators** role group in [Email & collaboration permissions](mdo-portal-permissions.md) can't expand the **Recent activity** section. You need to be a member of a role group in [Exchange Online permissions](/exchange/permissions-exo/permissions-exo) that has the **Audit Logs**, **Information Protection Analyst**, or **Information Protection Investigator** roles assigned. By default, those roles are assigned to the **Records Management**, **Compliance Management**, **Information Protection**, **Information Protection Analysts**, **Information Protection Investigators**, and **Organization Management** role groups. You can add the members of **Security Administrators** to those role groups, or you can [create a new role group](/exchange/recipients-in-exchange-online/manage-permissions-for-recipients#use-the-eac-to-assign-permissions-to-individual-mailboxes) with with the **Audit Logs** role assigned. +++## URL clicks view in Threat Explorer ++The **URL clicks** view in Threat Explorer shows all user clicks on URLs in email, in supported Office files in SharePoint and OneDrive, and in Microsoft Teams. ++To open the **URL clicks** view on the **Explorer** page in the Defender portal at <https://security.microsoft.com>, go to **Email & collaboration** \> **Explorer** \> **URL clicks** tab. Or, go directly to the **Explorer** page using <https://security.microsoft.com/threatexplorerv3>, and then select the **URL clicks** tab. +++### Filterable properties in the URL clicks view in Threat Explorer ++By default, no property filters are applied to the data. The steps to create filters (queries) are described in the [Filters in Threat Explorer and Real-time detections](#property-filters-in-threat-explorer-and-real-time-detections) section later in this article. 
++The filterable properties that are available in the **Recipients** box in the **URL clicks** view in Threat Explorer are described in the following table: ++|Property|Type| +||| +|**Basic**|| +|Recipients|Text. Separate multiple values by commas.| +|Tags|Text. Separate multiple values by commas. <br/><br/> For more information about user tags, see [User tags](user-tags-about.md).| +|Network message ID|Text. Separate multiple values by commas. <br/><br/> A GUID value that's available in the **X-MS-Exchange-Organization-Network-Message-Id** header field in the message header.| +|URL|Text. Separate multiple values by commas.| +|Click action|Select one or more values: <ul><li>**Allowed**</li><li>**Block page**</li><li>**Block page override**</li><li>**Error page**</li><li>**Failure**</li><li>**None**</li><li>**Pending detonation page**</li><li>**Pending detonation page override**</li></ul>| +|Threat type|Select one or more values: <ul><li>**Allow**</li><li>**Block**</li><li>**Malware**</li><li>**Phish**</li><li>**Spam**</li></ul>| +|Detection technology|Select one or more values: <ul><li>**URL detonation**</li><li>**URL detonation reputation**</li><li>**URL malicious reputation**</li></ul>| +|Click ID|Text. Separate multiple values by commas.| +|Client IP|Text. Separate multiple values by commas.| ++### Pivots for the chart in the URL clicks view in Threat Explorer ++The chart has a default view, but you can select a value from **Select pivot for histogram chart** to change how the filtered or unfiltered chart data is organized and displayed. ++The available chart pivots are described in the following subsections. ++#### URL domain chart pivot in the URL clicks view in Threat Explorer ++Although this pivot doesn't look selected by default, **URL domain** is the default chart pivot in the **URL clicks** view. 
++The **URL domain** pivot organizes the chart by the domains in URLs that users clicked in email, Office files, or Microsoft Teams for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each URL domain. ++#### Workload chart pivot in the URL clicks view in Threat Explorer ++The **Workload** pivot organizes the chart by the location of the clicked URL (email, Office files, or Microsoft Teams) for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each workload. ++#### Detection technology chart pivot in the URL clicks view in Threat Explorer ++The **Detection technology** pivot organizes the chart by the feature that identified the URL clicks in email, Office files, or Microsoft Teams for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each detection technology. ++#### Threat type chart pivot in the URL clicks view in Threat Explorer ++The **Threat type** pivot organizes the chart by the results for clicked URLs in email, Office files, or Microsoft Teams for the specified date/time range and property filters. +++Hovering over a data point in the chart shows the count for each threat type technology. ++### Views for the details area of the URL clicks view in Threat Explorer ++The available views (tabs) in the details area of the **URL clicks** view are described in the following subsections. ++#### Results view for the details area of the URL clicks view in Threat Explorer ++**Results** is the default view for the details area in the **URL clicks** view. ++The **Results** view shows a details table. You can sort the entries by clicking on an available column header. Select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns** to change the columns that are shown. 
By default, all columns are selected: ++- **Time clicked** +- **Recipient** +- **URL click action** +- **URL** +- **Tags** +- **Network message ID** +- **Click ID** +- **Client IP** +- **URL chain** +- **Threat type** +- **Detection technology** ++> [!TIP] +> To see all columns, you likely need to do one or more of the following steps: +> +> - Horizontally scroll in your web browser. +> - Narrow the width of appropriate columns. +> - Remove columns from the view. +> - Zoom out in your web browser. +> +> Customized column settings are saved per user. Customized column settings in Incognito or InPrivate browsing mode are saved until you close the web browser. ++Select one or entries by selecting the check box next to the first column in the row, and then select :::image type="icon" source="../../media/m365-cc-sc-view-icon.png" border="false"::: **View all emails** to open Threat Explorer in **All email** view in a new tab filtered by the **Network message ID** values of the selected messages. ++#### Top clicks view for the details area of the URL clicks view in Threat Explorer ++The **Top clicks** view shows a details table. You can sort the entries by clicking on an available column header: ++- **URL** +- **Blocked** +- **Allowed** +- **Block overridden** +- **Pending verdict** +- **Pending verdict bypassed** +- **None** +- **Error page** +- **Failure** ++> [!TIP] +> All available columns are selected. If you select :::image type="icon" source="../../media/m365-cc-sc-customize-icon.png" border="false"::: **Customize columns**, you can't deselect any columns. +> +> To see all columns, you likely need to do one or more of the following steps: +> +> - Horizontally scroll in your web browser. +> - Narrow the width of appropriate columns. +> - Zoom out in your web browser. 
++Select an entry by selecting the check box next to the first column in the row, and then select :::image type="icon" source="../../media/m365-cc-sc-view-icon.png" border="false"::: **View all clicks** to open Threat Explorer in a new tab in **URL clicks** view. <! Doesn't work? No filters > ++When you select an entry by clicking anywhere in the row other than the check box next to the first column, a details flyout opens. The information in the flyout is the same as described in [Top URLs details for the All email view](#top-urls-details-for-the-all-email-view). ++#### Top targeted users view for the details area of the URL clicks view in Threat Explorer ++The **Top targeted users** view organizes the data into a table of the top five recipients who clicked on URLs. The table shows: ++- **Top targeted users**: The email address of the top targeted user. If you select an email address, a details flyout opens. The information in the flyout is the same as described in [Top targeted users view for the details area of the All email view in Threat Explorer](#top-targeted-users-view-for-the-details-area-of-the-all-email-view-in-threat-explorer). ++- The number of attempts: If you select the number of attempts, Threat Explorer opens in a new tab filtered by the malware family name. ++> [!TIP] +> Use :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the list of up to 3000 users and the corresponding attempts. ++## Property filters in Threat Explorer and Real-time detections ++The basic syntax of a property filter/query is: ++Condition = \<Filter property\> \<Filter operator> \<Property value or values\> ++Multiple conditions use the following syntax: ++\<Condition1> \<AND | OR\> \<Condition2> \<AND | OR\> \<Condition3>... \<AND | OR\> \<ConditionN> ++> [!TIP] +> Wildcard searches (**\*** or **?**) aren't supported in text or integer values. 
The **Subject** property uses partial text matching, and yields results similar to a wildcard search. ++The steps to create property filter/query conditions are the same in all views in Threat Explorer and Real-time detections: ++1. Identify the filter property using the tables in the preview view description sections earlier in this article. ++2. Select an available filter operator. The available filter operators depend on the property type as described in the following table: ++ |Filter operator|Property type| + ||| + |**Equal any of**|Text <br/> Integer <br/> Discreet values| + |**Equal none of**|Text <br/> Discreet values| + |**Greater than**|Integer| + |**Less than**|Integer| ++3. Enter or select one or more property values. For text values and integers, you can enter multiple values separated by commas. ++ Multiple values in the property value use the OR logical operator. For example, **Sender address** \> **Equal any of** \> `bob@fabrikam.com,cindy@fabrikam.com` means **Sender address** \> **Equal any of** \> `bob@fabrikam.com` OR `cindy@fabrikam.com`. ++ After you enter or select one or more property values, the completed filter condition appears below the filter creation boxes. ++ > [!TIP] + > For properties that require you to select one or more available values, using the property in the filter condition with all values selected has the same result as not using the property in the filter condition. ++4. To add another condition, repeat the previous three steps. ++ The conditions below the filter creation boxes are separated by the logical operator that was selected at the time you created the second or subsequent conditions. The default value is **AND**, but you can also select **OR**. ++ The same logical operator is used between all conditions: they're all **AND** or they're all **OR**. To change the existing logical operators, select the logical operator box, and then select **AND** or **OR**. 
++ To edit an existing condition, double-click on it to bring the selected property, filter operator, and values back into the corresponding boxes. ++ To remove an existing condition, select :::image type="icon" source="../../media/m365-cc-sc-remove-selection-icon.png" border="false"::: on the condition. ++5. To apply the filter to the chart and the details table, select **Refresh** ++ :::image type="content" source="../../media/te-rtd-query-builder.png" alt-text="Screenshot of an example query in Threat Explorer or Real-time detections showing multiple conditions." lightbox="../../media/te-rtd-query-builder.png"::: ++### Saved queries in Threat Explorer ++> [!TIP] +> **Save query** isn't available in Real-time detections. It's available only in Threat Explorer. +> +> **Save query** isn't available in the [Content malware view](#content-malware-view-in-threat-explorer-and-real-time-detections). ++Most views in Threat Explorer allow you to save filters (queries) for later use. Saved queries are available on the **Threat tracker** page in the Defender portal at <https://security.microsoft.com/threattrackerv2>. For more information about Threat trackers, see [About Threat trackers](threat-trackers.md). ++To save queries in Threat Explorer, do the following steps: ++1. After you create the filter/query as previously described, select **Save query** \> :::image type="icon" source="../../media/m365-cc-sc-save-icon.png" border="false"::: **Save query**. ++2. In the **Save query** flyout that opens, configure the following options: + - **Query name**: Enter a unique name for the query. + - Select one of the following options: + - **Exact dates**: Select a start date and end date in the boxes. The oldest start date that you can select is 30 days before today. The newest end date that you can select is today. + - **Relative dates**: Select the number of days in the **Show last nn days when search is run**. The default value is 7, but you can select 1 to 30. 
+ - **Track query**: By default, this option isn't selected. This option affects whether the query runs automatically: + - **Track query** not selected: The query is available for you to run manually in Threat Explorer. The query is saved on the **Saved queries** tab on the **Threat tracker** page. + - **Track query** selected: The query periodically runs in the background. The results and the query are saved on the **Tracked queries** tab on the **Threat tracker** page. ++ When you're finished in the **Save query** flyout, select **Save**, and then select **OK** in the confirmation dialog. +++On the **Saved query** or **Tracked query** tabs on the **Threat tracker** page in the Defender portal at <https://security.microsoft.com/threattrackerv2>, you can select **Explore** in the **Actions** column to open and use the query in Threat Explorer. ++When you open the query from the **Threat tracker** page, :::image type="icon" source="../../media/m365-cc-sc-save-icon.png" border="false"::: **Save query as** and :::image type="icon" source="../../media/m365-cc-sc-gear-icon.png" border="false"::: **Saved query settings** are now available in **Save query** on the **Explorer** page: ++- If you select :::image type="icon" source="../../media/m365-cc-sc-save-icon.png" border="false"::: **Save query as**, the **Save query** flyout opens with all previously selected settings. If you make changes, select **Save**, and then select **OK** in the **Success** dialog, the updated query is saved as a new query on the **Threat tracker** page (you might need to select :::image type="icon" source="../../media/m365-cc-sc-refresh-icon.png" border="false":::**Refresh** to see it). ++- If you select :::image type="icon" source="../../media/m365-cc-sc-gear-icon.png" border="false"::: **Saved query settings**, the **Saved query settings** flyout opens where you can update the date and **Track query** settings of the existing query. 
+++## More information ++- [Threat Explorer collect email details on the email entity page](mdo-email-entity-page.md) +- [Find and investigate malicious email that was delivered](threat-explorer-investigate-delivered-malicious-email.md) +- [View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md) +- [Threat protection status report](reports-email-security.md#threat-protection-status-report) +- [Automated investigation and response in Microsoft Threat Protection](air-about-office.md) |
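Review bot: the stray `<! Doesn't work? No filters >` left after the **View all clicks** sentence in the **Top clicks** section is not a valid HTML comment (Markdown needs `<!-- ... -->`), so this internal "unverified" note will render in the published page; either confirm the behavior and delete the note, or wrap it as `<!-- Doesn't work? No filters -->` until it is resolved. In the same **URL clicks** section, the **Top targeted users** bullet says selecting the number of attempts opens Threat Explorer "filtered by the malware family name", which reads as copied from the Malware view and should name the filter that actually applies to URL clicks. Smaller fixes in the same region: "Select one or entries" should be "Select one or more entries"; "the count for each threat type technology" has a stray "technology"; "Discreet values" in the filter operator table should be "Discrete values"; "the preview view description sections" is presumably "the previous view description sections"; step 5 "select **Refresh**" is missing its period; and the tab names alternate between **Saved queries**/**Tracked queries** and **Saved query**/**Tracked query**, so pick one and use it in both places. The last link in **More information** still says "Microsoft Threat Protection" where the rest of the article uses Microsoft Defender XDR.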
security | Threat Explorer Threat Hunting | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-threat-hunting.md | Title: Threat hunting in Threat Explorer for Microsoft Defender for Office 365 + Title: Threat hunting in Threat Explorer and Real-time detections f1.keywords: - NOCSH---+++ audience: ITPro Previously updated : 6/20/2023 Last updated : 3/5/2024 ms.localizationpriority: medium - m365-security - tier1-description: Use Threat Explorer or Real-time detections in the Microsoft Defender portal to investigate and respond to threats efficiently. +description: Learn about threat hunting and remediation in Microsoft Defender for Office 365 using Threat Explorer or Real-time detections in the Microsoft Defender portal. - seo-marvel-apr2020 appliesto: - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> -# Threat hunting in Threat Explorer for Microsoft Defender for Office 365 +# Threat hunting in Threat Explorer and Real-time detections in Microsoft Defender for Office 365 [!INCLUDE [MDO Trial banner](../includes/mdo-trial-banner.md)] -If your organization has [Microsoft Defender for Office 365](defender-for-office-365.md), and you have the [permissions](#required-licenses-and-permissions), you can use **Explorer** or **Real-time detections** to detect and remediate threats. +Microsoft 365 organizations that have [Microsoft Defender for Office 365](defender-for-office-365.md) included in their subscription or purchased as an add-on have **Explorer** (also known as **Threat Explorer**) or **Real-time detections**. These features are powerful, near real-time tools to help Security Operations (SecOps) teams investigate and respond to threats. For more information, see [About Threat Explorer and Real-time detections in Microsoft Defender for Office 365](threat-explorer-real-time-detections-about.md). 
-In the Microsoft Defender portal at <https://security.microsoft.com>, go to **Email & collaboration**, and then choose **Explorer** or **Real-time detections**. To go directly to the page, use <https://security.microsoft.com/threatexplorer> or <https://security.microsoft.com/realtimereports>. +Threat Explorer or Real-time detections allow you to take the following actions: -With these tools, you can: +- See malware detected by Microsoft 365 security features. +- View phishing URL and click verdict data. +- Start an automated investigation and response process (Threat Explorer only). +- Investigate malicious email. +- And more. -- See malware detected by Microsoft 365 security features-- View phishing URL and click verdict data-- Start an automated investigation and response process from a view in Explorer-- Investigate malicious email, and more+Watch this short video to learn how to hunt and investigate email and collaboration-based threats using Defender for Office 365. -For more information, see [Email security with Threat Explorer](email-security-in-microsoft-defender.md). +> [!VIDEO https://www.microsoft.com/videoplayer/embed/RWyPRU] > [!TIP]-> Advanced hunting in Microsoft Defender XDR now supports an easy-to-use query builder for analysts who want to hunt through cloud app data and other threat data (if available), even if they do not know Kusto Query Language (KQL). To get started, read [Build queries using guided mode](/microsoft-365/security/defender/advanced-hunting-query-builder). +> Advanced hunting in Microsoft Defender XDR supports an easy-to-use query builder that doesn't use the Kusto Query Language (KQL). For more information, see [Build queries using guided mode](/microsoft-365/security/defender/advanced-hunting-query-builder). -Watch this short video to learn how to hunt and investigate email and collaboration-based threats using Microsoft Defender for Office 365. 
+The following information is available in this article: -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWyPRU] +- [A general walkthrough of Threat Explorer and Real-time detections](#threat-explorer-and-real-time-detections-walkthrough) +- [The threat hunting experience using Threat Explorer and Real-time detections](#the-threat-hunting-experience-using-threat-explorer-and-real-time-detections) +- [Extended capabilities in Threat Explorer](#extended-capabilities-in-threat-explorer) -## Threat Explorer walk-through +> [!TIP] +> For email scenarios using Threat Explorer and Real-time detections, see the following articles: +> +> - [Email security with Threat Explorer and Real-time detections in Microsoft Defender for Office 365](threat-explorer-email-security.md) +> - [Investigate malicious email that was delivered in Microsoft 365](threat-explorer-investigate-delivered-malicious-email.md) ++## What do you need to know before you begin? ++- Threat Explorer is included in Defender for Office 365 Plan 2. Real-time detections is included in Defender for Office Plan 1: + - The differences between Threat Explorer and Real-time detections are described in [About Threat Explorer and Real-time detections in Microsoft Defender for Office 365](threat-explorer-real-time-detections-about.md). + - The differences between Defender for Office 365 Plan 2 and Defender for Office Plan 1 are described in the [Defender for Office 365 Plan 1 vs. Plan 2 cheat sheet](mdo-security-comparison.md#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet). ++- For permissions and licensing requirements for Threat Explorer and Real-time detections, see [Permissions and licensing for Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#permissions-and-licensing-for-threat-explorer-and-real-time-detections). 
++## Threat Explorer and Real-time detections walkthrough ++Threat Explorer or Real-time detections is available in the **Email & collaboration** section in the Microsoft Defender portal at <https://security.microsoft.com>: ++- **Real-time detections** is available in _Defender for Office 365 Plan 1_. The **Real-time detections** page is available directly at <https://security.microsoft.com/realtimereportsv3>. ++ :::image type="content" source="../../media/te-rtd-select-real-time-detections.png" alt-text="Screenshot of the Real-time detections selection in the Email & collaboration section in the Microsoft Defender portal." lightbox="../../media/te-rtd-select-real-time-detections.png"::: ++- **Threat Explorer** is available in _Defender for Office 365 Plan 2_. The **Explorer** page is available directly at <https://security.microsoft.com/threatexplorerv3>. -In Microsoft Defender for Office 365, there are two subscription plans—Plan 1 and Plan 2. Manually operated Threat hunting tools exist in both plans, under different names and with different capabilities. + :::image type="content" source="../../media/te-rtd-select-threat-explorer.png" alt-text="Screenshot of the Explorer selection in the Email & collaboration section in the Microsoft Defender portal." lightbox="../../media/te-rtd-select-threat-explorer.png"::: -Defender for Office 365 Plan 1 uses *Real-time detections*, which is a subset of the *Threat Explorer* (also called *Explorer*) hunting tool in Plan 2. In this series of articles, most of the examples were created using the full Threat Explorer. Admins should test any steps in Real-time detections to see where they apply. +Threat Explorer contains the same information and capabilities as Real-time detections, but with the following additional features: -After you go to **Explorer**, by default, you'll arrive on the **All email** page, but use the tabs to navigate to the available views. 
If you're hunting phish or digging into a threat campaign, choose those views. +- More views. +- More property filtering options, including the option to save queries. +- Threat hunting and remediation actions. -Once a security operations (Sec Ops) person selects the data they want to see, they can further narrow down the data by applying filters such as Sender, Recipient, and Subject, or select an appropriate date range to get the desired results. Remember to select Refresh to complete your filtering actions. +For more information about the differences between Defender for Office 365 Plan 1 and Plan 2, see the [Defender for Office 365 Plan 1 vs. Plan 2 cheat sheet](mdo-security-comparison.md#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet). +Use the tabs (views) at the top of the page to start your investigation. -Refining focus in Explorer or Real-time detection can be thought of in layers. The first is **View**. The second can be thought of as a *filtered focus*. For example, you can retrace the steps you took in finding a threat by recording your decisions like this: To find the issue in Explorer, **I chose the Malware View with a Recipient filter focus**. This makes retracing your steps easier. +The available views in Threat Explorer and Real-time detections are described in the following table: ++|View|Threat<br/>Explorer|Real-time<br/>detections|Description| +||::|::|| +|**All email**|✔||Default view for Threat Explorer. Information about all email messages sent by external users into your organization, or email sent between internal users in your organization.| +|**Malware**|✔|✔|Default view for Real-time detections. 
Information about email messages that contain malware.| +|**Phish**|✔|✔|Information about email messages that contain phishing threats.| +|**Campaigns**|✔||Information about malicious email that Defender for Office 365 Plan 2 identified as part of a [coordinated phishing or malware campaign](campaigns.md).| +|**Content malware**|✔|✔|Information about malicious files detected by the following features: <ul><li>[Built-in virus protection in SharePoint, OneDrive, and Microsoft Teams](anti-malware-protection-for-spo-odfb-teams-about.md)</li><li>[Safe Attachments for Sharepoint, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)</li></ul>| +|**URL clicks**|✔||Information about user clicks on URLs in email messages, Teams messages, SharePoint files, and OneDrive files.| ++Use the date/time filter and the available filter properties in the view to refine the results: ++- For instructions to create filters, see [Property filters in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#property-filters-in-threat-explorer-and-real-time-detections). 
+- The available filter properties for each view are described in the following locations: + - [Filterable properties in the All email view in Threat Explorer](threat-explorer-real-time-detections-about.md#filterable-properties-in-the-all-email-view-in-threat-explorer) + - [Filterable properties in the Malware view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#filterable-properties-in-the-malware-view-in-threat-explorer-and-real-time-detections) + - [Filterable properties in the Phish view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#filterable-properties-in-the-phish-view-in-threat-explorer-and-real-time-detections) + - [Filterable properties in the Campaigns view in Threat Explorer](campaigns.md#filters-on-the-campaigns-page) + - [Filterable properties in the Content malware view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#filterable-properties-in-the-content-malware-view-in-threat-explorer-and-real-time-detections) + - [Filterable properties in the URL clicks view in Threat Explorer](threat-explorer-real-time-detections-about.md#filterable-properties-in-the-url-clicks-view-in-threat-explorer) > [!TIP]-> If Sec Ops uses **Tags** to mark accounts they consider high valued targets, they can make selections like *Phish View with a Tags filter focus (include a date range if used)*. This will show them any phishing attempts directed at their high value user targets during a time-range (like dates when certain phishing attacks are happening a lot for their industry). +> Remember to select **Refresh** after you create or update the filter. The filters affect the information in the chart and the details area of the view. ++You can think of refining the focus in Threat Explorer or Real-time detections as layers to make retracing your steps easier: ++- The first layer is the view you're using. 
+- The second later is the filters you're using in that view. -With the new version of Threat Explorer, users can use the following new dropdown options with four new operators on the filters: +For example, you can retrace the steps you took to find a threat by recording your decisions like this: To find the issue in Threat Explorer, I used the **Malware** view and used a **Recipient** filter focus. -- Equals any of – returns values matching the exact user input.-- Equals none of – returns values not matching the exact user input.-- Contains any of – returns values partially matching user input.-- Contains none of – returns values not partially matching user input.+Also, be sure to test your display options. Different audiences (for example, management) might react better or worse to different presentations of the same data. -Note that these filter conditions are available based on filter types and input types. +For example, in Threat Explorer the **All email** view, the **Email origin** and **Campaigns** views (tabs) are available in the details area at the bottom of the page: -Use the **Column options** button to get the kind of information on the table that would be most helpful: +- For some audiences, the world map in the **Email origin** tab might do a better job of showing how widespread the detected threats are. + :::image type="content" source="../../media/te-rtd-all-email-view-details-area-email-origin-tab.png" alt-text="Screenshot of the world map in the Email origin view in the details area of the All email view in Threat Explorer." lightbox="../../media/te-rtd-all-email-view-details-area-email-origin-tab.png"::: +- Others might find the detailed information in the table in the **Campaigns** tab more useful to convey the information. -In the same mien, make sure to test your display options. Different audiences will react well to different presentations of the same data. 
For some viewers, the **Email Origins** map can show that a threat is widespread or discreet more quickly than the **Campaign display** option right next to it. Sec Ops can make use of these displays to best make points that underscore the need for security and protection, or for later comparison, to demonstrate the effectiveness of their actions. + :::image type="content" source="../../media/te-rtd-all-email-view-details-area-campaign-tab.png" alt-text="Screenshot of the details table in the Campaign tab in the All email view in Threat Explorer." lightbox="../../media/te-rtd-all-email-view-details-area-campaign-tab.png"::: +You can use this information for the following results: +- To show the need for security and protection. +- To later demonstrate the effectiveness of any actions. ### Email investigation -When you see a suspicious email, click the name to expand the flyout on the right. Here, the banner that lets Sec Ops see the [email entity page](mdo-email-entity-page.md) is available. +In the **All email**, **Malware**, or **Phish** views in Threat Explorer or Real-time detections, email message results are shown in a table in the **Email** tab (view) of the details area below the chart. -The email entity page pulls together contents that can be found under **Details**, **Attachments**, **Devices**, but includes more organized data. This includes things like DMARC results, plain text display of the email header with a copy option, verdict information on attachments that were securely detonated, and files those detonations dropped (can include IP addresses that were contacted and screenshots of pages or files). URLs and their verdicts are also listed with similar details reported. +When you see a suspicious email message, click on the **Subject** value of an entry in the table. The details flyout that opens contains :::image type="icon" source="../../media/m365-cc-sc-open-icon.png" border="false"::: **Open email entity** at the top of the flyout. 
+++The Email entity page pulls together everything you need to know about the message and its contents so you can determine whether the message is a threat. For more information, see [Email entity page overview](mdo-email-entity-page.md). ++### Email remediation -When you reach this stage, the email entity page will be critical to the final step—*remediation*. +After you determine that an email message is a threat, the next step is remediating the threat. You remediate the threat in Threat Explorer or Real-time detections using **Message actions** or :::image type="icon" source="../../media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action**. +These actions are available in the **All email**, **Malware**, or **Phish** views in Threat Explorer or Real-time detections in the **Email** tab (view) of the details area below the chart: ++- Select one or more entries in the table by selecting the check box next to the first column. **Message actions** is available directly in the tab. For more information, see [Remediate using Message actions](#remediate-using-message-actions). ++ - **Threat Explorer**: ++ :::image type="content" source="../../media/te-rtd-all-email-view-details-area-email-tab-message-selected-message-actions-threat-explorer.png" alt-text="Screenshot of the Email tab of the All email view in Threat Explorer showing a selected message and the available actions in Message actions." lightbox="../../media/te-rtd-all-email-view-details-area-email-tab-message-selected-message-actions-threat-explorer.png"::: ++ - **Real-time detections**: ++ :::image type="content" source="../../media/te-rtd-all-email-view-details-area-email-tab-message-selected-message-actions-real-time-detections.png" alt-text="Screenshot of the Email tab of the All email view in Real-time detections showing a selected message and the available actions in Message actions." 
lightbox="../../media/te-rtd-all-email-view-details-area-email-tab-message-selected-message-actions-real-time-detections.png"::: ++- Click on the **Subject** value of an entry in the table. The details flyout that opens contains :::image type="icon" source="../../media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action** at the top of the flyout. For more information, see [Remediate using Take action](#remediate-using-take-action). ++ :::image type="content" source="../../media/te-rtd-all-email-view-email-tab-details-area-subject-details-flyout-actions-only.png" alt-text="Screenshot of the actions available in the details flyout after you select a Subject value in the Email tab of the details area in the All email view." lightbox="../../media/te-rtd-all-email-view-email-tab-details-area-subject-details-flyout-actions-only.png"::: ++#### Remediate using Message actions ++In Threat Explorer and Real-time detections, selecting one or more messages enables **Message actions** on the **Email** tab (view) in the details area of the view: ++- In Threat Explorer, the available **Message actions** in the **All email**, **Malware**, and **Phish** views are described in the following list: ++ - **Move & delete**¹ + - Move to junk folder + - Move to deleted items + - Soft delete + - Hard delete + - Move to inbox + - **Track & notify** + - Trigger investigation + - Investigate Sender + - Investigate Recipient + - Add to remediation + - Contact recipients| + - **Start new submission** + - Submit to Microsoft ++ ¹ The **Move & delete** actions require the **Search and Purge** role in [Email & collaboration permissions](mdo-portal-permissions.md). By default, this role is assigned to the **Data Investigator** and **Organization Management** role groups. Members of the **Security Administrators** role group don't see these actions. 
You can add the members of the group to the **Data Investigator** role group, or you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the **Search and Purge** role assigned, and then add the members of the **Security Administrators** role group. ++- In Real-time detectionsAvailable, the available **Message actions** in the **Malware** and **Phish** views are described in the following list: + - **Start new submission** + - Report clean + - Report phishing + - Report malware + - Report spam ++##### Move & delete actions in Threat Explorer ++The following actions are available in the **Move & delete** category: ++- **Move to Junk folder**: Move the message to the Junk Email folder. +- **Move to Deleted Items**: Move the message to the Deleted items folder. +- **Soft delete**: Delete the message from the Deleted items folder (move to the Recoverable Items\Deletions folder). The message is recoverable by the user and admins. +- **Hard delete**: Purge the deleted message. Admins can recover hard deleted items using single-item recovery. For more information about hard deleted and soft deleted items, see [Soft-deleted and hard-deleted items](/compliance/assurance/assurance-exchange-online-data-deletion#soft-deleted-and-hard-deleted-items). +- **Move to Inbox**: Move the message to the Inbox. > [!TIP]-> To learn more about the rich email entity page (seen below on the **Analysis** tab), including the results of detonated Attachments, findings for included URLs, and safe Email preview, click [here](mdo-email-entity-page.md). +> Selecting **Move to Inbox** for message with the value **Quarantine** for the **Latest delivery location** property releases the message from quarantine. +When you select an action, a remediation wizard opens: -### Email remediation +1. 
On the **Name your remediation** page, enter a unique, descriptive name and an optional description to track and identify the selected action, and then select **Next**. ++2. On the **Determine severity** page, configure the following settings: + - **Severity**: Choose one of the following values: + - **High** (this is the default value) + - **Medium** + - **Low** + - **Status**: The value **Open** is selected, and you can't change it. ++ When you're finished on the **Determine severity** page, select **Next**. ++3. On the **Review and trigger action** page, review your previous selections. ++ Select :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the impacted assets to a CSV file. By default, the filename is **Impacted assets.csv** located in the **Downloads** folder. ++ Select **Back** or **Edit** to change your selections. ++ When you're finished on the **Review and trigger action** page, select **Next**. ++4. The **Submit actions** page contains the following information: + - The unique **Approval ID** value (for example, `d5f139`) and a link to the **History** tab of the **Action Center** at <https://security.microsoft.com/action-center/history>. + - The following information about the email message: + - **Date** + - **Recipient** + - **Subject** + - **Status** ++ When you're finished on the **Submit actions** page, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: **Close**. ++##### Track & notify actions in Threat Explorer ++- **Trigger investigation**, **Investigate sender**, **Investigate recipient**: Selecting one of these actions immediately creates the investigation. Selecting **OK** in the confirmation dialog opens the **Investigations** page in the Defender portal at <https://security.microsoft.com/airinvestigation> to show the new investigation in the list. 
++- **Add to remediation**: Selecting this option opens the **Create a new remediation or add to an existing one** wizard: + 1. On the **Create a remediation investigation** page, select one of the following values: + - **Create a new remediation**: When you select **Next**, you go to the **Name your remediation** page. + 1. On the **Name your remediation** page, enter a unique, descriptive name and an optional description to track and identify the selected action, and then select **Next**. + 2. On the **Determine severity** page, select the **Severity** level (**High**, **Medium**, or **Low**; **High** is the default), and then select **Next**. ++ - **Add to an existing remediation**: When you select **Next**, you go to the **Choose an existing remediation** page where you select the existing remediation from the **Submit emails to the following remediations** list, and then select **Next**. ++ 2. On the **Review the scope of this remediation** page, review the **Date**, **Recipient**, **Subject**, and **Sender** information on the page, and then select **Next**. + 3. The **Submit actions** page repeats the information from the previous page, and includes a link to the **Pending** tab of the **Action center** page at <https://security.microsoft.com/action-center/history>. When you're finished on the **Submit actions** page, select :::image type="icon" source="../../media/m365-cc-sc-close-icon.png" border="false"::: **Close**. ++- **Contact recipients**: Opens a new email message in the registered email client on your computer (for example, Microsoft Outlook) with the affected recipients in the Bcc box. ++##### Start new submission actions in Threat Explorer ++When you select **Submit to Microsoft**, the **Submit to Microsoft for analysis** flyout opens. Select one of the following values: ++- **I've confirmed it's clean**: Select this value if you're sure that the message is clean. 
When you select **Next**, the following items are available on a new flyout that opens: + - **Allow messages like this**: If you select this value, allow entries are added to the [Tenant Allow/Block List](tenant-allow-block-list-about.md) for the sender and any related URLs or attachments in the message. The following options also appear: + - **Remove allow entry after**: The default value is **30 days**, but you can also select **1 day**, **7 days**, or a **Specific date** that's less than 30 days. + - **Allow entry note**: Enter an optional note that contains additional information. ++ When you're finished in this flyout, select **Submit**. ++- **It appears clean** or **It appears suspicious**: Select one of these values if you're unsure and you want a verdict from Microsoft, and then select **Submit**. ++- **I've confirmed it's a threat**: Select this value if you're sure that the item is malicious, and then select **Spam**, **Phish**, or **Malware** in the **Choose a category** section that appears. When you select **Next**, the following items are available on a new flyout that opens: + - **Block all emails from this sender or domain**: This option is selected by default to add block entries to the [Tenant Allow/Block List](tenant-allow-block-list-about.md) for the sender and any related URLs or attachments in the message. When this option is selected, the following options are also available: + - Select **Sender** or **Domain** to block the specific email address or all email addresses in the domain. **Sender** is selected by default. + - **Remove block entry after**: The default value is **30 days**, but you can also select **1 day**, **7 days**, or a **Specific date** that's less than 30 days. + - **Block entry note**: Enter an optional note that contains additional information. ++ When you're finished in this flyout, select **Submit**. 
++##### Start new submission actions in Real-time detections ++Selecting an action from the **Start new submission** category in Real-time detections results in the following options: ++- **Report clean**: In the **Submit message as clean to Microsoft** dialog that opens, configure the following settings: + - **Allow emails with similar attributes (URL, sender, etc.)**: If you select this value, allow entries are added to the [Tenant Allow/Block List](tenant-allow-block-list-about.md) for the sender and any related URLs or attachments in the message. The following options are also available: + - **Remove allow entry after**: The default value is **30 days**, but you can also select **1 days**, **7 days**, or a **Specific date** that's less than 30 days. + - **Allow entry note**: Enter an optional note that contains additional information. ++ When you're finished in the dialog, select **Submit**. ++- **Report phishing**: In the **Submit message as phishing to Microsoft** dialog that opens, configure the following options: + - **Block all emails from this sender or domain**: If you select this value, block entries are added to the [Tenant Allow/Block List](tenant-allow-block-list-about.md) for the sender and any related URLs or attachments in the message. The following options are also available: + - Select **Sender** or **Domain** to block the specific email address or all email addresses in the domain. **Sender** is selected by default. + - **Remove block entry after**: The default value is **30 days**, but you can also select **1 days**, **7 days**, or a **Specific date** that's less than 30 days. + - **Block entry note**: Enter an optional note that contains additional information. ++ When you're finished in the dialog, select **Submit**. 
++- **Report malware**: In the **Submit message as malware to Microsoft** dialog that opens, configure the following options: + - **Block all emails from this sender or domain**: If you select this value, allow entries are added to the [Tenant Allow/Block List](tenant-allow-block-list-about.md) for the sender and any related URLs or attachments in the message. The following options are also available: + - Select **Sender** or **Domain** to block the specific email address or all email addresses in the domain. **Sender** is selected by default. + - **Remove block entry after**: The default value is **30 days**, but you can also select **1 days**, **7 days**, or a **Specific date** that's less than 30 days. + - **Block entry note**: Enter an optional note that contains additional information. ++ When you're finished in the dialog, select **Submit**. ++- **Report spam**: In the **Submit message as spam to Microsoft** dialog that opens, configure the following options: + - **Block all emails from this sender or domain**: If you select this value, block entries are added to the [Tenant Allow/Block List](tenant-allow-block-list-about.md) for the sender and any related URLs or attachments in the message. The following options are also available: + - Select **Sender** or **Domain** to block the specific email address or all email addresses in the domain. **Sender** is selected by default. + - **Remove block entry after**: The default value is **30 days**, but you can also select **1 days**, **7 days**, or a **Specific date** that's less than 30 days. + - **Block entry note**: Enter an optional note that contains additional information. ++ When you're finished in the dialog, select **Submit**. 
++#### Remediate using Take action ++After you click on the **Subject** value of an entry in the details table of the **Email** tab (view), selecting :::image type="icon" source="../../media/m365-cc-sc-take-actions-icon.png" border="false"::: **Take action** at the top of the flyout opens the **Take action** wizard in a new flyout. +++The available actions in the **Take action** wizard in Threat Explorer and Real-time detections are listed in the following table: -Once a Sec Ops person determines that an email is a threat, the next Explorer or Real-time detection step is dealing with the threat and remediating it. This can be done by returning to Threat Explorer, selecting the checkbox for the problem email, and using the **Actions** button. +|Action|Threat<br/>Explorer|Real-time<br/>Detections| +||::|::| +|**Move to mailbox folder**|✔¹|| +|**Submit to Microsoft for review**|✔|✔| +|**Initiate automated investigation**|✔|| +|**Propose remediation**|✔|✔| ++¹ This action requires the **Search and Purge** role in [Email & collaboration permissions](mdo-portal-permissions.md). By default, this role is assigned to the **Data Investigator** and **Organization Management** role groups. Members of the **Security Administrators** role group don't see this action. You can add the members of the group to the **Data Investigator** role group, or you can [create a new role group](mdo-portal-permissions.md#create-email--collaboration-role-groups-in-the-microsoft-defender-portal) with the **Search and Purge** role assigned, and then add the members of the **Security Administrators** role group. ++1. On the **Choose response actions** page, select one or more of the following options in the **Email message actions** section: ++ - **Move to mailbox folder**: Select one of the available values that appear: + - **Junk**: Move the message to the Junk Email folder. + - **Inbox**: Move the message to the Inbox. 
++ If the message has the value **Quarantine** for the **Latest delivery location** property, selecting **Inbox** releases the message from quarantine as described on the page. Select one of the following values that appears: ++ - **Release to one or more of the original recipients of the email** + - **Release to all recipients**. ++ - **Deleted items**: Move the message to the Deleted items folder. + - **Soft deleted items**: Delete the message from the Deleted items folder (move to the Recoverable Items\Deletions folder). The message is recoverable by the user and admins. + - **Hard deleted items**: Purge the deleted message. Admins can recover hard deleted items using single-item recovery. For more information about hard deleted and soft deleted items, see [Soft-deleted and hard-deleted items](/compliance/assurance/assurance-exchange-online-data-deletion#soft-deleted-and-hard-deleted-items). ++ - **Submit to Microsoft for review**: Select one of the available values that appear: + - **I've confirmed it's clean**: Select this value if you're sure that the message is clean. The following options appear: + - **Allow messages like this**: If you select this value, allow entries are added to the [Tenant Allow/Block List](tenant-allow-block-list-about.md) for the sender and any related URLs or attachments in the message. The following options also appear: + - **Remove entry after**: The default value is **1 day**, but you can also select **7 days**, **30 days**, or a **Specific date** that's less than 30 days. + - **Allow entry note**: Enter an optional note that contains additional information. + - **It appears clean** or **It appears suspicious**: Select one of these values if you're unsure and you want a verdict from Microsoft. 
+ - **I've confirmed it's a threat**: Select this value if you're sure that the item is malicious, and then select one of the following values in the **Choose a category** section that appears: + - **Phish** + - **Malware** + - **Spam** ++ After you select one of those values, a **Select entities to block** flyout opens where you can select one or more entities associated with the message (sender address, sender domain, URLs, or file attachments) to add as block entries to the Tenant Allow/Block list. ++ After you select the items to block, select **Add to block rule** to close the **Select entities to block** flyout. Or, select no items and then select **Cancel**. ++ Back on the **Choose response actions** page, select an expiration option for the block entries: ++ - :::image type="icon" source="../../media/scc-toggle-off.png" border="false"::: **Expire on**: Select a date for block entries to expire. + - :::image type="icon" source="../../media/scc-toggle-on.png" border="false"::: **Never expire** ++ The number of blocked entities is shown (for example, **4/4 entities to be blocked**). Select :::image type="icon" source="../../media/m365-cc-sc-edit-icon.png" border="false"::: **Edit** to reopen the **Add to block rule** and make changes. ++ - **Initiate automated investigation**: Threat Explorer only. Select one of the following values that appear: + - **Investigate email** + - **Investigate recipient** + - **Investigate sender** + - **Contact recipients** ++ - **Propose remediation**: Select one of the following values that appear: + - **Create new**: This value triggers a soft delete email pending action that needs to be approved by an admin in the Action center. + - **Add to existing**: Use this value to apply actions to this email message from an existing remediation. In the **Submit email to the following remediations** box, select the existing remediation. ++ When you're finished on the **Choose response actions** page, select **Next**. ++2. 
On the **Choose target entities** page, configure the following options: ++ - **Name** and **Description**: Enter a unique, descriptive name and an optional description to track and identify the selected action. ++ The rest of the page is a table that lists the affected assets. The table is organized by the following columns: ++ - **Impacted asset**: The affected assets from the previous page. For example: + - **Recipient email address** + - **Entire tenant** + - **Action**: The selected actions for the assets from the previous page. For example: + - Values from **Submit to Microsoft for review**: + - **Report as clean** + - **Report** + - **Report as malware**, **Report as spam**, or **Report as phishing** + - **Block sender** + - **Block sender domain** + - **Block URL** + - Values from **Initiate automated investigation**: + - **Investigate email** + - **Investigate recipient** + - **Investigate sender** + - **Contact recipients** + - Values from **Propose remediation**: + - **Create new remediation** + - **Add to existing remediation** + - **Target entity**: For example: + - The **Network Message ID value** of the email message. + - The blocked sender email address. + - The blocked sender domain. + - The blocked URL. + - **Expires on**: Values exist only for allow or block entries in the Tenant/Allow Block List. For example: + - **Never expire** for block entries. + - The expiration date for allow or block entries. + - **Scope**: Typically, this value is **MDO**. ++ When you're finished on the **Choose target entities** page, select **Next**. ++3. On the **Review and submit** page, review your previous selections. ++ Select :::image type="icon" source="../../media/m365-cc-sc-download-icon.png" border="false"::: **Export** to export the impacted assets to a CSV file. By default, the filename is **Impacted assets.csv** located in the **Downloads** folder. ++ Select **Back** to go back and change your selections. 
++ When you're finished on the **Review and submit** page, select **Submit**. ++## The threat hunting experience using Threat Explorer and Real-time detections ++Threat Explorer or Real-time detections helps your security operations team investigate and respond to threats efficiently. The following subsections explain how Threat Explorer and Real-time detections can help you find threats. ++### Threat hunting from Alerts ++The **Alerts** page is available in the Defender portal at **Incidents & alerts** \> **Alerts**, or directly at <https://security.microsoft.com/alerts>. ++Many alerts with the **Detection source** value **MDO** have the :::image type="icon" source="../../media/m365-cc-sc-show-trends-icon.png" border="false"::: **View messages in Explorer** action available at the top of the alert details flyout. ++The alert details flyout opens when you click anywhere on the alert other than the check box next to the first column. For example: ++- **A potentially malicious URL click was detected** +- **Admin submission result completed** +- **Email messages containing malicious URL removed after delivery​** +- **Email messages removed after delivery** +- **Messages containing malicious entity not removed after delivery** +- **Phish not zapped because ZAP is disabled** +++Selecting **View messages in Explorer** opens Threat Explorer in the **All email** view with the property filter **Alert ID** selected for the alert. The **Alert ID** value is a unique GUID value for the alert (for example, 89e00cdc-4312-7774-6000-08dc33a24419). ++**Alert ID** is a filterable property in the following views in Threat Explorer and Real-time detections: ++- [The **All email** view in Threat Explorer](threat-explorer-real-time-detections-about.md#filterable-properties-in-the-all-email-view-in-threat-explorer). 
+- [The **Malware** view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#filterable-properties-in-the-malware-view-in-threat-explorer-and-real-time-detections) +- [The **Phish view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#filterable-properties-in-the-phish-view-in-threat-explorer-and-real-time-detections) ++In those views, **Alert ID** is available as a selectable column in the details area below the chart in the following tabs (views): ++- [The **Email** view for the details area of the **All email** view in Threat Explorer](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-all-email-view-in-threat-explorer) +- [The **Email** view for the details area of the **Malware** view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-malware-view-in-threat-explorer-and-real-time-detections) +- [The **Email** view for the details area of the **Phish** view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-phish-view-in-threat-explorer-and-real-time-detections) ++In the [details flyout that opens when you click on a **Subject** value from one of the entries](threat-explorer-real-time-detections-about.md#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view), the **Alert ID** link is available in the **Email details** section of the flyout. Selecting the **Alert ID** link opens the **View alerts** page at <https://security.microsoft.com/viewalertsv2> with the alert selected and the details flyout open for the alert. +++### Tags in Threat Explorer ++In Defender for Office 365 Plan 2, if you use [user tags](user-tags-about.md) to mark high value targets accounts (for example, the **Priority account** tag) you can use those tags as filters. 
This method shows phishing attempts directed at high value target accounts during a specific time period. For more information about user tags, see [User tags](user-tags-about.md). ++User tags are available in the following locations in Threat Explorer: ++- **All email** view: + - [As a filterable property](threat-explorer-real-time-detections-about.md#filterable-properties-in-the-all-email-view-in-threat-explorer). + - [An available column in the **Email** tab (view) of the details area](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-all-email-view-in-threat-explorer). + - [The **Subject** details flyout from an entry in the **Email** tab (view)](threat-explorer-real-time-detections-about.md#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view) +- **Malware** view: + - [As a filterable property](threat-explorer-real-time-detections-about.md#malware-view-in-threat-explorer-and-real-time-detections). + - [An available column in the **Email** tab (view) of the details area in the **Malware** view](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-malware-view-in-threat-explorer-and-real-time-detections). + - [[The **Subject** details flyout from an entry in the **Email** tab (view)](threat-explorer-real-time-detections-about.md#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view) +- **Phish** view: + - [As a filterable property](threat-explorer-real-time-detections-about.md#phish-view-in-threat-explorer-and-real-time-detections). + - [An available column in the **Email** tab (view) of the details](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-phish-view-in-threat-explorer-and-real-time-detections). 
+ - [[The **Subject** details flyout from an entry in the **Email** tab (view)](threat-explorer-real-time-detections-about.md#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view) +- **URL clicks** view: + - [As a filterable property](threat-explorer-real-time-detections-about.md#url-clicks-view-in-threat-explorer). + - [An available column in the **Results** tab (view) of the details area in the **URL clicks** view](threat-explorer-real-time-detections-about.md#results-view-for-the-details-area-of-the-url-clicks-view-in-threat-explorer). ++<! ### Updated Timeline View ++> [!div class="mx-imgBorder"] +> :::image type="content" source="../../media/tags-urls.png" alt-text="Screenshot of the URL tags." lightbox="../../media/tags-urls.png"::: +> +Learn more by watching [this video](https://www.youtube.com/watch?v=UoVzN0lYbfY&list=PL3ZTgFEc7LystRja2GnDeUFqk44k7-KXf&index=4). > ++### Threat information for email messages ++Pre-delivery and post-delivery actions on email messages are consolidated into a single record, regardless of the different post-delivery events that affected the message. For example: ++- [Zero-hour auto purge (ZAP)](zero-hour-auto-purge.md). +- Manual remediation (admin action). +- [Dynamic Delivery](safe-attachments-about.md#dynamic-delivery-in-safe-attachments-policies). ++[The **Subject** details flyout from the **Email** tab (view)](threat-explorer-real-time-detections-about.md#subject-details-from-the-email-view-of-the-details-area-in-the-all-email-view) in the **All email**, **Malware**, or **Phish** views shows the associated threats and the corresponding detection technologies that are associated with the email message. A message can have zero, one, or multiple threats. ++- In the **Delivery details** section, the **Detection technology** property shows the detection technology that identified the threat. 
**Detection technology** is also available as a chart pivot or a column in the details table for many views in Threat Explorer and Real-time detections. ++- The **URLs** section shows specific **Threat** information for any URLs in the message. For example, **Malware**, **Phish**, **Spam, or **None**. ++> [!TIP] +> Verdict analysis might not necessarily be tied to entities. The filters evaluate content and other details of an email message before assigning a verdict. For example, an email message might be classified as phishing or spam, but no URLs in the message are stamped with a phishing or spam verdict. +++<!-- ### Updated timeline view (upcoming) ++> [!div class="mx-imgBorder"] +> :::image type="content" source="../../media/Email_Timeline.png" alt-text="Screenshot of the updated Timeline View." lightbox="../../media/Email_Timeline.png"::: ++Timeline view identifies all delivery and post-delivery events. It includes information about the threat identified at that point of time for a subset of these events. Timeline view also provides information about any additional action taken (such as ZAP or manual remediation), along with the result of that action. Timeline view information includes: ++- **Source:** Source of the event. It can be admin/system/user. +- **Event:** Includes top-level events like original delivery, manual remediation, ZAP, submissions, and Dynamic Delivery. +- **Action:** The specific action that was taken either as part of ZAP or admin action (for example, soft delete). +- **Threats:** Covers the threats (malware, phish, spam) identified at that point of time. +- **Result/Details:** More information about the result of the action, such as whether it was performed as part of ZAP/admin action. > ++## Extended capabilities in Threat Explorer ++The following subsections describe filters that are exclusive to Threat Explorer. 
++### Exchange mail flow rules (transport rules) ++To find messages that were affected by Exchange mail flow rules (also known as transport rules), you have the following options in the **All email**, **Malware**, and **Phish** views in Threat Explorer (not in Real-time detections): ++- **Exchange transport rule** is a selectable value for the **Primary override source**, **Override source**, and **Policy type** filterable properties. +- **Exchange transport rule** is a filterable property. You enter a partial text value for the name of the rule. ++For more information, see the following links: ++- [All email view in Threat Explorer](threat-explorer-real-time-detections-about.md#all-email-view-in-threat-explorer) +- [Malware view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#malware-view-in-threat-explorer-and-real-time-detections) +- [Phish view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#phish-view-in-threat-explorer-and-real-time-detections) ++The **Email** tab (view) for the details area of the **All email**, **Malware**, and **Phish** views in Threat Explorer also have **Exchange transport rule** as an available column that's not selected by default. This column shows the name of the transport rule. 
For more information, see the following links: ++- [Email view for the details area of the All email view in Threat Explorer](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-all-email-view-in-threat-explorer) +- [Email view for the details area of the Malware view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-malware-view-in-threat-explorer-and-real-time-detections) +- [Email view for the details area of the Phish view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-phish-view-in-threat-explorer-and-real-time-detections) ++> [!TIP] +> For the permissions required to search for mail flow rules by name in Threat Explorer, see [Permissions and licensing for Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#permissions-and-licensing-for-threat-explorer-and-real-time-detections). No special permissions are required to see rule names in email details flyouts, details tables, and exported results. +### Inbound connectors -Here, the analyst can take actions like submitting the message as Spam, Phishing, or Malware, contacting recipients, or further investigations that can include triggering Automated Investigation and Response (or AIR) playbooks (if you have Plan 2). Or, the message can also be submitted as clean. +Inbound connectors specify specific settings for email sources for Microsoft 365. For more information, see [Configure mail flow using connectors in Exchange Online](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/use-connectors-to-configure-mail-flow). +To find messages that were affected by inbound connectors, you can use the **Connector** filterable property to search for connectors by name in the **All email**, **Malware**, and **Phish** views in Threat Explorer (not in Real-time detections). 
You enter a partial text value for the name of the connector. For more information, see the following links: -## Required licenses and permissions +- [All email view in Threat Explorer](threat-explorer-real-time-detections-about.md#all-email-view-in-threat-explorer) +- [Malware view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#malware-view-in-threat-explorer-and-real-time-detections) +- [Phish view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#phish-view-in-threat-explorer-and-real-time-detections) -You must have [Microsoft Defender for Office 365](defender-for-office-365.md) to use Explorer or Real-time detections. +The **Email** tab (view) for the details area of the **All email**, **Malware**, and **Phish** views in Threat Explorer also have **Connector** as an available column that's not selected by default. This column shows the name of the connector. For more information, see the following links: -- Explorer is included in Defender for Office 365 Plan 2.-- The Real-time detections report is included in Defender for Office 365 Plan 1.-- Plan to assign licenses for all users who should be protected by Defender for Office 365. 
Explorer and Real-time detections show detection data for licensed users.+- [Email view for the details area of the All email view in Threat Explorer](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-all-email-view-in-threat-explorer) +- [Email view for the details area of the Malware view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-malware-view-in-threat-explorer-and-real-time-detections) +- [Email view for the details area of the Phish view in Threat Explorer and Real-time detections](threat-explorer-real-time-detections-about.md#email-view-for-the-details-area-of-the-phish-view-in-threat-explorer-and-real-time-detections) -To view and use Explorer or Real-time detections, you must have the following permissions: +## Email security scenarios in Threat Explorer and Real-time detections -- In the Microsoft Defender portal:- - Organization Management - - Security Administrator (this can be assigned in the Microsoft Entra admin center (<https://aad.portal.azure.com>) - - Security Reader -- In Exchange Online:- - Organization Management - - View-Only Organization Management - - View-Only Recipients - - Compliance Management +For specific scenarios, see the following articles: -To learn more about roles and permissions, see the following resources: +- [Email security with Threat Explorer and Real-time detections in Microsoft Defender for Office 365](threat-explorer-email-security.md) +- [Investigate malicious email that was delivered in Microsoft 365](threat-explorer-investigate-delivered-malicious-email.md) -- [Permissions in the Microsoft Defender portal](mdo-portal-permissions.md)-- [Permissions in Exchange Online](/exchange/permissions-exo/permissions-exo)-- [Exchange Online PowerShell](/powershell/exchange/exchange-online-powershell)+### More ways to use Threat Explorer and Real-time detections -## More information +In addition to the scenarios 
outlined in this article, you have more options in Explorer or Real-time detections. For more information, see the following articles: -- [Find and investigate malicious email that was delivered](investigate-malicious-email-that-was-delivered.md)-- [View malicious files detected in SharePoint Online, OneDrive, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md)-- [Get an overview of the views in Threat Explorer (and Real-time detections)](threat-explorer-views.md) - [Threat protection status report](reports-email-security.md#threat-protection-status-report)-- [Automated investigation and response in Microsoft Threat Protection](air-about-office.md)+- [Automated investigation and response in Microsoft Defender XDR](../defender/m365d-autoir.md) +- [Trigger an investigation from Threat Explorer](air-about-office.md#example-a-security-administrator-triggers-an-investigation-from-threat-explorer). - [Investigate emails with the Email Entity Page](mdo-email-entity-page.md) |
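Review bot: The added Real-time detections bullet in the Threat Explorer actions list reads "In Real-time detectionsAvailable, the available **Message actions** ..."; the stray "Available" looks like a merge leftover and the sentence should read "In Real-time detections, the available **Message actions** in the **Malware** and **Phish** views are ...". In the same region, the new TIP "Selecting **Move to Inbox** for message with the value **Quarantine**" needs an article: "for a message with the value **Quarantine**".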
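Review bot: Wrong entry type in the **Report malware** item under "Start new submission actions in Real-time detections": it says "allow entries are added to the Tenant Allow/Block List", but this is a block action and the sibling **Report phishing** and **Report spam** items correctly say "block entries are added". Suggest "block entries are added ...". The same four dialogs also repeat "**1 days**" in every **Remove allow entry after** / **Remove block entry after** option; the Threat Explorer flyouts earlier in the patch use "**1 day**", which is the form to keep.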
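Review bot: The new actions table under "Remediate using Take action" has a broken header separator row: `||::|::|` has no dashes, so Markdown will not recognize it as a table. It should be something like `|---|:---:|:---:|` (or the repository's usual `|---|:---:|:---:|` form) to match the three columns `|Action|Threat<br/>Explorer|Real-time<br/>Detections|`.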
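Review bot: Possible wrong link target in the **Add to remediation** step 3: it says the **Submit actions** page "includes a link to the **Pending** tab of the **Action center** page at <https://security.microsoft.com/action-center/history>", but `/action-center/history` is the same URL the earlier **Submit actions** step uses for the **History** tab. Either the tab name or the URL is off; please verify which tab that page actually links to.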
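Review bot: The **Remove entry after** default in the **Take action** wizard ("The default value is **1 day**, but you can also select **7 days**, **30 days**, or a **Specific date** that's less than 30 days") contradicts the Threat Explorer **Submit to Microsoft** flyout earlier in the patch, where **Remove allow entry after** defaults to **30 days** with **1 day**/**7 days** as alternatives. If the two wizards really differ, fine, but it reads like one of them is a copy error; please confirm. In the **Expires on** column description of the **Choose target entities** step, "Tenant/Allow Block List" should be "Tenant Allow/Block List" as used everywhere else.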
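Review bot: Several Markdown defects in the threat hunting section will render as literal text: the **Alert ID** view list has "[The **Phish view in Threat Explorer and Real-time detections](...)" with no closing `**` after "Phish"; the **Tags in Threat Explorer** list has a doubled opening bracket "[[The **Subject** details flyout ..." in both the **Malware** and **Phish** view sub-lists; and the URLs **Threat** sentence "**Malware**, **Phish**, **Spam, or **None**" is missing the closing `**` after "Spam". Also, the alert name "Email messages containing malicious URL removed after delivery" carries a trailing zero-width space before the closing `**`, which will break copy/paste matching against the alert title.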
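Review bot: The commented-out "Updated Timeline View" block in the **Tags in Threat Explorer** section opens with `<! ### Updated Timeline View` rather than `<!--`, so the image and the YouTube link inside it will render instead of being hidden; the later "Updated timeline view (upcoming)" block uses `<!--` correctly, so align the first one with it. Minor grammar in the **Extended capabilities** subsections: "The **Email** tab (view) ... also have **Exchange transport rule**" and "... also have **Connector**" should be "also has", and "Inbound connectors specify specific settings" could drop one of the two "specific"s.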
security | Threat Explorer Views | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/threat-explorer-views.md | - Title: Views in Threat Explorer and real-time detections - - NOCSH --- Previously updated : 6/20/2023--- - m365-security - - tier1 -description: Learn about how to use Threat Explorer and the real-time detections report to investigate and respond to threats in the Microsoft Defender portal. ----appliesto: - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/office-365-security/mdo-security-comparison#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet" target="_blank">Microsoft Defender for Office 365 plan 1 and plan 2</a> - - ✅ <a href="https://learn.microsoft.com/microsoft-365/security/defender/microsoft-365-defender" target="_blank">Microsoft Defender XDR</a> ---# Views in Threat Explorer and real-time detections ----[Threat Explorer](threat-explorer-about.md) (and the real-time detections report) is a powerful, near real-time tool to help Security Operations teams investigate and respond to threats in the Microsoft Defender portal. Explorer (and the real-time detections report) displays information about suspected malware and phish in email and files in Office 365, as well as other security threats and risks to your organization. --- If you have [Microsoft Defender for Office 365](defender-for-office-365.md) Plan 2, then you have Explorer.-- If you have Microsoft Defender for Office 365 Plan 1, then you have real-time detections.--When you first open Explorer (or the real-time detections report), the default view shows email malware detections for the past 7 days. This report can also show Microsoft Defender for Office 365 detections, such as malicious URLs detected by [Safe Links](safe-links-about.md), and malicious files detected by [Safe Attachments](safe-attachments-about.md). 
This report can be modified to show data for the past 30 days (with a Microsoft Defender for Office 365 P2 paid subscription). Trial subscriptions will include data for the past seven days only. --|Subscription|Utility|Days of Data| -|||| -|Microsoft Defender for Office 365 P1 trial|Real-time detections|7| -|Microsoft Defender for Office 365 P1 paid|Real-time detections|30| -|Microsoft Defender for Office 365 P1 paid testing Defender for Office 365 P2 trial|Threat Explorer|7| -|Microsoft Defender for Office 365 P2 trial|Threat Explorer|7| -|Microsoft Defender for Office 365 P2 paid|Threat Explorer|30| --> [!NOTE] -> We will soon be extending the Explorer (and Real-time detections) data retention and search limit for trial tenants from 7 to 30 days. This change is being tracked as part of roadmap item no. 70544, and is currently in a roll-out phase. --Select the **View** menu using the navigation bar. Once you have selected a view, you can apply filters and set up queries to conduct further analysis. The following sections provide a brief overview of the various views available in Explorer (or real-time detections). --## All email --To view this report, in Explorer, select **All email** in the top navigation pane. This view shows emails identified as malicious due to phishing or malware, as well all other non-malicious emails like regular email, spam, and bulk mail. ---> [!NOTE] -> If you get a **Too much data to display** error, add a filter and, if necessary, narrow the date range you're viewing. --To apply a filter, select the filter dropdown, select an item in the list, and then select **Refresh**. You can view information by sender, sender's domain, recipients, subject, attachment filename, malware family, detection technology (how the malware was detected), and more. --You can view more details about specific email messages, such as subject line, recipient, sender, status, and so on below the chart. 
--## Malware --To view this report, in Explorer, select **Malware** in the top navigation pane. This view shows information about email messages that were identified as containing malware. ---Use this list to view data by sender, recipients, sender domain, subject, detection technology, and more. --You can also use the **Top malware families** section to identify the malware families used most frequently to attack the users and the number of times it is used in last 30 days. --Below the chart, view more details about specific messages. When you select an item in the list, a fly-out pane opens, where you can learn more about the item you selected. ---## Phish --To view this report, in Explorer (or real-time detections), select **Phish** in the top navigation pane. This view shows email messages identified as phishing attempts. ---Your list of viewing options include data by sender, recipients, sender domain, sender IP, URL domain, click verdict, and more. --For example, to see what actions were taken when people clicked on URLs that were identified as phishing attempts, select **Click verdict**, select one or more options, and then select **Refresh**. --Below the chart, view more details about specific emails, **URL clicks**, **Top URLs**, **Top clicks**, and more. --When you select an item in the list, such as a URL that was detected, a fly-out pane opens, where you can learn more about the item you selected. ---## Campaigns --To view this report, in Explorer, select **Campaign** in the top navigation pane. This view shows details of all the campaigns identified by Microsoft Defender for Office 365. ---For more information on campaigns, see [Campaigns in Microsoft Defender for Office 365](campaigns.md). --## Content Malware --To view this report, in Explorer (or real-time detections), select **Content Malware** in the top navigation pane. 
This view shows files that were identified as malicious by [Microsoft Defender for Office 365 in SharePoint Online, OneDrive for Business, and Microsoft Teams](safe-attachments-for-spo-odfb-teams-about.md). ---You can view information by malware family, detection technology (how the malware was detected), and workload (OneDrive, SharePoint, or Teams). --Below the chart, view more details about specific files, such as attachment filename, workload, file size, who last modified the file, and more. --## URL clicks --To view this report, in Explorer, select **URL clicks** in the top navigation pane. This view shows all end user clicks on URLs in emails, Teams messages, and Office 365 apps like OneDrive and SharePoint. ---You can view information by recipient, detection technology (how the malware was detected), and workload (Email, Office, Teams). --You can also use the **Top clicks** and **Top targeted users** options to get more information on user click patterns and know which users are more vulnerable to external attacks. ---## Queries and filters --Explorer (as well as the real-time detections report) has several powerful filters and querying capabilities that enable you to drill into details, such as top targeted users, top malware families, detection technology, and more. Each kind of report offers a variety of ways to view and explore data. --> [!IMPORTANT] -> Do not use wildcard characters, such as an asterisk or a question mark, in the query bar for Explorer (or real-time detections). When you search on the **Subject field** for email messages, Explorer (or real-time detections) will perform partial matching and yield results similar to a wildcard search. |
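Review bot: this hunk deletes `threat-explorer-views.md` outright, so every inbound link to that path needs a redirect entry or the old URL 404s; the first row in this set already drops its own link (`-- [Get an overview of the views in Threat Explorer (and Real-time detections)](threat-explorer-views.md)`), and the rows below repoint `threat-explorer-about.md` to `threat-explorer-real-time-detections-about.md`, which looks like the natural redirect target if the views content was folded in there. Also confirm the retention table being removed here (P1 paid and P2 paid at 30 days, trials at 7, plus the roadmap item 70544 note) has an equivalent in the replacement article; otherwise that information is lost rather than moved.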
security | Trial User Guide Defender For Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/trial-user-guide-defender-for-office-365.md | Watch this video to learn more: [Detect and respond to compromise in Microsoft D #### Use Threat Explorer to investigate malicious email -Defender for Office 365 enables you to investigate activities that put people in your organization at risk and to take action to protect your organization. You can do this using [Threat Explorer](threat-explorer-about.md). +Defender for Office 365 enables you to investigate activities that put people in your organization at risk and to take action to protect your organization. You can do this using [Threat Explorer (Explorer)](threat-explorer-real-time-detections-about.md): -- [Find suspicious email that was delivered](investigate-malicious-email-that-was-delivered.md#find-suspicious-email-that-was-delivered): Find and delete messages, identify the IP address of a malicious email sender, or start an incident for further investigation.-- [Check the delivery action and location](investigate-malicious-email-that-was-delivered.md#check-the-delivery-action-and-location): This check lets you know the location of problem email messages.-- [View the timeline of your email](investigate-malicious-email-that-was-delivered.md#view-the-timeline-of-your-email): Simply hunting for your security operations team.+- [Find suspicious email that was delivered](threat-explorer-investigate-delivered-malicious-email.md#find-suspicious-email-that-was-delivered): Find and delete messages, identify the IP address of a malicious email sender, or start an incident for further investigation. 
+- [Email security scenarios in Threat Explorer and Real-time detections](threat-explorer-threat-hunting.md#email-security-scenarios-in-threat-explorer-and-real-time-detections) ++<!-- #### See campaigns targeting your organization Use the reporting capabilities in Defender for Office 365 to get more details ab #### Use Threat Explorer to investigate malicious email in auditing mode -Defender for Office 365 enables you to investigate activities that put people in your organization at risk and to take action to protect your organization. You can do this using [Threat Explorer](threat-explorer-about.md). +Defender for Office 365 enables you to investigate activities that put people in your organization at risk and to take action to protect your organization. You can do this using [Threat Explorer (Explorer)](threat-explorer-real-time-detections-about.md): ++- [Find suspicious email that was delivered](threat-explorer-investigate-delivered-malicious-email.md#find-suspicious-email-that-was-delivered): Find and delete messages, identify the IP address of a malicious email sender, or start an incident for further investigation. 
+- [Email security scenarios in Threat Explorer and Real-time detections](threat-explorer-threat-hunting.md#email-security-scenarios-in-threat-explorer-and-real-time-detections) -- [Find suspicious email that was delivered](investigate-malicious-email-that-was-delivered.md#find-suspicious-email-that-was-delivered): Find and delete messages, identify the IP address of a malicious email sender, or start an incident for further investigation.-- [Check the delivery action and location](investigate-malicious-email-that-was-delivered.md#check-the-delivery-action-and-location): This check lets you know the location of problem email messages.-- [View the timeline of your email](investigate-malicious-email-that-was-delivered.md#view-the-timeline-of-your-email): Simply hunting for your security operations team.+<!-- #### Convert to Standard Protection at the end of evaluation period |
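Review bot: the two added `+<!--` lines (one before `#### See campaigns targeting your organization`, one before `#### Convert to Standard Protection at the end of evaluation period`) have no matching `-->` anywhere in the visible hunks; an unclosed HTML comment hides everything after it until the next `-->` or end of file, so confirm each has a closing marker and that only the intended subsections are commented out. A smaller point: the same link list is now inserted verbatim under both `#### Use Threat Explorer to investigate malicious email` and `#### Use Threat Explorer to investigate malicious email in auditing mode`, while the removed bullets (`Check the delivery action and location`, `View the timeline of your email`) carried the investigation-specific guidance; if the auditing-mode section is meant to differ, the duplication loses that distinction.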
security | Try Microsoft Defender For Office 365 | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/try-microsoft-defender-for-office-365.md | Remember, when you evaluate or try Defender for Office 365 in audit mode, specia [Enhanced Filtering for Connectors](/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/enhanced-filtering-for-connectors) (also known as *skip listing*) is automatically configured on the connector that you specify. - When a third-party service or device sits in front of email flowing into Microsoft 365, Enhanced Filtering for Connectors correctly identifies the source of internet messages and greatly improves the accuracy of the Microsoft filtering stack (especially [spoof intelligence](anti-phishing-protection-spoofing-about.md), as well as post-breach capabilities in [Threat Explorer](threat-explorer-about.md) and [Automated Investigation & Response (AIR)](air-about-office.md). + When a third-party service or device sits in front of email flowing into Microsoft 365, Enhanced Filtering for Connectors correctly identifies the source of internet messages and greatly improves the accuracy of the Microsoft filtering stack (especially [spoof intelligence](anti-phishing-protection-spoofing-about.md), as well as post-breach capabilities in [Threat Explorer](threat-explorer-real-time-detections-about.md) and [Automated Investigation & Response (AIR)](air-about-office.md). - **I'm only using Microsoft Exchange Online**: The MX records for your domain point to Microsoft 365. There's nothing left to configure, so select **Finish**. 
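Review bot: the replacement line carries over an unbalanced parenthesis from the original: the parenthetical opened at `(especially [spoof intelligence](anti-phishing-protection-spoofing-about.md)` is never closed. Since the line is being touched for the link target anyway, close it after `[Automated Investigation & Response (AIR)](air-about-office.md)` so the sentence ends `...(AIR)](air-about-office.md)).`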
No special reports are created for **blocking mode**, so use the standard report In **audit mode**, you're looking for reports that show detections by the evaluation policies as described in the following list: -- The [Email entity page](mdo-email-entity-page.md) (part of [Threat Explorer](threat-explorer-about.md)) shows the following banner in message detection details on the **Analysis** tab for **Bad attachment**, **spam url + malware**, **Phish url**, and **impersonation** messages that were detected by the Defender for Office 365 evaluation:+- The [Email entity page](mdo-email-entity-page.md) (part of [Threat Explorer](threat-explorer-real-time-detections-about.md)) shows the following banner in message detection details on the **Analysis** tab for **Bad attachment**, **spam url + malware**, **Phish url**, and **impersonation** messages that were detected by the Defender for Office 365 evaluation: :::image type="content" source="../../media/evalv2-detection-banner.png" alt-text="Notification banner in message details that the Defender for Office 365 evaluation detected a malicious email message." lightbox="../../media/evalv2-detection-banner.png"::: |
security | User Tags About | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/user-tags-about.md | After you apply system tags or custom tags to users, you can use those tags as f - [Alerts](../defender/investigate-alerts.md) - [Incidents](mdo-sec-ops-manage-incidents-and-alerts.md) - [Custom alert policies](/purview/alert-policies#view-alerts)-- [Threat Explorer](threat-explorer-about.md)+- [Threat Explorer](threat-explorer-real-time-detections-about.md) - [Campaign Views](campaigns.md) - [Email entity page](mdo-email-entity-page.md) - [Email security reports](reports-email-security.md) |
security | Zero Hour Auto Purge | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/office-365-security/zero-hour-auto-purge.md | For more information about configuring spam filtering verdicts, see [Configure a To determine if ZAP moved your message, you have the following options: - **Number of messages**: Use the [Mailflow view in the Mailflow status report](reports-email-security.md#mailflow-view-for-the-mailflow-status-report) to see the number of ZAP-affected messages for the specified date range.-- **Message details**: Use [Threat Explorer (or real-time detections)](threat-explorer-about.md) to filter **All email** events by the value **ZAP** for the **Additional action** column.+- **Message details**: Use [Threat Explorer (or real-time detections)](threat-explorer-real-time-detections-about.md) to filter **All email** events by the value **ZAP** for the **Additional action** column. > [!NOTE] > ZAP is not logged in the Exchange mailbox audit logs as a system action. |
test-base | Faq | https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/test-base/faq.md | f1.keywords: NOCSH ## Test Base End-of-life(EOL) **Q: When is Test Base end of life (EOL)?**+ **A:** Test Base EOL is on May 31, 2024. + + **Q: What does end of life (EOL) for Test Base mean?**+ **A:** Test Base will reach EOL on May 31, 2024. The end-of-life (EOL) process for the Test Base for Microsoft 365 service started on March 4, 2024. From this date, no new features or updates are released for Test Base. Existing users will retain access to the service and their data until May 31, 2024. During this period, the service is available for testing, exporting data, and making necessary arrangements for the transition. Our team is dedicated to assisting you during this transition. If you have any feedback or questions regarding this decision, don't hesitate to contact our support team at [testbase_support@microsoft.com](mailto:testbase_support@microsoft.com). + + **Q: Why did Microsoft decide to transition Test Base for Microsoft 365 to end of life (EOL)?**+ **A:** Test Base for Microsoft 365 is a cloud-based app testing service on Azure that evaluates the compatibility of applications with new Windows releases or updates. While cloud-based app testing services are an intriguing option, the continuous innovation of Windows 11 has resolved a high percentage of application compatibility issues. Additionally, with greater support from application vendors, customers have less reliance on services such as Test Base. After carefully evaluating current demands, we have decided to discontinue Test Base and refocus our investments and resources. + + **Q: What happens to the customer environment during the transition to EOL?**-**A:** During the transition to EOL, Test Base provides customers with instructions on how to complete the offboarding process. Our goal is to prevent any disruption to the business and users. 
All configurations used for management (configurations, policies, scripts, etc.) will remain in place. The customer can choose to maintain or remove them. ++**A:** During the transition to EOL, Test Base provides customers with instructions on how to complete the offboarding process. Our goal is to prevent any disruption to the business and users. All configurations used for management (configurations, policies, scripts, etc.) will remain in place. The customer can choose to maintain or remove them until May 31, 2024. After May 31, 2024, all customer environments and data will be permanently deleted. ++ **Q: Will Test Base offer an extension to the 60 days?**+ **A:** No, Test Base won't offer an extension after May 31, 2024. + + **Q: <a name="Does_have_solution"></a>Does Test Base have an alternative solution?**+ **A:** There's no 1:1 replacement for Test Base. Microsoft remains committed to ensuring that the apps you rely upon continue to work as expected when you upgrade. There are still rich services and guidance that can help you ensure the compatibility of your applications: - **App Assure**: If you run into compatibility issues or want to ensure that your organization's applications are compatible from day one, you may reach out to App Assure. With enrollment in the [App Assure](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fwindows%2Fcompatibility%2Fapp-assure&data=05%7C02%7Cmiaoyuezhou%40microsoft.com%7C7a21782822d142dfe41908dc43ba47c0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638459714580439514%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=B38PoXObefTHSHSKGHTiDlm7YzJmKkgn0TYz1AOAk4o%3D&reserved=0) service, any app compatibility issues that you find with Windows 11 can be resolved. Microsoft helps you remedy application issues at no cost. 
Since 2018, App Assure has evaluated almost 800,000 apps, and subscriptions are free for eligible customers with 150+ seats. - **SUVP**: The [Security Update Validation Program (SUVP)](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fwindows-it-pro-blog%2Fsecurity-update-validation-program-the-early-bird-tests-the-worm%2Fba-p%2F2569392&data=05%7C02%7Cmiaoyuezhou%40microsoft.com%7C7a21782822d142dfe41908dc43ba47c0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638459714580457417%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=T7B2DnRAe6p%2Fve3UlocDbYpdm%2FbSQKxEcLv7XszsOGE%3D&reserved=0) is a quality assurance testing program for Microsoft security updates, which are released on the second Tuesday of each month. The SUVP provides early access to Microsoft security updatesΓÇöup to three weeks in advance of the official releaseΓÇöfor the purpose of validation and interoperability testing. The program encompasses any Microsoft products for which we fix a vulnerability (for example: Windows, Office, Exchange, or SQL Server) and is limited to trusted customers under NDA who have been nominated by a Microsoft representative. To join SUVP program, contact [suvp@microsoft.com](mailto:suvp@microsoft.com). - **Selfhost**: If youΓÇÖre building your own service pipeline to validate Windows or Office update. 
These guidances and services could potentially help you: [Azure DevTest Labs](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fazure%2Fdevtest-labs%2F&data=05%7C02%7Cmiaoyuezhou%40microsoft.com%7C7a21782822d142dfe41908dc43ba47c0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638459714580469035%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=hCmHl7FT8L6Xkbg2FXfpnS34N3kII%2B8o%2B3UzxunNhzM%3D&reserved=0), [Security Update Guide](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fmsrc%2Ffaqs-security-update-guide&data=05%7C02%7Cmiaoyuezhou%40microsoft.com%7C7a21782822d142dfe41908dc43ba47c0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638459714580479144%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=MwZ8J9f3BVzUopW9BOesvxo%2FP%2BHQ7fLqLVBsV4QNxHY%3D&reserved=0), [Office Deployment Tool](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Flearn.microsoft.com%2Fen-us%2Fdeployoffice%2Foverview-office-deployment-tool&data=05%7C02%7Cmiaoyuezhou%40microsoft.com%7C7a21782822d142dfe41908dc43ba47c0%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C638459714580487089%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=sTWfQXK9exSm74Y4qqkha8mRW%2FQLU0DX7%2Fuq24Q3%2F6o%3D&reserved=0). + + **Q: Will the service continue to be supported as usual during the end-of-life period before May 31?**+ **A:** Starting from March 4, the service will no longer be actively maintained and supported. Existing users will retain access to the service and their data until May 31, 2024. During this period, users may continue to use the service for testing, export data, and make necessary arrangements for the transition. 
+ + **Q: Will there be new monthly security updates, feature updates and Office updates?**-**A:** For customers who have signed up for monthly security updates, their tests will continue to be triggered upon original configuration until May 31. Feature updates are paused after Build 22635.3212 in Beta Channel. Office updates are paused after Build 16.0.17328.20004. In you need any support for feature update or office update extension, or any transition help needed, [submit a support request](https://aka.ms/TestBaseSupport). ++**A:** For customers who have signed up for monthly security updates, their tests will continue to be triggered upon original configuration until May 31. Feature updates are paused after Build 22635.3212 in Beta Channel. Office updates are paused after Build 16.0.17328.20004. [Submit a support request](https://aka.ms/TestBaseSupport) if needed. ++ **Q: What if I need data from Test Base? Will I still access to my data?**-**A:** You'll retain access to the service and data until May 31, 2024. Following this date, all customer data will be |
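Review bot: the App Assure, SUVP, Azure DevTest Labs, Security Update Guide and Office Deployment Tool links are Outlook Safe Links redirector URLs (`https://nam06.safelinks.protection.outlook.com/?url=...`) whose query strings embed an employee address (`miaoyuezhou%40microsoft.com`) and a tenant ID; public docs should carry the direct targets encoded in each `url=` parameter (for example `https://learn.microsoft.com/en-us/windows/compatibility/app-assure` and `https://learn.microsoft.com/azure/devtest-labs/`), both to avoid publishing that personal data and because the redirector is not a stable link. The hunk also introduces mojibake where dashes and an apostrophe were pasted (`updatesΓÇöup`, `releaseΓÇöfor`, `youΓÇÖre`), which should be the intended punctuation characters. Finally, `Will Test Base offer an extension to the 60 days?` refers to a 60-day window the text never defines; the dates given (March 4 to May 31, 2024) span roughly 88 days, so either the number or the question wording needs adjusting.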